Official Fuse Discussion

I have trouble compiling the EC file at the end, tips?

PM if you can give me a nudge :stuck_out_tongue:

Why was I able to jump from the initial shell to root??
user2 was totally skipped.

Did some member mess up the user privs??
Can someone confirm??

I am stuck at user and would need a sanity check. I think I know what to do to get to the next step, but it seems my connection is too slow with s*b and everything is reset before I can make use of the change. If someone could please PM me, I will explain what I am trying to do.

@nav1n said:

IMHO, this box didn't get a fair rating; it should have been rated "hard". For me it was harder than Blackfield, because that was a straightforward machine. But Fuse is NOT.
I believe that if a machine requires a custom exploit or some lines of coding, it should be considered a "hard machine". Thank you @egre55 for the great fun-filled ride.

This makes me feel less stupid, hahah!

I found a password, but when I tried to use that password with the usernames I found, no username and password combination works. I am getting this error.

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1.

What am I doing wrong here? :confused:

Can somebody help me with compiling the exploit? I am using VS 19, but after executing the .exe I get no output at all.

Edit: rooted. I was compiling it the wrong way.

Generally it is a very bad box (before the root part). Initial foothold and user are absolute kings of CTF style, which is pretty bad, because people on HTB are looking to learn real skills and not to solve puzzles. This is at least the third box with a password hidden on a page among the last couple of machines that I solved. Did the author really think that there are passwords hidden between the lines, or is it just his wet dreams?

@Rayz said:

Why was I able to jump from the initial shell to root??
user2 was totally skipped.

Did some member mess up the user privs??
Can someone confirm??

That's just the way it is; the privs are legit, don't worry :wink:
Nobody messed with the user privs :slight_smile:

@zaphoxx said:
I am stuck at user and would need a sanity check. I think I know what to do to get to the next step, but it seems my connection is too slow with s*b and everything is reset before I can make use of the change. If someone could please PM me, I will explain what I am trying to do.

The resets are normal :), you just need to use what you have with the right service.

@sn0b4ll said:

@MTOTH said:

@danielcues said:

Anybody else getting a “result was WERR_INVALID_NAME”?

I had the same issue, welcome to the club… Thanks to @SanderZ31 for helping me out :slight_smile:

Recompiling and installing an older version of samba didn’t help either.

Sadly I'm getting the same error; did you find a fix?

Sure. Do.not.use.hostname!

I don't know why I can't get a shell after running ex*****a****.exe!

@falsepromise said:

I don't know why I can't get a shell after running ex*****a****.exe!

It depends on what you have done with the code…

As the author of the box I’m happy to discuss any questions you have about realism @VoltK

If anything, the root is the most unrealistic component; due to how Microsoft has changed the behavior in later releases of Windows, you are less likely to see this in many environments.

User is very realistic and something you see in real environments.

I accept that the foothold is contrived to a certain extent, but if you gain a foothold on such a device, even the names might be insightful in terms of company-specific language/vocabulary.

@egre55 said:

As the author of the box I’m happy to discuss any questions you have about realism @VoltK

If anything, the root is the most unrealistic component; due to how Microsoft has changed the behavior in later releases of Windows, you are less likely to see this in many environments.

User is very realistic and something you see in real environments.

I accept that the foothold is contrived to a certain extent, but if you gain a foothold on such a device, even the names might be insightful in terms of company-specific language/vocabulary.

Totally agree. And as a professional pentester, I can confirm that this kind of information leakage (and the resulting "breach") is all too common. Especially with larger infrastructures, you WILL find passwords for all kinds of services and users that are derived from publicly available information about the target.
Due to the limited attack surface (usually a single system), the foothold always has to be slightly "crafted", but on this box it is a very tiny "slightly".

For anyone who doesn't get any output from the first executable, even though it still works locally: make sure you compile it in the same build as the second executable, under a different name.

@n00baaa said:

So, is this a problem with the machine itself or with the exploit attack?

I think it is an issue with the way you’ve run the exploit.

@HomeSen said:

@egre55 said:

As the author of the box I’m happy to discuss any questions you have about realism @VoltK

If anything, the root is the most unrealistic component; due to how Microsoft has changed the behavior in later releases of Windows, you are less likely to see this in many environments.

User is very realistic and something you see in real environments.

I accept that the foothold is contrived to a certain extent, but if you gain a foothold on such a device, even the names might be insightful in terms of company-specific language/vocabulary.

Totally agree. And as a professional pentester, I can confirm that this kind of information leakage (and the resulting "breach") is all too common. Especially with larger infrastructures, you WILL find passwords for all kinds of services and users that are derived from publicly available information about the target.
Due to the limited attack surface (usually a single system), the foothold always has to be slightly "crafted", but on this box it is a very tiny "slightly".

I just want to add to this, because I quite strongly agree with @HomeSen and @egre55.

Although I am not a pentester, I work in incident response and I’ve lost count of the number of events which have been a result of the kind of issue presented here. It’s why the tool most people will have used exists and why recon is a critical step taught on every pentest course.

While the privesc is a bit unrealistic for an organisation with a well patched, up-to-date environment, in 2020 I’ve seen organisations with Windows 2000 Active Directory servers…

I tried to build E-L–D–.cpp with VS2019. The build succeeded, but there is no output at all when I run E–L–D–.exe on the machine. If someone has successfully compiled E–L–D–.cpp, please DM me.
I want to know where the problem is.
Thank you!

Root: for those who are facing problems with the E*LD.cpp update.
Hope this is not considered a spoiler!!!

1 - Download the project to your Windows machine. Unzip it.
2 - Open VS2019.
3 - Open the file E**Cm.sln.
4 - Open the .cpp file and update it accordingly (look at this code approach: https://cboard.cprogramming.com/windows-programming/109024-createprocess-plus-command-line.html).
5 - Compile!!!
6 - Upload the .exe and the recommended files to the server and shoot!!!

Just rooted!!!
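Since several posts above are about bolting a command line onto the project's CreateProcess call and then getting no output, here is an added example of that one piece in isolation. It is not the box's exploit code and not code from any poster; it shows how to quote arguments the way the Windows CRT and CommandLineToArgvW expect, how to join them into one command line, and how to hand that line to CreateProcessW in a writable buffer. The Unicode CreateProcessW is documented to possibly modify lpCommandLine in place, so passing a string literal is undefined behaviour and a frequent reason a hastily edited sample crashes or silently does nothing. The `cmd.exe /c whoami /priv` command line is only an illustration, not what the box needs. The quoting helpers are portable; the launch function is compiled only on Windows.

```cpp
// Added example, not the box's exploit: build a Windows command line and
// launch it with CreateProcessW using a modifiable buffer.
#include <iostream>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#endif

// Quote one argument using the rules the Windows CRT uses to split argv:
//  - arguments without whitespace or quotes (and non-empty) are left as-is;
//  - otherwise the argument is wrapped in double quotes, every embedded
//    double quote becomes \", and a run of n backslashes that precedes a
//    double quote (or the closing quote) is emitted as 2n backslashes.
std::string quote_argument(const std::string& arg) {
    if (!arg.empty() && arg.find_first_of(" \t\n\v\"") == std::string::npos) {
        return arg;
    }
    std::string out = "\"";
    size_t backslashes = 0;
    for (char c : arg) {
        if (c == '\\') {
            ++backslashes;
        } else if (c == '"') {
            out.append(backslashes * 2 + 1, '\\');  // escape the quote too
            out.push_back('"');
            backslashes = 0;
        } else {
            out.append(backslashes, '\\');          // plain backslashes
            out.push_back(c);
            backslashes = 0;
        }
    }
    out.append(backslashes * 2, '\\');              // before closing quote
    out.push_back('"');
    return out;
}

// Join the program path and its arguments into a single command line.
// The program is the first token; quoting it is what makes paths that
// contain spaces (e.g. under "Program Files") work.
std::string build_command_line(const std::string& program,
                               const std::vector<std::string>& args) {
    std::string cmd = quote_argument(program);
    for (const auto& a : args) {
        cmd += ' ';
        cmd += quote_argument(a);
    }
    return cmd;
}

#ifdef _WIN32
// Launch the command line and wait for it. Returns the child's exit code,
// or -1 if CreateProcessW failed. The command line is copied into a
// std::vector<wchar_t> because CreateProcessW may write into lpCommandLine;
// a string literal there is undefined behaviour.
int run_command_line(const std::string& command_line) {
    std::wstring wide(command_line.begin(), command_line.end());  // ASCII only
    std::vector<wchar_t> buf(wide.begin(), wide.end());
    buf.push_back(L'\0');

    STARTUPINFOW si{};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi{};
    // bInheritHandles = TRUE so the child writes to the same console/stdout.
    if (!CreateProcessW(nullptr, buf.data(), nullptr, nullptr, TRUE,
                        0, nullptr, nullptr, &si, &pi)) {
        std::cerr << "CreateProcessW failed: " << GetLastError() << "\n";
        return -1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    DWORD exit_code = 0;
    GetExitCodeProcess(pi.hProcess, &exit_code);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return static_cast<int>(exit_code);
}
#endif

int main() {
    // Illustrative command line (an assumption, not the box's payload).
    std::string cmd = build_command_line("C:\\Windows\\System32\\cmd.exe",
                                         {"/c", "whoami /priv"});
    std::cout << cmd << "\n";
#ifdef _WIN32
    return run_command_line(cmd);
#else
    return 0;  // nothing to launch off Windows; the quoting still runs
#endif
}
```

On Windows, build it as a console application so the child inherits a console to print to; if the original project is a GUI subsystem binary, a child `cmd.exe` has nowhere to write and "no output" is exactly what you see.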

@egre55 said:

As the author of the box I’m happy to discuss any questions you have about realism @VoltK

If anything, the root is the most unrealistic component; due to how Microsoft has changed the behavior in later releases of Windows, you are less likely to see this in many environments.

User is very realistic and something you see in real environments.

I accept that the foothold is contrived to a certain extent, but if you gain a foothold on such a device, even the names might be insightful in terms of company-specific language/vocabulary.

Respect to the box creator @egre55. The box is real: enum and recon are real world. Vulnerabilities can be patched, not humans.