👨💼Office - HTB
https://app.hackthebox.com/machines/Office

User
Found that the web CMS is Joomla. After determining the version through /administrator/manifests/files/joomla.xml, it's vulnerable to CVE-2023-23752.

I used kerbrute to enumerate the usernames.

Then I sprayed the password for all those users.
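From the defender's side, the two steps above leave a recognizable trail on the domain controller. The following is an added example, not part of the original write-up: it flags a source that touches many accounts in a short window, assuming Kerberos Authentication Service auditing is enabled so that events 4768 (result code 0x6, unknown principal) and 4771 (failure code 0x18, pre-authentication failed) are logged. The event tuples, window and threshold are constructed for illustration.

```python
from collections import defaultdict

# Kerberos result codes as logged by a domain controller.
PRINCIPAL_UNKNOWN = "0x6"   # event 4768: account does not exist (enumeration)
PREAUTH_FAILED = "0x18"     # event 4771: wrong password (spraying)

def max_distinct_accounts(events, window):
    """Largest number of distinct accounts seen in any `window`-second span."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({acct for _, acct in events[start:end + 1]}))
    return best

def detect(events, window=60, threshold=3):
    """Return {(source_ip, finding)} for sources that hit many accounts quickly.

    `events` holds (epoch_seconds, event_id, source_ip, account, status) tuples.
    window and threshold are illustrative defaults; tune them per environment.
    """
    buckets = defaultdict(list)
    for ts, event_id, ip, account, status in events:
        if event_id == 4768 and status == PRINCIPAL_UNKNOWN:
            buckets[(ip, "user-enumeration")].append((ts, account.lower()))
        elif event_id == 4771 and status == PREAUTH_FAILED:
            buckets[(ip, "password-spray")].append((ts, account.lower()))
    return {key for key, evs in buckets.items()
            if max_distinct_accounts(evs, window) >= threshold}

# Constructed sample data (addresses and account names are invented).
SAMPLE = [
    (1000, 4768, "10.0.0.50", "alice", PRINCIPAL_UNKNOWN),
    (1001, 4768, "10.0.0.50", "bob", PRINCIPAL_UNKNOWN),
    (1002, 4768, "10.0.0.50", "carol", PRINCIPAL_UNKNOWN),
    (1010, 4771, "10.0.0.50", "svc_web", PREAUTH_FAILED),
    (1011, 4771, "10.0.0.50", "dave", PREAUTH_FAILED),
    (1012, 4771, "10.0.0.50", "erin", PREAUTH_FAILED),
    # One user mistyping their own password is a single account, not a spray.
    (1020, 4771, "10.0.0.23", "frank", PREAUTH_FAILED),
    (1025, 4771, "10.0.0.23", "frank", PREAUTH_FAILED),
    (1030, 4771, "10.0.0.23", "frank", PREAUTH_FAILED),
]

if __name__ == "__main__":
    for ip, finding in sorted(detect(SAMPLE)):
        print(f"{ip}: {finding}")
```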



Found this article explaining the Kerberos credentials leak.

The final hash should look like this:
$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc
Crack it with hashcat using mode 19900.
We can use this to log in as an admin to Joomla.





Visit the link http://office.htb/templates/cassiopeia/index.php to trigger the reverse shell.

Now we are user web_account, and we can use the RunAs tool to get into the tstark user with the credentials we got earlier, tstark:playboy69.

Root
We found open port 8083 and forwarded that port to work with it.

Found the upload web page resume.php.
I used this tool to generate an .odt file.

Then I uploaded the file, waited a bit, and got a reverse shell.

Now forward port 3306, then use the msfconsole module "multi/mysql/mysql_udf_payload".

That user has the "SeImpersonate" privilege, which we can use with GodPotato for privilege escalation.
