šŸ•µļøā€ā™‚ļø How I Got Access to a UK Government Organizationā€™s SMTP Server? šŸ“§šŸšØ

B4LOGIB4LOGI
3 min read

While researching Google Dorking over my favorite cup of coffee ā˜•, I stumbled upon something unexpectedā€”an exposed mail server belonging to a UK government organization. Excited by the discovery, I decided to investigate further. Using Telnet, I attempted to connect, and to my surprise, I gained access to their mail server!

Curious about the extent of the exposure, I followed a structured approach to assess the risk while ensuring ethical boundaries. In this blog, Iā€™ll walk you through my methodology, how I responsibly disclosed the issue through their Vulnerability Disclosure Program (VDP) on HackerOne, and the lessons we can learn from this security lapse.

Before that, let me introduce myselfā€”Iā€™m Ganesh Balaji V., an ethical hacker and pentester who thrives on uncovering vulnerabilities and making the digital world a safer (and more interesting) place. šŸ”šŸ’»šŸ˜

How I got connected?

With my usual, yet favorite coffee in hand, I fired up my Kali terminalā€”the classic black screen that every hacker loves. Curious about the exposed mail server, I decided to interact with it directly using Telnet. I ran the following command:

telnet domain 25

To my surprise, the connection was successfulā€”I was now interacting with a UK government organizationā€™s mail server! What followed was a mix of excitement, curiosity, and responsibility.

I wanted to assess how vulnerable the server was without crossing ethical boundaries. To do this, I tested its email handling capabilities using standard SMTP commands. Below is the sequence I used:

HELO domain
MAIL FROM: <mail@mail.com>
RCPT TO: <mail@mail.com>
DATA
From: mail@mail.com
To: mail@mail.com
Subject: Test Mail
<Needed content>
.

If every command in the above snippet executes successfully, congratulationsā€”youā€™ve discovered an open relay vulnerability in the SMTP mail server!

An open relay allows anyone to send emails on behalf of legitimate domains without proper authentication, making it a prime target for spammers and attackers. This vulnerability can be exploited for phishing, email spoofing, or even large-scale spam campaignsā€”posing a significant risk to the organization.

To validate my findings, I performed a Proof of Concept (PoC), demonstrating how an attacker could misuse this vulnerability. Below is the PoC I conducted:

I successfully reported the issue to the security team through their Vulnerability Disclosure Program (VDP) on HackerOne. Given the severity of the vulnerability, I expected a responsible fix or at least an acknowledgment of its potential risks.

But to my surprise, they marked it as ā€œinformationalā€ā€”stating that future awareness campaigns would be conducted instead of addressing the issue directly.

Seriously? An open relay vulnerability that allows unauthorized users to send emails impersonating legitimate personnelā€”brushed off as just informational?

Frustrated with their response, I sighed, leaned back, and reached for another cup of coffeeā€”because clearly, caffeine was the only fix happening here.

Despite their dismissal, the reality remains: this vulnerability, if left unchecked, could lead to email spoofing, phishing campaigns, and even large-scale cyber threats. Ignoring it doesn't make the risk disappear.

šŸ“¢ Disclaimer: The knowledge shared here is strictly for educational purposes. The usage of these commands to perform malicious actions is a serious offense and punishable by law. šŸšØ

Conclusion

Even though the report was marked as informational, I still found it to be a valuable learning experience. This was my first-ever HackerOne report, and despite the unexpected response, it felt like an important milestone in my journey. šŸ„³šŸ„³

Security research is all about persistence, learning from every experience, and continuously improving. While this report didnā€™t get the recognition I had hoped for, it was a stepping stone toward bigger challenges and more impactful discoveries.

This was just the beginning of my HackerOne journey, and I can't wait for whatā€™s next! šŸš€

Letā€™s connect on LinkedIn ā€” because networking isnā€™t just for packets! šŸ˜‰šŸ’»

https://www.linkedin.com/in/ganesh-balaji-v

0
Subscribe to my newsletter

Read articles from B4LOGI directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

B4LOGI
B4LOGI