📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 80)
  • SMB (Port 139,445)
  • SMTP (Port 25)
  • Exploit

Was this helpful?

  1. Proving Grounds practice
  2. Warm up
  3. Linux

ClamAV

Writeup for ClamAV from offsec Proving Grounds

PreviousLinuxNextExfiltrated

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo nmapAutomator.sh 192.168.220.42 all

Service Enumeration

HTTP (Port 80)

We see that there is some binary on the page.

We can use cyberchef to translate it, however, it doesn't seem too useful.

We try running gobuster on it also, but there isn't anything interesting.

SMB (Port 139,445)

No interesting shares on SMB either.

SMTP (Port 25)

We search the box name and see that there is a RCE exploit with SMTP.

Exploit

Notice that the script opens port 31337 and calls a shell there.

We run the script and it executes without any errors.

Checking port 31337, we see that it is closed before running the Perl script and after running the Perl script, the port becomes open.

We can then connect to it and give the flag -i to get an interactive shell.

LogoSendmail with clamav-milter < 0.91.2 - Remote Command ExecutionExploit Database