Return to forum

mimikatz · June 18, 2022 at 7:17 PM

nc trick.htb 25 [14:16:19]
220 debian.localdomain ESMTP Postfix (Debian/GNU)

EHLO all
250-debian.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

[25][smtp-enum] host: trick.htb login: michael password: localhost
[25][smtp-enum] host: trick.htb login: mail password: localhost
[25][smtp-enum] host: trick.htb login: root password: localhost
[25][smtp-enum] host: trick.htb login: Michael password: localhost
[25][smtp-enum] host: trick.htb login: news password: localhost
[25][smtp-enum] host: trick.htb login: man password: localhost
[25][smtp-enum] host: trick.htb login: bin password: localhost
[25][smtp-enum] host: trick.htb login: games password: localhost
[25][smtp-enum] host: trick.htb login: nobody password: localhost
[25][smtp-enum] host: trick.htb login: MICHAEL password: localhost
[25][smtp-enum] host: trick.htb login: backup password: localhost
[25][smtp-enum] host: trick.htb login: daemon password: localhost
[25][smtp-enum] host: trick.htb login: proxy password: localhost
[25][smtp-enum] host: trick.htb login: list password: localhost
[25][smtp-enum] host: trick.htb login: Man password: localhost
[25][smtp-enum] host: trick.htb login: Daemon password: localhost
[25][smtp-enum] host: trick.htb login: postmaster password: localhost
[25][smtp-enum] host: trick.htb login: angelito password: localhost
[25][smtp-enum] host: trick.htb login: Khan password: localhost
[25][smtp-enum] host: trick.htb login: JohnP password: localhost
[25][smtp-enum] host: trick.htb login: Jethro password: localhost
[25][smtp-enum] host: trick.htb login: Jjimmys password: localhost
[25][smtp-enum] host: trick.htb login: Jacob password: localhost
[25][smtp-enum] host: trick.htb login: sys password: localhost
[25][smtp-enum] host: trick.htb login: Proxy password: localhost
[25][smtp-enum] host: trick.htb login: pulse password: localhost
[25][smtp-enum] host: trick.htb login: Nobody password: localhost

https://www.oreilly.com/library/view/programming-internet-email/9780596802585/ch09s02.html
https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp

Open Ports on
25,53,22,80

http://preprod-payroll.trick.htb

Admin Credentials -
Enemigosss:SuperGucciRainbowCake

iamnoone777 · June 18, 2022 at 7:25 PM

SMTP not stable...

Maybe we should have a look on userenumeration on...

I try digging into the dns service and seems that the A and AAA records are binding to 127.0.0.1

mimikatz · June 18, 2022 at 7:29 PM

(June 18, 2022, 07:25 PM)iamnoone777 Wrote: SMTP not stable...

Maybe we should have a look on userenumeration on...

I try digging into the dns service and seems that the A and AAA records are binding to 127.0.0.1

Working on enumerating stuff rn

htb_col · June 18, 2022 at 7:35 PM

The user enumeration is a functionally[code]└──╼ $nc tricks.htb 25HELO testHELo test220 debian.localdomain ESMTP Postfix (Debian/GNU)250 debian.localdomain250 debian.localdomainHELo test250 debian.localdomainVRFY someuser550 5.1.1 : Recipient address rejected: User unknown in local recipient tableVRFY tricks550 5.1.1 : Recipient address rejected: User unknown in local recipient tableVRFY root252 2.0.0 root[/code]

mimikatz · June 18, 2022 at 7:37 PM

[25][smtp-enum] host: login: root
[25][smtp-enum] host: login: mysql

mtl87 · June 18, 2022 at 7:51 PM

PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
68/udp open|filtered dhcpc
631/udp open|filtered ipp
5353/udp open|filtered zeroconf
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

iamnoone777 · June 18, 2022 at 7:59 PM

(June 18, 2022, 07:37 PM)mimikatz Wrote: [25][smtp-enum] host: login: root
[25][smtp-enum] host: login: mysql

which command do you use to enumerate users ?

mimikatz · June 18, 2022 at 8:00 PM

(June 18, 2022, 07:59 PM)iamnoone777 Wrote:
(June 18, 2022, 07:37 PM)mimikatz Wrote: [25][smtp-enum] host: login: root
[25][smtp-enum] host: login: mysql

which command do you use to enumerate users ?

You can use msf auxiliary module or nmap, check hacktricks for more info

iamnoone777 · June 18, 2022 at 8:06 PM

(June 18, 2022, 08:00 PM)mimikatz Wrote:
(June 18, 2022, 07:59 PM)iamnoone777 Wrote:
(June 18, 2022, 07:37 PM)mimikatz Wrote: [25][smtp-enum] host: login: root
[25][smtp-enum] host: login: mysql

which command do you use to enumerate users ?

You can use msf auxiliary module or nmap, check hacktricks for more info

Yeap ! auxiliary module from msf didn't give anything. I will try nmap module !

The Postfix exploit : https://www.exploit-db.com/exploits/34896 ==> DIDNT seems to work

Gonna retry enumeration and CVE finding

Raiders1972 · June 18, 2022 at 8:54 PM

I can read all the files but can't write anything anywhere :-(