Lame Writeup
Without Metasploit
Reconnaissance
Initial Nmap scan to find open ports, treating all hosts as online (-Pn)
Nmap Scan on all ports (including UDP) so that we do not miss any ports that did not show up in the initial scan
Nmap Scan for service version (-sV) running default nmap scripts (-sC) enumerating ports 21, 22, 139, 445 (-p) and saving it into a file called nmap (-oN).
Enumeration
Port 21: FTP; vsftpd 2.3.4
The first thing to do is to search for this version on Google and look for known exploits.
The first link is a Metasploit tutorial on how to exploit it, but we are doing it without Metasploit, so let's click the second link.
Now, we can copy this exploit, or we can look it up with searchsploit and copy it to our directory from there.
Now let's copy the exploit to our directory
I tried exploiting this using the python exploit we found, but it constantly showed a time out error, which means that the exploit is probably outdated and does not work anymore.
The next thing to do is to check the anonymous FTP login that our Nmap scan reported as allowed.
Let us log in
Username: anonymous
Password: anonymous
Let's list what the FTP server contains
And ... nothing. Well, at least we tried. 😉
Port 22 OpenSSH 4.7p1
Searching on Google does not give us anything interesting. Usually we cannot exploit port 22; we only use it to SSH into the machine after we find the username or password from other ports, or if we find an id_rsa file.
Port 139 and 445 Samba
Usually we find exploits on ports 139 and 445 which are Samba ports, so let us enumerate these ports
smbclient is a very common tool used to enumerate Samba ports, so let us use smbclient to access the SMB server.
Now let us look at the permissions on the shares (this can be done with the -H flag)
Looking at this, we can see that we have read and write permissions for the tmp disk on the SMB server. Let's look for vulnerabilities in this version, especially code execution ones, as we have write permissions on a share.
After searching for a while I found an exploit that looks like the one we want: CVE-2007-2447
Reading through the exploit, we can understand that we are able to execute arbitrary commands via shell metacharacters. Let's search for this on exploit-db and look at the code.
This line tells us that we can add our payload in the "payload.encoded" space and it will work. We can try adding a simple Netcat reverse shell there to get a reverse shell.
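Because the flaw is triggered by shell metacharacters in the username field, a defender can flag logon attempts whose username contains them. The following Python sketch is an added example, not part of the original writeup or of Samba; the log-line format, the sample records and the function names are constructed for illustration.

```python
import re

# Shell metacharacters: none of these belong in an SMB account name.
SHELL_META = set("`$;|&<>(){}\n\r")

# Constructed log format for this example (not Samba's real log layout):
#   <timestamp> auth user="<username>" src=<ip>
LINE = re.compile(r'^(?P<ts>\S+) auth user="(?P<user>.*)" src=(?P<src>\S+)$')

def metachars_in(username):
    """Return the sorted shell metacharacters present in a username."""
    return sorted(set(username) & SHELL_META)

def scan(lines):
    """Return (timestamp, source, username, metachars) for each suspicious logon."""
    findings = []
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not an auth record in the constructed format
        hits = metachars_in(m["user"])
        if hits:
            findings.append((m["ts"], m["src"], m["user"], hits))
    return findings

# Constructed sample records (documentation IP ranges, benign 'id' command)
SAMPLE = [
    '2024-01-01T10:00:00Z auth user="alice" src=192.0.2.10',
    '2024-01-01T10:00:02Z auth user="WORKGROUP\\bob" src=192.0.2.11',
    '2024-01-01T10:00:05Z auth user="x`id`" src=198.51.100.7',
    '2024-01-01T10:00:09Z auth user="y;id" src=198.51.100.7',
    'unrelated line',
]

if __name__ == "__main__":
    for ts, src, user, hits in scan(SAMPLE):
        print(f"{ts} {src} suspicious username {user!r} contains {hits}")
```

A domain-qualified name such as WORKGROUP\bob passes cleanly because the backslash is not treated as a metacharacter here.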
Port 3632 distcc v1
Let us go to google.com and try finding some information on this
Google says that this service is vulnerable to remote code execution and that we can use an Nmap script that will give us more information.
Exploitation
Samba
Let's start a Netcat listener on our machine
Now let us log in to the SMB share that we found while enumerating, using smbclient
Now we have to send the shell metacharacters as input into the username parameter with a reverse shell payload to get a reverse shell on our machine.
We can find a good reverse shell on pentestmonkey's reverse shell cheat sheet. Replace the IP with yours; you can find your IP with this command.
It is the number next to inet under tun0 (make sure you are connected to the OpenVPN).
Now let us add our payload in the username parameter
"logon" is the command used for logging into a user within smbclient
After pressing Enter, you should get a reverse shell on your listener
And we are root :). Go get both of those flags.
Distcc
In the enumeration part we found out that the service is vulnerable to CVE-2004-2687, and we found an Nmap script that can be used to exploit this vulnerability.
This is the Nmap command. Instead of running 'id', we can try running a reverse shell.
Let's start a Netcat reverse shell listener and wait for a connection after entering this command
And we get a reverse shell, but as a user :/, time to privilege escalate and get root
Let's look at the OS version and look for exploits
After a lot of searching I found an exploit that might work, let's copy it from searchsploit
Now we have to transfer it to the victim machine. We can do this by starting a Python HTTP server and using "wget" on the victim machine to get the file.
We can see that it transferred successfully, now we have to compile the .c file using gcc and change the name to exploit
Now we have to run this, to do this we have to look at the instruction they gave us when we found this exploit.
Now first we have to find the PID of the udevd netlink socket, to do this we can use this command
And now we have to subtract one from the PID, which will be 2740
Now we have to create a file called run in the /tmp folder and add a payload in it, which will be our reverse shell.
First we need to add
to the file so that it is recognized as a bash script
After this, start a listener on your machine and run the exploit with the PID - 1
After this you should have root :)