Office

Enumeration
We are working with a Windows Active Directory machine.
A web server running XAMPP is installed, and Joomla is the CMS.

This Joomla version, 4.2.7, is vulnerable to CVE-2023-23752, an information disclosure vulnerability.


The disclosed configuration gives us the database password.
We cannot authenticate to Joomla with it, but since the target is a domain controller we can enumerate domain users and spray this password against them.

We get a hit for a user
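The spray above is what a domain controller sees as one source address failing Kerberos pre-authentication for many different accounts in a short time, followed by a single successful TGT request for the account the password matched. The following script is an added example (not part of the original writeup) of the detection logic a defender would run over that telemetry; the key=value line layout, the account names and the IP addresses are all constructed for the example and are not a Windows export format.

```python
"""Password-spray detection over Kerberos pre-authentication events.

A spray tries one password against many accounts, so one source address
produces pre-auth failures (event 4771, status 0x18 = bad password) for many
distinct accounts in a short window, usually followed by one TGT success
(event 4768) for the account the password matched.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real DC logs); the field layout is an
# assumption made for this example, not a Windows export format.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 EventID=4771 Account=alice Client=10.10.14.7 Status=0x18
2024-05-01T09:00:02 EventID=4771 Account=bob Client=10.10.14.7 Status=0x18
2024-05-01T09:00:02 EventID=4771 Account=carol Client=10.10.14.7 Status=0x18
2024-05-01T09:00:03 EventID=4771 Account=dave Client=10.10.14.7 Status=0x18
2024-05-01T09:00:03 EventID=4771 Account=erin Client=10.10.14.7 Status=0x18
2024-05-01T09:00:04 EventID=4768 Account=frank Client=10.10.14.7 Status=0x0
2024-05-01T09:00:04 EventID=4771 Account=grace Client=10.10.14.7 Status=0x18
2024-05-01T09:05:00 EventID=4771 Account=heidi Client=10.0.0.21 Status=0x18
2024-05-01T09:05:30 EventID=4771 Account=heidi Client=10.0.0.21 Status=0x18
2024-05-01T09:06:00 EventID=4768 Account=heidi Client=10.0.0.21 Status=0x0
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    fields = line.split()
    kv = dict(f.split("=", 1) for f in fields[1:])
    return {
        "ts": datetime.fromisoformat(fields[0]),
        "event_id": int(kv["EventID"]),
        "account": kv["Account"].lower(),
        "client": kv["Client"],
        "status": kv.get("Status", ""),
    }


def detect_spray(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return (sprayers, hits).

    sprayers: client IP -> set of distinct accounts that failed pre-auth
              from that IP inside one window of length `window`.
    hits:     client IP -> set of accounts that then obtained a TGT from a
              flagged IP (the spray found a working password).
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    failures = defaultdict(list)  # client -> [(ts, account), ...] in time order
    for e in events:
        if e["event_id"] == 4771 and e["status"] == "0x18":
            failures[e["client"]].append((e["ts"], e["account"]))

    sprayers = {}
    for client, fails in failures.items():
        # Slide a window over this client's failures; many *distinct*
        # accounts in one window is the spray signature. A user mistyping
        # their own password repeatedly only ever contributes one account.
        for i, (t0, _) in enumerate(fails):
            in_window = {acct for t, acct in fails[i:] if t - t0 <= window}
            if len(in_window) >= min_accounts:
                sprayers[client] = in_window
                break

    hits = defaultdict(set)
    for e in events:
        if e["event_id"] == 4768 and e["client"] in sprayers:
            hits[e["client"]].add(e["account"])
    return sprayers, dict(hits)


if __name__ == "__main__":
    sprayers, hits = detect_spray(SAMPLE_EVENTS.splitlines())
    for client, accounts in sprayers.items():
        print(f"spray from {client}: {len(accounts)} accounts, "
              f"successful logon for {sorted(hits.get(client, []))}")
```

The threshold counts distinct accounts rather than raw failures, which is what separates a spray from a single user locking themselves out; the 4768 correlation is what turns "someone is spraying" into "and this is the account they now hold".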

Now we can enumerate the domain

But with this user we cannot find a viable path in BloodHound.
We can try to enumerate shares with the credentials we already have.
We find a .pcap file.

In the Kerberos traffic we find a pre-authentication attempt for the user tstark.

We can crack this pre-authentication hash offline.

This account is a member of Registry Editors

This group can modify certain registry keys.
But we cannot directly execute commands or log in with WinRM on the system.
Initial access
We can try this password on Joomla.
The user is Administrator, as seen in the output of the CVE exploit at the beginning.
We modify error.php and add a reverse shell.

We now have a shell as web_account.
The AV is disabled, so we can upload a Sliver beacon without any bypass.
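Editing a template file such as error.php is enough to turn CMS admin access into code execution on the web server, so a defender's cheapest control is to baseline the template directory and alert when a PHP file under it changes outside a deployment. The script below is an added example, not code from the writeup or from Joomla; it builds a constructed template tree in a temporary directory (the directory layout, file names and contents are assumptions for the example), baselines it, simulates a tampered file plus a new file, and reports the difference.

```python
"""Baseline-and-diff integrity check for a CMS template directory.

Template PHP files should almost never change outside a deployment.
Hashing them once (baseline) and comparing later catches an edited
error.php or a newly dropped PHP file.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root, suffixes=(".php",)):
    """Map each matching file (path relative to root) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed template tree, baseline it, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout: one template called "site" (an assumption).
        tpl = Path(tmp) / "templates" / "site"
        tpl.mkdir(parents=True)
        (tpl / "index.php").write_text("<?php echo 'site'; ?>\n")
        (tpl / "error.php").write_text("<?php echo 'error page'; ?>\n")

        # Baseline taken at deployment time and stored beside the tree.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(hash_tree(tmp)))

        # Simulated tampering: error.php gains extra code and a new PHP
        # file appears. Contents are placeholders, not real payloads.
        (tpl / "error.php").write_text("<?php echo 'error page'; /* injected */ ?>\n")
        (tpl / "helper.php").write_text("<?php /* new file */ ?>\n")

        current = hash_tree(tmp)
        return compare(json.loads(baseline_file.read_text()), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is written at deployment, stored somewhere the web server account cannot write, and the comparison runs on a schedule; the same function also answers the forensic question of which files changed and when the change was first seen.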

Checking listening connections, we find a port that was not discovered by the nmap scan.

We can forward the port with Sliver's portfwd functionality.


If we click on Submit application we can upload a file. If we try to upload an .exe file we get this message:

A somewhat recent CVE for LibreOffice is CVE-2023-2255; we can use a PoC to create a .odt file that fetches a payload and executes it.
This time we don't need to download a payload, we can reuse the beacon from before.
Next we upload the .odt file.

For some weird reason placing the payload in C:\Users\Public worked; I tried using the payload in C:\Windows\Tasks and a PowerShell reverse shell, but neither worked.
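Whatever the document exploit, the step above ends with the LibreOffice process launching something it has no business launching: a shell, a script host, or an executable sitting in a world-writable directory such as C:\Users\Public or C:\Windows\Tasks. That parent/child relationship is the high-signal detection on the endpoint side. The script below is an added example (not from the writeup and not a Sysmon rule) that scans process-creation events for exactly that; the pipe-delimited event layout and the sample events are constructed for the example, and the suspicious-child and writable-directory lists are a starting point rather than a complete catalogue.

```python
"""Flag suspicious child processes of LibreOffice from process-creation logs.

A document viewer has no legitimate reason to launch a shell, a script host
or a binary that lives in a user-writable directory, so that parent/child
pair is worth alerting on regardless of which CVE produced it.
"""
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"soffice.bin", "soffice.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe",
}
# Lower-cased prefixes of directories any user can write to.
WRITABLE_DIRS = (
    "c:\\users\\public\\",
    "c:\\windows\\tasks\\",
    "c:\\windows\\temp\\",
)

# Constructed sample events (not real Sysmon output). Layout is an
# assumption for this example: ts|EventID|ParentImage|Image|CommandLine
SAMPLE_EVENTS = r"""
2024-05-01T10:00:00|1|C:\Program Files\LibreOffice\program\soffice.bin|C:\Users\Public\beacon.exe|"C:\Users\Public\beacon.exe"
2024-05-01T10:00:05|1|C:\Program Files\LibreOffice\program\soffice.bin|C:\Windows\System32\cmd.exe|cmd.exe /c start C:\Windows\Tasks\run.exe
2024-05-01T10:01:00|1|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2024-05-01T10:02:00|1|C:\Program Files\LibreOffice\program\soffice.exe|C:\Program Files\LibreOffice\program\soffice.bin|soffice.bin --writer
"""


def parse_event(line):
    """Split one pipe-delimited process-creation line into a dict."""
    ts, event_id, parent, image, cmdline = line.split("|", 4)
    return {
        "ts": ts,
        "event_id": int(event_id),
        "parent": PureWindowsPath(parent),
        "image": PureWindowsPath(image),
        "cmdline": cmdline,
    }


def classify(e):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if e["event_id"] != 1 or e["parent"].name.lower() not in OFFICE_PARENTS:
        return reasons
    child = e["image"].name.lower()
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"office process spawned {child}")
    if str(e["image"]).lower().startswith(WRITABLE_DIRS):
        reasons.append("child runs from a user-writable directory")
    if any(d in e["cmdline"].lower() for d in WRITABLE_DIRS):
        reasons.append("command line references a user-writable directory")
    return reasons


def scan(lines):
    """Return one finding per suspicious event, in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_event(line)
        reasons = classify(e)
        if reasons:
            findings.append({"ts": e["ts"], "image": str(e["image"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.strip().splitlines()):
        print(f["ts"], f["image"], "->", "; ".join(f["reasons"]))
```

The third sample line (explorer.exe launching cmd.exe) and the fourth (soffice.exe launching its own soffice.bin) are the benign controls: the rule keys on the office parent, not on cmd.exe in general, which keeps the alert volume low enough to act on.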

DPAPI and GPO privilege escalation
This is the new user

Now we can enumerate the machine.
We can check whether there are any credentials saved with DPAPI.

It's probably possible to do all of this with SharpDPAPI, but I still don't understand how to import master keys into the cache :)

We can use mimikatz to import the master key and then retrieve the decrypted password with SharpDPAPI.
The master key path is C:\Users\user\AppData\Roaming\Microsoft\Protect\USER-SID\GUID-MASTERKEY.
Now we have it in the cache.

And we can get the decrypted password.

This user can manage domain GPOs.

We can use SharpGPOAbuse to add this user to the Administrators group.

You need to be quick to log in after doing this; the changes are reverted after a minute or so.
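The fact that the change is rolled back within a minute is exactly why the detection for this step has to come from the logs rather than from the current state of the Administrators group. A GPO edit in the directory (event 5136 on a groupPolicyContainer object) followed shortly by a member being added to a local Administrators group (event 4732) is the pair to correlate. The script below is an added example, not from the writeup or from SharpGPOAbuse; the event layout, the domain corp.example, the trusted account list and the sample events are all constructed assumptions for the example.

```python
"""Correlate GPO edits with local Administrators membership changes.

An account with write access to a GPO can push a setting that adds a
principal to Administrators on every host the GPO applies to. A 5136
(directory object modified) on a groupPolicyContainer by someone outside
the GPO-admin group, followed within minutes by a 4732 (member added to a
security-enabled local group) into Administrators, deserves a look even if
the membership is later reverted.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real exports); the key=value layout and the
# corp.example domain are assumptions made for this example.
SAMPLE_EVENTS = r"""
2024-05-01T08:00:00 EventID=5136 Subject=CORP\gpo-admin ObjectClass=groupPolicyContainer ObjectDN=CN={11111111-AAAA-BBBB-CCCC-000000000001},CN=Policies,CN=System,DC=corp,DC=example Attribute=versionNumber
2024-05-01T09:00:00 EventID=5136 Subject=CORP\jdoe ObjectClass=groupPolicyContainer ObjectDN=CN={11111111-AAAA-BBBB-CCCC-000000000002},CN=Policies,CN=System,DC=corp,DC=example Attribute=gPCMachineExtensionNames
2024-05-01T09:00:00 EventID=5136 Subject=CORP\jdoe ObjectClass=groupPolicyContainer ObjectDN=CN={11111111-AAAA-BBBB-CCCC-000000000002},CN=Policies,CN=System,DC=corp,DC=example Attribute=versionNumber
2024-05-01T09:01:30 EventID=4732 Subject=SYSTEM Member=CORP\jdoe Group=Administrators Computer=DC01
2024-05-01T11:00:00 EventID=5136 Subject=CORP\jdoe ObjectClass=user ObjectDN=CN=jdoe,CN=Users,DC=corp,DC=example Attribute=description
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    fields = line.split()
    e = dict(f.split("=", 1) for f in fields[1:])
    e["ts"] = datetime.fromisoformat(fields[0])
    e["event_id"] = int(e.pop("EventID"))
    return e


def correlate(lines, trusted_gpo_admins, window=timedelta(minutes=10)):
    """Return one finding per (subject, GPO) edited by a non-trusted account.

    Severity is "high" when an Administrators addition follows the edit
    inside `window`, otherwise "medium".
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    gpo_edits = [
        e for e in events
        if e["event_id"] == 5136
        and e.get("ObjectClass") == "groupPolicyContainer"
        and e["Subject"] not in trusted_gpo_admins
    ]
    admin_adds = [
        e for e in events
        if e["event_id"] == 4732 and e.get("Group", "").lower() == "administrators"
    ]

    findings, seen = [], set()
    for g in gpo_edits:
        key = (g["Subject"], g["ObjectDN"])
        if key in seen:  # one GPO edit touches several attributes; report once
            continue
        seen.add(key)
        linked = [a for a in admin_adds if timedelta(0) <= a["ts"] - g["ts"] <= window]
        findings.append({
            "ts": g["ts"].isoformat(),
            "subject": g["Subject"],
            "gpo": g["ObjectDN"],
            "severity": "high" if linked else "medium",
            "added": sorted(f"{a['Member']}@{a['Computer']}" for a in linked),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS.strip().splitlines(), {"CORP\\gpo-admin"}):
        print(f["severity"], f["ts"], f["subject"], "edited", f["gpo"], "->", f["added"])
```

Both event IDs need auditing enabled to appear at all: 5136 requires a SACL on the GPO containers with Directory Service Changes auditing, and 4732 requires Security Group Management auditing on the member hosts. Without them, a rolled-back change leaves no trace to correlate.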