Enumeration

Nmap

The initial Nmap scan revealed that only the HTTP port was open.

00 - nmap

Web Enumeration

The website had upload functionality.

01 - website

It only allowed ODT files.

02 - odt file upload

Exploitation

At first I tried to bypass the restriction, but only ODT was allowed. Then I tried ODT information disclosure and obtained an NTLMv2 hash, but could not crack it.

LibreOffice (ODT) Macro to RCE

After some research I found that LibreOffice can run macros, which can be used to obtain RCE. The steps to create and assign a macro are listed below.

  • Tools > Macros > Edit Macros to open Macro Menu

08 - odt macro

  • Tools > Select Macro to open Macro Creation Menu

09 - select macro

  • Create a new Macro

10 - new macro

  • Edit Macro to run shell commands

11 - shell command test

  • Tools > Customize to open Event menu and assign Macro

12 - tools customize

  • Assign Macro to Open Document Event

13 - assign macro

  • Test it

14 - rce

As seen in the above steps, we can run commands. So all we need to do is update the macro to gain a reverse shell.

15 - revshell encoded

With this update I got the user and flag.

16 - revshell

17 - flag
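
The macro technique above relies on two things inside the uploaded ODT archive: an embedded Basic module and a binding of that module to the Open Document event. As an added example (not part of the original write-up), this Python check shows how an upload handler or triage script could detect both. The names `scan_odt` and `build_sample` and the sample documents are constructed for illustration, and it assumes the LibreOffice layout where document macros are saved under `Basic/` and the Open Document binding is a `dom:load` event listener in `content.xml`.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SCRIPT = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"
XLINK = "{http://www.w3.org/1999/xlink}"
SHELL_CALL = re.compile(r"\bShell\s*\(", re.IGNORECASE)  # Basic is case-insensitive


def scan_odt(data: bytes) -> dict:
    """Report embedded Basic modules and document-event macro bindings."""
    report = {"modules": [], "shell_calls": [], "event_bindings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as odt:
        for name in odt.namelist():
            # Embedded libraries live under Basic/; script-l*.xml files are indexes.
            base = name.rsplit("/", 1)[-1]
            if (name.startswith("Basic/") and base.endswith(".xml")
                    and not base.startswith("script-l")):
                report["modules"].append(name)
                if SHELL_CALL.search(odt.read(name).decode("utf-8", "replace")):
                    report["shell_calls"].append(name)
        if "content.xml" in odt.namelist():
            # Assumption: production code parses untrusted XML with a hardened
            # parser such as defusedxml instead of plain ElementTree.
            root = ET.fromstring(odt.read("content.xml"))
            for el in root.iter(SCRIPT + "event-listener"):
                report["event_bindings"].append(
                    (el.get(SCRIPT + "event-name"), el.get(XLINK + "href")))
    return report


def build_sample(with_macro: bool) -> bytes:
    """Constructed in-memory ODT; the macro body is an inert placeholder."""
    listener = ('<office:scripts><office:event-listeners><script:event-listener '
                'script:event-name="dom:load" xlink:href="vnd.sun.star.script:'
                'Standard.Module1.Main?language=Basic&amp;location=document"/>'
                '</office:event-listeners></office:scripts>') if with_macro else ""
    content = ('<office:document-content xmlns:xlink="http://www.w3.org/1999/xlink" '
               'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
               'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0">'
               + listener + '<office:body/></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml",
                       "<module>Sub Main\nShell(&quot;placeholder&quot;)\nEnd Sub</module>")
    return buf.getvalue()
```

An upload service that has no need for macros can refuse any document where `modules` or `event_bindings` is non-empty, and a server-side converter should open documents with macro execution disabled regardless.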

Lateral Movement

Write to C:\xampp\htdocs

The user had write access to the web folder, so I simply uploaded a PHP reverse shell.

18 - upload revshell

Privilege Escalation

SeImpersonatePrivilege

The service account had SeImpersonatePrivilege.

19 - seimpersonate

I used GodPotato to exploit it and got a reverse shell using nc64.exe.

20 - nc

And I got the Administrator flag.

21 - root

