Mailing
By replican
Mailing · Windows · Easy
User TL;DR
LFI on port 80
Cracking the hashed password of the hMailServer admin email creds
Zero-click account leak via Outlook
Root TL;DR
LibreOffice CVE-2023-2255
Dump SAM creds
User Flag
First we scan the IP with nmap.
# Nmap 7.94 scan initiated Thu May 16 02:37:04 2024 as: nmap -sC -sV --verbose -oN reports_10.129.231.40 10.129.231.40
Nmap scan report for 10.129.231.40
Host is up (0.064s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp open smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
993/tcp open ssl/imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-05-15T19:37:36
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 16 02:38:16 2024 -- 1 IP address (1 host up) scanned in 71.32 seconds
SMB, IMAP, POP3 and HTTP are open.
Going straight to initial discovery on port 80, we first add mailing.htb to /etc/hosts.
From this we know it runs hMailServer.

First user initial foothold
Searching for an exploit right away turns up an LFI: https://www.exploit-db.com/exploits/7012
But when checked, the path isn't there, so we try dirsearch.
There is a download.php, so we put the payload into it.
The exploit-db entry only uses plain Program Files, but since plain Program Files gives a 404 we try Program Files (x86) instead, and there it is. It downloads.
Put it into a file so we can crack it.
We get the email creds:
administrator@mailing.htb:homenetworkingadministrator
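Added example, not from the writeup: the LFI above seen from the defender's side. It scans constructed IIS W3C log lines and flags download.php requests whose file parameter contains a traversal sequence or an absolute Windows path (the parameter name `file`, the client IPs and the log layout are assumptions; the target IP is the box from the scan above).

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-format log lines (not from the original writeup). Default field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
# The "file" parameter name and the client IPs are assumptions; 10.129.231.40 is the box.
SAMPLE_LOG = """\
2024-05-16 02:40:01 10.129.231.40 GET /download.php file=instruction.pdf 80 - 10.10.14.5 Mozilla/5.0 200
2024-05-16 02:41:12 10.129.231.40 GET /download.php file=..%5c..%5c..%5cwindows%5cwin.ini 80 - 10.10.14.5 Mozilla/5.0 200
2024-05-16 02:42:30 10.129.231.40 GET /download.php file=C:%5cProgram+Files+(x86)%5chMailServer%5cBin%5chMailServer.INI 80 - 10.10.14.5 Mozilla/5.0 200
2024-05-16 02:43:05 10.129.231.40 GET /index.php - 80 - 10.10.14.7 Mozilla/5.0 200
"""

# "../" or "..\" anywhere in the value, or an absolute drive path at the start.
TRAVERSAL = re.compile(r"\.\.[\\/]|^[A-Za-z]:[\\/]")

def decode_param(query, name):
    """Return the decoded value of one query parameter, or None if it is absent.

    parse_qs decodes once; the extra unquote catches double-encoded sequences
    (e.g. %252e%252e%255c) that a single decode would leave intact."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return unquote(values[0]) if values else None

def scan_iis_log(text, stem="/download.php", param="file"):
    """Flag requests to the download endpoint whose file parameter leaves the web root."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):      # skip W3C header/comment lines
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        date, time, _sip, _method, uri_stem, query, _port, _user, client = fields[:9]
        if uri_stem.lower() != stem or query == "-":
            continue
        value = decode_param(query, param)
        if value is None:
            continue
        if TRAVERSAL.search(value):
            reason = "path traversal or absolute path"
        elif "\\" in value or "/" in value:
            reason = "path separator in filename"
        else:
            continue
        findings.append({"time": f"{date} {time}", "client": client, "path": value, "reason": reason})
    return findings

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```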
Second user initial foothold
Back to port 80, open the instruction.pdf (the download button at the bottom).

Here we learn that when we send an email, Maya will automatically look at it (we assume there is a bot that auto-reads every new message).
This immediately brings to mind the exploit that recently came out for the Outlook email client (I also learned of it from a hint on the HTB forum :v).
So we use Responder and the CVE to gain the zero-click account leak.
For those who don't know, Responder is what we use to get Maya's creds after we send the email.
In Responder we get Maya's hashed creds; we just crack them again with hashcat, this time using mode 5600.
We get it, and log in straight away with evil-winrm.
On the desktop we get the user flag.
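Added example, not from the writeup: the network-side footprint of the zero-click leak above is Outlook itself opening an SMB connection to an untrusted host and authenticating, which is what Responder captures. This rule runs over constructed Sysmon Event ID 3 records and alerts on any outlook.exe connection to ports 139/445 outside an allowlist (the domain name, user, image paths, the allowlisted range and the 10.10.14.5 / 203.0.113.9 destinations are assumptions).

```python
import ipaddress
import json

# Constructed Sysmon Event ID 3 (network connection) records, reduced to the fields the rule
# uses; not from the original writeup. Domain, user, image paths and the 10.10.14.5 /
# 203.0.113.9 destinations are made up; 10.129.231.40 is the mail server from the scan.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "User": "MAILING\\maya", "DestinationIp": "10.129.231.40", "DestinationPort": 993, "Initiated": true}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "User": "MAILING\\maya", "DestinationIp": "10.10.14.5", "DestinationPort": 445, "Initiated": true}
{"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "User": "MAILING\\maya", "DestinationIp": "10.129.231.40", "DestinationPort": 445, "Initiated": true}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "User": "MAILING\\maya", "DestinationIp": "203.0.113.9", "DestinationPort": 445, "Initiated": true}
"""

SMB_PORTS = {139, 445}

# Assumed allowlist: the only range a mail client should ever reach over SMB (internal servers).
TRUSTED_NETS = [ipaddress.ip_network("10.129.231.0/24")]

def is_trusted(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)

def find_outlook_smb_leaks(text, trusted_nets=TRUSTED_NETS):
    """Return Outlook-initiated SMB connections to hosts outside the allowlist.

    A private (RFC1918) check alone would miss the 10.10.14.x capture host used in the
    writeup, so the rule is allowlist-based rather than public/private-based."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()   # basename of the process image
        if image != "outlook.exe" or ev.get("DestinationPort") not in SMB_PORTS:
            continue
        if is_trusted(ev["DestinationIp"], trusted_nets):
            continue
        hits.append({"user": ev["User"], "dst": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'})
    return hits

if __name__ == "__main__":
    for hit in find_outlook_smb_leaks(SAMPLE_EVENTS):
        print("ALERT outlook.exe -> untrusted SMB destination", hit)
```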
Root Flag
First root initial foothold
We check the list of programs in Program Files.
LibreOffice version 7.4: https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255
Its purpose is to put Maya in the admin group so she can dump the SAM creds.
After that, place it in C:\Important Documents.
Second root initial foothold
The user maya now has the administrator group, so we dump the localadmin creds.
Got them; just log in again via winrm.
Done, go to the desktop again and there is the root flag.