Ahmed Samir

Nov 2, 2020

5 min read

Hackthebox — Fuse

Summary

Another Windows machine has been retired, with IP 10.10.10.193.

Enumeration

Nmap

We have many ports open: 88 (Kerberos), 139 (NetBIOS), 389 (LDAP), 445 (SMB) and more.

Web Enum

I found usernames in the print logs, so I dumped all the users from those pages.
After that I created a password file to try against these usernames.

Let’s brute-force

We have the same password for all the usernames.
I tried to log in using smbclient.

Tried to change the password

I changed the password to “Fixed011”.
Now log in using rpc.

Now we have new credentials: username svc-print, password $fab@s3Rv1ce$1. Let’s log in with evil-winrm.

Gained the user flag!

Privilege Escalation

I tried to find anything useful.

After searching about the “Load and unload device drivers” privilege, I found this blog: https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

At this point we can use the PoC tool EOPLOADDRIVER.

The tool can be invoked as shown below:

The RegistryKey parameter specifies the registry key created under HKCU (\Registry\User\{NON_PRIVILEGED_USER_SID}\), while the DriverImagePath specifies the location of the driver in the file system.
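The whole escalation hinges on a non-admin account holding SeLoadDriverPrivilege, so the defensive check to pair with it is an audit of who actually holds that right. This PowerShell script is an added example, not part of the write-up or of the EOPLOADDRIVER tool: it exports the effective user-rights policy with secedit (ships with Windows, needs an elevated shell) and flags any holder other than built-in Administrators.

```powershell
# Added example (not from the write-up): list who holds SeLoadDriverPrivilege.
# Run from an elevated PowerShell; secedit.exe ships with Windows.
function Get-LoadDriverPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    # Export only the user-rights assignments from the effective local policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; is the shell elevated?' }

    # The [Privilege Rights] section contains a line such as
    #   SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -Force

    if (-not $line) { return @() }   # no explicit assignment in policy

    $sids = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }

    foreach ($sid in $sids) {
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved SID>' }

        # Only built-in Administrators (S-1-5-32-544) is expected to hold this
        # right; any other holder can load kernel drivers and should be reviewed.
        $status = 'REVIEW'
        if ($sid -eq 'S-1-5-32-544') { $status = 'expected' }

        [pscustomobject]@{ Sid = $sid; Account = $name; Status = $status }
    }
}

Get-LoadDriverPrivilegeHolders | Format-Table -AutoSize
```

Every row marked REVIEW is an account or group that can reach the same path this write-up takes; remove the right from it, or treat membership in that group as equivalent to local admin.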

Run it

We don’t have permission to see that the driver is running, but given the tool output, it seems good. If it returns anything other than NTSTATUS: 00000000, that’s an error. When I initially tried compiling this with mingw-64, I was getting 0xC000003B, which is STATUS_OBJECT_PATH_SYNTAX_BAD: something in the path forming was breaking. STATUS_OBJECT_NAME_NOT_FOUND is thrown when the driver is already loaded.

Now try to get a reverse shell after executing the file.

Gained the root flag!

If you learn anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!