HTB Office Hard Machine 1720381784
Uploaded by Vishwas Dave

HackTheBox Office Hard machine walkthrough

Author: Nima Dabbaghi


● Intro
● Stage 1:
○ Recon
○ Information gathering
○ Finding a way to move forward
○ Joomla scan
○ Directory scan

● Stage 2:
○ Kerberos enumeration
○ SMB shares
○ Passwords from Kerberos pre-authentication packets
○ Gaining access to the web management panel

● Stage 3:
○ Getting a shell as web_account
○ RunasCs + information disclosure into a tstark shell
○ Enumerating the source code
○ Exploiting LibreOffice
○ Reading DPAPI-encrypted secrets with Mimikatz
○ Adding users to the local Administrators group: GPO abuse
○ End
Hello again!

As you know, this is a Windows machine rated Hard, so it looks like it will be a nice journey pwning it.

Anyway, let's go for it.


First of all we should learn about our target and gather as much information as we can, from Nmap to directory scanning and … .

Nmap gives us this result:

What do we have? Only a few ports: 53, 80, 88, 443 and 464. Ports 80 and 443 serve the web application, and we also learn the hostname dc.office.htb.

Let's open the web app to investigate further:

This webpage looks like a gaming website. After checking some details I found that the site is based on Joomla.

So I started a scan with joomscan:

Version found: 4.2.7!
Searching for this version turns up an exploit for an information disclosure vulnerability (CVE-2023-23752):

https://github.com/Acceis/exploit-CVE-2023-23752

Let's use it.

Now we have the database username and password!
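From the defender's side, the two web-facing steps above leave distinct traces in the XAMPP access log: successful (HTTP 200) reads of the Joomla 4 web-service routes that CVE-2023-23752 exposed without authentication, and later a template edit from the administrator panel followed by a request for a new .php file under /templates/. The following Python is an added example written for this walkthrough, not code from the original page or from Joomla; the log lines are constructed, the route list assumes the default /api/ mount point of a stock install, and the template PHP allowlist is an assumption about what a site template legitimately ships.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache/XAMPP access-log lines for this example (not captured from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [08/Jul/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Jul/2024:10:01:09 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843 "-" "curl/8.4.0"
10.10.14.5 - - [08/Jul/2024:10:01:11 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 912 "-" "curl/8.4.0"
10.10.14.9 - - [08/Jul/2024:10:02:30 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 77 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Jul/2024:10:07:40 +0000] "POST /administrator/index.php?option=com_templates HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Jul/2024:10:08:02 +0000] "GET /templates/cassiopeia/shell.php?cmd=whoami HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.10.14.9 - - [08/Jul/2024:10:09:00 +0000] "GET /templates/cassiopeia/template.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Joomla 4 web-service routes that CVE-2023-23752 exposed without authentication
# (assumes the default /api/ mount point of a stock install; fixed in 4.2.8).
LEAKY_API_ROUTES = {"/api/index.php/v1/config/application", "/api/index.php/v1/users"}

# PHP files a Joomla site template legitimately contains (assumption for this example);
# any other .php requested directly under /templates/ is suspect.
TEMPLATE_PHP_ALLOWLIST = {"index.php", "error.php", "component.php", "offline.php"}


def classify(line):
    """Map one access-log line to a finding tuple (kind, ip, path), or None if benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path, query = url.path, parse_qs(url.query)
    status = int(m["status"])
    if path in LEAKY_API_ROUTES and status == 200:
        # A 200 on these routes means config or user data actually left the server.
        return ("cve-2023-23752-read", m["ip"], path)
    if path == "/administrator/index.php" and m["method"] == "POST" and "com_templates" in query.get("option", []):
        # Writes through the template editor (System > Site Templates in the panel).
        return ("template-edit", m["ip"], path)
    if path.startswith("/templates/") and path.endswith(".php") and path.rsplit("/", 1)[-1] not in TEMPLATE_PHP_ALLOWLIST:
        return ("php-under-templates", m["ip"], path)
    return None


def triage(log_text):
    """Run classify() over every line and return the findings in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for kind, ip, path in triage(SAMPLE_LOG):
        print(f"{kind:24} {ip:12} {path}")
```

Run against the constructed log it reports the two API reads, the template edit and the new PHP file, while the 401 probe and the stylesheet request are ignored; in production the same three rules are a reasonable starting point for a SIEM query, with the upgrade to 4.2.8 or later being the actual fix.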


I tried to log in with these credentials at /administrator, but no luck.

What should we do?

As you know, Kerberos (port 88) is open, so I can use Kerbrute to enumerate domain users.

Now we have a list of users and a password.


Here I demonstrate how to log in to SMB with the previously leaked password using CrackMapExec.

Great. Now it's time to investigate the SMB shares with these credentials.

A .pcap file.

Download it to our machine and inspect it with Wireshark.

It gives us a Kerberos pre-authentication ciphertext, which we need to crack and convert into a usable password, following this post:

https://vbscrub.com/2020/02/27/getting-passwords-from-kerberos-pre-authentication-packets/

Here we go!
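Both Kerberos steps above (the Kerbrute user enumeration and the password recovered from a captured pre-authentication timestamp) are visible to the domain controller in its 4768 (TGT requested) events. Kerbrute's probing for non-existent names produces a burst of 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source, and accounts whose TGT requests still use RC4 (encryption type 0x17) are the ones whose captured timestamps crack fastest offline; the linked post also covers AES-encrypted timestamps, so strong passwords remain the real control and RC4 removal only raises the cost. The following Python is an added example for this walkthrough, not the page's own tooling; the events are constructed key=value renderings of the 4768 fields, not real log output.

```python
from collections import defaultdict

# Constructed Security-log 4768 (Kerberos TGT request) events rendered as key=value pairs;
# these are not real log lines from the box. Failed requests carry etype 0xffffffff and no pre-auth type.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=- IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=bob Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=- IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=carol Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=- IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=dave Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=- IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=erin Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=- IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=tstark Status=0x0 TicketEncryptionType=0x17 PreAuthType=2 IpAddress=::ffff:10.10.11.3
EventID=4768 TargetUserName=hhogan Status=0x0 TicketEncryptionType=0x12 PreAuthType=2 IpAddress=::ffff:10.10.11.3
EventID=4768 TargetUserName=typo Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=- IpAddress=::ffff:10.10.11.7
"""

# Kerberos encryption type numbers as they appear in 4768 "Ticket Encryption Type".
ETYPE_NAMES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
               0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC"}
WEAK_ETYPES = {0x1, 0x3, 0x17}
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; Status and TicketEncryptionType become ints (None if absent)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    for key in ("Status", "TicketEncryptionType"):
        try:
            fields[key] = int(fields[key], 16)
        except (KeyError, ValueError):
            fields[key] = None
    return fields


def load_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def weak_etype_accounts(events):
    """Accounts whose successful TGT requests still negotiated RC4 or DES keys."""
    return {e["TargetUserName"]: ETYPE_NAMES.get(e["TicketEncryptionType"], "?")
            for e in events
            if e.get("Status") == 0 and e.get("TicketEncryptionType") in WEAK_ETYPES}


def enumeration_sources(events, threshold=5):
    """Source IPs that requested TGTs for at least `threshold` distinct non-existent principals."""
    unknown_by_ip = defaultdict(set)
    for e in events:
        if e.get("Status") == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown_by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return sorted(ip for ip, users in unknown_by_ip.items() if len(users) >= threshold)


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("weak etypes:", weak_etype_accounts(evs))
    print("enumeration sources:", enumeration_sources(evs))
```

The threshold separates an enumeration run from a single mistyped username (the lone 0x6 from the third address); tune it to the domain's baseline. Accounts listed by weak_etype_accounts are candidates for an AES-only msDS-SupportedEncryptionTypes setting and a password reset so that the new AES keys are generated.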

Log in to the website as administrator with the password obtained above.

Under System > Site Templates we can create a new file and upload our shell.

I used: https://github.com/flozz/p0wny-shell

Then open the shell file in the web browser:

As you can see, I transferred RunasCs.exe to get a direct shell from the machine!


machine!

Having acquired the credentials for tstark, I use them to run RunasCs with the -r switch, successfully obtaining another reverse shell.

Here is the command:
Let's get back to our first shell's directory, C:\xampp\htdocs\, and look at the files, in particular resume.php.

The PHP code in C:\xampp\htdocs\internal\resume.php lets you upload files with the following extensions: docm, docx, doc and odt. It saves the files in the applications folder. I could upload a resume and hope that another user opens it, which would let me run code on their system. Since LibreOffice is installed, it is likely the application used to open odt files.

With further enumeration I got the version of LibreOffice installed on the machine:

Now just search for an exploit for this version (CVE-2023-2255):

https://github.com/elweth-sec/CVE-2023-2255
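The upload handler in resume.php accepts the file purely by extension, and the LibreOffice issue linked above (CVE-2023-2255) concerns documents whose floating frames link to external content being loaded without a prompt. A server-side check that opens the uploaded container and looks for the things a resume never needs (a VBA project in an OOXML file, a Basic macro library in an ODF file, floating frames with external links) blocks this whole class of upload-and-wait-for-a-click attacks regardless of which viewer the victim uses. The Python below is an added example written for this walkthrough, not the page's resume.php or LibreOffice code; the sample documents are built in memory and are constructed minimal containers, and the policy of refusing .docm and legacy .doc outright is this example's choice, stricter than what resume.php allows.

```python
import io
import re
import zipfile

# Policy for this example: .docm is macro-enabled by design and legacy .doc (OLE2) cannot be
# inspected with zipfile, so both are refused even though resume.php itself accepts them.
ALLOWED = {".docx", ".odt"}
ODT_MIME = "application/vnd.oasis.opendocument.text"
# In ODF the draw:floating-frame element carries the xlink:href of the linked content.
FLOATING_FRAME_RE = re.compile(r"<draw:floating-frame\b[^>]*>")
HREF_RE = re.compile(r'xlink:href="([^"]+)"')


def scan_upload(filename, data):
    """Return a list of findings for an uploaded document; an empty list means it passed."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext not in ALLOWED:
        return [f"extension {ext or '(none)'} not allowed"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP-based document container"]
    names = set(zf.namelist())
    findings = []
    if ext == ".odt":
        # The extension must match the container, otherwise the viewer may sniff a different format.
        if "mimetype" not in names or zf.read("mimetype").decode("ascii", "replace") != ODT_MIME:
            return ["container does not match the .odt extension"]
        if any(n.startswith("Basic/") for n in names):
            findings.append("ODF Basic macro library present (Basic/)")
        if "content.xml" in names:
            content = zf.read("content.xml").decode("utf-8", "replace")
            for frame in FLOATING_FRAME_RE.findall(content):
                href = HREF_RE.search(frame)
                findings.append(f"floating frame linking to {href.group(1) if href else '?'}")
    else:  # .docx
        if "[Content_Types].xml" not in names:
            return ["container does not match the .docx extension"]
        if "word/vbaProject.bin" in names or b"macroEnabled" in zf.read("[Content_Types].xml"):
            findings.append("VBA project present in a file claiming to be .docx")
    return findings


def build_odt(macro=False, frame_href=None):
    """Constructed minimal ODT for testing; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ODT_MIME)
        body = "<text:p>Resume</text:p>"
        if frame_href:
            body += f'<draw:frame><draw:floating-frame xlink:href="{frame_href}" xlink:type="simple"/></draw:frame>'
        zf.writestr("content.xml", f"<office:document-content>{body}</office:document-content>")
        if macro:
            zf.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()


def build_docx(vba=False):
    """Constructed minimal OOXML document for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_upload("cv.odt", build_odt()))
    print(scan_upload("cv.odt", build_odt(macro=True, frame_href="http://example.invalid/f")))
    print(scan_upload("cv.docm", build_docx()))
```

The scanner is deliberately allowlist-shaped: it rejects on any mismatch between extension and container rather than trying to enumerate every bad construct, and it should sit in front of the save-to-applications-folder step, together with a randomised stored filename so the uploader cannot predict the path.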

The credentials are saved in %APPDATA%\Microsoft\Credentials, and their master keys are in %APPDATA%\Microsoft\Protect\<SID>. These keys are protected, but I can retrieve them via the BackupKey Remote Protocol (MS-BKRP). Mimikatz has this function, so all I need is the filename of the stored credential and the user's SID:

With this information I can start decrypting the secrets. First, I query the GUID of the master key (in this case 191d3f9d-7959-4b4d-a520-a444853c47eb). Then I retrieve the master key from the Domain Controller using /rpc. Finally, I use that key to decrypt the secret.
Alright, we got HHogan's password, and now we can just use evil-winrm to connect to the machine as HHogan!

Time to escalate to Administrator!


Digging deeper into the HHogan user's information, we see this:

To list all Group Policy Objects (GPOs), I use PowerView to identify the policies that the group is allowed to modify.

The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} corresponds to the Default Domain Policy. This policy is created and linked automatically whenever a server is promoted to a Domain Controller.

I take advantage of these privileges by using SharpGPOAbuse to add hhogan to the local Administrators group.

SharpGPOAbuse is a tool that exploits write permissions on Group Policy Objects (GPOs) to gain elevated privileges, for example by adding users to the local Administrators group.

Now all we need to do is log off from this session and reconnect, so the new group membership takes effect.

After that we can see we are Administrator!
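The GPO edit above is not silent: changing what a policy applies (here, a new local Administrators membership) rewrites the groupPolicyContainer object in AD, bumping versionNumber and registering the client-side extension in gPCMachineExtensionNames, and with Directory Service Changes auditing enabled and a SACL on the Policies container the domain controller records each write as a 5136 event naming the account that made it. Any write to the Default Domain Policy by an account that is not one of the designated GPO editors is worth an alert on its own. The Python below is an added example for this walkthrough, not part of the page or of SharpGPOAbuse or PowerView; the 5136 events are constructed dicts of the relevant fields, and the set of authorised editors is an assumption.

```python
import re

# Constructed Security-log 5136 (directory service object modified) events, reduced to the
# fields that matter here; not real log output from the box.
SAMPLE_5136 = [
    {"SubjectUserName": "administrator", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=office,DC=htb",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"SubjectUserName": "hhogan", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=office,DC=htb",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"SubjectUserName": "hhogan", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=office,DC=htb",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"SubjectUserName": "hhogan", "ObjectClass": "user",
     "ObjectDN": "CN=HHogan,CN=Users,DC=office,DC=htb",
     "AttributeLDAPDisplayName": "description"},
]

DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
# Attributes the Group Policy engine rewrites whenever policy content changes.
GPO_CONTENT_ATTRS = {"gpcmachineextensionnames", "gpcuserextensionnames", "versionnumber", "gpcfilesyspath"}
# Assumption for this example: the only accounts expected to edit GPOs in this domain.
AUTHORIZED_GPO_EDITORS = {"administrator"}
GUID_RE = re.compile(r"^CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System,", re.I)


def gpo_guid(object_dn):
    """Extract the policy GUID from a groupPolicyContainer DN, or None for other objects."""
    m = GUID_RE.match(object_dn)
    return m.group(1).upper() if m else None


def unexpected_gpo_edits(events, authorized=AUTHORIZED_GPO_EDITORS):
    """(user, gpo_guid, attribute) for each GPO content change made by an account outside `authorized`."""
    hits = []
    for e in events:
        if e.get("ObjectClass") != "groupPolicyContainer":
            continue
        guid = gpo_guid(e["ObjectDN"])
        attr = e.get("AttributeLDAPDisplayName", "").lower()
        if guid and attr in GPO_CONTENT_ATTRS and e["SubjectUserName"].lower() not in authorized:
            hits.append((e["SubjectUserName"], guid, e["AttributeLDAPDisplayName"]))
    return hits


def default_domain_policy_touched(hits):
    """True if any unexpected edit landed on the Default Domain Policy, which applies domain-wide."""
    return any(guid == DEFAULT_DOMAIN_POLICY for _, guid, _ in hits)


if __name__ == "__main__":
    found = unexpected_gpo_edits(SAMPLE_5136)
    for user, guid, attr in found:
        print(f"{user} modified {attr} on GPO {guid}")
    print("Default Domain Policy affected:", default_domain_policy_touched(found))
```

The same ACL finding that PowerView surfaces above is the preventive side of this: a group that can edit the Default Domain Policy effectively holds domain-wide code execution, so the detection is a backstop for tightening that ACL, not a substitute for it.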
