Hack The Box Job

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/01/26/htb-job.html
• Blog Title: Hack The Box: Job
• Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (IIS/AppPool SeImpersonatePrivilege -> GodPotato) AND Network Services Pentesting -> Pentesting Web -> IIS / ASP.NET (Writeable webroot -> ASPX webshell) AND Phishing Methodology / Client-side -> Malicious Documents (LibreOffice macro auto-execution via document events + swaks delivery notes)

🎯 Content Summary

This post is a HackTheBox “Job” walkthrough on Windows Server 2022 (build 20348). It chains: (1) client-side RCE by emailing a malicious LibreOffice .odt with an auto-executing Basic macro via SMTP, (2) remote command execution via IIS by abusing write permissions to the IIS webroot to drop an ASPX cmd webshell, and (3) local privilege escalation to SYSTEM from an IIS AppPool token that has SeImpersonatePrivilege, using GodPotato<...

🔧 Technical Details

SMTP-delivered “document open” macro execution (LibreOffice Writer): If a target workflow opens untrusted LibreOffice documents (e.g., CV intake), an attacker can embed a LibreOffice Basic macro and bind it to the Open Document event (Tools → Customize → Events). The macro can invoke OS command execution to run a reverse shell. A crucial implementation detail is LibreOffice Basic quoting: embed quotes inside a quoted string by doubling them (""), otherwise the macro breaks (the post highlights a command tail like AApAA==""") to correctly close nested strings). Deliver the payload via SMTP using swaks, and use --attach @file so the attachment content is the document bytes (not the filename).

Write-to-webroot → ASPX webshell execution on IIS: When a low-privileged user/group has write permissions to the IIS webroot (e.g., JOB\developers:(OI)(CI)F on C:\inetpub\wwwroot), an a...

🤖 Agent Actions

Summary:

• Added LibreOffice ODT auto-run macro tradecraft, quoting nuances, and swaks --attach @file delivery guidance to phishing documents methodology with updated references.
• Documented IIS webroot write-to-ASPX-shell abuse workflow and AppPool-to-potato escalation note, plus added HTB Job reference.
• Enriched GodPotato usage notes with .NET build selection and staged payload execution from webshells; referenced the HTB Job chain.

Files Modified:

• src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
• src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
• src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/01/26/htb-job.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (IIS/AppPool SeImpersonatePrivilege -> GodPotato) AND Network Services Pentesting -> Pentesting Web -> IIS / ASP.NET (Writeable webroot -> ASPX webshell) AND Phishing Methodology / Client-side -> Malicious Documents (LibreOffice macro auto-execution via document events + swaks delivery notes)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0