Official Fuse Discussion

Hello. I can’t get out of the user for days… I compile and run eopld*r.exe, but I get no output.
What should I modify in that exe file? Is it Image_path? I don’t even know what to fix.

@lee321 said:

Hello. I can’t get out of the user for days… I compile and run eopld*r.exe, but I get no output.
What should I modify in that exe file? Is it Image_path? I don’t even know what to fix.

There are a couple of other files you need to use with it - one of them has to be modified to point to your payload. Its the second exe which does the work, so there may be no output from this one.

Anyone else getting NTSTATUS: c0000034 when executing the loader?

Rooted. Very fun box that taught me a bunch of new very interesting things. Also made me work a little more than I usually have to for the root. Loved it.

I guess my least favorite part was the initial foothold because I never like brute-forcing but the rest of it was amazing.

Thanks to @egre55 for the box and @SanderZ31 for the nudges.

Feel free to PM me for nudges.

Root obtained. Managed to find a pre-compiled ver so I didn’t need to set up my own VM thankfully.

after through multiple pages of this forum, i guess i am doing it wrong if i am running after ldap/smb!!!

i have compiled explxxxcxxcom but how to compile epxxxdriver.cpp in VS2019?
please helpppppp

Can someone give me a small nudge on how to move for user? I’ve been able to make initial creds work, dumped domain info and see to what user I have to move… but don’t see how. I tried krbs attack and tried to abuse the pnt*r sp**ler service without luck…

@ompamo said:

Can someone give me a small nudge on how to move for user? I’ve been able to make initial creds work, dumped domain info and see to what user I have to move… but don’t see how. I tried krbs attack and tried to abuse the pnt*r sp**ler service without luck…

You wont thank me for this but it depends which user you are in as…

If you use the first account to enumerate more you can find a way to access as the second account via a very stable evil tool. This second account gives access to the user flag.

Looking for a nudge on ELD****.exe complied it and it works properly on my machine. However the victim machine it is not working.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Great box, not so experienced with windows so it was a good learning experience of some core windows functions. Thanks to @TazWake for taking the time to explain the difference between some clients.

Rooted!
Feel free to pm me for nudges

Welp, for everybody struggling with c000004a just try to input full path for .sys file. Wasted about 40 minutes trying to figure it out.
Thanx, @egre55, that was a really interesting thing and a lot of experience!

My head is spinning from that privesc. Foothold is just, well, foothold 101.
Great box.

May have been too much for me to absorb it all at once. I’ll need to try it from scratch again. Just not this week.

Rooted.
User: when you find something try in other services. more and more and …
root: Think of it like a potato attack. “whoami is your friend.”
If you need some help, DM me.

looking for a nudge on foothold. I’ve just nmapped the box and I’ve found some users, not sure it’s the right way to procede. dm me please :smile:

# whoami;hostname
whoami;hostname
nt authority\system
Fuse

User: just totally ctf. I didn’t enjoy it at all, like, at all.
Root: Okay that was fun, tbh - even when I’m drunk at 3 AM XD

Rating: 6/10
Thanks for the box :slight_smile:

Hi, I got shell and user but I have something weird I don’t fully understand.
When I play with a box I usually add it to my hosts file like 10.10.10.193 fuse fuse.htb .

Not sur if it is a good practice or not. during the enumeration I used some credentials to enumerate more to find user password. the command used to find it ens (via r) failed when I used fuse.htb and worked fine with IP. The error was WERR_INVALID_NAME.

I hope it isn’t and spoiler. Apologies if it is.

@Darvidor said:

Hi, I got shell and user but I have something weird I don’t fully understand.
When I play with a box I usually add it to my hosts file like 10.10.10.193 fuse fuse.htb .

Not sur if it is a good practice or not.

There is nothing wrong with it. Just remember you might not be using the same hostname as the box creator, so always be flexible enough to try different things.

during the enumeration I used some credentials to enumerate more to find user password. the command used to find it ens (via r) failed when I used fuse.htb and worked fine with IP. The error was WERR_INVALID_NAME.

This is possibly down to the technology stack involved.

Other people have discovered the issue: Official Fuse Discussion - #180 by danielcues - Machines - Hack The Box :: Forums

Someone with a better understanding of the stack might have a good answer, but in my experience, it is simply that some tools work better with an IP address, some with a hostname and sometimes you need to find out what the hostname is for that tool.

In this case, IP works.

Hi, I’ve made it with get two creds that actually works. I have now the problem that I can see the shares but no perms to execute stuff with ps/smbexec (I guess the users aren’t admins).
any idea?