This is my TryHackMe Fusion Corp machine writeup. You can also find the same writeup on my personal website here:

Firstly I ran nmap and the results was:

As port 80 was open I used “dirb” command to see if there was some useful folder. So I found “backup” folder in which there was a file named “employees.ods”.

I downloaded and open it. It contains a users table:

The victim dnsHostName is Fusion-DC.fusion.corp. I found it using the following command:

So I add in my /etc/hosts file Fusion-DC.fusion.corp.

At this point I used a users list found before to enumerate kerberos:

And the result was:

User lparker in fusion.corp domain was found.

Now, using impacket, I enumerate to find lparker password hash, but first I saved lparker in a new user file (user2):

I cracked the found hash file using john:

and with –show option:

I found lparker password:

Now to connect to victim machine in google I found this:

So I got User 1 flag.

USER 2 flag

For LDAP enumeration using lparker credentials, googling, I found it:


And I got many files including one interesting file (domain_users.html) which contains users SAM Name and in one user (jmurphy) there was his password.

So it was easy to connect to victim machine using new credentials. As seen before, using evil-winrm.rb:

Got USER 2 flag.

USER 3 flag

Running whoami /privs I saw that jmurphy has SeBackupPrivilege and SeRestorePrivilege enabled.

Googling I found this:

I had to copy SeBackupPrivilegeCmdLets.dll and SeBackupPrivilegeUtils.dll files in victim machine:

upload SeBackupPrivilegeCmdLets.dll

Then import them:

Import-Module C:\Users\jmurphy\Documents\SeBackupPrivilegeCmdLets.dll

And finally, as the author “giuliano108” says, run:

and read the USER 3 flag.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store