April 7, 2025

Postfish Proving Grounds Write-Up

Proving Grounds Postfish machine walkthrough

SUMMARY

This write-up covers the Postfish machine from OffSec’s Proving Grounds, a Linux machine with a multi-stage mail exploitation chain.

SMTP user enumeration identified valid accounts, and Hydra was used to brute-force POP3 credentials. Reading mail via POP3 revealed that the IT team conducts internal phishing simulations, providing context for the next step. A phishing email sent via SMTP to brian.moore captured his password when he clicked the link and authenticated.
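From the defender's side, the first two stages of this chain leave distinctive traces in the mail logs: a burst of "User unknown" recipient rejects from one source, followed by a run of POP3 authentication failures. The following added example (mine, not from the write-up or from OffSec) runs over constructed Postfix/Dovecot-style log lines and flags both patterns; the log lines, IP addresses, mailbox names and thresholds are all assumptions.

```python
"""Flag SMTP recipient enumeration and POP3 password guessing in mail logs.

Added example, not part of the write-up. The log lines are constructed in
Postfix/Dovecot syslog style and use documentation IP ranges.
"""
import re
from collections import defaultdict

# Constructed sample: 192.0.2.10 probes six mailbox names over SMTP, then
# fails repeatedly against POP3; 203.0.113.4 and 198.51.100.7 are benign noise.
SAMPLE_LOG = """\
Apr  7 10:00:01 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<alice@example.com> proto=ESMTP helo=<scan>
Apr  7 10:00:01 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<bob@example.com> proto=ESMTP helo=<scan>
Apr  7 10:00:02 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<carol@example.com> proto=ESMTP helo=<scan>
Apr  7 10:00:02 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<dave@example.com> proto=ESMTP helo=<scan>
Apr  7 10:00:03 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <erin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<erin@example.com> proto=ESMTP helo=<scan>
Apr  7 10:00:03 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <frank@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@b> to=<frank@example.com> proto=ESMTP helo=<scan>
Apr  7 10:00:09 mail postfix/smtpd[1202]: NOQUEUE: reject: RCPT from partner.example.net[203.0.113.4]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; from=<p@partner.example.net> to=<sales@example.com> proto=ESMTP helo=<partner>
Apr  7 10:01:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<brian.moore>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, session=<s1>
Apr  7 10:01:11 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<brian.moore>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, session=<s2>
Apr  7 10:01:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<brian.moore>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, session=<s3>
Apr  7 10:01:13 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<brian.moore>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, session=<s4>
Apr  7 10:01:15 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 4 secs): user=<brian.moore>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, session=<s5>
Apr  7 10:01:40 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<brian.moore>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, session=<s6>
Apr  7 10:02:00 mail dovecot: pop3-login: Login: user=<brian.moore>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=1300, session=<s7>
"""

# Postfix: recipient rejected because the mailbox does not exist (RCPT TO probing).
RCPT_UNKNOWN = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: 550 .*?User unknown"
)
# Dovecot: POP3 login closed after failed authentication; capture attempts, user, source IP.
POP3_FAIL = re.compile(
    r"dovecot: pop3-login: Disconnected \(auth failed, (\d+) attempts[^)]*\): "
    r"user=<([^>]*)>.*?rip=([\d.]+)"
)


def unknown_recipient_counts(log_text):
    """Number of 'User unknown' rejects per source IP."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = RCPT_UNKNOWN.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def find_enumeration(log_text, threshold=5):
    """Sources with at least `threshold` unknown-recipient rejects: recipient enumeration."""
    return {ip: n for ip, n in unknown_recipient_counts(log_text).items() if n >= threshold}


def find_pop3_guessing(log_text, threshold=5):
    """Sources whose summed POP3 auth failures reach `threshold`, with the users targeted."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = POP3_FAIL.search(line)
        if m:
            n, user, ip = int(m.group(1)), m.group(2), m.group(3)
            attempts[ip] += n
            users[ip].add(user)
    return {ip: {"attempts": n, "users": sorted(users[ip])}
            for ip, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    print("recipient enumeration:", find_enumeration(SAMPLE_LOG))
    print("POP3 guessing:", find_pop3_guessing(SAMPLE_LOG))
```

The one stray reject from 203.0.113.4 stays under the threshold, which is the point of counting per source rather than alerting on every 550. Postfix's `disable_vrfy_command = yes` removes the VRFY probing vector but does nothing about RCPT TO probing, so the reject counts above are the signal worth feeding into a fail2ban-style ban or a SIEM rule; the POP3 failure sum is what Dovecot's own rate limiting does not surface across sessions.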

SSH as brian.moore revealed membership in the filter group, which had write access to a mail processing script executed periodically. Injecting a reverse shell payload into the script delivered a shell as filter. From there, a sudo mail rule was abused via the standard GTFOBins technique to escape to a root shell.
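Both privilege boundaries in that second half are plain misconfigurations that an audit can catch before anyone lands on the box: a script that runs periodically but is writable by a group, and a sudo rule handing out an interactive mail client. The following added example (mine, not from the write-up or from OffSec) checks cron entries for group- or world-writable script paths and checks sudoers lines for listed binaries; the cron entries, sudoers lines and file names it builds in a temporary directory are constructed, and the set of binaries to flag is an assumption that a real audit would extend.

```python
"""Audit cron entries for writable scripts and sudoers for risky binaries.

Added example, not part of the write-up. The crontab, sudoers text and script
files are constructed inside a temporary directory so it runs anywhere.
"""
import os
import shlex
import stat
import tempfile


def writable_by_group_or_world(path):
    """True if anyone other than the owner can modify the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def cron_entries(crontab_text):
    """Yield (user, command) from /etc/cron.d-style lines; skip comments and VAR=value."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) < 7:
            continue
        yield fields[5], fields[6]


def find_writable_cron_scripts(crontab_text):
    """Every absolute path in a cron command that exists and is writable by non-owners."""
    findings = []
    for user, command in cron_entries(crontab_text):
        for tok in shlex.split(command):
            if tok.startswith("/") and os.path.isfile(tok) and writable_by_group_or_world(tok):
                findings.append((user, tok))
    return findings


def risky_sudo_rules(sudoers_text, risky_binaries=("mail",)):
    """(user, command) for sudoers rules whose command basename is in risky_binaries.

    `mail` is the binary from the chain above; extend the tuple from GTFOBins.
    """
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        who = line.split()[0]
        spec = line.split("=", 1)[1]
        if ")" in spec:                      # drop the (runas) part
            spec = spec.split(")", 1)[1]
        for cmd in spec.split(","):
            for tag in ("NOPASSWD:", "PASSWD:", "NOEXEC:", "SETENV:"):
                cmd = cmd.replace(tag, "")
            cmd = cmd.strip()
            if cmd and os.path.basename(cmd.split()[0]) in risky_binaries:
                findings.append((who, cmd))
    return findings


def demo():
    """Build constructed cron/sudoers data and return (writable scripts, risky sudo rules)."""
    with tempfile.TemporaryDirectory() as d:
        filt = os.path.join(d, "filter_mail.sh")   # constructed stand-in for the mail script
        rot = os.path.join(d, "rotate.sh")         # constructed, correctly permissioned
        for p in (filt, rot):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(filt, 0o775)  # group-writable: any member of the owning group can edit it
        os.chmod(rot, 0o755)
        crontab = (
            "MAILTO=root\n"
            f"*/5 * * * * root /bin/bash {filt}\n"
            f"0 3 * * * root {rot} --quiet\n"
        )
        sudoers = (
            "Defaults env_reset\n"
            "%sudo ALL=(ALL:ALL) ALL\n"
            "filter ALL=(root) NOPASSWD: /usr/bin/mail\n"
            "brian.moore ALL=(ALL) /usr/bin/systemctl restart postfix\n"
        )
        writable = [(u, os.path.basename(p)) for u, p in find_writable_cron_scripts(crontab)]
        return writable, risky_sudo_rules(sudoers)


if __name__ == "__main__":
    print(demo())
```

Against the constructed data only `filter_mail.sh` and the `mail` rule are reported; `/bin/bash` is checked too but is not writable, and the `systemctl` rule is a constrained command and passes. The fixes are the obvious ones: a script run by cron as root should be owned by root with mode 0755, and a sudo rule should name a non-interactive command (or a wrapper) rather than a mail client that can spawn a shell.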


PATH TO FOLLOW

  1. Reconnaissance & SMTP User Enumeration
  2. POP3 Credential Bruteforce via Hydra
  3. Mail Reading → Phishing Context Discovery
  4. SMTP Phishing → brian.moore Credential Capture
  5. filter Group Mail Script Injection → Shell as filter
  6. Sudo mail GTFOBins Escape → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.