Posts for: #Smtp

PG: Bratarina

#offsec  #proving-grounds  #easy  #linux  #opensmtpd  #smtp  #python-reverse-shell 
ターゲット // Bratarina
PlatformOffSec Proving Grounds
OSLinux
DifficultyEasy
IP192.168.206.71

Recon

Nmap

1

nmap -sC -sV -oN nmap/initial 192.168.206.71
▶ Full nmap output
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
25/tcp  open   smtp        OpenSMTPD
|_ 2.0.0 This is OpenSMTPD 2.0.0
53/tcp  closed domain
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu

Enumeration

Port 80 - Web App (FlaskBB)

A Flask-based forum. No useful content, weird behavior with empty Host: header. Rabbit hole – moving on.

[]

PG: ClamAV

#offsec  #proving-grounds  #easy  #linux  #clamav  #sendmail  #snmp  #smtp 
ターゲット // ClamAV
PlatformOffSec Proving Grounds
OSLinux
DifficultyEasy
IP192.168.57.42

Recon

Nmap

▶ Full nmap output (TCP)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
▶ Full nmap output (UDP)
PORT     STATE         SERVICE      VERSION
137/udp  open          netbios-ns   Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp  open          snmp         SNMPv1 server (public)
[ 警告 ]
Don’t forget to enumerate UDP. This box has SNMP v1 on UDP 161 which reveals critical information.

Enumeration

Port 25 - SMTP (Sendmail)

Sendmail 8.13.4 is ancient. Searchsploit reveals multiple exploits, and importantly – one that involves ClamAV (hint from the box name):

[]