We begin with a full SYN scan, which reveals some open ports:
/tmp/tmp.TBaz18HKK2 ❯ hping3 -S --scan 1-65535 10.10.10.51 | grep -v "Not" | tee general/hping3/syn_scan
Scanning 10.10.10.51 (10.10.10.51), port 1-65535
65535 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
22 ssh : .S..A... 63 0 29200 44
25 smtp : .S..A... 63 0 29200 44
80 http : .S..A... 63 0 29200 44
110 pop3 : .S..A... 63 0 29200 44
119 nntp : .S..A... 63 0 29200 44
4555 : .S..A... 63 0 29200 44
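To turn the hping3 table above into the port list fed to the targeted nmap scan that follows, here is an added parser (example code written for this walkthrough, not part of the original page or of hping3). It reads the flags column as hping3 prints it, classifies each reply as open (SYN/ACK) or closed (RST), and flags open ports for which hping3 printed no service name, which is exactly how 4555 stands out; the sample input is the page's own scan output.

```python
import re
from dataclasses import dataclass

# Sample input: the hping3 SYN scan output shown above (the page's own scan
# result, prompt omitted), including the banner and header lines to be skipped.
SAMPLE = """\
Scanning 10.10.10.51 (10.10.10.51), port 1-65535
|port| serv name | flags |ttl| id | win | len |
All replies received. Done.
22 ssh : .S..A... 63 0 29200 44
25 smtp : .S..A... 63 0 29200 44
80 http : .S..A... 63 0 29200 44
110 pop3 : .S..A... 63 0 29200 44
119 nntp : .S..A... 63 0 29200 44
4555 : .S..A... 63 0 29200 44
"""

# One table row: port, service name (blank when hping3 has no name for the
# port), flags, ttl, id, win, len.  The flags column is printed in the fixed
# order F S R P A U X Y with '.' for a clear bit, so ".S..A..." is SYN/ACK.
ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<serv>[^\s:]*)\s*:\s+(?P<flags>[.FSRPAUXY]{8})"
    r"(\s+\d+){4}\s*$"
)

@dataclass
class Reply:
    port: int
    service: str
    flags: str
    @property
    def state(self) -> str:
        if self.flags[1] == "S" and self.flags[4] == "A":
            return "open"      # SYN/ACK: a listener accepted the handshake
        return "closed" if self.flags[2] == "R" else "unknown"  # RST: nothing listening

def parse_hping3_scan(text: str) -> list[Reply]:
    """One Reply per table row; banner, header and status lines are skipped."""
    rows = (ROW_RE.match(line) for line in text.splitlines())
    return [Reply(int(m["port"]), m["serv"], m["flags"]) for m in rows if m]

def open_ports(text: str) -> list[int]:
    return sorted(r.port for r in parse_hping3_scan(text) if r.state == "open")

def unnamed_open_ports(text: str) -> list[int]:
    # Open ports hping3 could not name: the ones a banner check should target next.
    return [r.port for r in parse_hping3_scan(text) if r.state == "open" and not r.service]

def nmap_port_arg(text: str) -> str:
    return "-p" + ",".join(str(p) for p in open_ports(text))
```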
Our first impressions are as follows:
A targeted nmap safe scan confirms the open ports and their services, and also reveals that port 4555 may be of interest given its unusual banner.
/tmp/tmp.ollYc4FpHL ❯ nmap -A -p22,25,80,110,119,4555 -oA general/nmap/safe_scan 10.10.10.51
# Nmap 7.92 scan initiated Sun Jun 9 12:05:16 2024 as: nmap -A -p22,25,80,110,119,4555 -oA general/nmap/safe_scan -v 10.10.10.51
Nmap scan report for target (10.10.10.51)
Host is up (0.051s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello target (10.10.16.18 [10.10.16.18])
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
Running searchsploit against all discovered services reveals the possibility of an RCE vulnerability in the JAMES version identified above.
[i] /usr/bin/searchsploit -t james
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache James Server 2.2 - SMTP Denial of Service | multiple/dos/27915.pl
Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit) | linux/remote/48130.rb
Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py
Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2) | linux/remote/50347.py
WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow | windows/remote/944.c
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Paper Title | Path
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploiting Apache James Server 2.3.2 | docs/english/40123-exploiting-ap
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Visiting the referenced paper reveals the following: