Hackthebox: Driver Machine Walkthrough: Produced by

Download as pdf or txt
Download as pdf or txt
You are on page 1of 11

HackTheBox: Driver Machine

Walkthrough

Produced by

P a g e 1 | 11
Table of Contents:
Section 1: Scanning: ...............................................................................3
Section 2: Accessing the Web page:.......................................................4
Section 3: SCF file attacks: .....................................................................5
What is SCF File? ................................................................................5
Why have we used it? ..........................................................................5
How to use it? ......................................................................................5
The file we used to upload it on our target machine: ............................5
Section 4: Dumping the hashes with responder: .....................................6
Startup Responder: ..............................................................................6
Upload the file to our target: .................................................................6
Dumping the hashes: ...........................................................................6
Section 5: Crack the hash: ......................................................................7
Save the hash: .....................................................................................7
Crack with Hashcat: .............................................................................7
Section 6: Gain Access: ..........................................................................8
Gain Access with the user credentials:.................................................8
PrintNightmare (CVE-2021-1675): .......................................................9
Download, Upload & Exploit (CVE-2021-1675) on the target machine: 9
Gain Access with the newUser credentials:........................................10
Section7: References:...........................................................................11

P a g e 2 | 11
Section 1: Scanning:
o scanning the target
o Sudo nmap -sV -A -O 10.10.11.106

o We found that there are 3 open ports

• We will add the IP in the domain hosts


o Sudo nano /etc/hosts
o Add 10.10.11.106

P a g e 3 | 11
Section 2: Accessing the Web page:
• Open driver.htb in your browser

o Username: admin & Passwd: admin

o Now we will think about uploading a file in the Firmware


update page to dump the hashes saved on this machine.
P a g e 4 | 11
Section 3: SCF file attacks:
What is SCF File?
o SCF (Shell Command Files) can be used to perform a limited set
of operations such as showing the Windows desktop or opening a
Windows explorer.
Why have we used it?
o SCF file can be used to access a specific UNC path which allows
the penetration tester to build an attack.
How to use it?
o The code below can be placed inside a text file which then needs
to be planted into a network share.

o Saving the file as SCF file will make the file to be executed when
the user will browse the file.
o Adding the @ symbol in front of the filename will place the
pentestlab.scf on the top of the share drive.
o Replace your target IP with the X.X.X.X.
The file we used to upload it on our target machine:

P a g e 5 | 11
Section 4: Dumping the hashes with responder:
Startup Responder:
o Sudo responder -I tun0

Upload the file to our target:

Dumping the hashes:

P a g e 6 | 11
Section 5: Crack the hash:
Save the hash:
o Save the NTLMv2 hash into a txt file.
Crack with Hashcat:
o we try to crack the NTLMv2 captured hash via Hashcat

o Now we have a username: tony & Passwd: liltony

P a g e 7 | 11
Section 6: Gain Access:
Gain Access with the user credentials:
o we will use the Evil-winrm tool to gain access on the machine.

o Searching for the user hash

P a g e 8 | 11
PrintNightmare (CVE-2021-1675):
o This machine is talking about drivers for printer. So, we will think
about printer vulnerabilities.
o We will look for CVE 2021-1675.
o CVE 2021-1675: A vulnerability that allows an attacker with low
access privileges to use a malicious DLL file to escalate privilege.
Threat actors can only take advantage of the vulnerability if they
have direct access to the vulnerable system, so Microsoft
categorized it as low risk.
o We will use this CVE to create a user with the administrator
privilege.
o Github link: https://github.com/calebstewart/CVE-2021-1675

Download, Upload & Exploit (CVE-2021-1675) on the target


machine:
o Download the file from the Github link.

o We will use evil-winrm again with tony user to upload the CVE and
exploit it.
o We will use python to create a http server in the folder which
contain the file.

o From the Evil-winrm terminal we will download the CVE file and
create a new user with new passwd:
✓ Username: newUser
✓ Passwd: SuperSecure

o ‘http://your-ip:8080/CVE-2021-1675.ps1’

P a g e 9 | 11
Gain Access with the newUser credentials:
o Login with the newUser from Evil-Winrm

o search for the root hash

o Cat the root.txt file

Pwned

P a g e 10 | 11
Section7: References:
o https://pentestlab.blog/2017/12/13/smb-share-scf-file-
attacks/
o https://www.ired.team/offensive-security/initial-
access/t1187-forced-authentication
o https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2021-1675
o https://www.blumira.com/cve-2021-1675/

P a g e 11 | 11

You might also like