Introduction to Mailing:

In this write-up, we will explore the “Mailing” machine from Hack the Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Mailing” machine from Hack The Box by achieving the following objectives:

User Flag:

PHP Site Vulnerability

  • Found a PHP site with a file read vulnerability.
  • Detected a directory traversal exploit allowing deeper access to the file system.

CVE-2024-21413 Exploitation

  • A remote code execution vulnerability in Microsoft Outlook allows the capture of user hashes via specially crafted emails or links.
  • Exploiting the vulnerability enables unauthorized access to credentials for further system exploitation.

Root Flag:

hMailServer Configuration Leak and Credential Discovery

  • Extracted the hMailServer configuration file.
  • Cracked the password hash to retrieve valid credentials.

CVE-2023-2255 Exploitation

  • A flaw in LibreOffice’s editor components allowed the automatic loading of external links without user consent.
  • Documents with “floating frames” linked to external files triggered this vulnerability.
  • Affected versions: LibreOffice 7.4 (before 7.4.7) and 7.5 (before 7.5.3).

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.14

Nmap Output:

┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $nmap -sC -sV 10.10.11.14 -oA initial 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 06:34 EDT
Nmap scan report for 10.10.11.14
Host is up (0.017s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
25/tcp  open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open  pop3          hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp open  imap          hMailServer imapd
|_imap-capabilities: RIGHTS=texkA0001 IDLE CHILDREN NAMESPACE IMAP4rev1 IMAP4 completed ACL CAPABILITY QUOTA OK SORT
445/tcp open  microsoft-ds?
465/tcp open  ssl/smtp      hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imap      hMailServer imapd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
|_imap-capabilities: RIGHTS=texkA0001 IDLE CHILDREN NAMESPACE IMAP4rev1 IMAP4 completed ACL CAPABILITY QUOTA OK SORT
|_ssl-date: TLS randomness does not represent time
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-09-07T10:25:06
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -10m10s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.37 seconds

Analysis:

  • Port 25 (SMTP): Handles email transmission via hMailServer smtpd, supports authentication.
  • Port 80 (HTTP): Web server running on IIS 10.0, redirects to mailing.htb.
  • Port 110 (POP3): hMailServer pop3d used for retrieving emails from the server.
  • Port 135 (MSRPC): Microsoft RPC service for remote procedure calls.
  • Port 139 (NetBIOS-SSN): Provides file and printer sharing over NetBIOS.
  • Port 143 (IMAP): hMailServer imapd for email retrieval with IMAP protocol.
  • Port 445 (Microsoft-DS): Likely SMB file-sharing service on Windows.
  • Port 465 (SSL/SMTP): Secure SMTP for sending emails using SSL encryption.
  • Port 587 (SMTP): SMTP service using STARTTLS for secure email communication.
  • Port 993 (SSL/IMAP): Secure IMAP for encrypted email access.
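As an added example (not part of the original write-up), here is a small Python parser for nmap's normal output that rebuilds the port table above and then applies two checks a defender would want from this particular scan: SMTP listeners that advertise AUTH LOGIN/PLAIN with no TLS option at all, and SMB signing that is enabled but not required. The input is a constructed excerpt of the scan shown above; the check names and finding messages are my own, not nmap's.

```python
import re

# Constructed excerpt of the nmap output shown above; only a few lines are kept
SCAN_EXCERPT = """\
PORT    STATE SERVICE       VERSION
25/tcp  open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
445/tcp open  microsoft-ds?
465/tcp open  ssl/smtp      hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
587/tcp open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# "25/tcp  open  smtp          hMailServer smtpd" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Split nmap -sC/-sV normal output into per-port records (each carrying
    the NSE script lines printed under it) and the host-level script lines."""
    services, host_scripts = [], []
    current, in_host_section = None, False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host_section, current = True, None
            continue
        m = PORT_LINE.match(line)
        if m and not in_host_section:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": []}
            services.append(current)
        elif line.startswith("|"):
            body = line.lstrip("|_ ").rstrip()      # drop the "| " / "|_ " tree prefix
            if in_host_section:
                host_scripts.append(body)
            elif current is not None:
                current["scripts"].append(body)
    return services, host_scripts


def review(services, host_scripts):
    """Defender-side checks over the parsed scan (the finding wording is mine)."""
    findings = []
    for svc in services:
        cmds = next((s for s in svc["scripts"] if s.startswith("smtp-commands:")), "")
        if not cmds:
            continue
        tls_wrapped = svc["service"].startswith("ssl/")     # implicit TLS, e.g. 465
        if "AUTH LOGIN PLAIN" in cmds and not tls_wrapped and "STARTTLS" not in cmds:
            findings.append(f"{svc['port']}/{svc['proto']}: AUTH LOGIN/PLAIN offered without any TLS")
    if any("Message signing enabled but not required" in s for s in host_scripts):
        findings.append("SMB signing enabled but not required (smb2-security-mode)")
    return findings


if __name__ == "__main__":
    svcs, host = parse_nmap(SCAN_EXCERPT)
    for s in svcs:
        print(f"{s['port']}/{s['proto']:<4} {s['service']:<14} {s['version']}")
    for finding in review(svcs, host):
        print("FINDING:", finding)
```

Port 587 is deliberately not flagged because it advertises STARTTLS; whether the server also accepts AUTH before STARTTLS on that port is a separate test the parser cannot answer from this output.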

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

gobuster dir -u http://10.10.11.14 -w /usr/share/wordlists/dirb/common.txt

Gobuster Output:

┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $gobuster dir -u http://mailing.htb -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://mailing.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 160] [--> http://mailing.htb/assets/]
/Assets               (Status: 301) [Size: 160] [--> http://mailing.htb/Assets/]
/instructions         (Status: 301) [Size: 166] [--> http://mailing.htb/instructions/]
/Instructions         (Status: 301) [Size: 166] [--> http://mailing.htb/Instructions/]
Progress: 20116 / 20117 (100.00%)
===============================================================
Finished
===============================================================

Analysis:

Status Code 301 (Moved Permanently):

  • These paths are redirected, indicating they are directories:
    • /assets --> /assets/
    • /Assets --> /Assets/
    • /instructions --> /instructions/
    • /Instructions --> /Instructions/

Web Exploitation

Web Application Exploration:

The site’s interface is pretty basic, and at first glance, it doesn’t seem like there’s much to explore.

A few image files are sitting in the assets directory.

You can spot the download option at the bottom of the page.

I encountered an error stating, “No file specified for download.”

Exploit CVE-2024-21413 on mailing machine

CVE-2024-21413 is a remote code execution flaw in Microsoft Outlook that can be used to capture user hashes. The exploit code is available at this GitHub repository.

It seems like an LFI (Local File Inclusion) attack might be possible here.
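The file read bug on the site comes down to a download handler joining a user-supplied name onto a base directory without checking where the result ends up. As an added illustration (not the site's PHP code, and written in Python rather than PHP), the defect is shown next to its hardened form: decode once, reject empty and NUL-containing names, normalise, and require the resolved path to stay under the download root. DOWNLOAD_DIR and the request strings are constructed for the example.

```python
import os
from urllib.parse import unquote

# Hypothetical download root; stands in for the site's own files folder
DOWNLOAD_DIR = "/srv/site/instructions"


def unsafe_resolve(base_dir, requested):
    """The defect in miniature: the user-supplied name is joined onto the base
    directory with no containment check, so "../" segments walk out of it."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir, requested):
    """Hardened form: decode once, reject empty and NUL-containing names,
    normalise, then require the resolved path to remain under base_dir."""
    if not requested:
        raise ValueError("No file specified for download")
    name = unquote(requested)                # undo one layer of %2F / %2E encoding
    if "\x00" in name:
        raise ValueError("invalid character in file name")
    name = name.replace("\\", "/")           # a Windows separator is a separator too
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, name))
    # commonpath compares whole segments, so "/srv/site/instructions2" is
    # not mistaken for a child of "/srv/site/instructions"
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes download directory")
    return target


def is_allowed(base_dir, requested):
    """True if safe_resolve accepts the request, False if it rejects it."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except ValueError:
        return False


def serve(base_dir, requested):
    """Read the file only after the path has been validated (handler sketch)."""
    path = safe_resolve(base_dir, requested)
    if not os.path.isfile(path):
        raise FileNotFoundError(requested)
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    for req in ("readme.txt", "../../secret.txt", "..%2F..%2Fsecret.txt", "..\\..\\secret.txt", ""):
        print(f"{req!r:26} unsafe -> {unsafe_resolve(DOWNLOAD_DIR, req):26} "
              f"allowed -> {is_allowed(DOWNLOAD_DIR, req)}")
```

The decode step matters because a handler that normalises before decoding lets an encoded "..%2F" through untouched; decoding exactly once and then normalising closes that gap without trying to enumerate bad patterns.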

What is hMailServer?

hMailServer was a free email server for Windows, developed by Martin Knafve. It operated as a Windows service and included tools for management and backup. The server supported IMAP, POP3, and SMTP protocols and could use external databases like MySQL, MS SQL, or PostgreSQL, or an internal MS SQL Compact Edition engine for storing configuration and index data. Email messages were stored on disk in raw MIME format. As of January 15, 2022, active support and development have ended, but version 5.6 still receives updates for critical bugs.

We’ve found an MD5 password hash, which we need to crack to recover the password. We’ll try CrackStation on it.

We’ve successfully cracked the password.

Play around with Responder

Configuring Responder:
To capture the hash, launch Responder using the following command:

sudo responder -I tun0

It’s running as demonstrated above.

We’ll run the Python script as shown above.

We can read the user flag with the “cat user.txt” command.

Escalation to Root Privileges Access

Privilege Escalation:

  • Exploration: While investigating the system, we found a LibreOffice document, dark.odt, that stood out because of the LibreOffice version associated with it.
  • LibreOffice Version: We checked which LibreOffice version the file is tied to, since the version decides which vulnerabilities or exploits apply.

After searching, I located the LibreOffice component in the Program Files folder, and it’s version 7.4.

CVE-2023-2255 Vulnerability

LibreOffice had a flaw in its editor components that let attackers create documents causing external links to load automatically without user consent. Specifically, documents with “floating frames” linked to external files would load their contents without asking for permission. This inconsistent handling affected versions of LibreOffice 7.4 before 7.4.7 and 7.5 before 7.5.3.
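Two defender-side checks this section suggests, as an added example that is not part of the write-up: deciding whether an installed LibreOffice version falls inside the affected ranges quoted above, and scanning an .odt for floating frames whose xlink:href points outside the document, which is the construct the description names. The ODT sample is constructed in memory with a placeholder href; the element and attribute names follow the ODF drawing and XLink namespaces, and the version-range table encodes only the two ranges stated above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DRAW_NS = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Affected ranges as stated above: [first affected, first fixed) per branch
AFFECTED_RANGES = (((7, 4, 0), (7, 4, 7)), ((7, 5, 0), (7, 5, 3)))


def parse_version(text):
    """'7.4.5.1' -> (7, 4, 5, 1); '7.4.7.2 (x64)' -> (7, 4, 7, 2);
    a bare '7.4' is padded to (7, 4, 0) so it compares against the ranges."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected_cve_2023_2255(version):
    """True when the version lies in 7.4 < 7.4.7 or 7.5 < 7.5.3."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def external_floating_frames(odt_bytes):
    """Return the xlink:href targets of floating frames in content.xml that
    point outside the document (anything other than a '#fragment' link)."""
    hrefs = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        root = ET.fromstring(z.read("content.xml"))
    for frame in root.iter(f"{{{DRAW_NS}}}floating-frame"):
        href = frame.get(f"{{{XLINK_NS}}}href", "")
        if href and not href.startswith("#"):
            hrefs.append(href)
    return hrefs


def build_sample_odt(href=None):
    """Constructed minimal ODT: one paragraph, optionally with a floating frame."""
    frame = (f'<draw:frame><draw:floating-frame xlink:href="{href}"/></draw:frame>'
             if href else "")
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        f'xmlns:draw="{DRAW_NS}" xmlns:xlink="{XLINK_NS}">'
        f'<office:body><office:text><text:p>sample{frame}</text:p></office:text></office:body>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("7.4", "7.4.5.1", "7.4.7.2 (x64)", "7.5.2", "7.5.3"):
        print(f"LibreOffice {v:<14} affected: {is_affected_cve_2023_2255(v)}")
    # placeholder href; a real scan would run over documents on disk
    sample = build_sample_odt("file:///C:/placeholder/linked.odt")
    print("external floating frames:", external_floating_frames(sample))
```

The write-up only records "version 7.4" for the installed copy; parse_version pads that to 7.4.0, so the patch level should be read from the installed product before trusting the result.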

Run the Python script to generate an output file.

Copy the file to the victim’s machine.

The dark.odt file doesn’t work when executed from the home directory; it only functions when run from C:\Important Documents. After execution, you can see that Maya’s Local Group Memberships have changed to Administrators.

Next, we need to log in as localadmin and obtain that account’s hash. We can use netexec for this.

We can read the root flag with the “type root.txt” command.