Hepet Proving Grounds Write-Up
SUMMARY
This write-up covers the Hepet machine from Offsec’s Proving Grounds, a creative Windows machine involving mail-based initial access through a malicious document.
The web application on port 443/8000 displayed user information including what appeared to be a password in a description field. Port 79 (Finger) was open and confirmed valid usernames on the system. Connecting to port 143 (IMAP) with the discovered credentials revealed mail messages indicating that someone was regularly checking emails and expected to receive a LibreOffice spreadsheet (ODS) attachment. A malicious LibreOffice macro was crafted using powercat with the Windows macro structure (Dim Str As String / CreateObject("Wscript.Shell").Run Str), assigned to the OpenDocument event, and sent to the mail admin using sendemail. When the document was opened, the macro executed and a reverse shell was received.
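Because the foothold here depends on a spreadsheet that auto-runs a macro when opened, the check a mail gateway or triage analyst wants is "does this ODS carry StarBasic modules or a document event binding?". The following is an added example, not code from the write-up or from the Hepet machine: an OpenDocument package is a zip, Basic macros live under `Basic/`, and event bindings are `script:event-listener` elements; the sample document it builds in memory is constructed here (the `dom:load` event name is assumed to be how the "Open Document" event is serialized), so on a real gateway you would pass the raw attachment bytes instead.

```python
"""Flag ODS/ODT attachments that carry Basic macros or document event bindings.

Added example for mail-gateway or triage use; the sample package below is
constructed in memory and is not an attachment from the machine."""
import io
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
LIBRARY_INDEX_FILES = ("script-lc.xml", "script-lb.xml")  # library containers, not code


def inspect_ods(data: bytes) -> dict:
    """Return macro indicators for an OpenDocument package (a zip archive).

    basic_modules:  files under Basic/ holding StarBasic source
    event_bindings: (event name, script URI) pairs found in any XML part,
                    which is where an auto-execute-on-open hook would sit
    """
    result = {"basic_modules": [], "event_bindings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("Basic/") and name.endswith(".xml") \
                    and not name.endswith(LIBRARY_INDEX_FILES):
                result["basic_modules"].append(name)
            if not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a non-parsable part is itself worth a closer look
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                href = el.get(f"{{{XLINK_NS}}}href", "")
                result["event_bindings"].append((event, href))
    return result


def is_macro_bearing(indicators: dict) -> bool:
    """True when the package has Basic code or any binding to a document script."""
    if indicators["basic_modules"]:
        return True
    return any(href.startswith("vnd.sun.star.script:")
               for _, href in indicators["event_bindings"])


def build_sample_ods(with_macro: bool) -> bytes:
    """Construct a minimal ODS package in memory (constructed sample, not real mail)."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
    )
    if with_macro:
        # Assumption: the "Open Document" event is serialized as dom:load.
        content += (
            '<office:scripts><office:event-listeners>'
            '<script:event-listener script:language="ooo:script" '
            'script:event-name="dom:load" xlink:type="simple" '
            'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
            '?language=Basic&amp;location=document"/>'
            '</office:event-listeners></office:scripts>'
        )
    content += "<office:body/></office:document-content>"
    module = (
        '<script:module xmlns:script="http://openoffice.org/2000/script" '
        'script:name="Module1" script:language="StarBasic">'
        "Sub Main\n  ' constructed placeholder body\nEnd Sub"
        "</script:module>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        zf.writestr("content.xml", content)
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", module)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("plain", False), ("macro", True)):
        ind = inspect_ods(build_sample_ods(flag))
        print(label, ind, "-> flag" if is_macro_bearing(ind) else "-> clean")
```

A gateway rule built on this would quarantine or strip any spreadsheet that is macro-bearing by this test; the Hepet mail flow (an admin who opens every ODS that arrives) is exactly the case where the document event binding, not just the presence of `Basic/`, is the indicator to alert on.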
For privilege escalation, enumeration revealed an unquoted service path for veyon-service.exe, running as SYSTEM with automatic startup. The service binary was replaced with a msfvenom payload, and after a system reboot a shell as NT AUTHORITY\SYSTEM was received.
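The unquoted-path weakness is cheap to audit before anyone uses it. The script below is an added example and not part of the write-up: it takes a list of (service, ImagePath, account, start type) tuples, which on a live host you would collect from `sc qc` or the `HKLM\SYSTEM\CurrentControlSet\Services` keys, and reports services whose executable path contains spaces but no surrounding quotes, rating a SYSTEM auto-start service such as the one on Hepet as high. The entries in `SAMPLE_SERVICES` are constructed for the demonstration and the quoting fix it prints is the value you would set with `sc config <name> binPath=`.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces.

Added example (not from the write-up). Input rows are constructed; on a real
host they come from `sc qc <service>` or the Services registry key."""
import re

# Constructed sample rows: (service name, ImagePath, account, start type)
SAMPLE_SERVICES = [
    ("VeyonService", r"C:\Program Files\Veyon\veyon-service.exe", "LocalSystem", "auto"),
    ("GoodService", r'"C:\Program Files\Good App\svc.exe" --run', "LocalSystem", "auto"),
    ("NoSpaces", r"C:\Windows\system32\svchost.exe -k netsvcs", "LocalSystem", "auto"),
    ("ManualTool", r"C:\Tools\My Tool\tool.exe", r"NT AUTHORITY\LocalService", "manual"),
]

EXE_RE = re.compile(r"(.*?\.exe)(.*)", re.IGNORECASE)


def split_image_path(image_path: str) -> tuple[str, str]:
    """Split an ImagePath into (executable portion, arguments)."""
    p = image_path.strip()
    m = EXE_RE.match(p)
    if m:
        return m.group(1), m.group(2)
    head, _, tail = p.partition(" ")
    return head, (" " + tail if tail else "")


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not quoted and its executable part contains spaces."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_image_path(p)
    return " " in exe


def quoted_image_path(image_path: str) -> str:
    """Hardened value: executable wrapped in quotes, arguments left as they are."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"{args}'


def audit(services) -> list[dict]:
    """Return one finding per unquoted service path; SYSTEM + auto start is high."""
    findings = []
    for name, path, account, start in services:
        if not is_unquoted_with_spaces(path):
            continue
        high = account.lower() == "localsystem" and start.lower() == "auto"
        findings.append({
            "service": name,
            "severity": "high" if high else "medium",
            "fix": quoted_image_path(path),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f'{f["severity"]:6} {f["service"]}: set binPath= {f["fix"]}')
```

Quoting the path removes the weakness outright; the complementary check, which the audit does not do for you, is to confirm that no non-administrator can write to the directories along a service's path, since that write permission is what turns an unquoted path from a finding into the SYSTEM shell described above.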
PATH TO FOLLOW
- Reconnaissance & Web Application Credential Discovery
- Finger Enumeration for Valid Usernames
- IMAP Mail Enumeration & Target Identification
- Malicious LibreOffice ODS Macro Crafting (Windows Structure)
- Email Delivery via sendemail & Reverse Shell
- Unquoted Service Path Discovery
- Service Binary Replacement & Shell as NT AUTHORITY\SYSTEM
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.