
final HTB Report Heap Driver

Report by Rowen
Table of Contents
Pen Test:
  Intro and Objective
    Introduction
    Objective
  Report – high level summary
    High level summary
    Recommendations
  Report – Methodologies
Introduction and Objective
Introduction
This document provides comprehensive and detailed documentation
outlining the steps taken to test the security and resilience of the target known
as "HeapDriver." Throughout this guide, we will also cover measures and best
practices aimed at hardening the machine against the vulnerabilities and
security threats identified.
Objective
The objective of the penetration test is to discover and exploit vulnerabilities
in the machine, with the main target being to gain access to the machine and obtain
administrator privileges. This is not for malicious purposes: the scope of
the test is to demonstrate the process used in a concise manner while also
explaining the steps and best practices needed to patch or monitor the associated
vulnerabilities and secure the target machine.
Report: High level summary

Summary
I was tasked with performing the pen test against the target on the HTB
network. The test serves as a simulated attack against this specific machine.
Initially I scanned the machine to see what ports were open and what was running.
I initially scanned but nothing came up, so I did a full scan of the box and was able
to find the webserver, but I was unable to do anything with the web shell that it
provided; I was able to see directories but couldn't figure out how to go further.
When I was doing my research, I found that HTB referenced a specific CVE for
privilege escalation on Windows that overwrites some data, which I surmise is used
to gain access to root. The main issue I have is figuring out where I need to go
from here to find more info to gain a better foothold into the site.
Recommendations
There is a patch for CVE-2021-40449 which should be applied to prevent the
escalation of privileges to root. Securing the web shell is the next step, and
removing the command executor would eliminate direct command interaction. If any
command interface must remain, sanitizing and validating its input against an allowlist
becomes increasingly important so that threats cannot gain more access to the machine.
Also, implement logging on the machine and make sure those logs are audited regularly.
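As an added illustration of the last two recommendations (allowlist validation of web-shell input and auditing the web server's logs), the following Python example is not part of the original report or of the HTB machine. It validates a command parameter against an allowlist of permitted programs and scans Apache combined-format access-log lines for requests that reach a web-shell endpoint, flagging those whose command would have failed validation. The endpoint path `/shell.php`, the parameter name `cmd`, the allowlist contents and the sample log lines are all assumptions constructed for the example.

```python
import re
import shlex
from urllib.parse import urlsplit, parse_qs

# Hypothetical web-shell endpoint and parameter name; the report does not give
# the real ones, so these are placeholders chosen for illustration only.
SHELL_PATH = "/shell.php"
CMD_PARAM = "cmd"

# Allowlist: the only program names the endpoint should ever be allowed to run.
# (Assumed set; a real deployment would list exactly what the application needs.)
ALLOWED_PROGRAMS = {"whoami", "hostname", "ipconfig"}

# Apache "combined" log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def validate_command(raw):
    """Return the argument list if the command is acceptable, otherwise None.

    Validation is allowlist-based: the first token must be a permitted program
    and no shell metacharacters may appear anywhere in the input.
    """
    if not raw or len(raw) > 200:
        return None
    # Reject anything that could chain or redirect commands in cmd.exe / sh.
    if re.search(r"[;&|`$<>\r\n^]", raw):
        return None
    try:
        argv = shlex.split(raw)
    except ValueError:  # unbalanced quotes etc.
        return None
    if not argv or argv[0].lower() not in ALLOWED_PROGRAMS:
        return None
    return argv


def audit_access_log(lines):
    """Return findings for every request that hits the web-shell endpoint.

    Each finding records client IP, timestamp, HTTP status, the decoded command
    parameter, and whether that command would have passed validate_command().
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != SHELL_PATH:
            continue
        # parse_qs URL-decodes the value, so "%26%26" becomes "&&".
        cmd = parse_qs(parts.query).get(CMD_PARAM, [""])[0]
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "cmd": cmd,
            "allowed": validate_command(cmd) is not None,
        })
    return findings


# Constructed sample log lines (not from the target); the third line carries a
# chained command that the allowlist rejects, the fourth a POST with no query.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Mar/2024:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [12/Mar/2024:10:15:40 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [12/Mar/2024:10:15:51 +0000] "GET /shell.php?cmd=whoami%20%26%26%20net%20user HTTP/1.1" 200 980 "-" "curl/7.88"',
    '10.10.14.9 - - [12/Mar/2024:10:16:02 +0000] "POST /shell.php HTTP/1.1" 200 12 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        flag = "ok     " if f["allowed"] else "REJECT "
        print(f"{flag} {f['ip']:<12} {f['time']}  {f['status']}  cmd={f['cmd']!r}")
```

Every hit on the endpoint is reported, not only the rejected ones, because the point of auditing is to see who is using the command interface at all; a POST whose body is not logged still shows up as a finding with an empty command, which is itself worth investigating.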
Report – Methodologies
First, we scan the target.

👉 HeapDriver [Very Easy - Windows]

▪️ Skills: CVE Exploitation (CVE-2021-40449)
▪️ Type: System
▪️ CVSS Score: 7.8

https://www.cve.org/CVERecord?id=CVE-2021-40449

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40449

https://cwe.mitre.org/data/definitions/416.html

https://nvd.nist.gov/vuln/detail/CVE-2021-40449

https://packetstormsecurity.com/files/164926/Win32k-NtGdiResetDC-Use-After-Free-Local-Privilege-Escalation.html

Initial scans didn't show anything.


https://httpd.apache.org/security/vulnerabilities_24.html

Apache httpd 2.4.51 vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2022-23943

https://nvd.nist.gov/vuln/detail/CVE-2022-22720
