Craft
Enumeration
- Nmap scan
Nmap scan report for 192.168.179.169
Host is up, received user-set (0.24s latency).
Scanned at 2026-04-09 07:05:21 UTC for 38s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Craft
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
Warning: OSScan results may be unreliable because we could not find at
- We can upload a file

- File must be odt

- We can write a macro and set trigger to execute on opening the document.
Craft Exploit
- Creating odt file using LibreOffice

- Go to
tools > macros > Organise Macros > basic

- Click
Newto create new macro and give macro a name - Create a powershell reverse shell code

- Use it in the macro

- Save macro and close this window
- Go to
odt file window > tools > customise

- Select
events > open document

- Select macro from odt file and click ok, you should see below

- Click ok save everything and close libereoffice
Exploitation
- Upload the crafted odt file

- And we get the reverse shell

Lateral Movement
- After getting reverse shell I noticed there are multiple users.
S C:\Program Files\LibreOffice\program> whoami
craft\thecybergeek
PS C:\Program Files\LibreOffice\program> net users
User accounts for \\CRAFT
-------------------------------------------------------------------------------
Administrator apache DefaultAccount
Guest thecybergeek WDAGUtilityAccount
The command completed successfully.
PS C:\Program Files\LibreOffice\program>
- Trying to access apache user
- There is interesting folder
xamppatC:\
ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/13/2021 3:27 AM java
d----- 5/28/2021 4:20 AM PerfLogs
d-r--- 7/13/2021 3:37 AM Program Files
d----- 5/28/2021 3:53 AM Program Files (x86)
d-r--- 7/13/2021 3:35 AM Users
d----- 10/14/2021 1:30 AM Windows
d----- 5/28/2021 6:04 AM Windows10Upgrade
d----- 7/13/2021 3:24 AM xampp
-a---- 4/11/2026 3:51 AM 2697 output.txt
- We have write access and the file is hosted via apache and php.

- We can create php file to access
apacheuser - Uploaded
cmd.php

- Getting reverse shell from
cmd.phpusing powershell code

- After executing powershell code from
cmd.phpwe get second shell asapacheuser

- Apache user have
SeImpersonatePrivilege enabled
Privilege Escalation
- Using
PrintSpooler.exeto exploitSeIpersonateprivilege

- We are administrator