Postfish
Pg Practice Postfish writeup
Last updated
Pg Practice Postfish writeup
Last updated
Heading straight into SMTP I ran smtp-user-enum.pl with the syntax below:
Looks like we have some non default emails shown above that are listed below:
Checking our port 80 from here we find the web page attempts to direct us to http://postfish.off. We can add the IP and domain name into /etc/hosts to get this working. Once completed the web pages should load correctly.
Checking out the link for 'Our Team' shows further departments and users.
We can run the users against smtp-user-enum to try and identify further usernames. Companies generally use naming conventions so we will either try and guess it or use a tool to help us identify.
Download the following python script: https://raw.githubusercontent.com/jseidl/usernamer/master/usernamer.py
We can then run the script against each user and this will generate variations of the username.
Repeat for each user and save the results into a text file. We can then run the variations against smtp-user-enum again.
At this point I tried to brute force the various accounts we have over IMAP and POP3. I was able to get a valid result with Hydra for sales:sales.
The password list was generated with cewl from the http://postfish.off/team.html web page.
I then run our known users names with the output generated from cewl against Hydra.
I then logged into the sales account with telnet on port 110 for POP3 and was able to retrieve a singular email message.
The email indicates the IT team (it@postfish.off) will be sending password reset links to the sales team. From here we can potentially spear phish someone. Looking at http://postfish.off/team.html again shows that Brian Moore is the sales manager. We already know his email address from earlier as well from our smtp enumeration.
First set up a netcat listener on port 80.
Next connect to SMTP using netcat then do the following to compose an email from it@postfish.off to brian.moore@postfish.off.
After a short while Brian will send us details regarding his current login to our netcat listener.
We now have the password EternaLSunshinE We can then login to SSH.
I then transferred linpeas over to the target machine. After running we identify being a member of the 'filter' group which is a non default group. We also find /etc/postfix/disclaimer as being of interest.
A Google search on 'postfix disclaimer' results in the following being the first result on Google: https://www.howtoforge.com/how-to-automatically-add-a-disclaimer-to-outgoing-emails-with-altermime-postfix-on-debian-squeeze.
Looking through this it seems the admin on the box has followed the included steps to install and configure alterMIME to get disclaimers appended to emails.
Reading through the article essentially we see that for any emails included in the file /etc/postfix/disclaimer_addresses. When any of these addresses send or recieve an email the following file gets executed /etc/postfix/disclaimer. The file takes the contents of /etc/postfix/disclaimer.txt and appends it to the emails.
As we are a member the group 'filter' we can edit the script /etc/postfix/disclaimer. Using nano to edit the script I inserted a bash reverse shell to the top of the script.
Then like we did earlier I connected to SMTP with netcat and sent an email to trigger the shell.
After doing so we should receive a shell.
From here I checked sudo permissions with sudo -l and found that we can run the mail binary as any user without a password.
Referring to GTFOBins we can use this to gain a root shell.
We then gain a root shell.
