Official Office Discussion

system · February 17, 2024, 3:00pm

Official discussion thread for Office. Please do not post any spoilers or big hints.

thetempentest · February 18, 2024, 7:20pm

Enjoyed this one, had some trouble with some services malfunctioning, but made me learn a couple new tricks.

thetempentest · February 19, 2024, 9:09am

DM me if you need a nudge.

Alther · February 19, 2024, 2:31pm

Could I please get a nudge? I have managed to get some usernames and a password, but I do not know what to do going further

Faelian · February 19, 2024, 5:12pm

There is something a bit unusual for hackthebox here.
You need to use some pretty large wordlist for the enumeration early on.

xdarksyderx · February 19, 2024, 5:50pm

I have a shell, but when trying to runas or RunAsCs to login the user with the password, the prompt automatically closes or simply give me an error…

christrc · February 19, 2024, 7:15pm

Big wordlist avaible in s**list ?

Grimsolo · February 20, 2024, 12:26am

I think the box may be broken on AU servers as despite multiple reverts, LDAP/S ports were closed which are required for priv esc.

Dan · February 20, 2024, 2:50am

Have you tried using openvpn seasonal release us release arena? to have a private box

Faelian · February 20, 2024, 2:53am

Yes, but not the category you use on every box .

nudefender · February 20, 2024, 5:10am

Any nudges on root? I am working on CVE-2023-2255 but I can’t get a reverse shell that pivots to other users.

christrc · February 20, 2024, 6:39am

Ok thank you

tabboy · February 20, 2024, 10:42am

When I run my gobuster command to look for vhosts it returns status 200 for every subdomain, why does it do that??

vincecipher · February 20, 2024, 10:59am

no this is the same on all . I tried several vpn and for all the servers it was the same ldap and ldaps ar not running. You have to manage with it^

Edit : In the fact if ladp is not accessible, change the vpn/server until you find one which is ok, because you can’t do the privesc without it (or it will be more difficult “task” …)

Yovecio18 · February 20, 2024, 2:48pm

I am also having same issues, on several VPNs actually!
Yesterday LDAP was working and today nope

rigpa108 · February 21, 2024, 7:21am

Can someone help me with root flag? I’m trying some pivoting to the MySQL service to login with the first credentials found on Joomla!, but not being able to do it.

pyfffe · February 21, 2024, 6:40pm

I think for admin right need to use gpo abuse, but in won’t work

*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount 'HHogan' --GPOName "Default Domain Controllers Policy" --DomainController 'DC.office.htb' --Domain 'office.htb'
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
The server could not be contacted.[!] Exiting...
*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount 'HHogan' --GPOName "Default Domain Controllers Policy"
[!] Cannot enumerate domain.

Gh0styy · February 22, 2024, 6:53am

Is anyone having problem after logging into joomla. I am not able to do anything. This sucks! I am stuck for 3 hours and nothing is working

Yovecio18 · February 22, 2024, 8:14am

For pivtoting you can use socat, chisel, meterpreter… you name it!

Yovecio18 · February 22, 2024, 8:15am

I can confirm same for EU servers… Managed to solve the challenge on Release Arena servers where indeed LDAP worked fine.