Skip to main content

ClamAV

Enumeration

  • Found open ports
Nmap 7.98 scan initiated Thu Mar 26 06:16:45 2026 as: /usr/lib/nmap/nmap --privileged -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/ctf/pvg/clamav/results/192.168.240.42/scans/_quick_tcp_nmap.txt -oX /home/kali/ctf/pvg/clamav/results/192.168.240.42/scans/xml/_quick_tcp_nmap.xml 192.168.240.42
Nmap scan report for 192.168.240.42
Host is up, received user-set (0.22s latency).
Scanned at 2026-03-26 06:16:46 UTC for 681s
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBALr/RyBq802QXa1Bh4SQEUHqD+p9TEx3SUvPHACbT0tQqR3aali+ifDiOpqMToVaRfWzYOOsoM2Neg0EPa4KsJIwSTkFqjd/3Ynp3Yzus0nN+gtmbQRKzo8QfStr6IGt6kaI6viXl4z3ww6ryEkjNnb74KCooHOjyeGPi3o89GVnAAAAFQDSg0dwMrSn9juW/XPvo8S8kVOhDQAAAIARaqFuvZCqiTY8i/PITsr5WvyZm8mQ0nuqB6gW6y1h4jDAvtHO4TIZEMJ5vtPst0w9mVSYGVFlukhCqhbJdBigqH1WB1p7kwC78M9k23zZmzuwbnzYPiLHpEdfFEWdO62ZoCSFBXWOqe1IZaTaRCgUZPeB1QFXRCQ96VrJizPLUAAAAIEArOALxR78fZrUqmUcYOs5tf8wu5xChAUqAfh1ElJ6r3EjcWwXId12jo1uAz0JmCTluUQhjhNDJB6XIgUzoFzW1NZPjGCkex7s1+2+TUTmqFr6Nr97k2RIy91Bpuxwg5jzE83cKPCOoWVbYlfzAqNkF4xxznfC3fRtmj2e/L9chzg=
| 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAviGcDkDxKzv7w++DXy6q+5AJDpG/q8Um8j4BheW9fgwsOvQCuDvLcPUIKMYEz4aUgkt/sSCXu29XTlu79pEkb48+BnaRCKrHLH/YWM79GT6Q5ie9jP47HjjJeCCBI/c02qpkH/fjz9FK4HQPC7WtXY9EgW4IMB+pzX2KZxK2PF0=
25/tcp open smtp? syn-ack ttl 61
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http syn-ack ttl 61 Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Ph33r
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux syn-ack ttl 61 Linux SNMP multiplexer
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
OS fingerprint not ideal because: maxTimingRatio (1.538000e+00) is greater than 1.4
Aggressive OS guesses: Dell Integrated Remote Access Controller (iDRAC5) (96%), OpenWrt White Russian 0.9 (Linux 2.4.30) (96%), Linux 2.6.9 - 2.6.27 (95%), Sony SMP-N200 media player (95%), ZyXEL o2 HomeBox 6641 router (95%), Linux 2.6.21 (95%), Linux 2.6.18 (95%), Tomato 1.28 (Linux 2.6.22) (95%), Asus RT-AC66U router (Linux 2.6) (95%), Asus RT-N16 WAP (Linux 2.6) (95%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.98%E=4%D=3/26%OT=22%CT=1%CU=43239%PV=Y%DS=4%DC=T%G=N%TM=69C4D1F7%P=x86_64-pc-linux-gnu)
SEQ(SP=C6%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%TS=A)
SEQ(SP=C7%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=A)
SEQ(SP=C8%GCD=1%ISR=CA%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M578ST11NW0%O2=M578ST11NW0%O3=M578NNT11NW0%O4=M578ST11NW0%O5=M578ST11NW0%O6=M578ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%T=40%W=16D0%O=M578NNSNW0%CC=N%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=N)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.011 days (since Thu Mar 26 06:12:13 2026)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| 0XBABE<00> Flags: <unique><active>
| 0XBABE<03> Flags: <unique><active>
| 0XBABE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 13151/tcp): CLEAN (Couldn't connect)
| Check 2 (port 58160/tcp): CLEAN (Couldn't connect)
| Check 3 (port 47949/udp): CLEAN (Failed to receive data)
| Check 4 (port 39860/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: share (dangerous)
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_clock-skew: mean: 5h59m59s, deviation: 2h49m43s, median: 3h59m58s
| smb-os-discovery:
| OS: Unix (Samba 3.0.14a-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2026-03-26T06:26:19-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 995/tcp)
HOP RTT ADDRESS
1 235.45 ms 192.168.45.1
2 235.43 ms 192.168.45.254
3 235.59 ms 192.168.251.1
4 229.17 ms 192.168.240.42

