ClamAV

Writeup for ClamAV from OffSec Proving Grounds

Information Gathering

sudo nmapAutomator.sh 192.168.220.42 all

Service Enumeration

HTTP (Port 80)

We see that there is some binary on the page.

We can use CyberChef to decode it; however, the result doesn't seem too useful.

We also try running gobuster against it, but there isn't anything interesting.

SMB (Ports 139, 445)

No interesting shares on SMB either.

SMTP (Port 25)

We search for the box name and see that there is an RCE exploit that uses SMTP.

Exploit

Notice that the script opens port 31337 and calls a shell there.

We run the script and it executes without any errors.

Checking port 31337, we see that it is closed before we run the Perl script and open after the script has run.

We can then connect to it and give the flag -i to get an interactive shell.
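
From the defender's side, the closed-then-open change on port 31337 described above is exactly what a diff of listening-socket snapshots catches. The following is an added example, not part of the original writeup or the exploit script; the two snapshots are constructed sample text in the layout of `ss -ltn` output, and the function names are hypothetical.

```python
# Added example: diff two listening-socket snapshots to spot a new listener.
# BEFORE and AFTER are constructed samples in the layout of `ss -ltn` output.

BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      50           0.0.0.0:139       0.0.0.0:*
LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
"""

# Same host after the event: one extra listener has appeared.
AFTER = BEFORE + "LISTEN 0      5            0.0.0.0:31337     0.0.0.0:*\n"


def parse_listeners(ss_output):
    """Return a set of (address, port) pairs for every LISTEN row."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header, blank line, or non-listening socket
        # rpartition splits on the last colon, so "[::]:22" parses correctly
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.add((addr, int(port)))
    return listeners


def new_listeners(before, after, allowed_ports=frozenset()):
    """Listeners present in `after` but not in `before`, minus allowed ports."""
    added = parse_listeners(after) - parse_listeners(before)
    return sorted(entry for entry in added if entry[1] not in allowed_ports)


if __name__ == "__main__":
    for addr, port in new_listeners(BEFORE, AFTER):
        print(f"new listener: {addr}:{port}")
```

Run on a schedule against a stored baseline, any unexpected entry is a lead for triage alongside the mail server's logs.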
