I am new to the area and have been trying to learn from easy retired machines like Lame, Legacy and Optimum. I tried to use the write-ups that HTB offered me and other write-ups made by users, and all took me to Metasploit at some point, but whenever I try any exploit in Metasploit, especially those that HTB itself recommended, they always get the same result …
[*] Started reverse TCP double handler on 10.10.14.3:4444
[*] Exploit completed, but no session was created.
(multi/samba/usermap_script ← the exploit I use)
All commands lead me to this result. I correctly set RHOSTS as the target and my LHOST as tun0, my VPN is turned on correctly, the machine is turned on and connected to the server I’m on, and I’ve tried Metasploit on Parrot and Windows. Even following the HTB write-up, I checked nmap more than 10 times to see if the machine is vulnerable to the exploit I’m using, and yet it continues! Does anyone know how to solve this?
Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.3       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
The Lame machine, for example, features the use of Samba 3.x - 4.x, and according to [CVE-2013-0214] it could be the target of a remote attack through the Samba “username map script” Command Execution (usermap_script).
Oh right, I misread. But well, that vulnerability is a web vuln, a CSRF, that requires knowing an admin password.
It seems to be configured for the old netbios port (139)? Shouldn’t it be a web port for the web admin interface? Just guessing. And LHOST can’t be set to your interface name, it needs your IP.
nmap gave me 2 open ports, both for Samba, port 139 and 445. I tried both ports and both gave the same result. I also tried to change LHOST to my HTB IP 10.10.xx and it also did not work ;-;
They’re both samba, but neither is the vulnerable web application. Perhaps you can do something else using those ports? They do expose the full netbios and cifs functionality, and those can be a goldmine if you tease them into giving you the goods.
It’s CVE-2007-2447.
Why do you say it is a web app exploit and CSRF related? It is a Samba server vuln, so it has to use the SMB or NetBIOS port. And yes, it’s an exploit, because it grants you a shell. So it’s not an enumeration script.
@Wardy: I didn’t use this exploit. I went the longer way. Maybe try other LPORTs, or restart the box. Also, check that you don’t have VPN connection issues.
@Crafty CVE-2013-0214 was mentioned, which is a web vulnerability. And no, samba is more than just cifs and netbios. It has a web-based admin interface, which is where CVE-2013-0214 lives.
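The thread ends up agreeing that usermap_script targets CVE-2007-2447, a Samba server bug in how the “username map script” parameter was handled (unpatched 3.0.x releases up to 3.0.25rc3), not the web admin interface of CVE-2013-0214. From the defender’s side the thing to check is simply whether that parameter is enabled at all on a Samba host. The following is an added example, not code from the thread or from the Samba project: a small smb.conf parser and audit that reports every section setting “username map script”. The sample configuration embedded in it is constructed for the demonstration; it assumes nothing about the HTB box beyond the parameter name the thread already names.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf (not taken from any real host).
# The commented-out ";" line must be ignored; the live line must be reported.
SAMPLE_SMB_CONF = """\
# constructed sample configuration
[global]
   workgroup = WORKGROUP
   server string = file server
   ; username map script = /etc/samba/old_map.sh
   Username Map Script = /etc/samba/scripts/map_user.sh
   log file = /var/log/samba/log.%m

[homes]
   browseable = no
   writable = yes
"""


def _norm_key(key: str) -> str:
    # Samba matches parameter names case-insensitively and ignores
    # internal whitespace, so "Username Map Script" == "usernamemapscript".
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {normalised_key: value}}.

    Handles '#' and ';' comment lines, blank lines and [section] headers.
    Parameters that appear before any section header are ignored, as
    Samba itself requires them to live inside a section.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def audit_username_map_script(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per section that enables 'username map script'.

    The parameter is global in Samba, but every section is checked so a
    misplaced copy in a share definition is still surfaced.
    """
    findings = []
    for section, params in conf.items():
        value = params.get("usernamemapscript")
        if value:
            findings.append(f"[{section}] username map script = {value}")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for finding in audit_username_map_script(conf):
        print("username map script enabled:", finding)
    if not audit_username_map_script(conf):
        print("username map script not set")
```

Run it against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; an empty result means the parameter is not configured, and any finding is worth pairing with the Samba version to decide whether a patch or removal of the script hook is needed.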