Disclaimer
An interesting file, /etc/postfix/disclaimer, has been discovered by PEAS, and it also appears to be relevant to the root cronjob.
Looking at the file reveals that its group is set to filter, and the current user, brian.moore, is a member of the filter group.
This would mean that I can read, write and execute the file.
brian.moore@postfish:/etc/postfix$ cat /etc/postfix/disclaimer
#!/bin/bash
# Localize these.
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail
####### Changed From Original Script #######
DISCLAIMER_ADDRESSES=/etc/postfix/disclaimer_addresses
####### Changed From Original Script END #######
# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15
# Start processing.
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
cat >in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }
####### Changed From Original Script #######
# obtain From address
from_address=`grep -m 1 "From:" in.$$ | cut -d "<" -f 2 | cut -d ">" -f 1`
if [ `grep -wi ^${from_address}$ ${DISCLAIMER_ADDRESSES}` ]; then
/usr/bin/altermime --input=in.$$ \
--disclaimer=/etc/postfix/disclaimer.txt \
--disclaimer-html=/etc/postfix/disclaimer.txt \
--xheader="X-Copyrighted-Material: Please visit http://www.company.com/privacy.htm" || \
{ echo Message content rejected; exit $EX_UNAVAILABLE; }
fi
####### Changed From Original Script END #######
$SENDMAIL "$@" <in.$$
exit $?
brian.moore@postfish:/etc/postfix$ cat disclaimer_addresses
it@postfish.off
brian.moore@postfish.off
- This is a modified Bash script that appends a disclaimer, /etc/postfix/disclaimer.txt, to outgoing mail from the addresses listed in the disclaimer_addresses file: it@postfish.off and brian.moore@postfish.off
- The bash script gets executed whenever those 2 users send out mail
- The /usr/share/doc/altermime/examples/postfix_filter.sh file is the original version
This suggests that somebody was trying to add a disclaimer to mail following this guide
brian.moore@postfish:/etc/postfix$ cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
dfilt unix - n n - - pipe flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
Checking the master process configuration file reveals that the dfilt service in master.cf uses a pipe transport that calls /etc/postfix/disclaimer with the sender and recipient as arguments, running as the filter user. This means any email routed through dfilt will automatically execute the disclaimer script.
This is an attack vector: the current user, brian.moore, is a member of the filter group, which allows them to modify the script and gain lateral movement to the filter account.
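As an added example (not part of the original writeup), this is the audit a defender would run against the misconfiguration described here: parse master.cf for pipe(8) transports, pull out the user= and argv= options, and flag any filter command whose file is writable by its group or by others. The master.cf excerpt and the temporary stand-in for /etc/postfix/disclaimer are constructed for the demo.

```python
import os, re, stat, tempfile

# Constructed master.cf excerpt modelled on the dfilt service shown above.
MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
dfilt     unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
"""

def pipe_services(master_cf):
    """Yield (service, user, argv0) for every pipe(8) transport; indented lines continue an entry."""
    entries = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    for entry in entries:
        fields = entry.split()
        # master(5) columns: service type private unpriv chroot wakeup maxproc command [args]
        if len(fields) < 8 or fields[7] != "pipe":
            continue
        opts = " ".join(fields[8:])
        user = re.search(r"\buser=(\S+)", opts)
        argv = re.search(r"\bargv=(\S+)", opts)
        if argv:  # user= may be "name" or "name:group"; keep the account name only
            yield fields[0], (user.group(1).split(":")[0] if user else None), argv.group(1)

def filter_script_findings(master_cf, stat_fn=os.stat):
    """Flag pipe commands that group members or others can modify: whoever can edit
    the file runs code as the pipe user on every delivery routed through the service."""
    findings = []
    for service, user, path in pipe_services(master_cf):
        mode = stat_fn(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((service, path, f"writable by group/others, runs as {user}"))
    return findings

def demo():
    """Stand-alone run against a constructed, group-writable stand-in for the script."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "disclaimer")
        with open(script, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(script, 0o770)  # rwxrwx---: every filter group member can edit it
        return filter_script_findings(MASTER_CF.replace("/etc/postfix/disclaimer", script))
```

The fix the audit points at is the usual one for pipe transports: the command should be owned by root with mode 0755, so the account it runs as (and that account's group) cannot alter what Postfix executes.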