Bratarina Walkthrough (Practice)

Dr Mahdi Aiash
Mar 30, 2024

Keywords: SMTP vuln, wget without http, add new user to /etc/passwd

Started with port scanning: web server, SMB, SMTP and SSH were open.

I scanned the web directories but nothing was useful. I scanned SMB and found a shared drive (backups).

I used smbclient to connect without a password and managed to get access. There was a passwd.bak file.

That was everything I could get from SMB, so I moved my attention to SMTP. The SMTP server is OpenSMTPD; I searched for a vulnerability and there was one RCE.

The exploit enabled us to run a command.

I had two attack vectors here to use this vulnerability:

1. Reverse shell:

I tried it with nc, but no shell was received.

I also tried with msfvenom, but it did not work either.

Notice that wget here does not need http.

2. Password

Since the first attack surface was not successful, I moved to the next one.

I will edit the passwd.bak, add a new user, upload it back to the machine to replace /etc/passwd and then use the new user to get access.
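From the defender's side, a replaced /etc/passwd like the one described above is easy to catch by comparing the file against a known-good copy and applying the usual account checks. The following is an added example, not part of the original post; the function names, account names and sample file contents are constructed for illustration.

```python
# Added example: audit a passwd file against a known-good baseline.
# All sample data below is constructed; the hash is a placeholder string.

SHADOW_MARKERS = {"x", "*", "!", "!!"}  # values meaning "see /etc/shadow" or locked

def parse_passwd(text):
    """Return ({name: (pw, uid, gid, shell)}, [malformed line numbers])."""
    entries, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append(lineno)
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        entries[name] = (pw, uid, gid, shell)
    return entries, malformed

def audit_passwd(current, baseline):
    """Return a list of (subject, reason) findings for the current file."""
    cur, bad = parse_passwd(current)
    base, _ = parse_passwd(baseline)
    findings = [(f"line {n}", "malformed entry") for n in bad]
    for name, entry in sorted(cur.items()):
        pw, uid, _gid, _shell = entry
        if name not in base:
            findings.append((name, "account not in baseline"))
        elif base[name] != entry:
            findings.append((name, "entry differs from baseline"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 on non-root account"))
        if pw not in SHADOW_MARKERS:
            findings.append((name, "inline or empty password field"))
    for name in sorted(set(base) - set(cur)):
        findings.append((name, "baseline account missing"))
    return findings

BASELINE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:alice:/home/alice:/bin/bash\n"
)
# Constructed tampered copy: one extra account with UID 0 and an inline hash.
TAMPERED = BASELINE + "svc2:$6$PLACEHOLDER$PLACEHOLDERHASH:0:0::/root:/bin/bash\n"

if __name__ == "__main__":
    for subject, reason in audit_passwd(TAMPERED, BASELINE):
        print(f"{subject}: {reason}")
```

Run on a schedule or from a file-integrity hook, with the baseline stored off the host, this flags the added account even when the file's owner and permissions look normal.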