Official Mailing Discussion

Just rooted the box. I feel this is a medium box. Some tips:

user: you need to fish to get something and crack it using the cat
root: not that easy for me, find some unusual directories and look for something that may use that. this needs a lot of connecting the dots

Can someone give me a hint for user foothold. i have identified L** on the ** but cant seem to exploit it.

thanks .

hi guy search for config file on the mail server

Maybe you should look for other potential users? And a CVE against the service you’re using to exploit those users?

I can perform the Python script exploit, but nothing appears with impacket or responder.

Tried multiple ways of executing with different parameters, nothing ever comes back.

Edit: I just watched a walkthrough, and read another - I’ve performed the exact same things - and I get no results returned. Something doesn’t appear to be working.

This one root took me awhile. I was thinking in regards of user execution context and spent way too much time trying to exploit the initial foothold user. This box is working just fine. For user I suggest checking your url syntax. To collect a hash you need to reference a samba style share that doesn’t need to exist.

PS - Please cleanup after you leave otherwise it is confusing to people that get a foothold and are already an admin :slight_smile:

stuck in empty mail box for ad*** :pensive:

same. Well, at least we are in the mailbox haha

I have a question, although I am a newbie, but I started by deciding to scan the ports of the machine, and no matter what flag I use (-Pn, -sV, -p-, -sX, -sU, -sN, -sA ), it it still says that all 1000 ports of the first are closed, although apparently this is not the case, what am I doing wrong?

@LostChance verify your vpn connection, and check if you typed the ip address of the target correctly, it should work

1 Like

I am stumped here. I have identified the L**. I have used it to reveal h**********.ini, I have decrypted the Adm** hash. But the other password for the mssqlce db I cannot decrypt.

My question is how do I gain a foothold? I can’t figure out how to get my reverse shell. I can’t even use thunderbird and get into the mail server. I have used all three of the given names and common usernames.

Am I down the wrong rabbit hole here?

I’m stuck at that part now…

Try taking a walk on the SMTP side…

May I ask how I can properly do the enumeration for the privilege escalation?

I have a session via evil-winrm but it is extremely broken.
As for winpeas, none of the versions work. They all crash at some point and kill my session. Before that they only produce broken output.

When trying to use evil-winrms Invoke-Binary feature, I only ever get Error: Check File names. Loading ps1 scipts also kills the session

I will try to do it manually for now, but I have always had these issues and am wondering what I am doing wrong.

Im having issue finding out the correct syntax for the L** portion… how do i determine the file location and how to traverse to it… relatively new

What worked for me was reading:

  • Documentation about hMailServer (especially)
  • Guides about LFI
  • Documentation about the windows server
1 Like

how do people create office 365 A1 accounts for mailing?

A good tip here would be:
For determining the location, look up relevant CVEs for the software being used. You should quickly come across the location of interesting files.

Then for how to traverse, try to use your L** to reveal the code for the do******.php script. It should help tell you where you are in the file system.

Then put those two together.

1 Like

There’s one particular file from hMailServer that would be nice to get your hands on. You’ll have to refer doc and guess a bit (I found a forum post listing the full path where it was installed since I couldn’t be botherer to install it myself and see) then experiment with arguments to get it.

1 Like

winPEAS.bat ran ok for me