Hepet

Auto-parsed spreadsheets on the mail server + LibreOffice macros injection

Summary

• Discovered a wide attack surface: mail services, multiple HTTP ports, FTP, VNC, and Microsoft RPC endpoints.

• Anonymous FTP access revealed internal files but no write permission.

• Web app on port 443 listed employee names, useful for username generation.

• Finger service on port 79 helped enumerate valid usernames.

• IMAP login (via Evolution client) revealed internal emails:

  • Organization uses LibreOffice for documents.

  • Employees are asked to send spreadsheets to mailadmin@localhost, where they are “automatically processed.”

---

🧵 Let's Unpack

Enumeration

🔹 Nmap Full TCP Scan

nmap -p- -T5 192.168.172.140 -vv
# Extracted open ports:
25,79,105,106,110,135,139,143,443,445,2224,5040,8000,11100,20001,33006,49664-49669

🔹 Nmap Detailed Service Scan

sudo nmap -sC -sN -A -p [above ports] 192.168.172.140

• Multiple Mercury/32 mail services (SMTP, POP3, IMAP, HTTP, Finger)

• Apache HTTP server on ports 443 & 8000 hosting a “Time Travel Company” site

• VNC on port 11100 with unknown auth type (40)

• FTP on 20001 allowed anonymous login

• IMAP on port 143 revealed accessible emails after login

---

🗂️ FTP Enumeration – Port 20001

ftp 192.168.172.140 -p 20001

• Anonymous login allowed.

• Found frontend dev files: .babelrc, index.html, README.md, src/, etc.

• No upload rights available — marked for later revisit once credentials are obtained.

---

🖥️ Web App Recon – Ports 443 / 8000

• Site lists employee names: Agnes, Charlotte, Ela Arwel, Magnus, Jonas, Martha

• Guessed usernames:

  agnes, charlotte, jonas, magnus, martha, ela_arwel

• Captured for use across email, FTP, and finger enumeration.

---

☎️ Finger Service – Port 79

• Used finger-user-enum.pl and nc to validate usernames.

• Discovered that agnes, charlotte, jonas, magnus, and martha are valid accounts.

• Verified one set of credentials:

  jonas:SicMundusCreatusEst

---

📩 IMAP Enumeration – Port 143

Used Evolution Mail Client to log in via IMAP and read messages.

Key Findings from Emails:

• Employees use LibreOffice for documents.

• Emails containing spreadsheets sent to mailadmin@localhost are auto-processed.

• Strong indicator of automated document parsing pipeline on the mail server.

---

Took help from official writeup after this.

💡Hint:

• After reading internal emails via IMAP, you’ll find that documents sent to mailadmin@localhost are auto-processed using LibreOffice.

• 🧠 Craft a .ods spreadsheet with a malicious macro payload, and email it to mailadmin@localhost to gain code execution.

Privilege Escalation

💡Hint:

• Once you gain a foothold, enumerate running services.

• If you find any service binary residing inside the current user’s directory and running as SYSTEM, you may be able to replace it with a reverse shell and trigger it via system reboot for privilege escalation. :wink'