43 lines
No EOL
1.7 KiB
Text
43 lines
No EOL
1.7 KiB
Text
*On one machine (Windows Server 2003), install a new instance of AMS with
|
|
these configurations*
|
|
|
|
1. Primary Domain: hack.local
|
|
2. Enable the WebMail Service
|
|
3. Domain Name: hack.local
|
|
4. Add a User and set Password. In this case I created a user named,
|
|
victim, with a password of victim
|
|
5. Finish installation
|
|
|
|
|
|
*On an instance of Kali*
|
|
|
|
1. Open a web browser and navigate to AMS WebMail Login
|
|
2. Log in as the user victim
|
|
3. Go to Options -> Advanced Options
|
|
4. Verify that the Password Resetting section is blank
|
|
5. Start Apache and place csrf-password_reset.js in /var/www/ability
|
|
6. As a sanity check, try to navigate to csrf-password_reset.js to make
|
|
sure you can access it, i.e. 192.168.1.1/ability/csrf-password_reset.js
|
|
7. Update resetpassword.py with the IP addresses of the server running
|
|
AMS and the kali attack machine. If the user/password account you created
|
|
in AMS is different, update that information here as well.
|
|
8. Run the script by typing, "python resetpassword.py"
|
|
9. Go back to your web browser, you should notice that victim now has an
|
|
email
|
|
10. Open the email
|
|
11. You should observe an alert box that says, Password Reset!
|
|
12. Click OK
|
|
13. Go to Options -> Advanced Options
|
|
14. Verify that the Password Resetting section is now populated with the
|
|
question and answer set to hacked
|
|
15. Logout of AMS
|
|
16. Click on Return to Login Page
|
|
17. Click on Forgot your password?
|
|
18. Enter an email address of victim@hack.local
|
|
19. Enter an answer of hacked and set a new password (you can leave zip
|
|
code and telephone number blank)
|
|
20. Click on Return to Login Page
|
|
21. Login as user victim with the password you have chosen
|
|
|
|
Proof of Concept Files:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31221.tar.gz |