echoCTF.RED Target: CVE-2020-7247 vs Player: galoget

Target from: CVE Network

Intermediate, Rootable

CVE-2020-7247 / 0.0.0.0

4: Flags (2:system, env, root)
1: Service
3,600 pts

A small and easy target that implements the OpenSMTPD CVE-2020-7247 vulnerability

#headshot

Level 11 / Senior PenTester

galoget / 127th Place

4: Flags found
1: Service discovered
3,600 pts
2,212 minutes

OSCP | Penetration Tester | Ethical Hacker

This is a target running a vulnerable OpenSMTPD instance of CVE-2020-7247.

Description

A vulnerability discovered in OpenSMTPD, OpenBSD's mail server was exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root

Environment details

The system is accessible at 10.0.100.33 and runs OpenSMTPD on Debian Buster on the default port (25/tcp).

Flags can be found at the usual places:

/root
/etc/passwd gecos
/etc/shadow password hash
env variable

References

55 Headshots (newer first)

Caritattriste, c0nfirm, alisa, hackercon101, D4rkZone, michyamrane, snipeXZ, mokrates, darklordbnl, falconsec, 44756D6D506C61796572, BlackAnon, luismtzsilva, ks4v3r, Winsad, L0v3, jaxafed, dogolinho, antonioban

noother, markuche, Twelve, 0xRaef, M4sk0ff, Grosik, 0x1337, sirEgghead, JDgodd, ElleuchX1, Muzec, wonderchild, R4V3N, hacker, g0rchy, jinake, biba22, Pegasus, rootz, M96oL, vvip1337, Wh04m1, r0b0tG4nG, sn1per, TheCyberGeek, galoget, 0xRar, lMinzarl, PufferOverflow, R4kan, AKMalware

4 Writeups by:

biba22 (en) Not rated!Muzec (en) Not rated!sirEgghead (en) Not rated!hackercon101 (en) Not rated!

Activity Stream

Latest activity on the platform

galoget managed to headshot [CVE-2020-7247], 48 months ago

galoget Gained access to data stored in environmental variables from CVE-2020-7247 for 700 points, 48 months ago

galoget Discovered the ETSCTF username flag under the /etc/shadow file from CVE-2020-7247 for 1000 points, 48 months ago

galoget Discovered the ETSCTF username gecos flag under the /etc/passwd file from CVE-2020-7247 for 800 points, 48 months ago

galoget Got the /root flag from CVE-2020-7247 for 1000 points, 48 months ago

galoget Connected to the smtp port of CVE-2020-7247 for 100 points, 48 months ago