25 ~ SMTP

https://docs.google.com/document/d/1e4qV-nTF3guKg9g9bJSx6uMzdJz4uzY_0W3veNiTgSY/edit?tab=t.0

Enumeration

First, we have to establish a TCP connection on port 25 of the SMTP server:

$ nc -nv <target> 25
EHLO <address>

250-<address>
250-<command>
...
250-SIZE
250-DSN
250 PIPELINING
...

Log poisoning

Given that we have found a way to read log files (e.g. through LFI) in locations such as:

/var/log/mail
/var/log/syslog

There are some commands that may allow us to have our input directly appear in the logs:

1. RCPT TO

RCPT TO:<payload>

2. VRFY

VRFY <payload>
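
From the defending side, entries written through these commands stand out because the logged argument is not a plausible mailbox. The following is an added example, not part of the original notes: it scans constructed log lines and flags RCPT/VRFY arguments that fail a strict allow-list. The syslog-like layout and the to=/arg= field names are assumptions, so adapt the pattern to what your MTA actually writes.

```python
import re
from collections import Counter

# Constructed sample lines in a syslog-like layout (an assumption, not a
# real MTA's exact format).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx smtpd[811]: connect from unknown[192.0.2.10]
Jan 10 10:00:02 mx smtpd[811]: reject: RCPT from unknown[192.0.2.10]: to=<alice@example.org> helo=<client.example>
Jan 10 10:00:03 mx smtpd[811]: reject: RCPT from unknown[192.0.2.10]: to=<{{CONSTRUCTED-MARKUP}}> helo=<client.example>
Jan 10 10:00:04 mx smtpd[811]: reject: VRFY from unknown[192.0.2.10]: arg=<bob>
Jan 10 10:00:05 mx smtpd[812]: reject: VRFY from unknown[192.0.2.77]: arg=<(CONSTRUCTED; not a mailbox)>
"""

# SMTP command, client IP, and the logged argument between <...>.
# The lookahead lets the argument itself contain '>' characters.
ENTRY = re.compile(
    r"(?P<cmd>RCPT|VRFY) from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?:to|arg)=<(?P<arg>.*?)>(?= \w+=<|$)"
)
# Policy allow-list, deliberately stricter than RFC 5321: a plain mailbox
# name with an optional domain. Anything else is treated as suspicious.
MAILBOX = re.compile(r"[A-Za-z0-9._%+-]{1,64}(@[A-Za-z0-9.-]{1,255})?")


def find_suspicious(log_text):
    """Return (line_no, ip, cmd, arg) for arguments that fail the allow-list."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = ENTRY.search(line)
        if m and not MAILBOX.fullmatch(m["arg"]):
            findings.append((line_no, m["ip"], m["cmd"], m["arg"]))
    return findings


def sources(findings):
    """Count suspicious entries per client IP for triage."""
    return Counter(ip for _, ip, _, _ in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for line_no, ip, cmd, arg in hits:
        # repr() keeps control characters from being rendered by the terminal.
        print(f"line {line_no}: {cmd} from {ip}: {arg!r}")
    print(dict(sources(hits)))
```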
