Official discussion thread for Office. Please do not post any spoilers or big hints.
Enjoyed this one, had some trouble with some services malfunctioning, but made me learn a couple new tricks.
DM me if you need a nudge.
Could I please get a nudge? I have managed to get some usernames and a password, but I do not know what to do going further
There is something a bit unusual for hackthebox here.
You need to use some pretty large wordlist for the enumeration early on.
I have a shell, but when trying to runas or RunAsCs to login the user with the password, the prompt automatically closes or simply give me an error…
Big wordlist avaible in s**list ?
I think the box may be broken on AU servers as despite multiple reverts, LDAP/S ports were closed which are required for priv esc.
Have you tried using openvpn seasonal release us release arena? to have a private box
Yes, but not the category you use on every box .
Any nudges on root? I am working on CVE-2023-2255 but I can’t get a reverse shell that pivots to other users.
Ok thank you
When I run my gobuster command to look for vhosts it returns status 200 for every subdomain, why does it do that??
no this is the same on all . I tried several vpn and for all the servers it was the same ldap and ldaps ar not running. You have to manage with it^
Edit : In the fact if ladp is not accessible, change the vpn/server until you find one which is ok, because you can’t do the privesc without it (or it will be more difficult “task” …)
I am also having same issues, on several VPNs actually!
Yesterday LDAP was working and today nope
Can someone help me with root flag? I’m trying some pivoting to the MySQL service to login with the first credentials found on Joomla!, but not being able to do it.
I think for admin right need to use gpo abuse, but in won’t work
*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount 'HHogan' --GPOName "Default Domain Controllers Policy" --DomainController 'DC.office.htb' --Domain 'office.htb'
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
The server could not be contacted.[!] Exiting...
*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount 'HHogan' --GPOName "Default Domain Controllers Policy"
[!] Cannot enumerate domain.
Is anyone having problem after logging into joomla. I am not able to do anything. This sucks! I am stuck for 3 hours and nothing is working
For pivtoting you can use socat, chisel, meterpreter… you name it!
I can confirm same for EU servers… Managed to solve the challenge on Release Arena servers where indeed LDAP worked fine.