
ClamAV
Proving Grounds Linux Easy
The first thing I notice is the name of the machine, which gives me a hint about what I am up against.
A quick Google search shows me that ClamAV is an open-source antivirus engine, mainly used as a server-side email virus scanner.
To start the Recon, I scan through all the open ports with Nmap to check the available services that the machine is running, and I find this:

The first thing that comes to my mind is that port 25 is running an SMTP service. I find that interesting, since the name of the machine is pointing me towards something related to email.
After trying some basic enumeration, I check the web server hosted on port 80.

I notice that this message is binary:
01101001 01100110 01111001 01101111 01110101 01100100 01101111 01101110 01110100 01110000 01110111 01101110 01101101 01100101 01110101 01110010 01100001 01101110 00110000 00110000 01100010
Read as 8-bit ASCII, it decodes to “ifyoudontpwnmeuran00b”.
I start enumerating potentially interesting files and subdomains, but I find nothing, so I decide to come back to the email service on port 25.
A Google search for “Sendmail 8.13.4” shows something potentially interesting.
[Sendmail with clamav-milter < 0.91.2 - Remote Command Execution](https://www.exploit-db.com/exploits/4761) comes with a PoC in a Perl script.

What this does is modify the /etc/inetd.conf configuration file so that the inetd service exposes a remote shell on port 31337. Once the configuration file is modified and the service restarted, this gives us a backdoor for remote access as the root user.
We can save the script directly from the website or use the searchsploit tool for the same purpose:
$ searchsploit -m multiple/remote/4761.pl

It seems to be working. To be sure, we run nmap again to check whether the port has been opened:

And we see that port 31337 is now listening. We open a simple connection to it with netcat…

And we get the shell as root user.
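As an added defensive check (my own code, not part of this write-up or the PoC), a small Python audit that parses /etc/inetd.conf in its standard seven-field format and flags entries like the one this exploit plants: a shell spawned as root on a raw port number. The configuration text below is constructed for the example; the entry on port 31337 mirrors what the write-up describes, not a copy of the PoC's exact line.

```python
from dataclasses import dataclass, field
import re

# Programs that should never be the server of an inetd service.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/zsh", "sh", "bash"}

# Constructed sample of /etc/inetd.conf; the last line is the kind of
# entry a successful exploitation leaves behind (see write-up above).
SAMPLE_CONF = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
31337   stream  tcp  nowait  root  /bin/sh         sh -i
"""

@dataclass
class InetdEntry:
    service: str      # name from /etc/services, or a bare port number
    socket_type: str  # stream / dgram
    protocol: str     # tcp / udp
    wait: str         # wait / nowait
    user: str         # may be written as user, user.group or user:group
    program: str      # server program path
    args: list = field(default_factory=list)

def parse_inetd_conf(text):
    """Return the active (non-comment) entries of an inetd.conf body."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if len(f) < 6:                        # inetd would reject this line too
            continue
        entries.append(InetdEntry(f[0], f[1], f[2], f[3], f[4], f[5], f[6:]))
    return entries

def suspicious_entries(entries):
    """Pair each entry with the reasons it looks like a bind shell."""
    findings = []
    for e in entries:
        reasons = []
        if e.program in SHELLS or (e.args and e.args[0] in SHELLS):
            reasons.append("server program is an interactive shell")
        if e.service.isdigit():
            reasons.append(f"service bound by raw port number {e.service}")
        if reasons and re.split(r"[.:]", e.user)[0] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Run it over the real file with `suspicious_entries(parse_inetd_conf(open("/etc/inetd.conf").read()))` on a host you administer; a clean configuration yields an empty list.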