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 26 06:28:07 2026 -- 1 IP address (1 host up) scanned in 681.77 seconds
  • Netcat to port 25
  • We see netcat is running sendmail service, searching exploits for it

┌──(kali㉿hd)-[~]
└─$ searchsploit sendmail
---------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Berkeley Sendmail 5.58 - Debug | linux/remote/19028.txt
BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / R | multiple/local/19556.sh
Caldera OpenLinux 2.2 / Debian 2.1/2.2 / RedHat 6.0 - Vixie Cron MAIL | linux/local/19474.txt
ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail) Code Execution (Meta | multiple/remote/9913.rb
Eric Allman Sendmail 8.8.x - Socket Hijack | linux/local/19602.c
Eric Allman Sendmail 8.9.1/8.9.3 - ETRN Denial of Service | linux/dos/19701.sh
Indexu 5.0/5.3 - 'Sendmail.php' Multiple Cross-Site Scripting Vulnera | php/webapps/29481.txt
Linux Kernel 2.0 Sendmail - Denial of Service | linux/dos/19282.c
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Sendmail 8.10. | linux/local/20001.sh
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Sendmail Capab | linux/local/20000.c
Metainfo Sendmail 2.0/2.5 / MetaIP 3.1 - Upload / Execute Read Script | multiple/remote/19084.txt
Morris Worm - sendmail Debug Mode Shell Escape (Metasploit) | unix/remote/45789.rb
ObieWebsite Mini Web Shop 2 - 'Sendmail.php?PATH_INFO' Cross-Site Scr | php/webapps/29957.txt
PHP 4.x/5.0/5.1 with Sendmail Mail Function - 'additional_param' Arbi | php/local/27334.txt
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit) | multiple/webapps/41688.rb
Sendmail 8.11.6 - Address Prescan Memory Corruption | unix/local/22442.c
Sendmail 8.11.x (Linux/i386) - Local Privilege Escalation | linux/local/411.c
Sendmail 8.11/8.12 Debugger - Arbitrary Code Execution (1) | linux/local/21060.c
Sendmail 8.11/8.12 Debugger - Arbitrary Code Execution (2) | linux/local/21061.c
Sendmail 8.11/8.12 Debugger - Arbitrary Code Execution (3) | linux/local/21062.txt
Sendmail 8.11/8.12 Debugger - Arbitrary Code Execution (4) | linux/local/21063.txt
Sendmail 8.12.6 - Compromised Source Backdoor | unix/remote/21919.sh
Sendmail 8.12.8 (BSD) - 'Prescan()' Remote Command Execution | linux/remote/24.c
Sendmail 8.12.9 - 'Prescan()' Variant Remote Buffer Overrun | linux/remote/23154.c
Sendmail 8.12.x - 'X-header' Remote Heap Buffer Overflow (PoC) | linux/dos/32995.txt
Sendmail 8.12.x - Header Processing Buffer Overflow (1) | unix/remote/22313.c
Sendmail 8.12.x - Header Processing Buffer Overflow (2) | unix/remote/22314.c
Sendmail 8.12.x - SMRSH Double Pipe Access Validation | unix/local/21884.txt
Sendmail 8.13.5 - Remote Signal Handling (PoC) | linux/dos/2051.py
Sendmail 8.6.9 IDENT - Remote Command Execution | unix/remote/20599.sh
Sendmail 8.9.2 - Headers Prescan Denial of Service | irix/dos/23167.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Locking Denial of Service | linux/dos/21476.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Locking Denial of Service | linux/dos/21477.c
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution | multiple/remote/4761.pl
WEBgais 1.0 - websendmail Remote Command Execution | cgi/remote/20483.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploit

  • Selecting below exploit due to machine name is clamav
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution | multiple/remote/4761.pl
  • Executing the perl script
  • Open newly created port using nc
  • And we are root