ClamAV

Proving Grounds PG practice ClamAV writeup

Nmap

sudo nmap 192.168.142.42 -Pn -p- -sS -sV

PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp    open     smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
53/tcp    filtered domain
80/tcp    open     http        Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp   open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open     smux        Linux SNMP multiplexer
445/tcp   open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
60000/tcp open     ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
Service Info: Host: localhost.localdomain; OSs: Linux
Unix; CPE: cpe:/o:linux:linux_kernel

After going through all available ports I was unable to enumerate anything interesting...

With no promising avenues for the available ports. We turn to the machine hostname 'ClamAV'. ClamAV is an open source Antivirus solution available here on the vendors website: https://www.clamav.net/.

Using searchsploit we see an available exploit:

Sendmail`` ``with clamav-milter < 0.91.2 - Remote Command Execution (As we know port 25 is open and running Sendmail).

**Linked here: **

Sendmail with clamav-milter < 0.91.2 - Remote Command ExecutionExploit Database

Looking through the exploit code we can see the script will open up port 31337 to receive connections on.

The script was then executed with the following command.

perl clamav.pl 192.168.142.42

Scanning port 31337 after running the exploit shows it as now being open.

We can then use netcat to connect to the port as the root user.

nc 192.168.142.42 31337

Metasploit

A module for Metasploit exists for this vulnerability.

use exploit/unix/smtp/clamav_milter_blackhole

The exploit was configured with the options shown below.

Upon execution we are able to gain root access to the target system.