> For the complete documentation index, see [llms.txt](https://rahuldhawan.gitbook.io/braindump/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rahuldhawan.gitbook.io/braindump/oscp/pg-practice/hepet.md). # Hepet ## Summary * Discovered a wide attack surface: mail services, multiple HTTP ports, FTP, VNC, and Microsoft RPC endpoints. * Anonymous FTP access revealed internal files but no write permission. * Web app on port 443 listed employee names, useful for username generation. * Finger service on port 79 helped enumerate valid usernames. * IMAP login (via Evolution client) revealed internal emails: * Organization uses **LibreOffice** for documents. * Employees are asked to send spreadsheets to `mailadmin@localhost`, where they are “automatically processed.” * *** ### 🧵 Let's Unpack ## Enumeration **🔹 Nmap Full TCP Scan** ```bash nmap -p- -T5 192.168.172.140 -vv # Extracted open ports: 25,79,105,106,110,135,139,143,443,445,2224,5040,8000,11100,20001,33006,49664-49669 ``` **🔹 Nmap Detailed Service Scan** ```bash sudo nmap -sC -sN -A -p [above ports] 192.168.172.140 ``` * Multiple **Mercury/32** mail services (SMTP, POP3, IMAP, HTTP, Finger) * Apache HTTP server on ports 443 & 8000 hosting a “Time Travel Company” site * VNC on port `11100` with unknown auth type (40) * FTP on `20001` allowed **anonymous login** * IMAP on port `143` revealed accessible emails after login *** #### 🗂️ FTP Enumeration – Port 20001 ```bash ftp 192.168.172.140 -p 20001 ``` * Anonymous login allowed. * Found frontend dev files: `.babelrc`, `index.html`, `README.md`, `src/`, etc. * No upload rights available — marked for later revisit once credentials are obtained. *** #### 🖥️ Web App Recon – Ports 443 / 8000 * Site lists employee names: *Agnes, Charlotte, Ela Arwel, Magnus, Jonas, Martha* * Guessed usernames: ``` agnes, charlotte, jonas, magnus, martha, ela_arwel ``` * Captured for use across email, FTP, and finger enumeration. *** #### ☎️ Finger Service – Port 79 * Used `finger-user-enum.pl` and `nc` to validate usernames. * Discovered that `agnes`, `charlotte`, `jonas`, `magnus`, and `martha` are valid accounts. * Verified one set of credentials: ``` jonas:SicMundusCreatusEst ``` *** #### 📩 IMAP Enumeration – Port 143 Used **Evolution Mail Client** to log in via IMAP and read messages. **Key Findings from Emails:** * Employees use **LibreOffice** for documents. * Emails containing spreadsheets sent to `mailadmin@localhost` are auto-processed. * Strong indicator of **automated document parsing pipeline** on the mail server. *** Took help from official writeup after this. :bulb:Hint: * After reading internal emails via IMAP, you’ll find that documents sent to `mailadmin@localhost` are auto-processed using LibreOffice. * 🧠 Craft a `.ods` spreadsheet with a malicious **macro payload**, and email it to `mailadmin@localhost` to gain code execution. ## Privilege Escalation :bulb:Hint: * Once you gain a foothold, enumerate running services. * If you find any service binary residing inside the current user’s directory and running as `SYSTEM`, you may be able to **replace it with a reverse shell** and trigger it via system reboot for privilege escalation. :wink' --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://rahuldhawan.gitbook.io/braindump/oscp/pg-practice/hepet.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.