Throwback — Part 8 — Emails

From the update_email.txt notice, we now know that the corporation is using another email server with other email formats. We also know that there is a web service available that will check emails for leaked credentials.

LeetLinked

Now we need to get a list of emails in order to check for leaked credentials. We can start by finding employees on LinkedIn. With LeetLinked it is possible to crawl LinkedIn:

python3 leetlinked.py -e "throwback.local" -f 1 "Throwback Hacks"

This command will generate the following spreadsheet:

It was also possible to get a flag, which was in Summer Winters' account:

Namely

With Namely we can generate a list of emails. I have saved the names, which we were able to acquire through LinkedIn, in a file called “names.txt”:

python3 namely.py -nf /home/kali/CTF/THM/Throwback/namley/names.txt -d TBHSecurity.com -t HRE-\${first1}\${last}@\${domain}

I have used this list and pasted it into my Python code to automate the requests for checking for leaked data. I have changed the following line to prefixes that were inside the email_update.txt file from Part 7:

email = email.replace("HRE", "SEC")

It is important that you add www.breachgtfo.local to your /etc/hosts file.

After running the script with the following command…:

proxychains python3 breach.py

…I was able to acquire credentials of JStewart:

Also, the breach site contains a flag as an HTML comment:

Web Mail

With these credentials we can now access the web mail of JStewart. To do so, navigate to mail.corporate.local after you have added the domain to your /etc/hosts file:

After login, we can read an email that contains credentials for the CORPORATE.local domain and a flag:

Remediation

The Breach GTFO service should be protected from bots by a CAPTCHA.

Also, JStewart should change his password. Users should be alerted when their credentials are found in a leak database, and they should change their passwords ASAP.
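
A complementary detection for the breach-lookup service, as an added example that is not part of the original write-up: it flags clients that look up many distinct addresses within a short window, which is what a scripted check of a whole email list looks like in the access log. The log format, the /check path, the email parameter and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Combined-log-style line: client IP, timestamp, request line, status (assumed format).
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" \d{3}')

def parse(line):
    """Return (ip, timestamp, queried email) or None if the line is not a lookup."""
    m = LINE_RE.match(line)
    if not m:
        return None
    emails = parse_qs(urlparse(m["url"]).query).get("email", [])  # "email" is an assumed parameter
    if not emails:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, emails[0].lower()

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=3):
    """Map client IP -> peak number of distinct addresses looked up inside one window."""
    recent = defaultdict(deque)  # ip -> (timestamp, email) pairs still inside the window
    flagged = {}
    for line in lines:  # lines are assumed to be in chronological order
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, email = rec
        q = recent[ip]
        q.append((ts, email))
        while ts - q[0][0] > window:  # drop lookups that fell out of the window
            q.popleft()
        distinct = len({e for _, e in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample log: .5 walks a list, .9 is slow, .7 repeats one address.
FMT = '%s - - [12/Mar/2021:10:%02d:%02d +0000] "GET /check?email=SEC-user%d%%40example.test HTTP/1.1" 200 512'
SAMPLE_LOG = (
    [FMT % ("10.0.0.5", 0, i, i) for i in range(5)]
    + [FMT % ("10.0.0.9", i, 0, i) for i in range(5)]
    + [FMT % ("10.0.0.7", 0, i, 42) for i in range(6)]
    + ["malformed line"]
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Counting distinct addresses rather than raw requests keeps a user who rechecks their own address out of the alerts; the same counter can drive a rate limit or a CAPTCHA challenge.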
