2.2 Getting Started
Make sure to revert the Atmail virtual machine from your student control panel before starting this module.
The Atmail Webmail System has two different (but similar) web interfaces: one for webmail and the other for the mail server administration. Please refer to the student control panel for the credentials of both web interfaces.
In the examples that follow, the IP address of the Atmail server is mapped to the hostname
2.3 Atmail Vulnerability Discovery
As described by its vendor, the Atmail Mail Server appliance is built as a complete messaging platform for any industry type. Atmail contains web interfaces for reading email and for server administration, providing a rich web environment and, most interestingly, a large attack surface.
In this part of the module, we will start by attempting to detect XSS vulnerabilities with the help of a fuzzing tool.
2.4 Session Hijacking
Depending on any session protection mechanisms that may be present in the Atmail server, we may now have the ability to steal cookies and session information. This would allow us to impersonate our victim and access their webmail from a different location while bypassing any authentication. This is known as a session hijacking attack and is a well-known vector when attacking web applications. To implement this attack vector, we can choose one of two options.
Recall that these two choices are based on the results of our fuzzing efforts from the previous section.
2.5 Session Riding
Since we are targeting an administrative Atmail user, we could have unrestricted access to the application. However, while we have successfully hijacked the admin’s Atmail session, we will only be able to impersonate the target user as long as the session is alive. In other words, should the admin user log out, the session cookie will be invalidated and prevent us from accessing the admin’s Atmail interface and finishing whatever attack we planned.
2.6 Gaining Remote Code Execution
As attackers, we want to find a way to gain full control of our target, and that means compromising the entire underlying operating system. Of course, one vulnerability alone is not always sufficient. Often, we have to use more than one in the audited application, or even target different software running on the system.
In this module, we first discovered and then later exploited an XSS vulnerability in the Atmail Server.
We showed how this vulnerability is triggered when a user views their inbox.
We then combined it with a post-authenticated payload that will send an email on behalf of the administrator to any user, essentially spoofing the administrator.
Finally, we walked through a file upload vulnerability so that you can build an end-to-end exploit that combines all of these vulnerabilities, resulting in remote code execution and compromise of the underlying server.