Machine Synopsis
JobTwo is a hard-difficulty Windows machine that involves a macro phishing attack for the initial foothold. The box has hMailServer installed, which includes a configuration file containing encrypted credentials for the database connection. After extracting the password database, we decrypt the SQL Server Compact database file (SDF), which gives us a compromised user who can use WinRM to access the machine. The machine has a vulnerable version of Veeam Backup & Replication; the attacker executes a malicious executable under `sqlserver.exe`, which is running as SYSTEM, to gain full access.
Machine Matrix