Fuse Writeup — HackTheBox

REBRON SECURITY
Oct 31, 2020

Made by RebornSec ®

Fuse is a Windows box created by egre55, and it is good practice for advanced enumeration on Windows machines. Without further ado, let's start our work :)

Enumeration phase :

As usual, let's start with the Nmap scan:

[~] nmap -sC -sV 10.10.10.193

Several ports are open. Let's start with port 80 (HTTP), which leads to this page:

http://fuse.fabricorp.local/papercut/logs/html/index.htm

We can't reach the page at first, but we can add the hostname to /etc/hosts:

http://fuse.fabricorp.local/papercut/logs/csv/daily/papercut-print-log-2020-05-30.csv

http://fuse.fabricorp.local/papercut/logs/csv/daily/papercut-print-log-2020-05-29.csv

http://fuse.fabricorp.local/papercut/logs/csv/daily/papercut-print-log-2020-06-10.csv

I found a username and a sharing group for a printer in the file, and we already got the domain name from our Nmap scan (fabricorp.local):

Using Robin Wood's tool to generate a wordlist from the page we got:

This is the list I got:

Print
PaperCut
LETTER
DUPLEX
GRAYSCALE
Logger
LONWK
papercut
Excel
Notepad
sthompson
About
print
Pages
Copies
Printer

The working group we want is fabricorp/bhult, so let's try smbclient with different password combinations, but it seems that I can't log in:

After a while of searching, I found a sysadmin asking how to change an SMB password:

Using the old password Fabricorp01 that we got using Metasploit:

I can now change the password to my own:

Now let's use rpcclient to get information and maybe find some credentials:

And here we got our password in plain text: $fab@s3Rv1ce$1

Let's find out which user this password belongs to:

We create a list of users and passwords and test it with our tool CME:

Our final credential is : svc-print:$fab@s3Rv1ce$1
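A defender's view of the password-guessing steps above (the smbclient attempts and the CME run), as an added example that is not part of the original writeup: it groups failed logons by source, flags a source that fails against many accounts in a short window, and calls out failures whose SubStatus means the password was correct but expired or marked must-change. It assumes the failures are available as Windows Security event 4625 records; the sample events, account names and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# SubStatus values (NTSTATUS) carried by Security event 4625 (failed logon).
# These two mean the supplied password was correct but could not be used as-is.
VALID_BUT_BLOCKED = {
    0xC0000224: "must change at next logon",
    0xC0000071: "password expired",
}

# Constructed sample: (time, event id, source address, account, SubStatus).
SAMPLE_EVENTS = [
    ("2020-10-31T09:00:00", 4625, "192.0.2.50", "alice", "0xC000006A"),
    ("2020-10-31T09:01:00", 4625, "192.0.2.50", "alice", "0xC000006A"),
    ("2020-10-31T09:01:30", 4624, "192.0.2.50", "alice", "0x0"),
    ("2020-10-31T10:00:01", 4625, "192.0.2.10", "jdoe", "0xC000006A"),
    ("2020-10-31T10:00:02", 4625, "192.0.2.10", "asmith", "0xC0000224"),
    ("2020-10-31T10:00:03", 4625, "192.0.2.10", "svc-backup", "0xC000006A"),
    ("2020-10-31T10:00:04", 4625, "192.0.2.10", "administrator", "0xC000006A"),
    ("2020-10-31T10:00:05", 4625, "192.0.2.10", "ghost", "0xC0000064"),
]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag sources that fail logons against >= min_accounts accounts within window."""
    by_source = defaultdict(list)
    for ts, event_id, source, account, substatus in events:
        if event_id == 4625:
            by_source[source].append(
                (datetime.fromisoformat(ts), account.lower(), int(substatus, 16)))
    findings = []
    for source, fails in sorted(by_source.items()):
        fails.sort()
        start, widest = 0, set()
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct, _ in fails[start:end + 1]}
            if len(accounts) > len(widest):
                widest = accounts
        if len(widest) >= min_accounts:
            hits = sorted({(acct, VALID_BUT_BLOCKED[code])
                           for _, acct, code in fails if code in VALID_BUT_BLOCKED})
            findings.append({"source": source, "accounts_targeted": len(widest),
                             "valid_password_hits": hits})
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

An account listed under valid_password_hits should have its password reset by an administrator rather than left for the next person who logs on to change it.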

We log in using Evil-WinRM:

And here we got our user.txt :)

Root phase :

If we check the files stored in our user's directory, we notice the Capcom.sys file:

Also checking whoami /all:

For that we are going to use:

And since our user has SeLoadDriverPrivilege, we use both to get our shell:

And there you go, you've got full NT Authority :)
