PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-07 23:36:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h52m08s, deviation: 4h37m09s, median: 12m07s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-01-07T23:37:32
|_ start_date: 2024-01-07T23:30:39
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2024-01-07T15:37:31-08:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.46 seconds
What we can see
Most likely a domain controller, given the presence of DNS (53), Kerberos (88), LDAP (389/636) and the Global Catalog ports (3268/3269)
Windows Server 2016 (build 14393)
Domain name: fabricorp.local. We can add this, together with the host's FQDN Fuse.fabricorp.local, to our hosts file
Host name: FUSE
Let's see if we can perform a zone transfer, since port 53 (DNS) is open
No luck
Let's test for anonymous authentication against the exposed services
When we do so and try to access the web page again, we can see the following
Looking at the print logs we can see a couple of usernames on the system
Other than the usernames I can't really find any other pieces of interesting information, and we need a set of working creds to progress, so we can use cewl to build a wordlist from the site and try it against the usernames we have found
Building a wordlist
Now that we have a list of possible usernames, let's perform some password spraying via SMB
We do see something interesting
We have:
But it looks like the passwords have expired
We tried to authenticate to a few services, but no luck
If we look back at the image above we can see the message STATUS_PASSWORD_MUST_CHANGE, meaning we do have valid credentials but they are expired: the password itself was accepted, the account just has to change it before it can log on. A spray tool that only reports clean successes would hide this, so it pays to look at the exact NT status of each failure. We could try to reset the password ourselves using a tool like smbpasswd
Now we just need to create a password that meets the domain's password complexity requirements
It seems the password expires 1 minute after creation, so what we can do is write a basic Python script that automates the password change process and hands us a fresh password right before each step
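One way to automate that change, as an added example rather than the write-up's own script: generate a password that satisfies a default-style Windows complexity policy (at least three of the four character classes, minimum length, no username inside) and feed it to smbpasswd's silent mode, which reads the old password and the new password twice from stdin. It assumes Samba's smbpasswd is installed on the Linux host; the DC name and account in the usage line are placeholders.

```python
"""Added example (not from the original post): change an expired AD password
with `smbpasswd -s -r <dc> -U <user>`, generating a policy-compliant password.
Assumptions: smbpasswd present; silent mode reads old, new, new from stdin."""
import secrets
import string
import subprocess
import sys
from typing import List, Optional

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+"


def is_complex(password: str, username: str = "", min_len: int = 7) -> bool:
    """Mirror the default Windows 'must meet complexity requirements' rule:
    >= min_len characters, at least three of the four classes, and the
    account name must not appear inside the password."""
    if len(password) < min_len:
        return False
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    classes = [
        any(c in UPPER for c in password),
        any(c in LOWER for c in password),
        any(c in DIGITS for c in password),
        any(c in SYMBOLS for c in password),
    ]
    return sum(classes) >= 3


def generate_password(length: int = 14, username: str = "") -> str:
    """One character from every class, the rest random, shuffled, then
    re-checked with is_complex so the guarantee is verified, not assumed."""
    if length < 7:
        raise ValueError("length must be at least 7")
    alphabet = UPPER + LOWER + DIGITS + SYMBOLS
    rng = secrets.SystemRandom()
    while True:
        chars = [secrets.choice(UPPER), secrets.choice(LOWER),
                 secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
        chars += [secrets.choice(alphabet) for _ in range(length - 4)]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if is_complex(candidate, username):
            return candidate


def smbpasswd_argv(dc: str, user: str) -> List[str]:
    """-s: silent (read from stdin); -r: remote machine; -U: account."""
    return ["smbpasswd", "-s", "-r", dc, "-U", user]


def smbpasswd_stdin(old: str, new: str) -> str:
    """Silent mode expects: old password, new password, new password again."""
    return f"{old}\n{new}\n{new}\n"


def change_password(dc: str, user: str, old: str,
                    new: Optional[str] = None) -> str:
    """Run smbpasswd and return the password now set on the account."""
    new = new or generate_password(username=user)
    proc = subprocess.run(smbpasswd_argv(dc, user),
                          input=smbpasswd_stdin(old, new),
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("smbpasswd failed: "
                           + (proc.stderr.strip() or proc.stdout.strip()))
    return new


if __name__ == "__main__":
    # Placeholder usage: chpass.py fuse.fabricorp.local <user> <current-password>
    if len(sys.argv) != 4:
        sys.exit("usage: chpass.py <dc> <user> <current-password>")
    print(change_password(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Each run prints the new password so it can be pasted straight into the next crackmapexec or rpcclient command. Two things the domain may still reject: a new password that repeats one in the password history, and a change attempted inside the minimum password age; the error text smbpasswd returns is surfaced in the RuntimeError so either case is visible.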
Now that we have our automation script, we can continue enumerating
Let's list all the shares
Let's create a new password
Now let's use crackmapexec to list all the shares
For good measure we will also use the spider_plus module and see if we can find anything interesting
Nothing too interesting within SMB, so let's head over to RPC
When we enumerate domain users we can see the following
Since the HTTP site showed printing information, a good place to start enumerating would be the printers
Looks like we could have a possible password
Looks like creds for the HP-MFT01 SMB share
Doesn't authenticate
Let's perform some password spraying using the recently found usernames
First let's clean them up
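The cleanup above is worth scripting, since rpcclient's enumdomusers output has to be stripped of its `user:[...] rid:[...]` wrapping, de-duplicated against the names already pulled from the print logs, and pruned of accounts that only add noise to a spray. The following is an added example, not the write-up's own command; the sample rpcclient lines and print-log names are constructed, not captured from the target.

```python
"""Added example (not from the original post): turn raw enumdomusers output
plus names from other sources into one clean username list for spraying.
Sample input below is constructed."""
import re
from typing import Iterable, List, Tuple

# rpcclient enumdomusers prints:  user:[Administrator] rid:[0x1f4]
ENUMDOMUSERS_RE = re.compile(
    r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Well-known accounts that usually just waste attempts in a spray.
BUILTIN_NAMES = {"administrator", "guest", "krbtgt", "defaultaccount"}


def parse_enumdomusers(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (name, rid) pairs; banner/status lines that don't match are skipped."""
    found = []
    for line in lines:
        m = ENUMDOMUSERS_RE.search(line)
        if m:
            found.append((m.group("name"), int(m.group("rid"), 16)))
    return found


def clean_usernames(lines: Iterable[str], drop_builtin: bool = True,
                    drop_machine: bool = True) -> List[str]:
    """Names only, first-seen order, case-insensitively de-duplicated.
    Built-ins are recognised by name or by a well-known RID (< 1000);
    machine accounts by the trailing '$'."""
    seen, names = set(), []
    for name, rid in parse_enumdomusers(lines):
        key = name.lower()
        if drop_builtin and (key in BUILTIN_NAMES or rid < 1000):
            continue
        if drop_machine and name.endswith("$"):
            continue
        if key not in seen:
            seen.add(key)
            names.append(name)
    return names


def merge_sources(*sources: Iterable[str]) -> List[str]:
    """Case-insensitive union of several name lists, keeping the first spelling."""
    seen, merged = set(), []
    for src in sources:
        for name in src:
            name = name.strip()
            if name and name.lower() not in seen:
                seen.add(name.lower())
                merged.append(name)
    return merged


# Constructed sample: what `rpcclient -c enumdomusers` might print.
SAMPLE_RPC_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[FUSE$] rid:[0x3e8]
user:[alice] rid:[0x450]
user:[bob] rid:[0x451]
user:[svc_scan] rid:[0x452]
"""
# Constructed sample: names noted earlier from the print logs.
SAMPLE_PRINTLOG_NAMES = ["Alice", "dave"]


def build_spray_list() -> List[str]:
    rpc_names = clean_usernames(SAMPLE_RPC_OUTPUT.splitlines())
    return merge_sources(rpc_names, SAMPLE_PRINTLOG_NAMES)


if __name__ == "__main__":
    with open("users.txt", "w") as fh:
        fh.write("\n".join(build_spray_list()) + "\n")
```

Dropping the built-ins is a choice, not a rule: the RID 500 Administrator account cannot be locked out by default and may be worth a separate, deliberate attempt, but Guest and krbtgt only pad the list. Pass drop_builtin=False if you want them kept.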
Let's use crackmapexec to perform the password spraying
And we can see we have some valid creds
Let's list the shares we have access to
Let's use the spider_plus module and see if we have access to anything interesting
Nothing interesting
Let's see if we can WinRM into the machine (port 5985 is open)
We have a shell on the system
Now that we have a session on the target, let's see if we can enumerate the domain over LDAP with bloodhound-python and get some info on the environment
Let's start neo4j
Log in
Start BloodHound
Now we can ingest all the information we collected with bloodhound-python
Don't really find much of interest
If we look at our current privileges on the machine (e.g. with whoami /priv) we can see something interesting
We can see we have SeLoadDriverPrivilege enabled for our current user
This privilege essentially allows us to load a driver into the kernel
How can we exploit this?
Since we have SeLoadDriverPrivilege we are able to register and load a driver ourselves. Windows still enforces driver signature checks, so we cannot load arbitrary code directly; instead we load a legitimately signed but vulnerable driver (Capcom.sys, which lets a caller run arbitrary code in the kernel) and then exploit that driver. This post explains it better
Let's walk through the steps needed to compile the tooling, load the driver and exploit it with SeLoadDriverPrivilege
We will need to compile a few .exe files for the following attack; the best way to compile .exe files is in a Windows VM. To load the vulnerable driver Capcom.sys we will use the following tool from Tarlogic Security: https://github.com/TarlogicSecurity/EoPLoadDriver/
After we have downloaded the tool (essentially a single C++ file), let's start a new project in Visual Studio; in the template window we will choose the C++ Console App
Note: when creating a new project with the "Console App" template you may run into an error; to fix this, go to the Visual Studio Installer,
click 'Modify' and install the 'Desktop development with C++' workload
After this is installed we should be able to select the Console App template without error
Alright, back to compiling eoploaddriver.cpp
Let's start a new project
Click 'Next'
In the next window we can specify the name of our new project (you can name it whatever you want)
Looking in the project we can see a basic hello world program
Now we can replace the generated code with the EoPLoadDriver.cpp code below
To exploit the loaded driver we will use the ExploitCapcom project. Since it ships as a .sln file we will need Visual Studio on our Windows machine; after we have cloned the repo we can simply double-click the ExploitCapcom.sln file
Let's build the project to see if any error occurs before we modify the code
No errors, so it is ready for us to modify the code slightly. If we look at the LaunchShell function we can see the following
This just opens a cmd prompt, but since we only have remote access to the machine this is pretty pointless. What we will do is generate a reverse shell with msfvenom and drop that on the system; instead of the function executing cmd.exe we are going to make it execute shrek123.exe, our reverse shell
So we want to change one line in the code
Now we can build the executable, just like we did with the loader
Let's transfer this to our Linux host, same as before with a Python HTTP server
Let's generate our reverse shell
Let's upload it and start a listener
Start a listener
Let's execute the exploit
Note: you may have to run the following again before executing the exploit