Fuse from HTB is a Medium Windows ‘vulnerability assessment’ based box in which you build a brute-force list from PaperCut and escalate with SeLoadDriverPrivilege. The reason I classify this box as a ‘vulnerability assessment’ is you need to think as if you already have access to services (such as print services) that I feel you wouldn’t normally have access to in a typical engagement.
I start every scan with AutoRecon:
Port 80 alongside LDAP services running right away. Heading to the website takes me to a PaperCut print management software with some logs of recent print jobs.
AutoRecon Papercut screenshot.
I stumble around with SMB for a while looking for any footholds. Eventually, I try to brute-force the shares utilizing CME (CrackMapExec) alongside CeWL. First I grabbed a list of all users who were printing stuff. Then I ran CeWL against the platform to build a list of possible passwords. I removed any PaperCut related words. I also removed any dates/words that I felt the software was using such as View/CSV/etc. Running the list with CME I get back a few hits:
This list shouldn’t have worked but it did and I was running out of ideas. In a ‘real-world’ scenario I would have used the company’s website/social media pages to build these lists. I wish a one-page website was present for this portion of the box. The three (yes, three) valid accounts I attempted to log in with all gave me the following error – STATUS_PASSWORD_MUST_CHANGE. Googling eventually led me to this guide HERE which I used to reset the password.
My second gripe was the fact that the password only stays valid for about 1 minute. I feel like more users could have been created to increase the overall timeout during release day.
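The spray and the STATUS_PASSWORD_MUST_CHANGE result described above, seen from the defender's side, as an added example that is not part of the original write-up: a failed logon that returns status 0xC0000224 means the guessed password was correct, so those accounts are the ones to reset first. The log lines are constructed, and the five-column layout (time, source, account, Status, SubStatus, as exported from failed-logon events) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MUST_CHANGE = "0xc0000224"  # STATUS_PASSWORD_MUST_CHANGE: the password itself was correct

# Constructed sample (not from the box): time,source,account,Status,SubStatus
SAMPLE = """\
2020-06-13T10:00:01,192.0.2.50,alice,0xC000006D,0xC000006A
2020-06-13T10:00:02,192.0.2.50,bob,0xC000006D,0xC000006A
2020-06-13T10:00:03,192.0.2.50,carol,0xC0000224,0x0
2020-06-13T10:00:04,192.0.2.50,dave,0xC000006D,0xC000006A
2020-06-13T10:00:05,192.0.2.50,erin,0xC000006D,0xC000006A
2020-06-13T10:03:00,192.0.2.77,frank,0xC000006D,0xC000006A
2020-06-13T10:04:00,192.0.2.77,frank,0xC000006D,0xC000006A
2020-06-13T11:30:00,192.0.2.77,frank,0xC000006D,0xC000006A
""".splitlines()

def parse(lines):
    """Turn the CSV-style lines into dicts with a parsed timestamp and lower-cased codes."""
    events = []
    for line in lines:
        ts, src, user, status, sub = line.strip().split(",")
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "user": user.lower(), "codes": {status.lower(), sub.lower()}})
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag sources that fail logons for many distinct accounts inside one time window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start, widest = 0, set()
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:  # slide the window forward
                start += 1
            accounts = {e["user"] for e in evs[start:end + 1]}
            if len(accounts) > len(widest):
                widest = accounts
        if len(widest) >= min_accounts:
            # A must-change result means the guessed password matched: reset these first.
            guessed = sorted({e["user"] for e in evs if MUST_CHANGE in e["codes"]})
            findings.append({"src": src, "accounts": sorted(widest), "guessed": guessed})
    return findings

if __name__ == "__main__":
    for f in detect_spray(parse(SAMPLE)):
        print(f)
```

The single-account failures from 192.0.2.77 stay below the distinct-account threshold, which is what separates a forgotten password from a spray.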
I then used rpcclient after finding no valid SMB shares open to the three users available. rpcclient was able to show me a password under enumprinters which I only tried because I started on a print management software.
SMB shares giving me a whole lot of nothing.
Finding money with enumprinters.
I spray the SMB shares and CME until I get a hit. I actually had to reinstall my CrackMapExec as I was getting errors when running certain commands. I also reinstalled Evil-WinRM to make sure everything was fresh.
CME coming in with a win after being fixed.
After logging in with Evil-WinRM I run whoami /all to see what permissions are available to the account. Immediately I see SeLoadDriverPrivilege and head over to HackTricks HERE.
After reading through the post and doing some Googling I find the repository HERE. I upload the files to a test folder on the machine and run the commands below for root.
ExploitCapcom-both.exe rooting Fuse from HTB.
session.bat as I was unable to get the command flag to work correctly without it.