

SneakyMailer starts with web enumeration to find a list of email addresses, which I can use along with SMTP access to send phishing emails. One of the users will click on the link, and return a POST request with their login creds. That provides access to the IMAP inbox for that user, where I’ll find creds for FTP. The FTP access is in the web directory, and while there’s nothing interesting there, I can write a webshell and get execution, and a shell. To privesc, I’ll submit a malicious Python package to the local PyPI server, which provides execution and a shell as that user. For root, I’ll abuse a sudo rule to run pip, installing the same package again. In Beyond Root, I’ll look at the automation on the box running as services.

    |_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
    |_http-title: Did not follow redirect to
    143/tcp open imap Courier Imapd (released 2018)
    |_imap-capabilities: CHILDREN IDLE QUOTA NAMESPACE UIDPLUS CAPABILITY ENABLE ACL2=UNION THREAD=ORDEREDSUBJECT completed OK STARTTLS ACL THREAD=REFERENCES UTF8=ACCEPTA0001 IMAP4rev1 SORT
    | ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
    | Subject Alternative Name:
    | Not valid before: T17:14:21
    |_ssl-date: TLS randomness does not represent time
    993/tcp open ssl/imap Courier Imapd (released 2018)
    |_imap-capabilities: CHILDREN IDLE QUOTA AUTH=PLAIN NAMESPACE UIDPLUS CAPABILITY ENABLE ACL2=UNION THREAD=ORDEREDSUBJECT OK completed ACL THREAD=REFERENCES UTF8=ACCEPTA0001 IMAP4rev1 SORT
    |_http-open-proxy: Proxy might be redirecting requests
    Service Info: Host: debian OSs: Unix, Linux CPE: cpe:/o:linux:linux_kernel

    Nmap done: 1 IP address (1 host up) scanned in 42.36 seconds

Based on the OpenSSH version, the host is likely running Debian 10 buster.
