POP3


Nmap discovered a POP3 service on target port 110. It is running JAMES pop3d 2.3.2, likely Apache James.

Initial Enumeration


I don’t seem to be able to do anything without a valid credential.

With Credentials


I have 5 sets of valid credentials ready.

james


┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ telnet $IP 110                      
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER james
+OK
PASS qwe123
+OK Welcome james
STAT
+OK 0 0
LIST
+OK 0 0
.
CAPA
-ERR

The james user doesn't have any mail.

thomas


┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ telnet $IP 110 
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER thomas
+OK
PASS qwe123
+OK Welcome thomas
STAT
+OK 0 0
LIST
+OK 0 0
.
CAPA
-ERR

Neither does the thomas user.

john


┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ telnet $IP 110 
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER john
+OK
PASS qwe123
+OK Welcome john
STAT
+OK 1 743
LIST
+OK 1 743
1 743
.

The john user has a single mail of 743 bytes.

RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John, 
 
Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.
 
Thank you in advance.
 
Respectfully,
James

The mail was originally sent from the james user through mailadmin. The mail notes:

  • restricting mindy's access until she gets read on to a program
  • sending the mindy user a temporary password

I wonder if it is some sort of security program that administers access control?

mindy


┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ telnet $IP 110 
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER mindy
+OK
PASS qwe123
+OK Welcome mindy
STAT
+OK 2 1945
LIST
+OK 2 1945
1 1109
2 836
.

The mindy user has 2 mails.

1st mail


RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
 
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
 
We are looking forward to you joining our team and your success at Solid State Security. 
 
Respectfully,
James
.

The first mail was sent from the james user through mailadmin. James sent this mail about 2 minutes before mailing the john user. The first mail notes that:

  • The mindy user just joined the team as a junior defense analyst
  • Information is enclosed to help with her transition into the role

2nd mail


RETR 2
+OK Message follows
return-path: <mailadmin@localhost>
message-id: <16744123.2.1503422270399.JavaMail.root@solidstate>
mime-version: 1.0
content-type: text/plain; charset=us-ascii
content-transfer-encoding: 7bit
delivered-to: mindy@localhost
received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          tue, 22 aug 2017 13:17:28 -0400 (EDT)
date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
from: mailadmin@localhost
subject: Your Access
 
Dear Mindy,
 
 
Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 
 
username: mindy
pass: P@55W0rd1!2@
 
Respectfully,
James
 
.

The second mail was also sent from the james user through mailadmin, after the first mail. It provides an SSH credential for the system and notes that her access is limited and that needed commands can be added to her path. mindy:P@55W0rd1!2@
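To make the timeline and the leak concrete, here is an added Python example (not part of the original writeup) that parses captured RETR responses: it strips the POP3 status line and dot-stuffing, orders the three mails by their Date header, and flags any body that hands out a password in cleartext, which is the finding a mail DLP rule should catch. The sample messages are trimmed, constructed copies of the transcripts above.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed samples: trimmed copies of the three RETR responses above.
JOHN_1 = """+OK Message follows
Delivered-To: john@localhost
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Subject: New Hires access

Can you please restrict mindy's access until she gets read on.
."""
MINDY_1 = """+OK Message follows
Delivered-To: mindy@localhost
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Subject: Welcome

Welcome to Solid State Security Cyber team!
."""
MINDY_2 = """+OK Message follows
delivered-to: mindy@localhost
date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
subject: Your Access

username: mindy
pass: P@55W0rd1!2@
."""

# Body lines that hand out a password in cleartext (the leak on this box).
CRED_RE = re.compile(r"^\s*pass(?:word)?\s*:\s*(\S+)", re.I | re.M)

def retr_payload(resp):
    # Drop the +OK status line, cut at the lone '.' terminator, undo dot-stuffing
    lines = resp.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("not a successful RETR response")
    body = lines[1:lines.index(".")]  # ValueError if the terminator is missing
    return "\n".join(ln[1:] if ln.startswith("..") else ln for ln in body) + "\n"

def summarize(resp):
    # Header lookup is case-insensitive, so mindy's lowercase 2nd mail parses too
    msg = message_from_string(retr_payload(resp))
    return {"to": msg["delivered-to"], "subject": msg["subject"],
            "date": parsedate_to_datetime(msg["date"]),
            "passwords": CRED_RE.findall(msg.get_payload())}

def timeline(resps):
    # (seconds after the earliest mail, recipient, subject, cleartext password?)
    items = sorted(map(summarize, resps), key=lambda s: s["date"])
    return [(int((s["date"] - items[0]["date"]).total_seconds()), s["to"],
             s["subject"], bool(s["passwords"])) for s in items]
```

Running `timeline([JOHN_1, MINDY_1, MINDY_2])` orders the mails Welcome, New Hires access, Your Access, with the credential mail arriving 226 seconds after the first.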

mailadmin


┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ telnet $IP 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
USER mailadmin
+OK
PASS qwe123
+OK Welcome mailadmin
STAT
+OK 0 0
LIST
+OK 0 0
.
CAPA
-ERR

The mailadmin user doesn't have anything. The account was likely functioning as a proxy.