In this post, I would like to share a walkthrough of the Office Machine from Hack the Box

This machine is rated Hard on Hack The Box.

What will you gain from the Office machine?

For the user flag, you need to look at the Joomla instance, which inadvertently exposes a password. I will brute-force usernames via Kerberos and then conduct a password spray to identify password reuse. This grants access to an SMB share containing a PCAP file with a Kerberos authentication exchange. By constructing a hash from this exchange and cracking it, I will obtain another password, which also grants access to the Joomla admin account. I will then implant a webshell within a template to gain a foothold on the server. Additionally, an internal site designed for resume submissions can be exploited: using LibreOffice, I will leverage both a CVE and registry modifications to enable macros. The subsequent user has saved credentials, which I will decrypt using Mimikatz to further my access.

As for the root flag, you need to leverage Group Policy Object (GPO) access to obtain administrative privileges.

Information Gathering on Office Machine

Once we have started the VPN connection, which requires downloading the connection pack from Hack The Box, we can start.

┌─[darknite@parrot]─[~/Documents/htb/office]
└──╼ $nmap -sC -sV 10.10.11.3 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-22 07:13 EDT
Nmap scan report for 10.10.11.3
Host is up (0.15s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/ 
| /cache/ /cli/ /components/ /includes/ /installation/ 
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-22 19:07:00Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:31+00:00; +7h53m10s from scanner time.
443/tcp  open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-title: 403 Forbidden
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-06-22T19:08:30+00:00; +7h53m09s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:31+00:00; +7h53m10s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:30+00:00; +7h53m09s from scanner time.
Service Info: Hosts: DC, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h53m09s, deviation: 0s, median: 7h53m09s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-06-22T19:07:53
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.64 seconds
┌─[darknite@parrot]─[~/Documents/htb/office]
└──╼ $
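Two details in this scan are worth pulling out before going further: every LDAP/LDAPS certificate on the domain controller had already expired on the day of the scan, and the host clock is almost eight hours away from ours, far beyond the five-minute skew Kerberos tolerates by default (Kerberos requests from an unsynchronised clock are rejected, which is why the skew matters to anyone working against port 88). The script below is an added example, not part of the original walkthrough; it parses a trimmed copy of the Nmap output above and reports both findings.

```python
"""Pull Kerberos-relevant facts out of an Nmap normal-format scan report.

Added example, not from the original post. It parses the kind of output shown
above and reports two things worth noting on a domain controller: TLS
certificates that had already expired on the day of the scan, and clock skew
larger than the 5-minute tolerance Kerberos applies by default.
"""
import re
from datetime import datetime, timedelta

# Trimmed copy of the Nmap output shown above (constructed excerpt).
SCAN = """\
Nmap scan report for 10.10.11.3
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:31+00:00; +7h53m10s from scanner time.
443/tcp  open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
Host script results:
|_clock-skew: mean: 7h53m09s, deviation: 0s, median: 7h53m09s
"""
SCAN_TIME = datetime(2024, 6, 22, 7, 13)     # "Starting Nmap ... at 2024-06-22 07:13"
KERBEROS_MAX_SKEW = timedelta(minutes=5)     # default KDC clock tolerance

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
CN_RE = re.compile(r"ssl-cert: Subject: commonName=(\S+)")
NOT_AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")
SKEW_RE = re.compile(r"clock-skew: mean: (-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_certs(text):
    """Return [(port, service, commonName, not_after)] for each ssl-cert block."""
    certs, port, service, cn = [], None, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, service, cn = int(m.group(1)), m.group(2), None
        elif m := CN_RE.search(line):
            cn = m.group(1)
        elif (m := NOT_AFTER_RE.search(line)) and port is not None:
            certs.append((port, service, cn, datetime.fromisoformat(m.group(1))))
    return certs


def expired_certs(text, scan_time=SCAN_TIME):
    """Certificates whose notAfter date lies before the time of the scan."""
    return [c for c in parse_certs(text) if c[3] < scan_time]


def clock_skew(text):
    """Mean clock skew reported by Nmap's host script, as a timedelta (or None)."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign = -1 if m.group(1) else 1
    hours, minutes, seconds = (int(g or 0) for g in m.groups()[1:])
    return sign * timedelta(hours=hours, minutes=minutes, seconds=seconds)


def skew_exceeds_kerberos_tolerance(text):
    """True when the host clock is further from ours than Kerberos allows."""
    skew = clock_skew(text)
    return skew is not None and abs(skew) > KERBEROS_MAX_SKEW


if __name__ == "__main__":
    for port, svc, cn, not_after in expired_certs(SCAN):
        print(f"{port}/{svc}: certificate for {cn} expired on {not_after.date()}")
    print(f"clock skew {clock_skew(SCAN)}, exceeds Kerberos tolerance: "
          f"{skew_exceeds_kerberos_tolerance(SCAN)}")
```

Run against the full scan it lists three expired certificates (389, 443, 636) and a skew of 7h53m09s; the same regexes work on any Nmap normal-format report that includes the `ssl-cert` and `clock-skew` script output.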

Let’s access the website interface

There is nothing much that we can look at on the website interface

However, I did notice some directories being shown on the Nmap result.

It’s a Joomla Interface

Analyzing the website interface on the Office machine

We managed to find the Joomla CMS version used on this machine

We managed to find one password, but we don't know which user it belongs to

Kerbrute attack on the machine

Therefore, we should be able to obtain the username by using the kerbrute script

At last, we managed to find a match for the username and password
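From the domain controller's side, the two steps just performed (enumerating usernames with kerbrute, then trying one password against each of them) leave a very recognisable trail in the Security log: a burst of event 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, the name does not exist) followed by a burst of event 4771 failures with code 0x18 (KDC_ERR_PREAUTH_FAILED, wrong password) for many different accounts, all from one client address. The detector below is an added example, not part of the original walkthrough; the event lines and most account names are constructed, in a simplified comma-separated form rather than a real export.

```python
"""Spot Kerberos username enumeration and password spraying in DC Security events.

Added example, not from the original post. A single client producing Kerberos
failures for many distinct accounts inside a short window is the signature of
kerbrute-style enumeration (4768 / 0x6) and of a password spray (4771 / 0x18).
The event lines and account names below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,account,client_ip,result_code
EVENTS = """\
2024-06-22T19:05:01,4768,jdoe,10.10.14.5,0x6
2024-06-22T19:05:01,4768,asmith,10.10.14.5,0x6
2024-06-22T19:05:02,4768,bjones,10.10.14.5,0x6
2024-06-22T19:05:02,4768,ckhan,10.10.14.5,0x6
2024-06-22T19:05:03,4768,dlee,10.10.14.5,0x6
2024-06-22T19:06:10,4771,tstark,10.10.14.5,0x18
2024-06-22T19:06:10,4771,ppotts,10.10.14.5,0x18
2024-06-22T19:06:11,4771,hhogan,10.10.14.5,0x18
2024-06-22T19:06:11,4771,user04,10.10.14.5,0x18
2024-06-22T19:06:12,4771,user05,10.10.14.5,0x18
2024-06-22T19:07:00,4771,ppotts,10.10.11.50,0x18
2024-06-22T19:30:00,4771,ppotts,10.10.11.50,0x18
"""

WINDOW = timedelta(seconds=60)   # how close together the failures must be
THRESHOLD = 5                    # distinct accounts from one source inside WINDOW

# (event_id, result_code) -> what a burst of them indicates
SIGNATURES = {
    ("4768", "0x6"): "username enumeration",   # KDC_ERR_C_PRINCIPAL_UNKNOWN
    ("4771", "0x18"): "password spray",        # KDC_ERR_PREAUTH_FAILED
}


def parse_events(text):
    """Parse the constructed CSV into (time, event_id, account, client_ip, code)."""
    rows = []
    for line in text.splitlines():
        ts, event_id, account, client_ip, code = line.split(",")
        rows.append((datetime.fromisoformat(ts), event_id, account.lower(),
                     client_ip, code.lower()))
    return rows


def detect(rows, window=WINDOW, threshold=THRESHOLD):
    """Return {(client_ip, finding): sorted accounts} for every source that
    produced failures for >= threshold distinct accounts inside one window."""
    hits = defaultdict(list)
    for ts, event_id, account, client_ip, code in rows:
        finding = SIGNATURES.get((event_id, code))
        if finding:
            hits[(client_ip, finding)].append((ts, account))

    alerts = defaultdict(set)
    for key, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # slide a time window over the hits
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            accounts = {account for _, account in events[lo:hi + 1]}
            if len(accounts) >= threshold:
                alerts[key].update(accounts)
    return {key: sorted(accounts) for key, accounts in alerts.items()}


if __name__ == "__main__":
    for (client_ip, finding), accounts in detect(parse_events(EVENTS)).items():
        print(f"{client_ip}: {finding} against {len(accounts)} accounts: "
              f"{', '.join(accounts)}")
```

The second client in the sample (two failures for the same account, 23 minutes apart) is a user mistyping a password and is deliberately not flagged: the detector counts distinct accounts per source, not raw failures, which is what separates a spray from ordinary noise. Both codes require "Audit Kerberos Authentication Service" failure auditing to be enabled on the domain controllers.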

There’s one directory that caught my attention when I first saw the list

Finally, we have successfully accessed the SOC Analysis SMB share

There’s one pcap file stored inside

Let’s download the pcap file into our attacker’s machine

Analyze using the Wireshark tool

Let’s open the pcap within the Wireshark tool

We have found the cipher that we can use in the next step

Aside from that, we also found the KRB5 hash format

It would look like something as shown above.

Let’s try to crack the hash that we found earlier

After a while, we managed to retrieve the password

Joomla Escalation on the machine

We should be able to enter the Joomla Dashboard

As shown in the screenshot above, we can access the main page as Tony Stark

We can see the source code for the error.php as shown above

As a result, we need to set our IP address and the port we are listening on

Boom! We have managed to obtain the reverse shell as tstark user

We can read the user flag by typing the “type user.txt” command

Another way to retrieve the shell as tstark is by using the RunasCs.exe script

Escalate to Root Privileges

When looking at the ports open inside the machine, I notice one that stands out: port 8083

As a result, let’s do some port forwarding by using the port we found earlier.

We can access the localhost website as shown in the screenshot above

We can upload our resume to the application

Let’s upload a random file into the resume section

However, the web application rejects any file type that is not Microsoft Word

Let’s download the CVE-2023-2255 exploit script, which can be found here, onto our machine.

The exploit file has been created with the usage of the script

Let’s start our listener

Now we upload the malicious resume to the application

After a while, we retrieved the reverse shell connection back to us.

To be precise, we are accessing the shell as the ppotts user

Let’s execute cmdkey /list

I managed to find one directory inside the Microsoft Protect Directory

Sadly, nothing was found inside

Nothing looks interesting here.

However, some files are stored in the Credentials directory

As a result, let’s upload mimikatz into our victim’s machine

Gathering information using mimikatz on the Office machine

Let’s start the mimikatz on the victim’s machine

We managed to obtain another username and password while executing the command in mimikatz

As a result, let’s access the machine with the credentials that we found earlier.

The screenshot above shows the privileges held by the HHogan account

After reading some articles, we should download the script on our attacker’s machine

Let’s upload the exe file into the Office machine

We can retrieve the display names of all GPOs

Therefore, we should execute the command above to get access

We should update the policy by executing the command above

Boom! We have been added to the Administrators group

We can read the root flag by typing the “type root.txt” command
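The last step works because whoever can edit a GPO can change the local group membership it pushes to every machine it is linked to. That membership is stored in the policy's security template in SYSVOL, under `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, in a `[Group Membership]` section, so comparing that section against an approved baseline catches the change directly (and, with directory service change auditing enabled, event 5136 on the domain controller records which account edited the GPO object). The script below is an added example, not part of the original walkthrough: the template text is constructed, and the domain SID is a placeholder; the `*<SID>__Members` key convention is the real Restricted Groups format.

```python
"""Audit the Restricted Groups settings of a GPO security template.

Added example, not from the original post. It parses the [Group Membership]
section of a GptTmpl.inf (the file a GPO uses to push local group membership)
and reports every member of the local Administrators group that is not on an
approved baseline. The template below is constructed; the domain SID is a
placeholder.
"""
import configparser

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"                       # well-known SID
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"        # placeholder
DOMAIN_ADMINS = f"{DOMAIN_SID}-512"                           # well-known RID 512

# Approved members of the local Administrators group on the linked machines.
BASELINE = {BUILTIN_ADMINISTRATORS: {DOMAIN_ADMINS}}

# Constructed GptTmpl.inf after an unauthorised edit added a domain user.
# Keys are '*<SID>__Members' / '*<SID>__Memberof'; a leading '*' marks a SID,
# anything else is a name; values are comma-separated.
GPT_TMPL = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*{BUILTIN_ADMINISTRATORS}__Memberof =
*{BUILTIN_ADMINISTRATORS}__Members = *{DOMAIN_ADMINS},OFFICE\\hhogan
"""


def parse_group_membership(text):
    """Return {group: {"members": set, "memberof": set}} from [Group Membership]."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str                      # keep '*' prefix and case in keys
    cp.read_string(text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        principal, _, field = key.partition("__")
        principal = principal.lstrip("*")
        entries = {e.strip().lstrip("*") for e in (value or "").split(",") if e.strip()}
        groups.setdefault(principal, {"members": set(), "memberof": set()})
        groups[principal][field.lower()] = entries
    return groups


def unexpected_admins(text, baseline=BASELINE):
    """Members of each baselined group that the baseline does not approve."""
    groups = parse_group_membership(text)
    findings = {}
    for group, approved in baseline.items():
        extra = groups.get(group, {}).get("members", set()) - approved
        if extra:
            findings[group] = sorted(extra)
    return findings


if __name__ == "__main__":
    for group, extra in unexpected_admins(GPT_TMPL).items():
        print(f"{group}: unexpected members {', '.join(extra)}")
```

On disk the file is UTF-16 encoded, so read it with that encoding before passing the text in; a scheduled job that runs this over every policy folder in SYSVOL and alerts on any non-empty result is a cheap control against exactly the privilege escalation this machine ends with.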
