Mailing - Hack The Box
Enumeration
Nmap
The initial Nmap scan revealed that the SMTP, IMAP, POP3, SMTPS, HTTP and SMB ports are open.
Web Enumeration
I applied directory and vhost brute forcing which did not reveal any useful information.
Then, while checking the website, I found a ‘download.php’ file which downloads any file that is given in the file parameter. So this endpoint has a file disclosure vulnerability.
I know that the website is using hMailServer, so I simply searched for the hMailServer config file location and tried to access it, which revealed the MD5 hash of the administrator.
Crack The Hash
Then, using CrackStation, I cracked the administrator hash.
Exploitation
SMTP
Using the administrator credentials, I tried to log in to the SMTP server and it worked.
CVE-2024-21413
Now I know the target is Windows and it is using a mail server. So I simply searched for Windows mailing exploits and found an RCE exploit. The vulnerability arises from improper input validation of the file protocol.
So we need to craft a mail with a malicious file URL and capture the NTLMv2 hash with Responder. Below are the names that were found on the website. Instructions.pdf reveals the mail format ‘maya@mailing.htb’. So using the names below, we can send each one of them a malicious mail.
Maya was the one who opened the mail.
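From the defender's side, the same behaviour can be caught at the mail gateway: a link in an HTML body that uses the file protocol or a UNC path and names a remote host should be flagged before it reaches a mailbox. The following is an added example, not part of the original write-up; the function names are hypothetical and the sample message is constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# A file: URL or UNC path naming a host makes the client authenticate over SMB.
REMOTE_FILE = re.compile(r"^(file:|\\\\)", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collects every href/src value found in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        self.targets += [v for k, v in attrs if k in ("href", "src") and v]

def remote_file_host(target):
    """Return the host a file:/UNC link points at, or None for anything else."""
    t = target.strip()
    if not REMOTE_FILE.match(t):
        return None
    # Normalise backslashes, then drop the scheme so only slashes + path remain.
    path = re.sub(r"^file:", "", t.replace("\\", "/"), flags=re.IGNORECASE)
    slashes = len(path) - len(path.lstrip("/"))
    host = path.lstrip("/").split("/", 1)[0]
    # 0, 1 or 3 leading slashes is a local path (file:///C:/...), not a host.
    if slashes in (0, 1, 3) or not host or host.lower() == "localhost":
        return None
    return host

def scan_message(raw):
    """Return the sorted remote hosts referenced from the HTML parts of a mail."""
    hosts = set()
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        collector = LinkCollector()
        collector.feed(body)
        hosts.update(h for h in map(remote_file_host, collector.targets) if h)
    return sorted(hosts)

# Constructed sample message (addresses are from documentation ranges).
SAMPLE = r"""From: sender@example.test
Content-Type: text/html; charset="utf-8"

<a href="file://192.0.2.10/share/report.docx">report</a>
<img src="\\192.0.2.11\img\logo.png"> <a href="file:///C:/readme.txt">local</a>
"""
```

A non-empty result from `scan_message` is a reason to quarantine the message; blocking outbound SMB (TCP 445) at the perimeter covers links that such a filter misses.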
Crack The Hash
So I simply cracked Maya’s hash.
Got The User
Maya had permission to PSRemote so using ‘evil-winrm’, I got the user flag.
Privilege Escalation
LibreOffice
A vulnerable version of LibreOffice was running.
Searching the internet reveals that this version can allow users to run commands with a maliciously crafted odt file. I created a file that runs nc64.exe and put it in the ‘Important Documents’ folder, where maya had write permissions over SMB.
Got The Administrator Shell
Then I started a netcat listener, and after a while I got the administrator shell.
Pwned
The machine was fully compromised.