Fuse
Windows : Medium
Password spray attack, Windows API, Windows Privilege Escalation, WinRM.
Reconnaissance: NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.193
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-22 09:50:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2024-01-22T01:50:23-08:00
|_clock-skew: mean: 2h52m59s, deviation: 4h37m09s, median: 12m58s
| smb2-time:
| date: 2024-01-22T09:50:25
|_ start_date: 2024-01-22T09:03:33
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: requirednmap found twenty open TCP ports, looking like a Windows domain controller The LDAP script identified a domain, fabricorp.local. The SMB script identified the OS as Windows Server 2016 Standard 14393, which matches with the IIS version of 10.
Enumeration: SMB Port 139/445/tcp
crackmapexec confirms the OS and domain:
smbmap shows that null auth doesn’t allow access:
I’m able to connect with rpcclient, but don’t have permissions to access anything:
Enumeration: MSRPC Port 135/tcp RPC - TCP 445
I’m able to connect with rpcclient, but don’t have permissions to access anything:
Enumeration: LDAP - TCP 389
I’ll use ldapsearch to confirm the base domain of fabricorp.local with -s base namingcontexts:
Looks like I need creds to get deeper:
Shell as svc-print
Spray for Password: At this point, I don’t have a lot of options without credentials. I do have a handful of user names from the these printer logs. The logs are also potentially a good source of target specific words that might be used as a password. I’ll use them to build a wordlist and try to spray that against SMB to see if I can get anything.
Build Wordlist: I’ll create a wordlist from the webpage using cewl. The --with-numbers flag is a good one to use, especially here:
Because I didn’t specify a --depth, it will go two links away from the root page, which should be enough to get everything I want.
Privesc: svc-print –> SYSTEM
Generate Payload: I could compile my own payload since I’ve already got Visual Studio open, but I’ll opt for a simple msfvenom payload. I’ll use windows/x64/shell_reverse_tcp to get a reverse shell I can handle with nc:
Now I’ll upload the two executables:
ExploitCapcom This is a standalone exploit for a vulnerable feature in Capcom.sys. The feature is exposed through IOCTL and to execute an arbitrary user supplied function pointer with disabling SMEP. This exploit simply abuses the feature to perform token stealing to get the SYSTEM privileges, and then launches the command prompt with the elevated privilege.
Last updated