hMailServer


The target system hosts a mail service, hMailServer, which was initially discovered because port 25 was open on the target. I could also see other mail-related ports open. Upon gaining the initial foothold, PEAS also identified the hMailServer service.

The installation directory is C:\Program Files (x86)\hMailServer

 
PS C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F> ls
 
 
    Directory: C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          1/1/2024   6:32 AM            997 {2F7523BD-628F-4359-913E-A873FCC59D0F}.eml  
 
PS C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F> cat "{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml"
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
	by MAINFRAME with ESMTP
	; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 
Hi everyone,
 
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
 
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
 
Yours in click-worthy URLs,
 
The Web Dev Team

There is an interesting email sent by webdevs@axlle.htb about OSINT Application Testing.

It outlines that the Web Development team is working on automating the process of checking and adding URLs to the OSINT portal. They have requested that team members contribute web shortcuts by placing them in the C:\inetpub\testing directory for testing purposes.

PS C:\> ls C:\inetpub\testing -Hidden

The C:\inetpub\testing directory is empty.

Presumably, there is a scheduled task that automates the process of checking and adding URLs to the OSINT portal, as the email claims.
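
From the defender's side, an automation like the one the email describes should validate each dropped shortcut before acting on it. The following is an added example, not code from the target system or from this write-up; the function name Test-UrlShortcut, the http/https allowlist and the sample files are assumptions.

```powershell
# Added example: validate Internet Shortcut (.url) files before any automation
# opens them. Function name and allowlist policy are assumptions.
function Test-UrlShortcut {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedSchemes = @('http', 'https')
    )

    $section = $null
    $target  = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Only the URL key of the [InternetShortcut] section names the target.
        if ($section -eq 'InternetShortcut' -and $line -match '^URL\s*=\s*(.*)$') {
            $target = $Matches[1].Trim()
        }
    }

    $result = [pscustomobject]@{ Path = $Path; Target = $target; Allowed = $false; Reason = '' }
    if (-not $target) { $result.Reason = 'no URL key in [InternetShortcut]'; return $result }

    # On Windows, drive-letter and UNC paths parse as the file scheme,
    # so they fail the scheme allowlist below as well.
    $uri = $null
    if (-not [Uri]::TryCreate($target, [UriKind]::Absolute, [ref] $uri)) {
        $result.Reason = 'target is not an absolute URI'; return $result
    }
    if ($uri.Scheme -notin $AllowedSchemes) {
        $result.Reason = "scheme '$($uri.Scheme)' is not allowed"; return $result
    }
    $result.Allowed = $true
    return $result
}

# Constructed sample input: two shortcut files written to a temp folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'url-shortcut-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'portal.url') -Value "[InternetShortcut]`r`nURL=https://example.com/news"
Set-Content -LiteralPath (Join-Path $dir 'local.url')  -Value "[InternetShortcut]`r`nURL=file:///C:/Users/Public/notes.txt"

Get-ChildItem -LiteralPath $dir -Filter *.url |
    ForEach-Object { Test-UrlShortcut -Path $_.FullName } |
    Format-Table Path, Target, Allowed, Reason -AutoSize
```

Only shortcuts with Allowed set to True should be handed to whatever fetches the URL, and that fetch should be an HTTP request made by the script rather than a shell open of the shortcut file.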

There is a well-known shortcut URL trick to get code execution. Moving on to the Lateral Movement phase.