ClamAV

Source: Proving Grounds | OS: Linux | Community Rating: Intermediate

Enumeration & Reconnaissance

  • I ran autorecon as usual, and it showed a mix of open ports:

    • SSH (22 & 60000)

    • SMTP (25)

    • SMB (139 & 445)

    • 199 (smux)

  • There wasn’t an HTTP service like we’re used to seeing, so I shifted focus to the other services.

Service Analysis

  • During enumeration, I discovered two valid SMTP users: root and ftp. I tried common credential pairs on SSH (root:root, ftp:ftp, and every other lazy combo I could think of), but none succeeded. A quick check of the SSH version didn’t turn up any exploitable CVEs, so I moved on to the SMTP service.

SMTP Users enumerated
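The user enumeration above is the SMTP VRFY trick: ask the server to verify a mailbox and read the reply code. The following is an added example, not part of the original write-up; it runs an enumerator against a constructed in-process mock SMTP server that only knows "root" and "ftp" (assumed hostname clamav.local), so it works offline. Against the real box you would point vrfy_enum() at the target's port 25 instead.

```python
"""SMTP user enumeration via VRFY, demonstrated against a mock server.

Added example (not from the original write-up). The mock server below is
constructed: it greets with a Sendmail-like banner, answers VRFY with 250
for known users and 550 for unknown ones, and ignores everything else.
"""
import socket
import threading

KNOWN_USERS = {"root", "ftp"}   # constructed user list for the mock server


def _mock_smtp_server(sock: socket.socket) -> None:
    """Minimal SMTP responder for one client: HELO, VRFY, QUIT."""
    conn, _ = sock.accept()
    with conn:
        conn.sendall(b"220 clamav.local ESMTP Sendmail 8.13.4 (constructed banner)\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb, _, arg = line.decode(errors="replace").partition(" ")
                verb = verb.upper()
                if verb == "HELO":
                    conn.sendall(b"250 clamav.local Hello\r\n")
                elif verb == "VRFY":
                    user = arg.strip().strip("<>")
                    if user in KNOWN_USERS:
                        conn.sendall(f"250 2.1.5 <{user}@clamav.local>\r\n".encode())
                    else:
                        conn.sendall(b"550 5.1.1 User unknown\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def _readline(f) -> str:
    return f.readline().decode(errors="replace").rstrip("\r\n")


def vrfy_enum(host: str, port: int, candidates, timeout: float = 5.0) -> dict:
    """Return {username: reply_code} for each candidate.

    2xx confirms the mailbox, 550 means unknown, and 252 means the server
    refused to confirm (VRFY disabled); only single-line replies are handled.
    """
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = _readline(f)
        if not banner.startswith("220"):
            raise RuntimeError(f"unexpected banner: {banner}")
        s.sendall(b"HELO enum.local\r\n")
        _readline(f)
        for user in candidates:
            s.sendall(f"VRFY {user}\r\n".encode())
            results[user] = int(_readline(f)[:3])
        s.sendall(b"QUIT\r\n")
    return results


def run_demo(candidates=("root", "ftp", "admin", "mail")) -> dict:
    """Start the mock server on a loopback port, enumerate, return confirmed users."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=_mock_smtp_server, args=(srv,), daemon=True).start()
    try:
        codes = vrfy_enum("127.0.0.1", port, candidates)
    finally:
        srv.close()
    return {u: c for u, c in codes.items() if 200 <= c < 300}


if __name__ == "__main__":
    print(run_demo())
```

On a hardened mail server VRFY is usually disabled (252 for everything) and the same idea has to be tried with EXPN or RCPT TO instead; the enumerator records the code rather than a boolean so you can see which case you are in.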

Gaining Initial Access

  • The SMTP banner revealed that Sendmail 8.13.4 was in use. After some research, I stumbled onto CVE-2007-4560, a remote command execution bug. The flaw is not in Sendmail itself but in clamav-milter (ClamAV before 0.91.2) running in black hole mode alongside Sendmail: the milter hands the RCPT TO address to a shell when it invokes sendmail, so shell metacharacters in the recipient get executed, and the public PoC for it is Exploit-DB 4761. The Sendmail banner (and the box name) were the hint.

Sendmail 8.13.4
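To make the bug concrete, the following added example (not ClamAV's code, and not the PoC) mimics the vulnerable pattern, a command line built from the RCPT TO address and handed to a shell via popen, next to a hardened version that validates the address and calls sendmail with an argv list. The sendmail path, the exact format of the command string and the recipient strings are assumptions; nothing in it executes a command, the small scanner only shows which operators a POSIX shell would act on.

```python
"""Shape of CVE-2007-4560 (clamav-milter black hole mode), vulnerable vs hardened.

Added example, not ClamAV's source. The vulnerable function reproduces the
bug pattern (address formatted into a string destined for popen, i.e.
sh -c "<string>"); the hardened functions show the fix (allow-list the
address, pass it as one argv element with no shell). Paths and formats are
assumed; the recipients are constructed.
"""
import re

SENDMAIL = "/usr/sbin/sendmail"   # assumed path

# Constructed recipients: a normal one and one carrying shell metacharacters
# in the style of the public PoC (a quote to break out, then | and ;).
BENIGN_RECIPIENT = "root"
EVIL_RECIPIENT = 'nobody+"|id;echo injected"'


def vulnerable_sendmail_cmd(recipient: str) -> str:
    """Assumed shape of the vulnerable call: the address is formatted into a
    string that then goes to popen(). The surrounding quotes do not help
    once the attacker supplies a quote of their own."""
    return f'{SENDMAIL} -bv "{recipient}"'


def shell_operators_outside_quotes(cmd: str) -> list:
    """Simplified POSIX-sh scan: return the | ; & ` characters that fall
    outside single/double quotes, i.e. the ones sh would treat as operators.
    ($(...) and other expansions are deliberately not modelled.)"""
    found, quote, i = [], None, 0
    while i < len(cmd):
        c = cmd[i]
        if quote is None:
            if c == "\\":
                i += 2              # backslash escapes the next character
                continue
            if c in "'\"":
                quote = c
            elif c in "|;&`":
                found.append(c)
        elif c == quote:
            quote = None
        elif quote == '"' and c == "\\":
            i += 2                  # escapes are honoured inside double quotes
            continue
        i += 1
    return found


_LOCALPART = re.compile(r"^[A-Za-z0-9._%+-]+$")   # allow-list, stricter than RFC 5321
_DOMAIN = re.compile(r"^[A-Za-z0-9.-]+$")


def _strip_brackets(recipient: str) -> str:
    addr = recipient.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr


def is_safe_recipient(recipient: str) -> bool:
    """Accept only local[@domain] built from allow-listed characters."""
    local, sep, domain = _strip_brackets(recipient).partition("@")
    if not _LOCALPART.match(local):
        return False
    return not sep or bool(_DOMAIN.match(domain))


def hardened_sendmail_argv(recipient: str) -> list:
    """Hardened form: reject anything outside the allow-list and build an
    argv list for subprocess.run(argv, shell=False), so the address is a
    single argument and never reaches a shell parser."""
    if not is_safe_recipient(recipient):
        raise ValueError(f"recipient rejected: {recipient!r}")
    return [SENDMAIL, "-bv", _strip_brackets(recipient)]


if __name__ == "__main__":
    for r in (BENIGN_RECIPIENT, EVIL_RECIPIENT):
        cmd = vulnerable_sendmail_cmd(r)
        print(cmd, "->", shell_operators_outside_quotes(cmd) or "no shell operators")
```

The two fixes are independent and you want both: the allow-list stops the metacharacters at the protocol boundary, and the argv-based invocation means that even a validator bug cannot turn an address into a command.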
  • The PoC looked straightforward, but it took me a while to get it working. I ran the exploit script, then connected with netcat to port 31337 (the port hard-coded in the PoC, where it leaves a bind shell on the target) and... bam, a root shell popped up!

PoC
# Exploit-DB 4761: Sendmail with clamav-milter < 0.91.2 black hole mode RCE (CVE-2007-4560)
# 1. Run the PoC against the target; it injects a command via RCPT TO and binds a shell on TCP 31337
perl 4761.pl 192.168.192.42
# 2. Connect to the bind shell (nc is the client here, not a listener)
nc 192.168.192.42 31337
  • Within moments the shell connected and, to my surprise, I had root access on the machine: the injected command ran with the milter's privileges, which here were root's.

Access Granted

Privilege Escalation

  • None needed; I landed straight in root. Sometimes outdated services are too generous.

Lessons Learned

  • Old Software, New Problems: the Sendmail 8.13.4 banner pointed at an ancient mail stack, and the clamav-milter bolted onto it was the ticking time bomb. Always check for CVEs on outdated services and on the filters and milters they invoke, since a version banner alone does not tell you which component is vulnerable.

  • SMTP Enumeration Pays Off: even without HTTP, an SMTP user list (VRFY, EXPN or RCPT TO) hints at attack vectors and gives you usernames to try elsewhere.

  • PoC Persistence: exploit scripts might need tweaking, but don’t give up; they’re often worth the effort.
