HackTheBox – Drivers

Hello ! This time I’m gonna show you my write up of Driver. This boot2root challenge from HackTheBox was a great journey, the first part included the explotation of a user side attack, through a well known Windows feature and the second part was useful to understand a critical vulnerability that appeared some months ago in the Windows Spooler service.

Initial enumeration

As always, we start the enumeration executing some Nmap, in this case a simple execution is enough to get all the needed information. After adding the new hostname to the “/etc/hosts” file, we execute:

nmap -Pn -On simple.nmap driver.htb

If we launch the same execution with the additional arguments “-sC -sV” we will obtain some more information as Nmap is able to interact with the services and figure out the version as well as other useful information:

As we can see, the main page of the website is requesting credentials. In this occasion, the credentials were straightforward, as they are the most typical credentials so far: “admin:admin”. It was not even necessary to execute bruteforce attack to access the application, which looked like this:

There was only one part with some functionality: “Firmware Updates”, which was a simple file uploader:

We spend some time trying to find any vulnerability that may allow us to advance further by the uploading of a webshell or the overwrite of some files in the webserver… However, the file uploader seems pretty simple and we didn’t get our uploaded test files reachable in any point of the website (and the directory scanner only found the /images/ folder…)

After getting some frustration at this point, we look closer to the website content and the descriptions placed in the pages:

If we remember, we are in front of a Windows Server regarding the Nmap scann output and the SMB service is clearly running as the 445 port is opened. The message explains that some manually review is going to be done with the files that we upload from the web application, which always indicates that a client-side exploitation is possible.

In this sense, there are some vectors which may allow the retrieval of user’s hashed windows credentials. In this page is explained how the Shell Command Files (SCF) can be used to get the user’s credentials (hashed) whenever he/she browses with, for example, the Windows Explorer to the folder where the .SCF file is. It looks like this:

The “IconFile” is pointing to a UNC path where we have placed our IP. By the use of tools such as Responder we can capture the hashed user’s credentials just waiting until he/she browses to the folder where the file has been saved.

We capture the hash in 1 second after uploading the file using the web application, this is how it looked:

Alright! we have now the tony’s credentials. This type of hash is a “NTLMv2”, which is a bit slower for cracking than the NTLM and it cannot be used to perform PassTheHash attacks. We successfully crack the weak password using hashcat:

Okay, the password is “liltony”, let’s see if he is part of any high privileged group using enum4linux (if we launch it with the argument -G we will search only for the groups and it will be faster):

Unfortunately, Tony is not any kind of administrator of the computer. Let’s move on and try to use these credentials to get the initial access into the server. Typically, when we have SMB opened we can get the chance of finding some interesting file with relevant information that helps us to move forward but in this case there wasn’t. There were three shares: ADMIN$, C$ and IPC$ and we had only read access in IPC$ which doesn’t contain nothing interesting.

Another ways to get access are RDP but it is closed. Fortunately, we always execute a full port scanning Nmap at the beginning of every HackTheBox challenge and there is the port 5985 opened which indicates that WinRM is opened and we obtain access utilizing this protocol by the use Evil-WinRM.

After accessing with the user Tony, we can get the “user.txt” flag.

Privilege Escalation

The privEsc of this machine is based mainly in the name of the challenge: “Driver”. The enumeration with WinPEAS didn’t return nothing relevant enough and something suspicious was the fact that our user couldn’t enumerate the installed security patches (KBs). This is something that every user usually can enumerate and this caught our attention.

Furthermore, the thematic of the printers in the website part and the name “Driver” of the HTB boot2root challenge indicates something and we just figure it out: “Maybe the privilege escalation part has to be done by the abuse of the famous PrintNightmare vulnerability”. Additionally, we could confirm that the “Spooler” service was running, which is one of the requirements:

We downloaded a checker from here and, after execute it in the evil-winrm session we confirmed that there is such possibility:

Alright, for those who don’t know what “PrintNightmare” is, I would recommend this post where it is perfectly technically explained. In short terms, a race condition was discovered in the default “Printer Spooler” service in all the Windows distributions and it is possible to load a malicious DLL by the addition of a new printer driver. Since this service has to run with SYSTEM rights, this vulnerability allows the attacker to gain maximum privileges.

After downloading the following exploit written in PowerShell, we got administrator rights by the addition of a new user to the Administrators local group:

And now we can access using again evil-winrm with the newly created user and read the “root.txt” flag:

Posted on