Enumeration

Nmap

The initial nmap scan revealed that many ports were open, including FTP, HTTP, SMB …

00 - nmap

Rabbit Hole Enumerations

At first I enumerated FTP, as it allowed anonymous login. I downloaded all the log files and analyzed them, but it was useless. The only useful thing I gathered from the logs was that there was an admin user.

01 - anon login ftp

02 - downloaded all logs

I then fuzzed the website on port 80 and found the path /aspnet_client/system_web/. Then I applied IIS tilde enumeration and found the path /aspnet_client/system_web/4_0_30319. I then searched the internet hoping to find useful information, but I could not. I tried some known paths, but none of them worked.

Exploitation (Root Directly)

I then visited port 9998 and found that the SmarterMail application was running.

03 smarter mail login

Its version was 6919.

08 - version

At first I tried default logins and they did not work. Later I searched the internet and found that SmarterMail version 6985 was vulnerable to RCE. The version I found was a lower version, so I thought maybe I could run this exploit successfully.

09 - exploit

Then I simply ran the exploit and got a SYSTEM shell.

10 - gg

