Fuse-Hack The Box Writeup

Initial Nmap scan

When I tried access port 80, it got redirected to fuse.fabricorp.local. After adding it to my /etc/hosts file I got the below page

I downloaded each CSV file and found something interesting

I found below usernames

pmerton

tlavel

sthompson

bhult

I tried smbclient anonymous login allowed, but nothing there was found.

I created a list of passwords from the website usig cewl.

cewl -d 5 -m 3 –with-numbers -w passwd.txt  http://fuse.fabricorp.local/papercut/logs/html/index.htm

Then I started msfconsole for brute forcing with these usernames and possible passwords

We got username tlavel and password Fabricorp01

lets try login with tlavel

I got to change the password now

I created a new password: d3r1c@htb

I used rpccient for further enumeration

After a while I was able to find an intresting passwrod after enumerating the printers

We got a set of usernames and a password.

Using msfconsole again for bruteforcing

I got a new set of username and password

Username : svc-print

Password: $fab@s3Rv1ce$1

Now I tried to get shell using evilwinrm

We got the user flag!!

Previlege escalation

I executed whoami /all and I found the user svc-print has permission to load and unload drivers

You can learn how to exploit this by below link

https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/

I loaded all files in my local machines and in netcat.bat I setup a command to get remote connection to my machine

Now it is execution time

PS: you need to setup a netcat session opened

Rooted!

Just let me know if you have any doubts

If you found this write-up useful, you can respect me on HTB

https://www.hackthebox.eu/home/users/profile/240146

You can connect me on

LinkedIn: Derick N

Twitter: Derick N