
Mailing Hack the Box Walkthrough

Welcome to another Hack The Box exercise. In this blog post, I have documented how I pwned the Mailing machine on Hack The Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.


About the Machine

Mailing is an easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to access the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. I leveraged CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash for user maya. I then cracked this hash to obtain the password and logged in as user maya via WinRM. For privilege escalation, I exploited CVE-2023-2255 in LibreOffice.

Mailing Hack the Box Writeup

The first step in pwning the Mailing machine, as in all my previous writeups, is to connect my Kali Linux machine to the Hack The Box VPN server. To establish this connection, I ran the following command in the terminal:

[Screenshot: VPN connection command and its output]

After the connection has been set up, I started the target machine, and I was assigned an IP address of 10.10.11.14. The first step in any good enumeration process is to run an aggressive Nmap scan against the target. I used the following command:

[Screenshot: Nmap scan command and its results]

This tells Nmap to run with service/version detection (-sV), default scripts (-sC), and aggressive mode (-A, which adds OS detection and traceroute) all in one go.

The scan immediately revealed that the host at 10.10.11.14 is alive and exposing a variety of interesting services:

  • Port 25 (SMTP) is open, running hMailServer. The service banner shows common SMTP commands and even leaks the hostname mailing.htb, which will likely be useful later.
  • Port 80 (HTTP) is running Microsoft IIS 10.0, though the Nmap script noted that it didn’t follow a redirect to http://mailing.htb. This suggests the webserver expects us to use the hostname rather than the raw IP, a hint that we may need to add this to our /etc/hosts file.
  • Port 110 (POP3) and Port 143 (IMAP) are also open, again tied to hMailServer. Both support authentication and could provide access to mailboxes if valid credentials are found.
  • Ports 135 and 139 show Microsoft Windows RPC and NetBIOS, which confirms the target is a Windows machine and could be relevant later for SMB or RPC-based enumeration.
  • Port 445 indicates an SMB service (possibly microsoft-ds), another strong Windows fingerprint.
  • Finally, Port 465 (SMTPS) is running hMailServer over SSL. The certificate reveals the common name mailing.htb and the organization as Mailing Ltd in the EU. Certificates like this often confirm the intended hostname for interacting with the service.

At this stage, it’s clear we’re dealing with a Windows server acting as a mail host (hMailServer) and a webserver (IIS 10.0) that expects us to use the domain mailing.htb. The combination of email services (SMTP/POP3/IMAP) and SMB makes it likely that credentials will come into play, so I’ll keep that in mind as I continue.
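Reading eight banners by hand is fine for one host, but the same triage is easier to repeat (and to hand to a blue team as an exposed-service inventory) if the scan is saved in Nmap's grepable format (-oG) and parsed. The following is an added example of mine, not code from the original post: the scan line is a constructed sample shaped after the ports listed above, not the real output from the machine, and the functions only read that format.

```sh
#!/bin/sh
# Added example, not from the original post. Parses nmap grepable (-oG) output
# into a one-line-per-service inventory of open ports.

# Constructed sample in -oG format (fields are tab-separated in real output).
# Shaped after the services the scan above reported; not real scan output.
SAMPLE_OG=$(printf 'Host: 10.10.11.14 ()\tStatus: Up\nHost: 10.10.11.14 ()\tPorts: %s\tIgnored State: filtered (65527)\n' \
    '25/open/tcp//smtp//hMailServer smtpd/, 80/open/tcp//http//Microsoft IIS httpd 10.0/, 110/open/tcp//pop3//hMailServer pop3d/, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 143/open/tcp//imap//hMailServer imapd/, 445/open/tcp//microsoft-ds?///, 465/open/tcp//ssl|smtp//hMailServer smtpd/')

# open_services: read -oG output on stdin, print "port/proto service [version]"
# for every port whose state is "open", one per line.
# Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/.
open_services() {
    sed -n 's/.*Ports: //p' | sed 's/[[:space:]]*Ignored State:.*//' \
    | awk -F', ' '{
        for (i = 1; i <= NF; i++) {
            split($i, f, "/")
            if (f[2] == "open")
                printf "%s/%s %s%s\n", f[1], f[3], f[5], (f[7] != "" ? " " f[7] : "")
        }
    }'
}

# count_open: number of open ports in the -oG output read on stdin.
count_open() {
    open_services | awk 'END { print NR }'
}

# Demo: full inventory, then just the ports served by hMailServer.
printf '%s\n' "$SAMPLE_OG" | open_services
echo "open ports: $(printf '%s\n' "$SAMPLE_OG" | count_open)"
printf '%s\n' "$SAMPLE_OG" | open_services | grep hMailServer
```

For a real run, replace the constructed sample with `nmap -sV -sC -A -oG scan.gnmap 10.10.11.14` and feed `scan.gnmap` to `open_services`; the parser only relies on the `Ports:` field, so the rest of the -oG line can vary.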

Nmap gave us a clear hint: the SSL certificate and SMTP banners both referenced mailing.htb. The web server redirected when queried by IP, which usually means the site expects requests for a specific virtual host. To interact properly with the site we need to resolve that hostname to the target IP.

On Kali I added the entry to /etc/hosts so my browser and tooling would send the proper Host: header:

After adding the mapping I reloaded the site in the browser (or from the terminal with curl) and got a nicely rendered marketing page for Mailing - The ultimate mail server. The UI confirms what the Nmap banner suggested — this machine is intentionally serving content for mailing.htb and advertises hMailServer.

[Screenshots: the /etc/hosts entry and the rendered mailing.htb homepage]

Why this matters

Virtual hosts are common on Windows/IIS — if the site expects a particular hostname, enumerating by IP will often miss host-specific pages, downloads, or files. Now that mailing.htb resolves, we can enumerate site directories and pull any files meant for that host.
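The hosts-file step itself, as an added example that is not from the original post: a POSIX shell function that adds the mapping only when it is not already present, refuses to silently override a conflicting entry for the same name, and a lookup helper to verify the result. The demo at the bottom works on a temporary file; run the script as root against /etc/hosts to apply it on a Kali box.

```sh
#!/bin/sh
# Added example, not from the original post: idempotent hosts-file mapping
# for a virtual host such as mailing.htb.

# add_host_entry FILE IP NAME
# Appends "IP<TAB>NAME" to FILE unless NAME is already mapped there.
# Returns 0 if NAME maps to IP afterwards, 1 if NAME already maps elsewhere.
add_host_entry() {
    file="$1"; ip="$2"; name="$3"
    # Address of the first non-comment line whose hostname columns contain NAME.
    existing=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null \
        | awk -v n="$name" '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }')
    if [ -z "$existing" ]; then
        printf '%s\t%s\n' "$ip" "$name" >> "$file"
        return 0
    elif [ "$existing" = "$ip" ]; then
        return 0        # already mapped to the same address: nothing to do
    else
        echo "conflict: $name already maps to $existing, not $ip" >&2
        return 1
    fi
}

# lookup_host FILE NAME: print the IP that FILE maps NAME to (empty if absent).
lookup_host() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# Demo on a temporary file; use /etc/hosts (as root) to apply it for real.
tmp=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$tmp"
add_host_entry "$tmp" 10.10.11.14 mailing.htb
add_host_entry "$tmp" 10.10.11.14 mailing.htb      # second call is a no-op
echo "mailing.htb -> $(lookup_host "$tmp" mailing.htb)"
echo "mailing.htb lines: $(grep -c mailing.htb "$tmp")"   # 1, not 2
rm -f "$tmp"
```

Once the entry is in place, `getent hosts mailing.htb` should print the target IP, and a request to http://mailing.htb carries the Host header IIS is waiting for.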
