In this post, I would like to share a walkthrough of the Office machine from Hack The Box.
This machine is rated Hard on Hack The Box.

What will you gain from the Office machine?
For the user flag, you need to look at the Joomla instance, which inadvertently exposes a password. I will brute-force usernames via Kerberos and then conduct a password spray to identify password reuse. This grants access to an SMB share containing a PCAP file with a Kerberos authentication exchange. By constructing a hash from this exchange and cracking it, I will obtain another password, which also grants access to the Joomla admin account. I will then implant a webshell within a template to gain a foothold on the server. Additionally, an internal site designed for resume submissions can be exploited: using LibreOffice, I will leverage both a CVE and registry modifications to enable macros. The next user has saved credentials, which I will decrypt using Mimikatz to further my access.
As for the root flag, you need to leverage Group Policy Object (GPO) access to obtain administrative privileges.
Information Gathering on Office Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start with an Nmap scan.
┌─[darknite@parrot]─[~/Documents/htb/office]
└──╼ $nmap -sC -sV 10.10.11.3 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-22 07:13 EDT
Nmap scan report for 10.10.11.3
Host is up (0.15s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-22 19:07:00Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:31+00:00; +7h53m10s from scanner time.
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-title: 403 Forbidden
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-06-22T19:08:30+00:00; +7h53m09s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:31+00:00; +7h53m10s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername:<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
|_ssl-date: 2024-06-22T19:08:30+00:00; +7h53m09s from scanner time.
Service Info: Hosts: DC, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h53m09s, deviation: 0s, median: 7h53m09s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-06-22T19:07:53
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.64 seconds
┌─[darknite@parrot]─[~/Documents/htb/office]
└──╼ $
Let’s access the website interface.

There is not much that we can look at on the website interface.

However, I did notice some directories being shown in the Nmap result.

It’s a Joomla interface.
Analyzing the website interface on the Office machine

We managed to find the Joomla CMS version that is used on this machine.


We managed to find one password, but we don’t know which user it belongs to.
Kerbrute attack on the machine

Therefore, we should be able to obtain the username by using the kerbrute script.

At last, we managed to find a matching username and password.
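From the defender's side, the username brute force and password spray described above leave a characteristic trail on the domain controller: many 4768 events with result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for non-existent users, followed by 4771 events with failure 0x18 (KDC_ERR_PREAUTH_FAILED) across many real users, all from one client address in a short window. The following detector is an added example (not part of this walkthrough); the event records, the placeholder client addresses and the usernames userA/userB/userC are constructed for the demo.

```python
"""Flag Kerberos user enumeration and password spraying from DC security events."""
from collections import defaultdict
from datetime import datetime, timedelta


def _evt(minute, eid, user, code, ip):
    """Build a minimal Security-log record (constructed sample, not real data)."""
    return {"ts": datetime(2024, 6, 22, 19, minute), "id": eid,
            "user": user, "code": code, "ip": ip}


# Constructed sample: 8 unknown-user lookups, then a spray over 6 real accounts
# from the same (placeholder) address, plus one benign typo from another host.
SAMPLE_EVENTS = (
    [_evt(1, 4768, f"guess{i}", "0x6", "10.10.14.99") for i in range(8)]
    + [_evt(2, 4771, u, "0x18", "10.10.14.99")
       for u in ("tstark", "ppotts", "hhogan", "userA", "userB", "userC")]
    + [_evt(3, 4771, "tstark", "0x18", "10.10.14.7")]
)


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return sorted (kind, client_ip, distinct_users) findings.

    Events are bucketed per source address into fixed windows; a bucket that
    touches `threshold` or more distinct usernames is reported.
    """
    buckets = defaultdict(set)  # (kind, ip, window index) -> usernames
    for ev in events:
        if ev["id"] == 4768 and ev["code"].lower() == "0x6":
            kind = "user_enumeration"      # user does not exist in the domain
        elif ev["id"] == 4771 and ev["code"].lower() == "0x18":
            kind = "password_spray"        # valid user, wrong password
        else:
            continue
        idx = int(ev["ts"].timestamp() // window.total_seconds())
        buckets[(kind, ev["ip"], idx)].add(ev["user"].lower())
    findings = {}
    for (kind, ip, _), users in buckets.items():
        if len(users) >= threshold:
            findings[(kind, ip)] = max(findings.get((kind, ip), 0), len(users))
    return sorted((k, ip, n) for (k, ip), n in findings.items())


if __name__ == "__main__":
    for kind, ip, n in detect(SAMPLE_EVENTS):
        print(f"{kind}: {ip} touched {n} distinct users in one window")
```

The single mistyped password from the second host stays below the threshold, so only the enumerating address is reported.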

There’s one share that caught my attention when I first saw the list.

Finally, we have successfully accessed the SOC Analysis SMB share.

There’s one PCAP file stored inside.

Let’s download the PCAP file to our attacker machine.
Analyze using the Wireshark tool

Let’s open the PCAP within the Wireshark tool.

We have found the cipher value that we can use in the next step.

Aside from that, we also found the KRB5 hash format.

The assembled hash looks like the one shown above.

Let’s try to crack the hash that we built earlier.

After a while, we managed to retrieve the password.
Joomla Escalation on the machine

We should be able to enter the Joomla dashboard.

As shown in the screenshot above, we can access the main page as Tony Stark.

We can see the source code of the template’s error.php as shown above.

As a result, we need to set our IP address and the port our listener is waiting on.

Boom! We have obtained a reverse shell as the tstark user.


We can read the user flag by typing the “type user.txt” command.

Another way to retrieve a shell as tstark is by using the RunasCs.exe tool.
Escalate to Root Privileges Access

When looking at the ports open inside the machine, I notice one that stands out: port 8083.

As a result, let’s do some port forwarding for the port we found earlier.

We can access the forwarded localhost website as shown in the screenshot above.

We can upload a resume to the application.

Let’s upload a random file in the resume section.

However, the web application rejects any file type other than a Microsoft Word document.

Let’s download the CVE-2023-2255 exploit script, which can be found here, to our machine.

The exploit file has been created using the script.

Let’s start our listener.


Now we upload the malicious resume to the application.

After a while, we receive the reverse shell connection back on our listener.

To be precise, we now have a shell as the ppotts user.

Let’s execute cmdkey /list to show the saved credentials.

I managed to find one directory inside the Microsoft\Protect directory.

Sadly, nothing has been found inside.

Nothing looks interesting here.

However, some files are stored in the Credentials directory.

As a result, let’s upload Mimikatz to the victim machine.
Gathering information using Mimikatz on the Office machine

Let’s start Mimikatz on the victim machine.




We managed to obtain another username and password while executing the commands in Mimikatz.

As a result, let’s access the machine with the credentials that we just found.

The screenshot above shows the privileges held by the HHogan account.

After reading some articles, we download the script to our attacker machine.

Let’s upload the exe file to the Office machine.

We can retrieve the display names of all GPOs.

Therefore, we execute the command above to gain access.

We then update the policy by executing the command above.

Boom! We have been added to the Administrators group.


We can read the root flag by typing the “type root.txt” command.
Extra Information
