Introduction

Fuse from HTB is a Medium Windows ‘vulnerability assessment’ based box in which you build a brute-force list from PaperCut and escalate with SeLoadDriverPrivilege. The reason I classify this box as a ‘vulnerability assessment’ is that you need to think as if you already have access to services (such as print services) that I feel you wouldn’t normally have access to in a typical engagement.

I start every scan with AutoRecon:

I notice Port 80 alongside LDAP services running right away. Heading to the website takes me to a PaperCut print management software with some logs of recent print jobs.

AutoRecon Papercut screenshot.

I stumble around with RPC and SMB for a while looking for any footholds. Eventually, I try to brute-force the shares utilizing CME (CrackMapExec) alongside CeWL. First I grabbed a list of all users who were printing stuff. Then I ran CeWL against the platform to build a list of possible passwords. I removed any PaperCut-related words. I also removed any dates/words that I felt the software was using such as View/CSV/etc. Running the list with CME I get back a few hits:

This list shouldn’t have worked but it did and I was running out of ideas. In a ‘real-world’ scenario I would have used the company’s website/social media pages to build these lists. I wish a one-page website was present for this portion of the box. Using the three (yes, three) valid accounts I attempted to log in; all gave me the following error – STATUS_PASSWORD_MUST_CHANGE. Googling eventually led me to this guide HERE which I used to reset the password.
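
The spray above is visible from the defending side, and the STATUS_PASSWORD_MUST_CHANGE reply is the strongest signal in it because it only comes back when the guessed password was correct. The sketch below is an added example, not part of the original post: it assumes failed-logon records (Windows event 4625 style) reduced to time, source IP, target account and failure code, and the sample records, account names, addresses, thresholds and the `detect_spray` name are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS failure code as reported in event 4625's Status/SubStatus fields.
MUST_CHANGE = 0xC0000224  # STATUS_PASSWORD_MUST_CHANGE: the password was right

# Constructed sample records: (time, source IP, target account, failure code).
EVENTS = [
    ("2020-11-01T10:00:01", "10.0.0.50", "alice", "0xC000006A"),
    ("2020-11-01T10:00:02", "10.0.0.50", "bob", "0xC0000224"),
    ("2020-11-01T10:00:03", "10.0.0.50", "carol", "0xC000006A"),
    ("2020-11-01T10:00:04", "10.0.0.50", "dave", "0xC0000224"),
    ("2020-11-01T10:00:05", "10.0.0.50", "erin", "0xC000006A"),
    ("2020-11-01T09:00:00", "10.0.0.7", "frank", "0xC000006A"),  # one user, typos
    ("2020-11-01T09:00:20", "10.0.0.7", "frank", "0xC000006A"),
    ("2020-11-01T08:00:00", "10.0.0.9", "alice", "0xC000006A"),  # spread over hours
    ("2020-11-01T10:00:00", "10.0.0.9", "bob", "0xC000006A"),
    ("2020-11-01T12:00:00", "10.0.0.9", "carol", "0xC000006A"),
    ("2020-11-01T14:00:00", "10.0.0.9", "dave", "0xC000006A"),
]


def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Flag sources failing against >= min_users distinct accounts in `window`.

    Returns {source: {"users": n, "must_change": [accounts]}}; must_change
    lists accounts whose failure code shows the guessed password was valid.
    """
    by_src = defaultdict(list)
    for ts, src, user, code in events:
        by_src[src].append((datetime.fromisoformat(ts), user.lower(), int(code, 16)))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start, best = 0, set()
        for end, (ts, _, _) in enumerate(rows):
            while ts - rows[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u, _ in rows[start:end + 1]}
            best = max(best, users, key=len)
        if len(best) >= min_users:
            hits = sorted({u for _, u, c in rows if c == MUST_CHANGE})
            findings[src] = {"users": len(best), "must_change": hits}
    return findings


if __name__ == "__main__":
    print(detect_spray(EVENTS))
```

Accounts listed under `must_change` should have their passwords rotated immediately, since the source already holds a working credential for them.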

My second gripe was the fact that the password only stays valid for about 1 minute. I feel like more users could have been created to increase the overall timeout during release day.

I then used rpcclient after finding no valid SMB shares open to the three users available. rpcclient was able to show me a password under enumprinters which I only tried because I started on a print management software.

SMB shares giving me a whole lot of nothing.

Finding money with enumprinters.

I spray the SMB shares and WINRM with CME until I get a hit. I actually had to reinstall my CrackMapExec as I was getting errors when running certain commands. I also reinstalled Evil-WinRM to make sure everything was fresh.

CME is broken...

CME coming in with a win after being fixed.

Privilege Escalation

After logging in with Evil-WinRM I run whoami /all to see what permissions are available to the account. Immediately I see SeLoadDriverPrivilege and head over to HackTricks HERE.

After reading through the post and doing some Googling I find the repository HERE. I upload the files to a test folder on the machine and run the commands below for root.

ExploitCapcom-both.exe rooting HTB - Fuse.

I used session.bat as I was unable to get the command flag to work correctly without it.

Root HTB Fuse.

Rooted.

Published On: November 1st, 2020 / Categories: HTB, Technology