References

Connecting

Port 143 (plain / no SSL)

telnet <IP> 143
nc --crlf --verbose <IP> 143

Port 993 (SSL)

openssl s_client -connect <IP>:993
openssl s_client -connect <IP>:993 -crlf -quiet

Command Format

Input

<RandomStringID> command

Response

<RandomStringID> OK <ANSWER DETAIL>

Login

Login Method

A1 login someuser@example.com My_P@ssword1

When AUTH=PLAIN (SASL PLAIN Method)

echo -en "\0someuser@example.com\0My_P@ssword1" | openssl base64
a authenticate plain
<send null separated encoded username, password>

When AUTH=LOGIN (SASL AUTH LOGIN)

echo -en "someuser@example.com" | openssl base64
echo -en "My_P@ssword1" | base64
a AUTHENTICATE LOGIN
<send encoded username>
<send encoded password>

SASL PLAIN as an Admin User (Masquerade another user)

authcidNULauthzidNULpassword
echo -en "someuser@example.com\0admin\0admin1234" | openssl base64
a authenticate plain
<send encoded authcidNULauthzidNULpassword>

Capability

a capability

Retrieving Emails and Modifying the Inbox

Namespaces

n namespace

Examine Inbox

ex1 EXAMINE INBOX

List of folders

LIST "<mailbox path>" "<search argument>"

L1 list "INBOX/" "*"
  • <mailbox path>

  • if empty list shows all content from root

  • <search argument>

  • case-sensitive mailbox name with possible wildcards

  • - is a wildcard, and matches zero or more characters at this position.
  • % is similar to * but it does not match a hierarchy delimiter

Fetch Messages

f1 FETCH 1 BODY[]
f2 fetch 2 RFC822
f3 fetch 1:4 (BODY[HEADER.FIELDS (Subject)])

Unseen

s search UNSEEN

Delete

d store 2 +FLAGS (\Deleted)
e expunge

Example Session

1\. telnet brainfuck.htb 143
2\. a1 LOGIN orestis kHGuERB29DNiNE
3\. a2 LIST "" "*"
4\. a3 EXAMINE INBOX
5\. a4 FETCH 1 BODY[]
6\. a5 FETCH 2 BODY[]