Beyond


This is the "beyond" page, where additional post-exploitation enumeration and assessment are conducted as the root user after compromising the target system.

Cron


root@postfish:/root# crontab -l
* * * * * /root/mail.sh > /dev/null 2>&1
*/3 * * * * /root/disclaimer.sh > /dev/null 2>&1

/root/mail.sh


root@postfish:/root# cat /root/mail.sh
#!/bin/bash
# Runs from root's crontab every minute (see `crontab -l` above). When a mail from
# it@postfish.off is present in brian.moore's mailbox, it POSTs a fixed set of
# credentials to the first http:// URL found in that mailbox, then removes mail files.
 
File=/var/mail/brian.moore
 
# Trigger condition: any line matching "From it@postfish.off" in the mailbox.
if grep -q "From it@postfish.off" "$File";then
  # Target URL is taken from the mailbox contents, so whoever can deliver mail to
  # this mailbox decides where the credentials below are sent. ($File is unquoted here.)
  url=$(grep -Eo "http://[^ >]+" $File|head -1 )
  # Hard-coded account details, including the password, go out in the POST body
  # to that URL; -m 3 caps the request at 3 seconds.
  # NOTE(review): this line looks mangled in the listing — "confi" followed by a find
  # command and then "_password" inside the quoted body; presumably a copy/paste or
  # search-and-replace artifact rather than the literal file contents. Confirm on the host.
  curl -m 3 -X POST -d "first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confifind /var/mail/ -type f ! -name "sales" -delete_password%3DEternaLSunshinE" $url
fi
# Cleanup runs unconditionally, every minute, as root.
# NOTE(review): also looks mangled — find(1) normally rejects a path argument placed
# after the expression ("-delete /var/mail/*"); verify the real line on the host.
find /var/mail/ -type f ! -name "sales" -delete /var/mail/*

/root/disclaimer.sh


root@postfish:/root# cat /root/disclaimer.sh 
#!/bin/bash
 
# Runs from root's crontab every 3 minutes (see `crontab -l` above): refreshes the
# Postfix disclaimer file from root's copy and hands group access to "filter".
src=/root/disclaimer
dst=/etc/postfix/disclaimer

cp "$src" "$dst"
# chgrp + 770: members of group "filter" can read, write and execute the copy, so
# anyone in that group can alter it and the change survives until the next cron run.
chgrp filter "$dst"
chmod 770 "$dst"

dovecot.service


root@postfish:/root# systemctl status dovecot.service
 dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2024-08-03 02:30:44 UTC; 7 months 22 days ago
       Docs: man:dovecot(1)
             http://wiki2.dovecot.org/
   Main PID: 841 (dovecot)
      Tasks: 5 (limit: 1074)
     Memory: 6.9M
     CGroup: /system.slice/dovecot.service
             ├─ 841 /usr/sbin/dovecot -F
             ├─ 935 dovecot/anvil
             ├─ 936 dovecot/log
             ├─ 937 dovecot/config
             └─2664 dovecot/stats
 
root@postfish:/root# cat /lib/systemd/system/dovecot.service
# This file is part of Dovecot
#
# DO NOT CUSTOMIZE THIS FILE, INSTEAD
# create the file:
#	`/etc/systemd/system/dovecot.service.d/service.conf'.
# or copy this as
#	`/etc/systemd/system/dovecot.service` and edit then
# and put your changes there
 
[Unit]
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
After=local-fs.target network-online.target
 
[Service]
Type=simple
ExecStart=/usr/sbin/dovecot -F
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
ProtectSystem=full
ProtectHome=no
PrivateDevices=true
 
# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'
# If you have trouble with `Too many open files', increase
LimitNOFILE=65535
# If you want to allow the Dovecot services to produce core dumps, use:
#LimitCORE=infinity
 
[Install]
WantedBy=multi-user.target
 
 
 
root@postfish:/root# cat /etc/dovecot/dovecot.conf | grep -v '^[#/]'
listen = *
disable_plaintext_auth = no
 
!include_try /usr/share/dovecot/protocols.d/*.protocol
 
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
 
!include conf.d/*.conf
!include_try local.conf

postfix@-.service


root@postfish:/root# systemctl status postfix@-.service
 postfix@-.service - Postfix Mail Transport Agent (instance -)
     Loaded: loaded (/lib/systemd/system/postfix@.service; enabled-runtime; vendor preset: enabled)
     Active: active (running) since Sat 2024-08-03 02:30:47 UTC; 7 months 22 days ago
       Docs: man:postfix(1)
      Tasks: 4 (limit: 1074)
     Memory: 15.2M
     CGroup: /system.slice/system-postfix.slice/postfix@-.service
             ├─ 1960 /usr/lib/postfix/sbin/master -w
             ├─ 1967 qmgr -l -t unix -u
             ├─ 2404 tlsmgr -l -t unix -u -c
             └─35661 pickup -l -t unix -u -c
 
 
root@postfish:/root# cat /lib/systemd/system/postfix@.service
[Unit]
Description=Postfix Mail Transport Agent (instance %i)
Documentation=man:postfix(1)
PartOf=postfix.service
Before=postfix.service
ReloadPropagatedFrom=postfix.service
After=network-online.target nss-lookup.target
Wants=network-online.target
 
[Service]
Type=forking
GuessMainPID=no
ExecStartPre=/usr/lib/postfix/configure-instance.sh %i
ExecStart=/usr/sbin/postmulti -i %i -p start
ExecStop=/usr/sbin/postmulti -i %i -p stop
ExecReload=/usr/sbin/postmulti -i %i -p reload
 
[Install]
WantedBy=multi-user.target
 
 
 
root@postfish:/root# cat /etc/postfix/main.cf | grep -v '^[#/]'
mydomain = off
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
 
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
 
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
 
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = postfish.off
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, $myhostname.$mydomain, localhost, $mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

SSH


root@postfish:/etc/ssh# cat /etc/ssh/sshd_config | grep -v '^[#/]'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PermitRootLogin yes
ChallengeResponseAuthentication no
 
UsePAM yes
 
X11Forwarding yes
PrintMotd no
 
 
AcceptEnv LANG LC_*
 
Subsystem sftp	/usr/lib/openssh/sftp-server
 
PasswordAuthentication yes
Match User sales
  PasswordAuthentication no

The `sales` user cannot authenticate with a password: the `Match User sales` block sets `PasswordAuthentication no`, which overrides the global `PasswordAuthentication yes` for that account only.