HackTheBox - Office

00:00 - Introduction
01:00 - Start of nmap
02:00 - Testing the XAMPP PHP Vulnerability, which doesn't work
06:20 - Getting the Joomla Version from the manifest, then exploiting CVE-2023-23752 to get the MySQL Password (same as devvortex)
11:30 - Using KerBrute to bruteforce valid usernames and then NetExec to spray the MySQL Password to get DWOLFE's password
16:40 - Examining the PCAP on the FileShare then building a Kerberos Hash for ETYPE 18
22:30 - Logging into Joomla then getting a shell through editing a template
30:00 - Looking at the other VHOSTS on the box, discovering a site running on localhost
42:00 - Discovering an old version of LibreOffice, exploiting CVE-2023-2255 to get a shell
51:10 - Showing another way, since TSTARK can edit the registry to allow macros to run then just sending a malicious document
57:40 - Pillaging DPAPI with the RPC flag, since we don't know the password and gained access to an interactive login
1:12:00 - We have the ability to edit GP as HHOGAN, using SharpGPOAbuse to create a local admin