## Recon

- 80 - HTTP
  - apparently empty IIS server
  - #todo run directory enumeration on this anyway
- 445 - SMB
  - null auth - denied
  - guest - disabled
- 9998/TCP - MS IIS httpd 10.0
  - `|_Requested resource was /interface/root`
- 5040/TCP - unknown
- 17001 - SmarterMail Related

### 21 FTP

```
PORT   STATE SERVICE REASON          VERSION
21/tcp open  ftp     syn-ack ttl 125 Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20  10:31PM       <DIR>          ImapRetrieval
| 04-25-25  08:14AM       <DIR>          Logs
| 04-29-20  10:31PM       <DIR>          PopRetrieval
|_04-25-25  08:14AM       <DIR>          Spool
```

Notice the dates: while some of the files were generated on the day of writing (2025-04-25), there are also files from `04-29-20` (2020-04-29).

- anonymous auth - permitted
- cannot `PUT` files

Dump FTP share:

```sh
# as anonymous user
mkdir FTP-DUMP
cd FTP-DUMP
wget -r --ftp-user=anonymous ftp://$RHOST/

╭─[λ]-[noctua.konstantinovitz.com]-[/targets/algernon/FTP-dump]-[192.168.188.65]
╰─> find .
.
./Spool
./Spool/SubSpool3
./Spool/SubSpool6
./Spool/SubSpool0
./Spool/SubSpool4
./Spool/SubSpool5
./Spool/SubSpool2
./Spool/Drop
./Spool/SubSpool1
./Spool/SubSpool8
./Spool/SubSpool9
./Spool/SubSpool7
./ImapRetrieval
./Logs
./Logs/2025.04.25-activation.log
./Logs/2025.04.25-delivery.log
./PopRetrieval
```

Logs could be interesting...

```
./Logs/2025.04.25-activation.log # contains nothing interesting
./Logs/2025.04.25-delivery.log

╭─[λ]-[noctua.konstantinovitz.com]-[/targets/algernon/FTP-dump/Logs]-[192.168.188.65]
╰─> cat 2025.04.25-delivery.log
08:14:49.735 Updating ClamAV database...
09:10:45.418 Updating the ClamAV database has completed successfully
```

We now have an indication that [[ClamAV]] is likely running on the system.

### 9998/HTTP

- MS IIS httpd 10.0
- [Docs](https://help.smartertools.com/SmarterMail/Current/Topics/)
- http://192.168.188.65:9998/interface/root#/login

![[Pasted image 20250425183736.png]]

And we get "SmarterMail".

- Default credentials?
  - No success, need an email/domain for this.
- Service version?
  - nothing in the source suggests a version number (apart from the whole thing being built on AngularJS, which is potentially old?)
  - `angular-v-100.0.6919.30414.8d65fc3f1d47d00.js` is a potentially ancient version
    - according to Wappalyzer it's [1.6.10](https://www.wappalyzer.com/technologies/javascript-frameworks/angularjs/?utm_source=popup&utm_medium=extension&utm_campaign=wappalyzer)
    - based on [Stack Overflow posts](https://stackoverflow.com/questions/56342429/migrating-angular-js-1-6-10-to-1-7-8) it's more than 5 years old.
  - a list of possible service versions: https://www.smartertools.com/smartermail/release-notes/current
  - correlated with some of the folder dates from the `FTP` enumeration (2020-04-29), we may be able to deduce the service version?
    - Build 7459 (2020-06-03)
      - contains mentions of `CLamAV v.0.103.2`
    - Build 7242 (2019-11-01)
      - seems to be the only one matching the date; the one mentioned above is too new

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/algernon/FTP-dump/Logs]-[192.168.188.65]
╰─> searchsploit "smarter mail"
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
SmarterMail 16 - Arbitrary File Upload                                 | multiple/webapps/48580.py
SmarterMail 7.1.3876 - Directory Traversal                             | windows/remote/15048.txt
SmarterMail 7.3/7.4 - Multiple Vulnerabilities                         | asp/webapps/16955.txt
SmarterMail 8.0 - Multiple Cross-Site Scripting Vulnerabilities        | asp/webapps/16975.txt
SmarterMail < 7.2.3925 - LDAP Injection                                | asp/webapps/15189.txt
SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting               | asp/webapps/15185.txt
SmarterMail Build 6985 - Remote Code Execution                         | windows/remote/49216.py
SmarterMail Enterprise and Standard 11.x - Persistent Cross-Site Scrip | asp/webapps/31017.php
smartermail free 9.2 - Persistent Cross-Site Scripting                 | windows/webapps/20362.py
SmarterTools SmarterMail 4.3 - 'Subject' HTML Injection                | php/webapps/31240.txt
SmarterTools SmarterMail 5.0 - HTTP Request Handling Denial of Service | windows/dos/31607.py
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

Potential RCE: https://www.exploit-db.com/exploits/49216

```py
# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
# Exploit Author: 1F98D
# Original Author: Soroush Dalili
# Date: 10 May 2020
# Vendor Hompage: re
# CVE: CVE-2019-7214
# Tested on: Windows 10 x64
# References:
# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
#
# SmarterMail before build 6985 provides a .NET remoting endpoint
# which is vulnerable to a .NET deserialisation attack.
```

No luck with this one? Taking a break here...

### Smartermail

- likely build: Build 7242 (2019-11-01)
-
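
The date correlation used above (oldest folder date in the anonymous FTP listing against build release dates), written out as an added example that is not part of the original notes. The listing is copied from the nmap output, the build table holds only the two builds named in these notes, the function names are hypothetical, and two-digit years are assumed to be 20xx.

```python
import re
from datetime import date

# Sample input: the ftp-anon lines from the nmap output in these notes.
LISTING = """\
| 04-29-20  10:31PM       <DIR>          ImapRetrieval
| 04-25-25  08:14AM       <DIR>          Logs
| 04-29-20  10:31PM       <DIR>          PopRetrieval
|_04-25-25  08:14AM       <DIR>          Spool
"""

# Only the two builds named in the notes; extend from the vendor release notes.
BUILDS = {7242: date(2019, 11, 1), 7459: date(2020, 6, 3)}

# MS-DOS style LIST line (MM-DD-YY HH:MMAM <DIR>|size name), optional nmap prefix.
ENTRY = re.compile(
    r"^\|?_?\s*(\d{2})-(\d{2})-(\d{2})\s+\d{2}:\d{2}[AP]M\s+(?:<DIR>|\d+)\s+(.+)$")

def parse_listing(text):
    """Return {name: date} for every listing line that parses."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            mm, dd, yy, name = m.groups()
            entries[name.strip()] = date(2000 + int(yy), int(mm), int(dd))
    return entries

def install_date(entries):
    """Oldest timestamp: best guess at when the service created its folders."""
    return min(entries.values(), default=None)

def candidate_build(installed, builds):
    """Newest build released on or before the install date, or None."""
    if installed is None:
        return None
    released = [(d, b) for b, d in builds.items() if d <= installed]
    return max(released)[1] if released else None

def builds_released_after(installed, builds):
    """Builds that cannot be the initial install because they shipped later."""
    return sorted(b for b, d in builds.items() if d > installed)

if __name__ == "__main__":
    installed = install_date(parse_listing(LISTING))
    print("oldest folder date:", installed)
    print("candidate build:", candidate_build(installed, BUILDS))
    print("too new:", builds_released_after(installed, BUILDS))
```

The folder date only bounds the initial install: a server upgraded in place keeps its old folder timestamps, so the result is a lower bound on the running build.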