SMTP
Nmap discovered an SMTP server on the target port 25.
The running service is hMailServer smtpd.
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ dig +short mx mail.outdated.htb @$IP
dc.outdated.htb.
Interestingly, there is no MX record registered for the target domain. Instead, mail.outdated.htb is an alias to the dc.outdated.htb host.
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ nmap -Pn --script smtp-* -p25 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 13:28 CET
Nmap scan report for dc (10.10.11.175)
Host is up (0.033s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| smtp-enum-users:
|_ Couldn't perform user enumeration, authentication needed
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|_smtp-open-relay: Server isn't an open relay, authentication needed
| smtp-brute:
| accounts: No valid accounts found
|_ statistics: Performed 9961 guesses in 600 seconds, average tps: 14.5
Nmap done: 1 IP address (1 host up) scanned in 600.53 seconds
Performing an additional Nmap scan with the smtp-* scripts reveals the commands the server accepts. I will confirm this manually.
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ telnet $IP 25
Trying 10.10.11.175...
Connected to 10.10.11.175.
Escape character is '^]'.
220 mail.outdated.htb ESMTP
Connected to mail.outdated.htb via telnet.
EHLO all
250-mail.outdated.htb
250-SIZE 20480000
250-AUTH LOGIN
250 HELP
250-mail.outdated.htb is the first line of the EHLO reply, in which the server states its identity (hostname).
250-SIZE 20480000 announces that the server accepts messages of up to 20,480,000 bytes.
250-AUTH LOGIN announces that the server supports the LOGIN authentication mechanism.
250 HELP is the final line of the reply (a space instead of a hyphen after the code marks the end of a multi-line response) and announces that the server supports the HELP command, which lists further commands.
HELP
211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
TURN
502 TURN disallowed.
VRFY
502 VRFY disallowed.
The 211 reply to HELP lists the SMTP commands the server recognises: DATA, HELO, EHLO, MAIL, NOOP, QUIT, RCPT, RSET, SAML, TURN, and VRFY.
However, not all of them are actually enabled: TURN and VRFY are both answered with 502 disallowed.
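The EHLO and HELP exchange above is a good place to show how an SMTP client is expected to read multi-line replies and why the HELP list cannot be taken at face value. The following is an added example, not code from the original writeup; it contacts no server and works on constructed copies of the replies shown above (SAMPLE_EHLO_REPLY, SAMPLE_HELP_REPLY and the two 502 probe replies for TURN and VRFY). It parses replies according to the RFC 5321 format (three-digit code, then '-' on continuation lines or a space on the final line), extracts the advertised extensions and their parameters, and reports which commands the server lists in HELP but refuses when actually invoked.

```python
"""SMTP reply parsing and capability triage.

Added example for the EHLO/HELP exchange shown above; it is not part of the
original writeup and does not contact any server. The transcript strings are
constructed copies of the replies seen from mail.outdated.htb.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the EHLO reply, as CRLF-terminated lines a socket would deliver.
SAMPLE_EHLO_REPLY = (
    "250-mail.outdated.htb\r\n"
    "250-SIZE 20480000\r\n"
    "250-AUTH LOGIN\r\n"
    "250 HELP\r\n"
)
# Constructed samples: the HELP reply and the replies to probing two listed commands.
SAMPLE_HELP_REPLY = "211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY\r\n"
SAMPLE_PROBES = {"TURN": "502 TURN disallowed.\r\n", "VRFY": "502 VRFY disallowed.\r\n"}

# RFC 5321 4.2.1: every line is "<3-digit code><sep><text>"; sep is '-' on
# continuation lines and ' ' on the final line of the reply.
_REPLY_LINE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")


@dataclass
class SmtpReply:
    code: int
    lines: list[str]


def parse_reply(raw: str) -> SmtpReply:
    """Split a raw (possibly multi-line) reply into its code and text lines.

    Rejects replies whose lines carry different codes or whose continuation
    markers disagree with the line position: a client that trusts such a
    reply can desynchronise from the server.
    """
    lines = [ln for ln in raw.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code = None
    texts: list[str] = []
    for idx, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(m.group("code"))
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed from {code} to {this_code}")
        is_last = idx == len(lines) - 1
        if (m.group("sep") == " ") != is_last:
            raise ValueError(f"continuation marker mismatch on line {idx + 1}")
        texts.append(m.group("text"))
    return SmtpReply(code, texts)


def ehlo_extensions(reply: SmtpReply) -> tuple[str, dict[str, list[str]]]:
    """Return (server domain, {EHLO keyword: parameters}) from a 250 EHLO reply."""
    if reply.code != 250:
        raise ValueError(f"EHLO was not accepted: {reply.code}")
    domain = reply.lines[0].split()[0]
    extensions: dict[str, list[str]] = {}
    for line in reply.lines[1:]:
        keyword, *params = line.split()
        extensions[keyword.upper()] = params
    return domain, extensions


def help_commands(reply: SmtpReply) -> list[str]:
    """Return the command names listed in a 211/214 HELP reply."""
    if reply.code not in (211, 214):
        raise ValueError(f"unexpected HELP reply code: {reply.code}")
    return [word.upper() for line in reply.lines for word in line.split()]


def advertised_but_disabled(commands: list[str], probes: dict[str, str]) -> list[str]:
    """Commands that HELP lists but that answered a probe with a 5xx reply.

    HELP only reports what the server knows about; whether a command is
    enabled has to be checked per command, as the TURN/VRFY replies show.
    """
    return [cmd for cmd in commands
            if cmd in probes and parse_reply(probes[cmd]).code // 100 == 5]


def summarise(ehlo_raw: str, help_raw: str, probes: dict[str, str]) -> dict[str, object]:
    """Collect the facts a reviewer would note from the exchange."""
    domain, ext = ehlo_extensions(parse_reply(ehlo_raw))
    listed = help_commands(parse_reply(help_raw))
    return {
        "domain": domain,
        "max_message_bytes": int(ext["SIZE"][0]) if ext.get("SIZE") else None,
        "auth_mechanisms": ext.get("AUTH", []),
        "help_lists": listed,
        "disabled": advertised_but_disabled(listed, probes),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_EHLO_REPLY, SAMPLE_HELP_REPLY, SAMPLE_PROBES))
```

Run as a script it prints the summary for the constructed transcript; to use it against a live session, feed parse_reply the raw bytes read after each command. The strict checks in parse_reply matter more than they look: a reply that changes code mid-way or ends without a space-separated line is exactly the kind of input that makes naive clients misattribute a later reply to an earlier command.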
itsupport@outdated.htb
As suggested by the PDF file found in one of the SMB shares, I will attempt to submit an “Internal Web Application” to the contact at itsupport@outdated.htb.
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ swaks --to itsupport@outdated.htb --from kali@kali --header "Subject: Internal Web App" --body "http://10.10.14.23/" --server $IP
=== Trying 10.10.11.175:25...
=== Connected to 10.10.11.175.
<- 220 mail.outdated.htb ESMTP
-> EHLO kali
<- 250-mail.outdated.htb
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<kali@kali>
<- 250 OK
-> RCPT TO:<itsupport@outdated.htb>
<- 250 OK
-> DATA
<- 354 OK, send.
-> Date: Fri, 05 Jan 2024 13:23:27 +0100
-> To: itsupport@outdated.htb
-> From: kali@kali
-> Subject: Internal Web App
-> Message-Id: <20240105132327.108539@kali>
-> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
->
-> http://10.10.14.23/
->
->
-> .
<- 250 Queued (10.954 seconds)
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.
While it is possible to send the message manually over telnet, swaks is a handy little tool that scripts the whole exchange.
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ nnc 80
listening on [any] 80 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.11.175] 49882
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.906
Host: 10.10.14.23
Connection: Keep-Alive
A moment later, the Kali web server receives an inbound connection from the target system.
Notably, the User-Agent field has PowerShell in it, which suggests that a PowerShell script is processing the submitted URLs.
Additionally, it reports PowerShell 5.1 together with the OS build number, 19041.906.
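The captured request is worth turning into something a defender can run over a web or proxy log: the User-Agent token that Windows PowerShell 5.1 sends (WindowsPowerShell/<major>.<minor>.<OS build>.<UBR>) carries the PowerShell version and the host's OS build, which is the same information used below for patch-level triage. The following is an added example, not code from the original writeup; SAMPLE_REQUESTS is constructed, with the first entry mirroring the request caught by the listener above and the second a plain browser request for contrast.

```python
"""Fingerprint PowerShell-driven HTTP requests from captured request lines.

Added example for the inbound request caught by the listener above; it is not
part of the original writeup. The raw requests below are constructed: the
first mirrors the capture on the page, the second is an ordinary browser hit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_REQUESTS = [
    # Constructed copy of the request the listener received from the target.
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.906\r\n"
    "Host: 10.10.14.23\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    # Constructed control request from a regular browser.
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0\r\n"
    "Host: 10.10.14.23\r\n\r\n",
]

# Windows PowerShell 5.1 (Invoke-WebRequest) formats its token as
# WindowsPowerShell/<major>.<minor>.<os build>.<UBR>; the last two fields are
# the host's OS build and update revision, not part of the PowerShell version.
_PS_UA = re.compile(
    r"WindowsPowerShell/(?P<major>\d+)\.(?P<minor>\d+)\.(?P<build>\d+)\.(?P<ubr>\d+)"
)


@dataclass(frozen=True)
class PowerShellFingerprint:
    ps_version: str   # e.g. "5.1"
    os_build: int     # e.g. 19041
    ubr: int          # update build revision, e.g. 906


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Return (request line, headers) from a raw HTTP/1.x request.

    Header names are lower-cased so lookups do not depend on the client's casing.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def fingerprint_user_agent(user_agent: str) -> PowerShellFingerprint | None:
    """Extract PowerShell and OS build details, or None for a non-PowerShell agent."""
    m = _PS_UA.search(user_agent)
    if m is None:
        return None
    return PowerShellFingerprint(
        ps_version=f"{m.group('major')}.{m.group('minor')}",
        os_build=int(m.group("build")),
        ubr=int(m.group("ubr")),
    )


def triage(raw_requests: list[str]) -> list[tuple[int, str, PowerShellFingerprint]]:
    """Return (index, request line, fingerprint) for every request made by PowerShell.

    From the defender's side this is the signal to alert on: a mail-handling
    host fetching submitted URLs through PowerShell rather than a browser.
    """
    hits = []
    for idx, raw in enumerate(raw_requests):
        request_line, headers = parse_request(raw)
        fp = fingerprint_user_agent(headers.get("user-agent", ""))
        if fp is not None:
            hits.append((idx, request_line, fp))
    return hits


if __name__ == "__main__":
    for idx, line, fp in triage(SAMPLE_REQUESTS):
        print(f"request #{idx}: {line} -> PowerShell {fp.ps_version}, OS build {fp.os_build}.{fp.ubr}")
```

The same regex can be dropped into a log pipeline that only has the User-Agent string (for example an IIS or Apache access log field); fingerprint_user_agent does not need the rest of the request. The OS build and UBR it returns are what the next step looks up to find the most recent cumulative update installed on the host.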
Vulnerability
Checking for Windows build 19041.906 online reveals update KB5000842.
KB5000842
Update KB5000842 was released on March 29, 2021.
While the target system is vulnerable to all the CVEs listed and confirmed in the PDF file, CVE-2022-30190 appears to be the most approachable candidate. CVE-2022-30129, CVE-2022-30130, and CVE-2022-29110 cannot be confirmed at this time. CVE-2022-30138 does not appear to be applicable as the Print Spooler service is not exposed; [MS-PAR] and [MS-RPRN]