👨‍💼Office - HTB

https://app.hackthebox.com/machines/Office

User

found that the web cms is joomla ,after determine the version through /administrator/manifests/files/joomla.xml ,it's vulnerable to CVE-2023-23752

i used kerberute to find enum the usernames

then i sprayed the password for all those users

found this article explaining the kerberos credentials leak

Getting Passwords From Kerberos Pre-Authentication PacketsVbScrub

the final hash should look like this

$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc

Decrypt it with hashcat using model 19900

we can use this to login as an admin to joomla

visit the link in number http://office.htb/templates/cassiopeia/index.php to trigger the reverse shell

now we are user web_account and we can use RunAs tool to get into tstark user with the credentials we got earlier tstark:playboy69

Root

we found open port 8083 ,we forward that port to work with it

found upload webpage resume.php

i used this tool to generate .odt file

GitHub - elweth-sec/CVE-2023-2255: CVE-2023-2255 Libre OfficeGitHub

then upload the file ,and wait a bit then got revshell

now forward port 3306 ,then user msfconsole module "multi/mysql/mysql_udf_payload"

that user has "SeImpersonate " privilege ,which we can use godpotato to privilege escalation

PreviousRebound - HTB NextWave - FlagYard

Last updated 1 year ago