SENDEMAIL
OFFSEC - Proving Grounds - POSTFISH
·3193 words·15 mins
OFFSEC PG PRACTICE
SMTP-USER-ENUM
USERNAME_GENERATOR
HYDRA
IMAP
IMAPS
SENDEMAIL
PWNKIT
Website PostFish on port 80 and SMTP on port 25 reveal usernames. Hydra finds credentials, sending an email with a reset link grants brian access. Pwnkit (CVE-2021-4034) escalates to root.