SMTP


Nmap discovered an SMTP service on the target port 25. The running service is hMailServer smtpd.

Interestingly, the mail server is NOT registered in DNS, as no MX record was found.

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ nmap -Pn --script smtp-* -p25 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-26 17:49 CEST
NSE: [smtp-brute] usernames: Time limit 10m00s exceeded.
NSE: [smtp-brute] usernames: Time limit 10m00s exceeded.
NSE: [smtp-brute] passwords: Time limit 10m00s exceeded.
Nmap scan report for mainframe.axlle.htb (10.10.11.21)
Host is up (0.036s latency).
 
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users: 
|   root
|   admin
|   administrator
|   webadmin
|   sysadmin
|   netadmin
|   guest
|   user
|   web
|_  test
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
|_smtp-open-relay: Server is an open relay (8/16 tests)
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| smtp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 17856 guesses in 600 seconds, average tps: 29.8
 
Nmap done: 1 IP address (1 host up) scanned in 599.79 seconds

Performing an additional Nmap scan reveals users as well as the available commands.

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ telnet $IP 25
Trying 10.10.11.21...
Connected to 10.10.11.21.
Escape character is '^]'.
220 MAINFRAME ESMTP

Connected to MAINFRAME via telnet.

EHLO all
250-MAINFRAME
250-SIZE 20480000
250-AUTH LOGIN
250 HELP
  • 250-MAINFRAME is a response from the server, indicating its identity or hostname.
  • 250-SIZE 20480000 suggests that the server supports message sizes up to 20,480,000 bytes.
  • 250-AUTH LOGIN indicates that the server supports the LOGIN authentication method.
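  • 250 HELP is the last line of the reply (a space follows the code instead of a hyphen), so the server is ready to accept additional commands; it also indicates that help information is available via the HELP command.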
HELP
211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
TURN
502 TURN disallowed.
VRFY
502 VRFY disallowed.

The subsequent lines list the additional supported SMTP commands: DATA, HELO, EHLO, MAIL, NOOP, QUIT, RCPT, RSET, SAML, TURN, and VRFY. However, not all of them seem to be supported; TURN and VRFY both return 502.
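
The reply format seen in this session, as an added example that is not part of the original notes: a small Python parser for SMTP replies that extracts the EHLO extensions and compares the HELP listing against the 502 responses. The input lines are copied from the transcript above; the function names are illustrative, and the AUTH check assumes the EHLO reply shown is the server's complete capability list.

```python
import re

# Lines copied from the telnet session on this page.
EHLO_REPLY = ["250-MAINFRAME", "250-SIZE 20480000", "250-AUTH LOGIN", "250 HELP"]
HELP_REPLY = "211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY"
PROBES = {"TURN": "502 TURN disallowed.", "VRFY": "502 VRFY disallowed."}

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(lines):
    """Parse one SMTP reply: 'code-text' continues, 'code text' ends it."""
    code, texts = None, []
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed mid-reply")
        code = m.group(1)
        texts.append(m.group(3))
        is_last = m.group(2) == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match reply length")
    return int(code), texts

def ehlo_extensions(lines):
    """Return (greeting domain, {KEYWORD: [params]}) from an EHLO reply."""
    code, texts = parse_reply(lines)
    if code != 250:
        raise ValueError(f"EHLO rejected with {code}")
    exts = {}
    for text in texts[1:]:  # the first line is the server's greeting/domain
        keyword, *params = text.split()
        exts[keyword.upper()] = params
    return texts[0], exts

def audit(ehlo_lines, help_line, probes):
    """Findings a mail administrator can derive from the transcript alone."""
    _, exts = ehlo_extensions(ehlo_lines)
    findings = []
    if "AUTH" in exts and "STARTTLS" not in exts:
        # AUTH LOGIN only base64-encodes credentials; without TLS they are readable.
        findings.append("AUTH " + "/".join(exts["AUTH"]) + " offered without STARTTLS")
    _, (listed,) = parse_reply([help_line])
    for cmd in listed.split():
        reply = probes.get(cmd)
        if reply and parse_reply([reply])[0] >= 500:
            findings.append(f"{cmd} listed by HELP but rejected ({reply[:3]})")
    return findings
```

Calling `audit(EHLO_REPLY, HELP_REPLY, PROBES)` on this session reports the missing STARTTLS alongside AUTH LOGIN and the two commands that HELP lists but the server refuses.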