๐Ÿ’€
Samfisher blog
  • Common Vulnerabilities and Exposures
    • ๐ŸงบCVE-2023-27163
    • ๐Ÿ›ค๏ธMaltrail - OS Command Injection
  • ๐Ÿ‘พCrafty - HTB
  • ๐ŸŒŒSkyfall - HTB
  • ๐Ÿ”ขRegistryTwo - HTB
  • โฌ‡๏ธDownload - HTB
  • โ˜ ๏ธCybermonday - HTB
  • ๐Ÿ€Rebound - HTB
  • ๐Ÿ‘จโ€๐Ÿ’ผOffice - HTB
  • Wave - FlagYard
  • Blackhat - Saudi <Web> iFrame
Powered by GitBook
On this page

Office - HTB

https://app.hackthebox.com/machines/Office

PreviousRebound - HTBNextWave - FlagYard

Last updated 11 months ago

User

found that the web cms is joomla ,after determine the version through /administrator/manifests/files/joomla.xml ,it's vulnerable to CVE-2023-23752

i used kerberute to find enum the usernames

then i sprayed the password for all those users

found this article explaining the kerberos credentials leak

the final hash should look like this

$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc

Decrypt it with hashcat using model 19900

we can use this to login as an admin to joomla

visit the link in number http://office.htb/templates/cassiopeia/index.php to trigger the reverse shell

now we are user web_account and we can use RunAs tool to get into tstark user with the credentials we got earlier tstark:playboy69

Root

we found open port 8083 ,we forward that port to work with it

found upload webpage resume.php

i used this tool to generate .odt file

then upload the file ,and wait a bit then got revshell

now forward port 3306 ,then user msfconsole module "multi/mysql/mysql_udf_payload"

that user has "SeImpersonate " privilege ,which we can use godpotato to privilege escalation

๐Ÿ‘จโ€๐Ÿ’ผ
  • User
  • Root
LogoGitHub - elweth-sec/CVE-2023-2255: CVE-2023-2255 Libre OfficeGitHub
LogoGetting Passwords From Kerberos Pre-Authentication PacketsVbScrub