JAMES Remote Administration Tool


The earlier Nmap scan showed that the target port 4555 is open. Nmap also grabbed the network fingerprint, and it shows the service, JAMES Remote Administration Tool 2.3.2, and a prompt for authentication.

This can be reproduced by connecting to the target port 4555 via Netcat; it prints out the same data string as well as a prompt for authentication.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ searchsploit Apache James 2.3.2
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit) | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution                                 | linux/remote/35513.py
Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)       | linux/remote/50347.py
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                         |  Path
------------------------------------------------------------------------------------- ---------------------------------
Exploiting Apache James Server 2.3.2                                                 | docs/english/40123-exploiting-ap
------------------------------------------------------------------------------------- ---------------------------------

The searchsploit result shows that there is an RCE exploit for `JAMES Remote Administration Tool 2.3.2`.

I will go over this later.

Default Credential


I tried some default/weak credentials and was able to authenticate with `root:root`. `root` is indeed confirmed to be a valid user from the SMTP enumeration.
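Seen from the defender's side, this finding is a configuration issue. The following added example (not part of the original write-up and not Apache James project code) audits the remote manager section of a James `config.xml` for default administrator credentials and non-loopback exposure. The `<remotemanager>` layout, the sample config, the weak-password list and the function name `audit_remote_manager` are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <remotemanager> block of a James 2.3.x
# config.xml (layout is an assumption; verify against your own file).
SAMPLE_CONFIG = """
<config>
  <remotemanager enabled="true">
    <port>4555</port>
    <handler>
      <administrator_accounts>
        <account login="root" password="root"/>
      </administrator_accounts>
    </handler>
  </remotemanager>
</config>
"""

# Illustrative list only; extend it with your organisation's banned passwords.
WEAK_PASSWORDS = {"root", "admin", "password", "james", "qwe123", ""}

def audit_remote_manager(xml_text):
    """Return a list of findings for the remote administration service."""
    findings = []
    root = ET.fromstring(xml_text)
    for rm in root.iter("remotemanager"):
        if rm.get("enabled", "true").lower() != "true":
            continue  # service disabled, nothing exposed
        port = (rm.findtext("port") or "4555").strip()
        bind = (rm.findtext("bind") or "").strip()
        # No <bind> element means the listener is reachable on every interface.
        if bind not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"remote manager on port {port} is not bound to loopback")
        for acct in rm.iter("account"):
            login = acct.get("login", "")
            password = acct.get("password", "")
            if password == login or password.lower() in WEAK_PASSWORDS:
                findings.append(f"admin account '{login}' uses a default or weak password")
    return findings

if __name__ == "__main__":
    for finding in audit_remote_manager(SAMPLE_CONFIG):
        print("[!]", finding)
```
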

Enumeration


It makes sense that the credentials work here because this is supposedly the remote administration tool for Apache JAMES. On top of that, the SMTP, POP3, and NNTP services are all based on Apache James, as discovered from the initial Nmap scan.

There are a lot of commands available.

There are 5 users.

Password Reset


Since Apache JAMES is a primary mail server, these 5 users must have their emails. I should be able to check these users' emails as I am the root user who can modify their passwords.

So I changed all of their passwords to `qwe123`.

I should now be able to authenticate to and read their email from the POP3 server. I will get back to it.