In this post, I would like to share a walkthrough of the Office machine from Hack the Box.


This machine is rated Hard on Hack the Box.

What will you gain from the Office machine?


For the user flag, you need to look at the Joomla instance, which inadvertently exposes a password. I will perform a brute-force attack on usernames via Kerberos and then conduct a password spray to identify password reuse. This grants access to an SMB share containing a PCAP file with a Kerberos authentication exchange. By constructing a hash from this exchange and cracking it, I will obtain another password, which also grants access to the Joomla admin account. I will then implant a webshell within a template to gain a foothold on the server. Additionally, an internal site designed for resume submissions can be exploited: using LibreOffice, I will leverage both a CVE and registry modifications to enable macros. The next user has saved credentials, which I will decrypt using Mimikatz to further my access.


As for the root flag, you need to leverage Group Policy Object (GPO) access to obtain administrative privileges.

Information Gathering on Office Machine


Once we have started the VPN connection, which requires a download from Hack the Box, we can start scanning.

┌─[darknite@parrot]─[~/Documents/htb/office]
└──╼ $nmap -sC -sV 10.10.11.3 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-22 07:13 EDT
Nmap scan report for 10.10.11.3
Host is up (0.15s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/ 
| /cache/ /cli/ /components/ /includes/ /installation/ 
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-22 19:07:00Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:31+00:00; +7h53m10s from scanner time.
443/tcp  open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-title: 403 Forbidden
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-06-22T19:08:30+00:00; +7h53m09s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:31+00:00; +7h53m10s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:30+00:00; +7h53m09s from scanner time.
Service Info: Hosts: DC, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h53m09s, deviation: 0s, median: 7h53m09s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-06-22T19:07:53
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.64 seconds
┌─[darknite@parrot]─[~/Documents/htb/office]
└──╼ $

Let’s access the website interface


There is not much to look at on the website interface


However, I did notice some directories being shown on the Nmap result.


It’s a Joomla Interface

Analyzing the website interface on the Office machine


We managed to find the Joomla CMS version used on this machine



We managed to find one password, but we don’t know which user it belongs to

Kerbrute attack on the machine


Therefore, we should be able to obtain the username by using the kerbrute script


At last, we managed to find a match for the username and password
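On the defender’s side, the kerbrute username enumeration and the password spray above each leave a distinctive pattern in the domain controller’s Security log: many 4768 events with status 0x6 (unknown principal) from one source, then 4771 events with status 0x18 (wrong password) across many valid accounts. The script below is an added example, not part of the original walkthrough; the event lines, source IPs and thresholds are constructed assumptions, while the event IDs and status codes are the standard Windows ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of DC Security events as "timestamp,event_id,account,client_ip,status".
# 4768 = TGT requested, 4771 = Kerberos pre-authentication failed.
# Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) is what a username brute force leaves behind;
# 0x18 (KDC_ERR_PREAUTH_FAILED) is what a password spray against valid accounts leaves behind.
SAMPLE_EVENTS = """\
2024-06-22T19:07:01,4768,alice,10.10.14.5,0x6
2024-06-22T19:07:01,4768,bob,10.10.14.5,0x6
2024-06-22T19:07:02,4768,carol,10.10.14.5,0x6
2024-06-22T19:09:10,4771,tstark,10.10.14.5,0x18
2024-06-22T19:09:10,4771,ppotts,10.10.14.5,0x18
2024-06-22T19:09:11,4771,hhogan,10.10.14.5,0x18
2024-06-22T19:30:00,4771,hhogan,10.10.11.9,0x18
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # distinct accounts from one source inside WINDOW (assumed tuning)
PATTERNS = {
    ("4768", "0x6"): "kerberos username enumeration",
    ("4771", "0x18"): "kerberos password spray",
}

def parse_events(text):  # -> sorted (time, event_id, account, ip, status) tuples
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, ip, status = line.split(",")
        events.append((datetime.fromisoformat(ts), event_id, account.lower(), ip, status))
    return sorted(events)

def detect_kerberos_abuse(text, window=WINDOW, threshold=THRESHOLD):
    """Return {(source_ip, label): sorted accounts} for every source that touches
    `threshold` distinct accounts of one failure pattern inside `window`."""
    recent = defaultdict(deque)  # (ip, label) -> (time, account) pairs still in window
    findings = {}
    for ts, event_id, account, ip, status in parse_events(text):
        label = PATTERNS.get((event_id, status))
        if label is None:  # successes and other codes are not a signal here
            continue
        key = (ip, label)
        queue = recent[key]
        queue.append((ts, account))
        while ts - queue[0][0] > window:  # drop events that aged out of the window
            queue.popleft()
        accounts = {a for _, a in queue}
        if len(accounts) >= threshold:
            findings.setdefault(key, set()).update(accounts)
    return {k: sorted(v) for k, v in findings.items()}
```

The single 0x18 from 10.10.11.9 is a normal mistyped password and is not reported; only sources that hit the threshold within the window are.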


There’s one directory that caught my attention when I first saw the list


Finally, we have successfully accessed the SMB share for SOC analysis


There’s one pcap file stored inside


Let’s download the pcap file into our attacker’s machine

Analyze using the Wireshark tool


Let’s open the pcap within the Wireshark tool


We have found the cipher that we can use in the next step


Aside from that, we also found the KRB5 formatting


It would look like something as shown above.


Let’s try to crack the hash that we found earlier


After a while, we managed to retrieve the password

Joomla Escalation on the machine


We should be able to enter the Joomla Dashboard


As shown in the screenshot above, we can access the main page as Tony Stark


We can see the source code for the error.php as shown above


As a result, we need to add our IP address and the port we are listening on


Boom! We have managed to obtain the reverse shell as tstark user



We can read the user flag by typing the “type user.txt” command


Another way to retrieve the shell as tstark is by using the RunasCs.exe script

Escalate to Root Privileges


When looking at the ports open inside the machine, I noticed one that stands out, port 8083


As a result, let’s do some port forwarding by using the port we found earlier.


We can access the localhost website as shown in the screenshot above


We can upload our resume to the application


Let’s upload a random file into the resume section


However, the web application rejects any file type that is not a Microsoft Word document


Let’s download the CVE-2023-2255 exploit script, which can be found here, onto our machine.


The exploit file has been created using the script


Let’s start our listener



We then upload the malicious resume to the application


After a while, we retrieved the reverse shell connection back to us.


To be precise, we have shell access as the ppotts user


Let’s execute cmdkey /list


I managed to find one directory inside the Microsoft Protect directory


Sadly, nothing was found inside


Nothing looks interesting here.


However, some files are stored in the Credentials directory


As a result, let’s upload mimikatz onto the victim machine

Gathering information using mimikatz on the Office machine


Let’s start mimikatz on the victim machine




We managed to obtain another username and password while executing the command in mimikatz


As a result, let’s access the machine with the credentials that we found earlier.


The screenshot above shows the privileged access obtained with the HHogan account


After reading some articles, we should download the script onto our attacker’s machine


Let’s upload the exe file onto the Office machine


We can retrieve the display names of all GPOs


Therefore, we should execute the command above to get access


We should update the policy by executing the command above


Boom! We have been added to the Administrators group
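From the defender’s side, a GPO edited with write access like this leaves its footprint in SYSVOL. The audit below is an added example, not the original post’s script and not the tool the walkthrough uses; it assumes the Administrators membership was pushed through the Restricted Groups policy in the GPO’s GptTmpl.inf, and the sample file, SIDs and allow-list are constructed.

```python
import configparser

# Constructed sample of a GPO's MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf (on disk
# under SYSVOL it is UTF-16; decode it before parsing). The [Group Membership] section is
# the Restricted Groups policy: "<group>__Members" lists the principals the policy forces
# into that group on every computer the GPO applies to. S-1-5-32-544 is BUILTIN\Administrators.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-32-555__Members = OFFICE\\helpdesk
"""

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

def restricted_group_members(inf_text):
    """Map each restricted group (SID or name, leading '*' stripped) to the list of
    members the policy forces into it."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep case and the leading '*' that marks SID keys
    cp.read_string(inf_text)
    members = {}
    if not cp.has_section("Group Membership"):
        return members
    for key, value in cp.items("Group Membership"):
        if not key.endswith("__Members"):
            continue
        group = key[: -len("__Members")].lstrip("*")
        members[group] = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return members

def unexpected_local_admins(inf_text, allowed=()):
    """Return principals this GPO pushes into local Administrators that are not on the
    allow-list: the footprint left behind when GPO write access is abused."""
    admins = restricted_group_members(inf_text).get(ADMINISTRATORS, [])
    return [m for m in admins if m not in allowed]
```

Run it over every GptTmpl.inf under \\domain\SYSVOL\domain\Policies and compare the result with the change tickets for the GPO; a user SID appearing there without one is the finding.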



We can read the root flag by typing the “type root.txt” command

Extra Information