Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Fuse

Security Ninja
January 11, 2021 by
Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Fuse.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Fuse, is retired.

Let’s start with this machine.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The walkthrough

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The “Fuse” machine IP is 10.10.10.193.
  3. We will adopt the usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information as possible.
  4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine. [CLICK IMAGES TO ENLARGE]

    nmap -sC -sV -oA Fuse 10.10.10.193

  5. We got lots of hits on ports. Let’s start the enumeration. First, let’s add the box in the hosts file in order to resolve port 80 successfully.
  6. Below is what we got from port 80. Here we have some Excel files.
  7. Combining all the files, we got a bunch of usernames.
  8. Let’s also create an interesting wordlist using cewl, as shown below.
  9. Now, since the SMB port is opened, we can pass on the username and wordlist to SMB module in Metasploit, as shown below.

  10. After the exploit runs, we got following hits combinations working.

  11. Let’s try to connect over SMB using user tlavel. We got a password change error.
  12. Using smbpasswd, we can change the password of the user.
  13. After changing the password, we can do further enumeration using rpcclient, as shown below. We got a list of usernames.
  14. During the enumeration of printers, we got a password.
  15. After figuring out the combination using the above method again, we can log in using evil-winrm as shown below. Once we are in, enumerate further to collect user.txt.
  16. Now, let’s start the enumeration for system-level privileges. Looking into current user privileges, it has the privilege of SeLoadDriver:
  17. Following the exploit here, we can collect the below artifacts.
  18. First the driver file (EOPDriver.cpp) and compile it for x64:
  19. Upload the prepared .exe file to the system and execute it for a sample run.
  20. Upload the CapCom.sys directly to the victim machine.
  21. Once the upload is done, we can install and load the driver, as shown below.
  22. With that loaded, now we can create a reverse shell using msfvenom for x64, as shown below.
  23. Upload the shell to the victim machine also.
  24. Let’s start a listener for the msfvenom shell created above.
  25. Now let’s create the file to exploit the Capcom.sys driver. Under the file, modify it to execute the shell created and uploaded above.
  26. Once the exploit is created, upload it. It will find the loaded driver list and execute the reverse shell.
  27. Once the reverse shell is executed, we got a connection back on our listener.
  28. Then spawning a shell to collect root flag.

This was an interesting machine. The initial foothold is all about enumeration and finding the right credential combination, while the later part is all about exploiting a privilege.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

We will continue this series with more examples of interesting HTB machines in this style.

Security Ninja
Security Ninja