Initial Nmap scan revealed key services pointing to a legacy Linux box with Sendmail + ClamAV integration — the machine name itself was the primary clue.
nmap -sV -sC 192.168.220.42
Port      Service   Version           Significance
22        SSH       OpenSSH           Potential foothold, not used
25        SMTP      Sendmail 8.13.4   Primary attack surface
80        HTTP      Apache 1.3.33     Legacy web server
139/445   SMB       Samba 3.0.14a     Alternative exploitation path
199       SNMP      —                 Enumeration vector
60000     SSH       non-standard      Potential backdoor
[i] Machine naming clue: Box is called "ClamAV" — the anti-virus software. Sendmail on port 25 strongly suggests clamav-milter integration, a known CVE vector.
0x02 SMTP Enumeration — VRFY & Milter Detection
Manual interaction with Sendmail to verify user existence and test mail delivery through the milter.
nc 192.168.220.42 25
EHLO test
VRFY root
250 2.1.5 root → root exists
VRFY admin
550 5.1.1 User unknown → no admin
MAIL FROM:<test@local>
RCPT TO:<root@local>
DATA
Subject: test
.
250 2.0.0 Message accepted → milter is active!
[!] Milter detection confirmed: The "250 Message accepted" response after DATA indicates ClamAV-milter is processing emails — vulnerable versions <0.91.2 suffer from command injection in the RCPT TO field.
Exploit ID: 4761.pl — "Sendmail with clamav-milter < 0.91.2 - Remote Command Execution". The exploit works by injecting shell metacharacters into the RCPT TO field, which gets passed unsanitized to a system() call inside the milter running as root.
Vulnerability mechanism: ClamAV milter's blackhole mode had a bug where recipient addresses weren't properly sanitized before being passed to a shell. Embedding backticks or $() in the RCPT TO executes arbitrary commands as root.
0x04 Exploit Execution — Root Shell on 31337
perl 4761.pl 192.168.220.42
[+] Connecting to target...
[+] Sending payload to inject inetd backdoor...
[+] Done. Connect to port 31337 for root shell.
Root obtained instantly: The exploit writes a shell service to /etc/inetd.conf and restarts inetd, binding a root shell to port 31337. No privilege escalation needed — milter runs as root.
0x05 Methodology — The Reasoning Chain
Box name "ClamAV" → immediate association with ClamAV anti-virus software
Sendmail on port 25 → common integration: ClamAV runs as a milter alongside Sendmail
Both are ancient versions (Sendmail 8.13.4, ClamAV <0.91.2) → known CVEs exist
SMTP is unauthenticated by design → exploitable without credentials
The exploit doesn't attack Sendmail directly. It uses Sendmail as a transport to reach the vulnerable ClamAV milter, where the RCPT TO field gets passed unsanitized to a shell. Embedding shell metacharacters executes OS commands as root.
[i] OSCP mindset: Box names often give away the vulnerability. ClamAV + Sendmail = CVE-2007-4560. Always check searchsploit before manual enumeration.
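A defender-side complement to the mechanism described above (recipient addresses carrying shell metacharacters reaching clamav-milter), added here and not part of the original writeup: a small detector that scans sendmail-style maillog lines and flags "to=" entries containing backticks, $( ), or pipe/separator characters. The log layout and the sample lines are constructed assumptions; the metacharacter match is a heuristic and will also flag unusual but legitimate quoted local parts.

```python
import re

# Shell metacharacters the writeup says reach a shell via the RCPT TO
# field in clamav-milter < 0.91.2: backticks, $( ), and pipe/separator chars.
SHELL_META = re.compile(r"`|\$\(|[|;&]")

# Recipient field as sendmail writes it in maillog ("to=<addr>,").
# Non-greedy so a '>' inside an injected payload does not end the match.
TO_FIELD = re.compile(r"\bto=<(.*?)>(?=,|\s*$)")


def extract_recipient(line):
    """Return the recipient address from a sendmail 'to=' log line, else None."""
    m = TO_FIELD.search(line)
    return m.group(1) if m else None


def is_suspicious(addr):
    """True if the address carries shell metacharacters (heuristic)."""
    return bool(SHELL_META.search(addr))


def flag_suspicious_recipients(lines):
    """Return [(line_no, addr)] for every 'to=' entry that looks injected."""
    hits = []
    for n, line in enumerate(lines, 1):
        addr = extract_recipient(line)
        if addr is not None and is_suspicious(addr):
            hits.append((n, addr))
    return hits


# Constructed sample maillog lines (not captured from any real host); the
# format is assumed to follow sendmail's "to=<...>, delay=..., stat=..." layout.
SAMPLE_LOG = [
    "Nov 12 10:01:23 clamav sendmail[1235]: kAC1Ab001235: to=<root@local>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent",
    "Nov 12 10:02:10 clamav sendmail[1240]: kAC1Ac001240: to=<`echo hi`@local>, delay=00:00:00, mailer=local, stat=Sent",
    "Nov 12 10:02:11 clamav sendmail[1241]: kAC1Ad001241: to=<$(echo hi)@local>, delay=00:00:00, mailer=local, stat=Sent",
    "Nov 12 10:03:00 clamav sendmail[1250]: kAC1Ae001250: from=<test@local>, size=12, class=0, nrcpts=1",
]

if __name__ == "__main__":
    for n, addr in flag_suspicious_recipients(SAMPLE_LOG):
        print(f"line {n}: suspicious recipient {addr!r}")
```

Any hit on a host still running clamav-milter below 0.91.2 is a reason to patch first and investigate inetd.conf and listening ports second.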
0x06 Improvements — Workflow Optimization
Faster tools / parallel enumeration
nmap --script smtp-enum-users — automates VRFY across a wordlist instead of manual checks
enum4linux -a <ip> — dumps SMB users, shares, OS info in one shot
Run searchsploit immediately after nmap — don't manually explore before checking known exploits
Alternative root path — Samba usermap_script
Samba 3.0.14a on this box is vulnerable to usermap_script (CVE-2007-2447). Two independent roads to root existed.
searchsploit samba 3.0.14
[!] Parallel recon: Run enum4linux and gobuster while SMTP enumeration is happening. Don't serialize — exploit every open service concurrently.
Workflow insight: nmap → searchsploit every version → prioritize unauthenticated services → read exploit → run exploit → root. Don't get stuck manually poking services when searchsploit can skip you ahead.
Persistence note: inetd-based shells are not persistent. The port closes after your session ends or machine restarts. Re-run the exploit to reconnect.
0x07 Troubleshooting Common Issues
[!] No shell on port 31337 after exploit: inetd may not be installed, or the write to inetd.conf failed. Connect immediately after exploit fires — there's a brief window. Re-run exploit; first attempt may have failed silently. Use nc -v to distinguish "connection refused" from "timed out".
[!] SMTP connection gets no response: Wait 5 seconds — SMTP banners are slow. Try telnet instead of nc. Send EHLO or HELO to prompt the server.
[!] Searchsploit finds nothing: Try broader terms: 'clamav', 'milter', 'sendmail' separately. Update DB: searchsploit -u. Fall back to exploit-db.com search by version or CVE manually.
[!] Exploit runs but SMTP rejects injection: Check that 'Recipient ok' appears for the RCPT TO injection lines — that's confirmation it worked. Try the Metasploit version (16924.rb) as a fallback.
0x08 Command Cheat Sheet
nmap -sV -sC -p- <ip>           Full port scan + versions + default scripts
searchsploit <keyword>          Search Exploit-DB locally
searchsploit -x <path>          Read exploit without copying
searchsploit -m <path>          Copy exploit to current dir
smbclient -L //<ip>/ -N         List SMB shares anonymously
whoami                          First command after shell
snmpwalk -v1 -c public <ip>     SNMP enumeration on port 199
01 Nmap Scan: Port 25 Sendmail + ClamAV name
↓
02 SMTP VRFY + Milter Check: Confirmed root exists, milter active
↓
03 Searchsploit → 4761.pl: CVE-2007-4560 RCE
↓
04 Inject Command via RCPT TO: Write inetd backdoor
↓
05 nc to 31337 → root shell: Proof.txt captured
// Key Takeaway — OSCP Style
CVE-2007-4560 demonstrates how a single misconfiguration (running a vulnerable milter as root) can lead to immediate domain-equivalent compromise. The box name "ClamAV" was the biggest clue — always correlate service versions with known CVEs using searchsploit. The optimal workflow is: nmap full scan → searchsploit on every version → prioritize unauthenticated services → read exploit → run → root. Don't over-analyze; let searchsploit do the heavy lifting.
Alternative root path: Samba 3.0.14a usermap_script (CVE-2007-2447) was also exploitable. Always check all open ports for separate attack vectors.
0x09 TODOs — Post-Exploitation & Further Enumeration
Exploit Samba 3.0.14a via usermap_script — separate root path on same box (CVE-2007-2447)
Enumerate SMB shares: smbclient -L //192.168.220.42/ -N and enum4linux -a
Gobuster the web server on port 80 — Apache 1.3.33 may have additional vulns
SNMP enumeration on port 199: snmpwalk -v1 -c public 192.168.220.42
Investigate port 60000 SSH — non-standard port, may be intentional backdoor or admin access
Build a recon script that runs nmap → searchsploit automatically for each discovered service version