Hack The Box RE Writeup – (Up to User only)

Hack The Box RE Writeup -

Hello, welcome back! and wish you a very happy new year 2020.

After a break of almost 2 weeks, I’m back with another Windows machine writeup. The machine I’m doing today’s walkthrough is RE ( The machine categorized in Hack the Box is as hard and real-life like, so let us see how it goes.


Note: This post is up to the user only. I will post the root part soon.

As always, I added the machine IP to etc/hosts as re.htb for easiness and let us start our enumeration with the nmap scan – nmap -A -oA re.namp re.htb

After nmap enum, we found only two ports are open. An HTTP port on 80 and a TCP port 445 that runs server message block (SMB). The webserver on 80 seems doesn’t have much to show, but the view-source shows a few filenames and indications that there are unfinished works in the project called “Ghidra”.



Since nothing can be done with port 80 at this stage, let us see what port 445 has to offer. I used the smbclient to connect the SMB to see what it contains. I didn’t provide any password, though the SMB asked for the root password. I tried to log in using anonymous that went well too. I was served with a directory called "malware_dropbox". I went ahead connecting the directory malware_dropbox but it seems to be empty.

At this point, I’m again clueless, so letup scan again higher ports and services and find if we missed anything in the previous nmap scan. However, this was not helpful either. So I decided to go to the HTB forum for hints, and there is one! A user mentioned a page called “reblog.htb“. I added this to my etc/hosts against machine IP and proceeded to browse it.

The reblog.htb is actually a blog with a few posts and an email id “malware@re.htb”. I decided to go through the posts to find something useful. The latest post “ods Phishing Attempts” is actually talking about Apache Open Office ODF Documents exploitation and phishing using maliciously crafted ODF macro payloads.

Actually there are a lot of Open Office exploitations that are possible using maliciously crafted macros. The Armitage in Kali actually has inbuilt modules to create such macros, especially a couple of for Open office. I’m going to test one to create a malicious macro file and send it using Python HTTP server in-to the malware_dropbox SMB and proceed from there. A couple of things that need to consider are LPORT and SRVPORT. LPORT.

The ODT Macro is successfully created and stored in /root/.msf4/local/msf.odt. I copied the file to my Windows machine and extracted the file msf.odt using WinRAR.

I now have the package with all the required files. I just need one main xml file which always resides in msf/Basic/Standard. I opened it and amend it with my reverse shell command to have a reverse shell when the macro is executed.

Final Module1.xml file screenshot is below. Let us zip the package back to its original state and rename it as msf.odt. After this step, I moved the msf.odt file back to my Kali machine inside my Re directory to import it to the Re machine.

In the Kali machine, I’m going to host a Python Webserver, At the same time, I will start listening to nc on the designated port 8089 and open the SMB and import the msf.odt file using PUT command. Here is the screenshot of successfully importing the msf.odt described in the above steps.

Here is my setup:

Getting User.txt

As soon as I put my malicious macro file, the host at RE reads it. The reading runs my command of reverse shell and it executes my nc.exe and I have the shell in my listener.

After a couple of minutes enum, I found the user.txt in the directory of the user Luke’s desktop.

Click to rate this post!
[Total: 0 Average: 0]


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

View all posts by Navin →
Notify of
Inline Feedbacks
View all comments
Sorry, that action is blocked.
Would love your thoughts, please comment.x
%d bloggers like this: