We covered an introduction to web applications and how they can be accessed. We also covered types of web applications security vulnerabilities including OWASP top 10. OWASP top 10 are the most common web application vulnerabilities that can be found and detected in web applications. Lastly, we demonstrated a practical scenario of IDOR or insecure direct object reference vulnerability that’s categorized as a broken access control vulnerability according to OWASP top 10. This was part of TryHackMe Intro to web application security room.
SMTP stands for “Simple Mail Transfer Protocol”. It is utilised to handle the sending of emails. In order to support email services, a protocol pair is required, comprising of SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.
The SMTP server performs three basic functions:
- It verifies who is sending emails through the SMTP server.
- It sends the outgoing mail
- If the outgoing mail can’t be delivered it sends the message back to the sender
Most people will have encountered SMTP when configuring a new email address on some third-party email clients, such as Thunderbird; as when you configure a new email client, you will need to configure the SMTP server configuration in order to send outgoing emails.
POP and IMAP
POP, or “Post Office Protocol” and IMAP, “Internet Message Access Protocol” are both email protocols who are responsible for the transfer of email between a client and a mail server. The main differences is in POP’s more simplistic approach of downloading the inbox from the mail server, to the client. Where IMAP will synchronise the current inbox, with new mail on the server, downloading anything new. This means that changes to the inbox made on one computer, over IMAP, will persist if you then synchronise the inbox from another computer. The POP/IMAP server is responsible for fulfiling this process.
How does SMTP work?
Email delivery functions much the same as the physical mail delivery system. The user will supply the email (a letter) and a service (the postal delivery service), and through a series of steps- will deliver it to the recipients inbox (postbox). The role of the SMTP server in this service, is to act as the sorting office, the email (letter) is picked up and sent to this server, which then directs it to the recipient.
SMTP Enumeration
Enumerating Server Details
Poorly configured or vulnerable mail servers can often provide an initial foothold into a network, but prior to launching an attack, we want to fingerprint the server to make our targeting as precise as possible. We’re going to use the “smtp_version” module in MetaSploit to do this. As its name implies, it will scan a range of IP addresses and determine the version of any mail servers it encounters.
Enumerating Users from SMTP
The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of user’s aliases and lists of e-mail (mailing lists). Using these SMTP commands, we can reveal a list of valid users
We can do this manually, over a telnet connection- however Metasploit comes to the rescue again, providing a handy module appropriately called “smtp_enum” that will do the legwork for us! Using the module is a simple matter of feeding it a host or range of hosts to scan and a wordlist containing usernames to enumerate.
Requirements
As we’re going to be using Metasploit for this, it’s important that you have Metasploit installed. It is by default on both Kali Linux and Parrot OS; however, it’s always worth doing a quick update to make sure that you’re on the latest version before launching any attacks. You can do this with a simple “sudo apt update”, and accompanying upgrade- if any are required.
Alternatives
It’s worth noting that this enumeration technique will work for the majority of SMTP configurations; however there are other, non-metasploit tools such as smtp-user-enum that work even better for enumerating OS-level user accounts on Solaris via the SMTP service. Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands.
This technique could be adapted in future to work against other vulnerable SMTP daemons, but this hasn’t been done as of the time of writing. It’s an alternative that’s worth keeping in mind if you’re trying to distance yourself from using Metasploit e.g. in preparation for OSCP.
Room Answers
What does NFS stand for?
What protocol does NFS use to communicate between the server and client?
What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2
Can a Windows NFS server share files with a Linux client? (Y/N)
Can a Linux NFS server share files with a MacOS client? (Y/N)
What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.
Conduct a thorough port scan scan of your choosing, how many ports are open?
Which port contains the service we’re looking to enumerate?
Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?
Time to mount the share to our local machine!
First, use “mkdir /tmp/mount” to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.
Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?
Have a look inside this directory, look at the files. Looks like we’re inside a user’s home directory…
Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?
Which of these keys is most useful to us?
Copy this file to a different location your local machine, and change the permissions to “600” using “chmod 600 [file]”.
Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.
Can we log into the machine using ssh -i <key-file> <username>@<ip> ? (Y/N)
First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.
Download the bash executable to your Downloads directory. Then use “cp ~/Downloads/bash .” to copy the bash executable to the NFS share. The copied bash shell must be owned by a root user, you can set this using “sudo chown root bash”
Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit set using chmod?
Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Lets run it with “./bash -p“. The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.
Great! If all’s gone well you should have a shell as root! What’s the root flag?
What does SMTP stand for?
What does SMTP handle the sending of? (answer in plural)
What is the first step in the SMTP process?
Where does the SMTP server send the email if the recipient’s server is not available?
Can a Linux machine run an SMTP server? (Y/N)
Can a Windows machine run an SMTP server? (Y/N)
First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?
Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?
If you would like some more help or practice using Metasploit, TryHackMe has a module on Metasploit that you can check out here:
Great, now- select the module and list the options. How do we do this?
Have a look through the options, does everything seem correct? What is the option we need to set?
Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?
What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.
We’re going to be using the “top-usernames-shortlist.txt” wordlist from the Usernames subsection of seclists (/usr/share/wordlists/SecLists/Usernames if you have it installed).
Seclists is an amazing collection of wordlists. If you’re running Kali or Parrot you can install seclists with: “sudo apt install seclists” Alternatively, you can download the repository from here.
What option do we need to set to the wordlist’s path?
Once we’ve set this option, what is the other essential paramater we need to set?
Now, run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!
Okay! Now that’s finished, what username is returned?
What is the password of the user we found during our enumeration stage?
Great! Now, let’s SSH into the server as the user, what is contents of smtp.txt
What type of software is MySQL?
What language is MySQL based on?
What communication model does MySQL use?
What is a common application of MySQL?
What major social network uses MySQL as their back-end database? This will require further research.
Good, now- we think we have a set of credentials. Let’s double check that by manually connecting to the MySQL server. We can do this using the command “mysql -h [IP] -u [username] -p”
Okay, we know that our login credentials work. Lets quit out of this session with “exit” and launch up Metasploit.
We’re going to be using the “mysql_sql” module.
Search for, select and list the options it needs. What three options do we need to set? (in descending order).
Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the “sql” option to “show databases”. how many databases are returned?
First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?
Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?
Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called “hash.txt”.
What is the user/hash combination string?
Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?
Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?
What’s the contents of MySQL.txt
Video Walkthrough
