Official Fuse Discussion

Rooted.

@TazWake thanks for the nudge on the foothold.

Side-stepped compiling from the PoC’s by modifying an existing tool.

Not sure if that’s considered cheating in this case…

Can someone give me a nudge on the initial foothold? I swear I’ve enumerated every service to my ability. Literally don’t understand where I’m going wrong.

Just rooted this machine.
Wow, that was truly a fun journey. Thank you @egre55 for creating this challenge (Keep up the good work)

Also a big thank you to @TazWake for your nudges :slight_smile:

@magomed said:

Can someone give me a nudge on the initial foothold? I swear I’ve enumerated every service to my ability. Literally don’t understand where I’m going wrong.

Examine all that you can on the webpage. There are interesting things in there. Some words out of place maybe?

@MTOTH said:

@danielcues said:

Anybody else getting a “result was WERR_INVALID_NAME”?

I had the same issue, welcome to the club… Thanks to @SanderZ31 for helping me out :slight_smile:

Recompiling and installing an older version of samba didn’t help either.

Sadly getting the same error - did you find a fix?

@sparrow1 said:

@magomed said:

Can someone give me a nudge on the initial foothold? I swear I’ve enumerated every service to my ability. Literally don’t understand where I’m going wrong.

Examine all that you can on the webpage. There are interesting things in there. Some words out of place maybe?

Thanks mate! Will look into it!

I have trouble compiling the EC file at the end, tips?

PM if you can give me a nudge :stuck_out_tongue:

Why was I able to jump from initial shell to root??
user2 was totally skipped.

Some member messed up the user privs??
Can someone confirm??

I am stuck at user and would need a sanity check. I think I know what to do to get to the next step but it seems my connection is too slow with s*b and everything is reset before I can make use of the change. If someone could please PM me, I will explain what I am trying to do.

@nav1n said:

IMHO, this box didn’t get a fair rating; it should have got the rating “hard”. For me it was harder than Blackfield because it was a straightforward machine. But Fuse is NOT.
I believe that if the machine requires a custom exploit or some lines of coding, that should be considered a “hard machine”. Thank you @egre55 for the great fun-filled ride.

This makes me feel less stupid, hahah!

I found a password, but when I tried to use that password with the usernames found, no username and password combination works. I am getting this error.

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1.

What am I doing wrong here? :confused:

Can somebody help me with compiling the exploit. I am using VS 19 but after executing .exe I get no output at all.

Edit: rooted. I was compiling it the wrong way.
Generally it is a very bad box (before the root part). Initial foothold and user are absolutely kings of CTF style, which is pretty bad because people on HTB are looking to learn real skills and not solve puzzles. This is at least the third box with a password hidden on a page among the last couple of machines that I solved. Did the author really think that there are passwords hidden between the lines, or is it just his wet dreams?

@Rayz said:

Why was I able to jump from initial shell to root??
user2 was totally skipped.

Some member messed up the user privs??
Can someone confirm??

That’s just the way it is, the privs are legit, don’t worry :wink:
Nobody messed with the user privs :slight_smile:

@zaphoxx said:
I am stuck at user and would need a sanity check. I think I know what to do to get to the next step but it seems my connection is too slow with s*b and everything is reset before I can make use of the change. If someone could please PM me, I will explain what I am trying to do.

The resets are normal :), u just need to use what u have with the right service.

@sn0b4ll said:

@MTOTH said:

@danielcues said:

Anybody else getting a “result was WERR_INVALID_NAME”?

I had the same issue, welcome to the club… Thanks to @SanderZ31 for helping me out :slight_smile:

Recompiling and installing an older version of samba didn’t help either.

Sadly getting the same error - did you find a fix?

Sure. Do.not.use.hostname!

idk why I can’t get a shell after running ex*****a****.exe!

@falsepromise said:

idk why I can’t get a shell after running ex*****a****.exe!

It depends on what u have done with the code…

As the author of the box I’m happy to discuss any questions you have about realism @VoltK

If anything the root is the most unrealistic component, due to how Microsoft has changed the behavior in later releases of Windows, you are less likely to see this in many environments.

User is very realistic and something you see in real environments.

I accept that foothold is contrived to a certain extent, but if you gain a foothold on such a device, even the names might be insightful, in terms of company-specific language/vocabulary

@egre55 said:

As the author of the box I’m happy to discuss any questions you have about realism @VoltK

If anything the root is the most unrealistic component, due to how Microsoft has changed the behavior in later releases of Windows, you are less likely to see this in many environments.

User is very realistic and something you see in real environments.

I accept that foothold is contrived to a certain extent, but if you gain a foothold on such a device, even the names might be insightful, in terms of company-specific language/vocabulary

Totally agree. And as a professional pentester, I can confirm that this kind of information leakage (and the resulting “breach”) are all too common. Especially with larger infrastructures, you WILL find passwords for all kinds of services and users that are derived from publicly available information about the target.
Due to the limited attack surface (usually, a single system), the foothold always has to be slightly “crafted”, but on this box it is a very tiny “slightly”.

For anyone who doesn’t get any output from the first executable, but it still works locally: make sure you compile it in the same build as the second executable, under a different name.