search

Fuse

Windows : Medium

Password spray attack, Windows API, Windows Privilege Escalation, WinRM.

hashtag
Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.193  

53/tcp   open  domain       Simple DNS Plus

80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).

88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-22 09:50:13Z)

135/tcp  open  msrpc        Microsoft Windows RPC

139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn

389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)

445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)

464/tcp  open  kpasswd5?

593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0

636/tcp  open  tcpwrapped

3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)

3269/tcp open  tcpwrapped

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2024-01-22T01:50:23-08:00
|_clock-skew: mean: 2h52m59s, deviation: 4h37m09s, median: 12m58s
| smb2-time: 
|   date: 2024-01-22T09:50:25
|_  start_date: 2024-01-22T09:03:33
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

nmap found twenty open TCP ports, looking like a Windows domain controller The LDAP script identified a domain, fabricorp.local. The SMB script identified the OS as Windows Server 2016 Standard 14393, which matches with the IIS version of 10.

hashtag
Enumeration: SMB Port 139/445/tcp

crackmapexec confirms the OS and domain:

smbmap shows that null auth doesn’t allow access:

I’m able to connect with rpcclient, but don’t have permissions to access anything:

hashtag
Enumeration: MSRPC Port 135/tcp RPC - TCP 445

I’m able to connect with rpcclient, but don’t have permissions to access anything:

hashtag
Enumeration: LDAP - TCP 389

I’ll use ldapsearch to confirm the base domain of fabricorp.local with -s base namingcontexts:

Looks like I need creds to get deeper:

hashtag
Shell as svc-print

Spray for Password: At this point, I don’t have a lot of options without credentials. I do have a handful of user names from the these printer logs. The logs are also potentially a good source of target specific words that might be used as a password. I’ll use them to build a wordlist and try to spray that against SMB to see if I can get anything.

Build Wordlist: I’ll create a wordlist from the webpage using cewl. The --with-numbers flag is a good one to use, especially here:

Because I didn’t specify a --depth, it will go two links away from the root page, which should be enough to get everything I want.

LogoHTB: Fuse0xdf hacks stuffchevron-right

hashtag
Privesc: svc-print –> SYSTEM

Generate Payload: I could compile my own payload since I’ve already got Visual Studio open, but I’ll opt for a simple msfvenom payload. I’ll use windows/x64/shell_reverse_tcp to get a reverse shell I can handle with nc:

Now I’ll upload the two executables:

LogoVisual Studio: IDE and Code Editor for Software DevelopmentVisual Studiochevron-right
LogoInstalling Visual Studio Code on Debian 12 Linux - BookwormLinuxShoutchevron-right

ExploitCapcom This is a standalone exploit for a vulnerable feature in Capcom.sys. The feature is exposed through IOCTL and to execute an arbitrary user supplied function pointer with disabling SMEP. This exploit simply abuses the feature to perform token stealing to get the SYSTEM privileges, and then launches the command prompt with the elevated privilege.

LogoCapcom-Rootkit/Driver/Capcom.sys at master · FuzzySecurity/Capcom-RootkitGitHubchevron-right
LogoCapcom-Rootkit/Driver/Capcom.sys at master · FuzzySecurity/Capcom-RootkitGitHubchevron-right
LogoCompiled-capcom-exploit/ExploitCapcom-updated.exe at main · Ant1sec-ops/Compiled-capcom-exploitGitHubchevron-right
PreviousMonteverdeNextScrambled

Last updated