Initial Nmap scan
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-49.png)
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-50.png)
When I tried access port 80, it got redirected to fuse.fabricorp.local. After adding it to my /etc/hosts file I got the below page
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-51.png)
I downloaded each CSV file and found something interesting
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-53.png)
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-54.png)
I found below usernames
pmerton
tlavel
sthompson
bhult
I tried smbclient anonymous login allowed, but nothing there was found.
I created a list of passwords from the website usig cewl.
cewl -d 5 -m 3 –with-numbers -w passwd.txt http://fuse.fabricorp.local/papercut/logs/html/index.htm
Then I started msfconsole for brute forcing with these usernames and possible passwords
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-55.png)
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-56.png)
We got username tlavel and password Fabricorp01
lets try login with tlavel
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-58.png)
I got to change the password now
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-59.png)
I created a new password: d3r1c@htb
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-60.png)
I used rpccient for further enumeration
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-61.png)
After a while I was able to find an intresting passwrod after enumerating the printers
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-62.png)
We got a set of usernames and a password.
Using msfconsole again for bruteforcing
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-63.png)
I got a new set of username and password
Username : svc-print
Password: $fab@s3Rv1ce$1
Now I tried to get shell using evilwinrm
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-64.png)
We got the user flag!!
Previlege escalation
I executed whoami /all and I found the user svc-print has permission to load and unload drivers
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-65.png)
You can learn how to exploit this by below link
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
I loaded all files in my local machines and in netcat.bat I setup a command to get remote connection to my machine
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-66.png)
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-67.png)
Now it is execution time
PS: you need to setup a netcat session opened
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-68.png)
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-69.png)
Rooted!
Just let me know if you have any doubts
If you found this write-up useful, you can respect me on HTB
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-16.png)
https://www.hackthebox.eu/home/users/profile/240146
You can connect me on
LinkedIn: Derick N
Twitter: Derick N
Leave a Reply