Skip to main content

Craft

Enumeration

  • Nmap scan
Nmap scan report for 192.168.179.169
Host is up, received user-set (0.24s latency).
Scanned at 2026-04-09 07:05:21 UTC for 38s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Craft
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
Warning: OSScan results may be unreliable because we could not find at
  • We can upload a file

  • File must be odt

  • We can write a macro and set trigger to execute on opening the document.

Craft Exploit

  • Creating odt file using LibreOffice

  • Go to tools > macros > Organise Macros > basic

  • Click New to create new macro and give macro a name
  • Create a powershell reverse shell code

  • Use it in the macro

  • Save macro and close this window
  • Go to odt file window > tools > customise

  • Select events > open document

  • Select macro from odt file and click ok, you should see below

  • Click ok save everything and close libereoffice

Exploitation

  • Upload the crafted odt file

  • And we get the reverse shell

Lateral Movement

  • After getting reverse shell I noticed there are multiple users.
S C:\Program Files\LibreOffice\program> whoami
craft\thecybergeek
PS C:\Program Files\LibreOffice\program> net users

User accounts for \\CRAFT

-------------------------------------------------------------------------------
Administrator apache DefaultAccount
Guest thecybergeek WDAGUtilityAccount
The command completed successfully.

PS C:\Program Files\LibreOffice\program>
  • Trying to access apache user
  • There is interesting folder xampp at C:\
ls


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/13/2021 3:27 AM java
d----- 5/28/2021 4:20 AM PerfLogs
d-r--- 7/13/2021 3:37 AM Program Files
d----- 5/28/2021 3:53 AM Program Files (x86)
d-r--- 7/13/2021 3:35 AM Users
d----- 10/14/2021 1:30 AM Windows
d----- 5/28/2021 6:04 AM Windows10Upgrade
d----- 7/13/2021 3:24 AM xampp
-a---- 4/11/2026 3:51 AM 2697 output.txt

  • We have write access and the file is hosted via apache and php.

  • We can create php file to access apache user
  • Uploaded cmd.php

  • Getting reverse shell from cmd.php using powershell code

  • After executing powershell code from cmd.php we get second shell as apache user

  • Apache user have SeImpersonate Privilege enabled

Privilege Escalation

  • Using PrintSpooler.exe to exploit SeIpersonate privilege

  • We are administrator