{"id":153,"date":"2023-06-11T19:19:06","date_gmt":"2023-06-11T19:19:06","guid":{"rendered":"https:\/\/justatrainingblog.co.uk\/?p=153"},"modified":"2023-06-11T20:02:55","modified_gmt":"2023-06-11T20:02:55","slug":"thm-enumerating-and-exploiting-a-smtp-server","status":"publish","type":"post","link":"https:\/\/justatrainingblog.co.uk\/?p=153","title":{"rendered":"THM &#8211; Enumerating and Exploiting an SMTP server"},"content":{"rendered":"\n<p>To follow up on today&#8217;s knowledge post we are doing some practice on some active footprinting, enumerating and exploiting an SMTP server. <\/p>\n\n\n\n<p>Target IP Address: 10.10.239.254<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">Footprinting \/ Enumeration<\/span><\/h2>\n\n\n\n<p>So to start with we&#8217;ll run a port scan. Again for this we&#8217;ll be using nmap. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"951\" height=\"739\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-5.png\" alt=\"\" class=\"wp-image-154\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-5.png 951w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-5-300x233.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-5-768x597.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-5-850x661.png 850w\" sizes=\"(max-width: 951px) 100vw, 951px\" \/><\/figure>\n\n\n\n<p>Analysing the output we can see that ports 22 and 25 are open. We are currently targeting SMTP, which strongly suggests port 25, as this is the default. <\/p>\n\n\n\n<p>Next we&#8217;ll open up the Metasploit console using msfconsole. 
Once done we&#8217;ll check the version using <mark style=\"background-color:#fcb900\" class=\"has-inline-color\"><em>search smtp_version<\/em><\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"867\" height=\"129\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-6.png\" alt=\"\" class=\"wp-image-155\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-6.png 867w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-6-300x45.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-6-768x114.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-6-850x126.png 850w\" sizes=\"(max-width: 867px) 100vw, 867px\" \/><\/figure>\n\n\n\n<p>Once we have the options, let&#8217;s take a look for any issues with their configuration.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"941\" height=\"214\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-7.png\" alt=\"\" class=\"wp-image-156\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-7.png 941w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-7-300x68.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-7-768x175.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-7-850x193.png 850w\" sizes=\"(max-width: 941px) 100vw, 941px\" \/><\/figure>\n\n\n\n<p>We can see from the above that RHOSTS has no current setting. This can be exploited. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"914\" height=\"113\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-8.png\" alt=\"\" class=\"wp-image-157\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-8.png 914w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-8-300x37.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-8-768x95.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-8-850x105.png 850w\" sizes=\"(max-width: 914px) 100vw, 914px\" \/><\/figure>\n\n\n\n<p>We can see from this that SMTP is using Postfix as its <a href=\"https:\/\/mailtrap.io\/blog\/mail-transfer-agent\/\" title=\"\">Mail Transfer Agent<\/a>. This is typically the default for Ubuntu. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"169\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-9.png\" alt=\"\" class=\"wp-image-158\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-9.png 919w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-9-300x55.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-9-768x141.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-9-850x156.png 850w\" sizes=\"(max-width: 919px) 100vw, 919px\" \/><\/figure>\n\n\n\n<p>Going back we will now search for the <a href=\"https:\/\/www.infosecmatter.com\/metasploit-module-library\/?mm=auxiliary\/scanner\/smtp\/smtp_enum\" title=\"\">smtp_enum module<\/a>. <\/p>\n\n\n\n<p>Great. We&#8217;re now going to hunt for a username. 
To do so we&#8217;re going to use SecLists.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"946\" height=\"318\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-10.png\" alt=\"\" class=\"wp-image-159\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-10.png 946w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-10-300x101.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-10-768x258.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-10-850x286.png 850w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/><\/figure>\n\n\n\n<p>Looks like there&#8217;s a file containing usernames. We can exploit this by using SecLists with the parameter RHOSTS. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"729\" height=\"53\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-12.png\" alt=\"\" class=\"wp-image-161\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-12.png 729w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-12-300x22.png 300w\" sizes=\"(max-width: 729px) 100vw, 729px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"723\" height=\"103\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-13.png\" alt=\"\" class=\"wp-image-162\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-13.png 723w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-13-300x43.png 300w\" sizes=\"(max-width: 723px) 100vw, 723px\" \/><\/figure>\n\n\n\n<p>We have a username! <strong>Administrator<\/strong>. 
<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">Exploiting SMTP<\/span><\/h2>\n\n\n\n<p>So far then we&#8217;ve come up with a username but no password. The fact they kept the admin account under such a simple name suggests it hasn&#8217;t been configured well. <\/p>\n\n\n\n<p>Since we&#8217;re trying to crack a password, let&#8217;s move to Hydra to attempt a brute force crack. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-14.png\" alt=\"\" class=\"wp-image-163\" width=\"646\" height=\"26\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-14.png 957w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-14-300x12.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-14-768x31.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-14-850x35.png 850w\" sizes=\"(max-width: 646px) 100vw, 646px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"135\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-15.png\" alt=\"\" class=\"wp-image-164\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-15.png 816w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-15-300x50.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-15-768x127.png 768w\" sizes=\"(max-width: 816px) 100vw, 816px\" \/><\/figure>\n\n\n\n<p>Success! Obviously no password complexity requirements here. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"956\" height=\"439\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-16.png\" alt=\"\" class=\"wp-image-165\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-16.png 956w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-16-300x138.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-16-768x353.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-16-850x390.png 850w\" sizes=\"(max-width: 956px) 100vw, 956px\" \/><\/figure>\n\n\n\n<p>Connect with SSH and we have successful login!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To follow up on today&#8217;s knowledge post we are doing some practice on some active footprinting, enumerating and exploiting an&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[6,3],"tags":[],"class_list":["post-153","post","type-post","status-publish","format-standard","hentry","category-practice","category-tryhackme"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=153"}],"version-history":[{"count":1,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/153\/r
evisions"}],"predecessor-version":[{"id":166,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/153\/revisions\/166"}],"wp:attachment":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}