Virtual Host
The PDF file from the School File Management System platform for the student, Kelly Shane, contained a new virtual host: `mastermailer.seventeen.htb`
Newly discovered virtual host information has been appended to the `/etc/hosts` file on Kali for local DNS resolution
```
┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ curl -s -i http://mastermailer.seventeen.htb/
HTTP/1.1 302 Found
date: Tue, 20 Jun 2023 00:39:29 GMT
server: Apache/2.4.29 (Ubuntu)
location: http://mastermailer.seventeen.htb:8000/mastermailer/
content-type: text/html; charset=iso-8859-1
```
Just like the other virtual host, `oldmanagement.seventeen.htb`, `mastermailer.seventeen.htb` is hosted over the web server running on port `8000` over HTTP
Port `80` is just a proxy
Another important thing to note is that it is using HTTP, not HTTPS. That was likely just a typo
mastermailer
As expected, it’s a Roundcube instance
I don’t have any credentials at the moment as I was unable to crack the password hash extracted earlier
Version information is available at `/mastermailer/CHANGELOG`
It’s using 1.4.2
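The same CHANGELOG exposure can be checked from the operator's side. This is an added example, not part of the original notes: given a captured status code and body for the CHANGELOG URL, it reports whether the file is readable and compares the newest release header with a caller-supplied baseline. The function names, the `RELEASE x.y.z` header layout, the sample body and the `1.5.0` baseline are assumptions constructed for the demo.

```python
import re

# Release headers are assumed to look like "RELEASE 1.4.2" at line start.
RELEASE_RE = re.compile(r"^RELEASE[ \t]+(\d+(?:\.\d+)+)\b", re.MULTILINE)

def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def newest_release(changelog_body):
    """Return the highest version named in a CHANGELOG body, or None."""
    versions = [parse_version(v) for v in RELEASE_RE.findall(changelog_body)]
    return max(versions) if versions else None

def audit_changelog(status, body, baseline):
    """Classify one captured response for <webmail root>/CHANGELOG.

    baseline is the oldest release the operator accepts; take it from the
    vendor advisories for the CVEs in scope (it is not hard-coded here).
    """
    findings = []
    if status != 200:
        return findings  # file not served: nothing disclosed
    findings.append("CHANGELOG is readable without authentication")
    version = newest_release(body)
    if version is None:
        findings.append("no release header found; version not determined")
    elif version < parse_version(baseline):
        findings.append("version %s is older than baseline %s"
                        % (".".join(map(str, version)), baseline))
    return findings

# Constructed sample body, modelled on the 1.4.2 banner reported above.
SAMPLE_BODY = """CHANGELOG Roundcube Webmail
===========================

RELEASE 1.4.2
-------------
- (constructed entry)

RELEASE 1.4.1
-------------
- (constructed entry)
"""

if __name__ == "__main__":
    # "1.5.0" is a constructed baseline for the demo, not an advisory value.
    for finding in audit_changelog(200, SAMPLE_BODY, "1.5.0"):
        print("[!]", finding)
```

An empty result means the file was not served; blocking access to the CHANGELOG removes the version disclosure but does not replace upgrading.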
Roundcube 1.4.2 has many vulnerabilities
The majority of the vulnerabilities above are XSS attacks, which is rather irrelevant to this scenario as there appears to be no user interaction
However, these two vulnerabilities appear most relevant:
- CVE-2020-12640
- [CVE-2020-12641](https://nvd.nist.gov/vuln/detail/CVE-2020-12641)