To solve this machine, we begin by enumerating open ports using
nmap – finding ports
5985 open. Going to the webserver, we are able to authenticate with default credentials, which gives us access to MFP Firmware Update Center. We are able to exploit a fileshare upload to get the NTLMv2 hash of
tony. After cracking the hash, we are able to get a shell on the machine as
tony, and read
tony, we are able to exploit privileged file operations in the Windows Print Spooler service to get a reverse shell on the machine as
NT Authority\System, thus allowing us to read
Like all machines, we begin by enumerating open ports using
nmap. From our scans, we find ports
$ sudo nmap -v -p- --min-rate 3000 $RHOST [...] $ sudo nmap -sV -A -p 80,135,445,5985 -oA enum/nmap/tcp-scripts $RHOST # Nmap 7.91 scan initiated Sun Oct 3 11:26:46 2021 as: nmap -sV -A -p 80,135,445,5985 -oA enum/nmap/tcp-scripts 10.129.229.19 Nmap scan report for 10.129.229.19 Host is up (0.054s latency). PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=MFP Firmware Update Center. Please enter password for admin | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-10-03T23:27:00 |_ start_date: 2021-10-03T23:24:06 TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 52.10 ms 10.10.14.1 2 52.23 ms 10.129.229.19 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Oct 3 11:27:39 2021 -- 1 IP address (1 host up) scanned in 53.31 seconds
Checking SMB (port
445) and RPC (port
135) for anonymous and guest authentication, we are unable to get access. Next, we attempt to enumerate the webserver with
nikto, however, are unable to since it requires HTTP authentication. From
nikto‘s output, we are suggested to attempt to authenticate using the credentials
$ nikto -h $RHOST -o enum/web/nikto-80.txt - Nikto v2.1.6/2.1.5 + Target Host: 10.129.229.19 + Target Port: 80 + GET Retrieved x-powered-by header: PHP/7.3.25 + GET The anti-clickjacking X-Frame-Options header is not present. + GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + GET Default account found for 'MFP Firmware Update Center. Please enter password for admin' at / (ID 'admin', PW 'admin'). Generic account discovered.. + OPTIONS Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST + OPTIONS Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
Going to the webserver on port
80, we log in with the credentials
nikto suggests. Doing so, we are presented with a page titled “MFP Firmware Update Center”. At the bottom of the page, we get the FQDN
driver.htb. When we try to enumerate for additional vhosts, we do not get any.
Looking around the site, we see that “MFP Firmware Update Center” is the only valid page. Based on its contents, it allows firmware uploads for different printer models. Additionally, the page states that firmware will be uploaded to a file, and the testing team will review the uploads and test them.
Since uploads are being placed on a file share, we can attempt to get the user to connect to our machine some way. For this, we can attempt to upload a .scf file that will get executed when the user navigates to the share. If successful, we should get the user’s NTLM/NTLMv2 hash. To test this, we create the
.scf file, start
responder in analyze mode, and upload the file. Shortly after, we get the NTLMv2 hash for the user
To get the user’s password, we take the hash and attempt to crack it with
hashcat. Doing so, we are successful.
Using the credentials with
evil-winrm, we are able to get a shell on the machine via port
5985. Going to
tony‘s desktop, we are now able to read
Now that we have a shell as
tony, we start to enumerate for our path to privilege escalation. As the machine’s logo is a printer, we assume “PrintNightmare” is the path for privilege escalation. After a little research, we find a Github repository by Hack The Box’s own Cube0x0. At the bottom of the page, we see that we can use
rpcdump.py to check for the vulnerability. Doing so, we see that the machine is indeed vulnerable.
To exploit this, we begin by creating a malicious DLL file that executes a reverse shell to our machine. After it’s created, we use
smbserver.py to serve the malicious DLL.
Lastly, we start a reverse shell listener with
netcat, and run the script. After some time, we get a reverse shell as
NT Authority\System – which allows us to read
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!