Hack The Box – Fuse Walkthrough

Introduction

This was an intermediate Windows machine. It involved harvesting usernames and a password from a web application in order to access RPC, where a password stored in a printer's description could be found and used to obtain remote access to the box, and then exploiting a known weakness of the SeLoadDriverPrivilege permission to escalate privileges to SYSTEM.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The initial scan has revealed a few open ports; the first ones to enumerate should be ports 53, 80, 139 and 445.

Performing another Nmap scan with the -p- flag in order to scan all ports:

This new scan has revealed a few more ports, although none of them seems too useful at the moment.

Enumerating HTTP

When accessing the web application through a web browser, an error is displayed. This is probably because it requires a DNS entry for the host.

Updating the hosts file by adding a new entry for this machine:

This finally allows access to the web application, which appears to be running the PaperCut Print Logger:

When viewing the logs of past print jobs (from the screen above), a few usernames can be found:

This information could be useful for a brute-force attack later on. Creating a text file with a list of the users found:

Using CeWL with the following flags to collect a list of words from the website, which can later be used for password cracking:

  • -d to specify the depth of the scan, in this case 5
  • -m to specify the minimum length for the words to collect, in this case 10
  • -w to specify the file to write the findings to, in this case fuse.txt
  • the URL of the website to scan
  • --with-numbers to collect words containing numbers as well

This has collected quite a few words, which can now be used for a brute-force attack against the SMB service.

Using Hydra to brute-force the password, with the following flags:

  • -L to specify the file containing the list of usernames for the brute-force attack
  • -P to specify the wordlist to use for the brute-force attack
  • the service and target to brute-force

This has identified that the password for the “bhult” and “tlavel” users is “Fabricorp01”. It was used as the document name of one of the printed documents:
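The Hydra run above produces a burst of failed logons spread over the harvested user list. As an added example (not part of the original walkthrough), the following Python script shows how a defender would spot that pattern in Security Event ID 4625 records; the records are constructed here, and the threshold and window are assumed values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (Security Event ID 4625), reduced to the
# three fields this check needs. Not real log data from the box.
SAMPLE_FAILED_LOGONS = [
    # (timestamp, target user name, source network address)
    ("2020-06-12T10:00:01", "bhult", "10.0.0.99"),
    ("2020-06-12T10:00:02", "tlavel", "10.0.0.99"),
    ("2020-06-12T10:00:02", "bhult", "10.0.0.99"),
    ("2020-06-12T10:00:03", "tlavel", "10.0.0.99"),
    ("2020-06-12T10:00:04", "bhult", "10.0.0.99"),
    ("2020-06-12T10:00:05", "tlavel", "10.0.0.99"),
    ("2020-06-12T10:07:30", "bhult", "10.0.0.7"),   # single mistyped password, benign
]

def detect_password_attacks(events, threshold=5, window_seconds=60):
    """Flag each source address whose failed logons reach `threshold` inside any
    `window_seconds` window, and report which accounts were targeted: a wordlist
    attack over a harvested user list touches several accounts from one source."""
    by_source = defaultdict(list)
    for ts, user, src in events:
        by_source[src].append((datetime.fromisoformat(ts), user))
    alerts = []
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until the span fits inside window_seconds
            while rows[end][0] - rows[start][0] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in rows[start:end + 1]})
                alerts.append({"source": src, "attempts": end - start + 1, "users": users})
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for a in detect_password_attacks(SAMPLE_FAILED_LOGONS):
        print(f'{a["source"]}: {a["attempts"]} failures against {", ".join(a["users"])}')
```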

Enumerating SMB

Using smbclient to list open shares as the bhult user:

It appears this user is required to change their password. Using the -r flag to prompt a password change:

Using smbclient as the bhult user with the new password to list open shares:

Unfortunately, none of these seemed to be useful.

Enumerating RPC

Remote Procedure Call (RPC) is a protocol that a system can use to request a service from a program located on another system on the network, and it can be used to gather information about a given system. Using the rpcclient tool to log into RPC as the bhult user in order to perform further enumeration:

Once logged in, using the enumdomusers command to enumerate users on the domain:

Using the enumprinters command to enumerate printers on the domain. The HP-MFT01 printer has a description that contains a password:

Since port 5985 is open on the machine, WinRM can be used to authenticate to it. Using evil-winrm to authenticate, after a few attempts it appears that the password belongs to the “svc-print” user:

This allows logging in and grants a PowerShell shell as the svc-print user.
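The printer-description finding above is something a print-server owner can audit for before an attacker reads it over RPC. The following Python script is an added example, not part of the original walkthrough: it scans the Comment and Location fields of a printer export (a constructed CSV here, in the shape a PowerShell Export-Csv of Get-Printer would give) for credential keywords and password-looking tokens; the sample password value is invented.

```python
import csv
import io
import re

# Constructed sample export (not from the box): Name, Comment and Location columns as a
# `Get-Printer | Select Name,Comment,Location | Export-Csv` style dump would contain them.
SAMPLE_CSV = """Name,Comment,Location
HP-MFT01,"Service account: svc-print, password: Example!Pass123 (constructed value)",Building A
Lobby-Printer,Guest printing only,Lobby
Finance-LJ,Contact helpdesk ext 4421,Floor 3
"""

# Words that usually precede an embedded secret.
KEYWORD_RE = re.compile(r"\b(pass(word)?|pwd|secret|cred(ential)?s?)\b", re.I)
# A token mixing upper case, lower case and digits, 8+ characters: typical password shape.
TOKEN_RE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)\S{8,}")

def find_credential_hints(text):
    """Return (kind, value) pairs for every keyword or password-like token in `text`."""
    hints = [("keyword", m.group(1)) for m in KEYWORD_RE.finditer(text)]
    hints += [("token", m.group(0)) for m in TOKEN_RE.finditer(text)]
    return hints

def audit_printer_export(csv_text):
    """Scan the free-text fields of each printer row and report the suspicious ones."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in ("Comment", "Location"):
            hints = find_credential_hints(row.get(field) or "")
            if hints:
                findings.append({"printer": row["Name"], "field": field, "hints": hints})
    return findings

if __name__ == "__main__":
    for f in audit_printer_export(SAMPLE_CSV):
        print(f'{f["printer"]} [{f["field"]}]: {f["hints"]}')
```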

Privilege Escalation

Transferring the winPEAS privilege escalation script using a Python web server and the PowerShell Invoke-WebRequest cmdlet, in order to perform further enumeration on the host:

The script indicates that the current user has SeLoadDriverPrivilege enabled, which can be used to escalate privileges to SYSTEM:

Since this privilege allows users to load any driver, a driver carrying malicious code can be loaded to exploit this weakness. This useful article explains how the privilege can be exploited; in particular, it mentions a GitHub repository that can be used to exploit it automatically:

A pre-compiled version of the exploit is available here. Cloning the GitHub repository:

Creating a netcat.bat file, which will be executed when the exploit runs:

Transferring all of the required files to the victim host using the Python web server and the Invoke-WebRequest PowerShell cmdlet:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Running the exploit, providing the service name and the capcom.sys file, then executing the ExploitCapcom_modded executable:

The netcat.bat script has been executed, connecting back to the Netcat listener and granting a SYSTEM-level shell on the victim host.
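The whole escalation hinges on a service account holding SeLoadDriverPrivilege, which Windows records at every logon in Security Event ID 4672 ("Special privileges assigned to new logon"). As an added example, not part of the original walkthrough, the following Python script reads such records (constructed here, with an invented domain name) and alerts on any account outside an assumed allow list that logs on with driver-loading or similarly dangerous rights.

```python
import json

# Constructed sample of Security log records (Event ID 4672, plus one unrelated 4624),
# reduced to the fields this check needs. Domain name and data are invented, not from the box.
SAMPLE_EVENTS = json.dumps([
    {"EventID": 4672, "SubjectUserName": "Administrator", "SubjectDomainName": "EXAMPLEDOM",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeDebugPrivilege"},
    {"EventID": 4672, "SubjectUserName": "svc-print", "SubjectDomainName": "EXAMPLEDOM",
     "PrivilegeList": "SeLoadDriverPrivilege"},
    {"EventID": 4624, "SubjectUserName": "bhult", "SubjectDomainName": "EXAMPLEDOM",
     "PrivilegeList": ""},
])

# Assumption: a site-specific allow list of accounts expected to hold these rights.
EXPECTED_HOLDERS = {"EXAMPLEDOM\\Administrator"}
# Privileges that on their own are enough to reach SYSTEM, so a new holder is worth an alert.
WATCHED_PRIVILEGES = {"SeLoadDriverPrivilege", "SeDebugPrivilege", "SeTcbPrivilege"}

def parse_privileges(raw):
    """4672 lists privilege names separated by whitespace/tabs; normalise to a set."""
    return {p for p in raw.split() if p.startswith("Se")}

def find_unexpected_privileged_logons(events_json):
    """Return one alert per 4672 record whose account is not on the allow list
    but holds at least one watched privilege."""
    alerts = []
    for ev in json.loads(events_json):
        if ev.get("EventID") != 4672:
            continue
        account = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        held = parse_privileges(ev.get("PrivilegeList", "")) & WATCHED_PRIVILEGES
        if held and account not in EXPECTED_HOLDERS:
            alerts.append({"account": account, "privileges": sorted(held)})
    return alerts

if __name__ == "__main__":
    for a in find_unexpected_privileged_logons(SAMPLE_EVENTS):
        print(f'ALERT: {a["account"]} logged on holding {", ".join(a["privileges"])}')
```

A hit for an account such as svc-print is the cue to review the "Load and unload device drivers" user right assignment in Group Policy, where this privilege is granted.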

Conclusion

This box was really interesting as it involved techniques that are often underestimated, such as crawling words from a website to generate a wordlist, or enumerating RPC to identify clear-text passwords hidden in printer descriptions or other objects of a domain. The privilege escalation was also quite fun and not the usual Rotten/Juicy Potato exploit relying on the SeImpersonate and SeAssignPrimaryToken permissions.