ClamAV
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
I ran autorecon as usual, and it showed a mix of open ports:
SSH (22 & 60000)
SMTP (25)
SMB (139 & 445)
199
There wasn't an HTTP service like we're used to seeing, so I shifted focus to the other services.
During enumeration, I discovered two valid SMTP users: root and ftp. I attempted common credential pairs on SSH: root:root, ftp:ftp, and every other lazy combo I could think of. But none succeeded. A quick check of the SSH version didn't yield any exploitable CVEs, so I moved on to the SMTP service.
The SMTP banner revealed that Sendmail 8.13.4 was in use. After some research, I stumbled onto CVE-2007-4560, a remote code execution exploit.
The PoC looked straightforward, but it took me a while to get it working. I ran the exploit script, fired up a netcat listener on port 31337 (Port was written in the PoC) and... bam, a root shell popped up!
Within moments, the reverse shell connected and, to my surprise, I had root access on the machine.
None needed, landed straight into root. Sometimes, outdated services are too generous.
Old Software, New Problems: Sendmail 8.13.4 was a ticking time bomb. Always check for CVEs on outdated services.
SMTP Enumeration Pays Off: Even without HTTP, SMTP user lists can hint at attack vectors.
PoC Persistence: Exploit scripts might need tweaking, but don't give up, they're often worth the effort.