The third in my series of write-ups from HTB and The Cyber Mentor’s mid course capstone from his Practical Ethical Hacking Course, this time we are doing Lame<\/p>\n\n\n\n
So as you should be aware by now we start with our normal reconnaissance using Nmap<\/em><\/p>\n\n\n\n
sudo nmap -A -T4 -p- 10.10.10.3<\/pre>\n\n\n\n
and as you would expect we have some output<\/p>\n\n\n\n
screenshot showing the output of an Nmap scan<\/figcaption><\/figure><\/div>\n\n\n\n
So what does this tell us? Well we have open ports 21, 22, 139 and 445. That should tell you that we have FTP, SSH and SMB all running<\/p>\n\n\n\n
What is the OS? What version of those services are running? The Nmap<\/em> scan give us that information<\/p>\n\n\n\n
screenshot of the Nmap scan output with the services and OS versions highlighted<\/figcaption><\/figure><\/div>\n\n\n\n
FTP is running vsftpd 2.3.4<\/li>
SSH is running on OpenSSG 4.7 for Debian<\/li>
SMB is using Samba, 3.0.20 for Debian<\/li><\/ul>\n\n\n\n
As I’ve worked through the course material, TCM has suggested that SMB should be the first port of call, at the time I didn’t know that so I started with FTP<\/p>\n\n\n\n
First of all, it tells us that anonymous FTP is allowed<\/p>\n\n\n\nScreenshot of Nmap output highlighting that FTP allows Anonymous login is allowed<\/figcaption><\/figure>\n\n\n\n
What can we see if we login to FTP? Anonymous login from a terminal is easy<\/p>\n\n\n\n
ftp 10.10.10.3\n Connected to 10.10.10.3.\n 220 (vsFTPd 2.3.4)\n Name (10.10.10.3:htb-sailingbikeruk): anonymous\n 331 Please specify the password.\n Password:<manually enter something\/anything here><\/strong><\/em>\n 230 Login successful.\n Remote system type is UNIX.\n Using binary mode to transfer files.\n ftp>\n<\/pre>\n\n\n\n
screenshot of console connecting to ftp session with anonymous login<\/figcaption><\/figure><\/div>\n\n\n\n
Have a look around using standard FTP commands<\/p>\n\n\n\nscreenshot of the output from the ftp commands pwd & ls -al<\/figcaption><\/figure>\n\n\n\n
As can be seen from the screenshots, there wasn’t much available via FTP, we were in the root directory for FTP and there were no other hidden directories we can move to.<\/p>\n\n\n\n
Lets have a look at that FTP software version, is it exploitable? I used Searchsploit<\/em><\/p>\n\n\n\n
searchsploit vsftpd<\/pre>\n\n\n\n
It looks as though it might be (excitement grew at this point)<\/p>\n\n\n\nscreenshot showing the output of searchsploit with vsftpd exploit highlighted<\/figcaption><\/figure>\n\n\n\n
Time to fire up Metasploit <\/em>again<\/p>\n\n\n\n
msfconsole<\/pre>\n\n\n\n
As I had checked using Searchsploit<\/em> but I am still more comfortable using Metasploit <\/em>I repeated the search in the msfconsole<\/em>. <\/p>\n\n\n\n
Set the options and run the exploit<\/p>\n\n\n\n
search vsftpd\nuse 0\nshow options\nset rhosts 10.10.10.3\nrun<\/pre>\n\n\n\nScreenshot showing the msfconsole commands and output with listed commands highlighted<\/figcaption><\/figure>\n\n\n\n
It seems that FTP, whilst there is a vulnerability in that version, wasn’t the route to success on this occasion.<\/p>\n\n\n\n
back to the Nmap<\/em> output, we have SSH and SMB. SMB is know to be vulnerable so I chose to have a look at that next. <\/p>\n\n\n\n
The OS is Linux, reported as Debian and SMB on Linux uses Samba. The Nmap<\/em> scan reports the Samba version as 3.0.20 – let’s check.<\/p>\n\n\n\n
As mentioned, I am much more comfortable using Metasploit<\/em> so I tried to search in the console<\/p>\n\n\n\n
search samba 3.0.20<\/pre>\n\n\n\n
It brought back a lot of results and didn’t give any specific detail about versions <\/p>\n\n\n\n
screenshot showing output of search in metasploit<\/figcaption><\/figure><\/div>\n\n\n\n
So I tried Searcshploit <\/em>and it did come back with a specific exploit for this version of Samba, but I couldn’t match it against anything in Metasploit<\/em>. Maybe there is a way, I just don’t now it at this point.<\/p>\n\n\n\n
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-46.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-48.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-49.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-50.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-51.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-54.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-55.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-58.png\")
![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-60.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2020\/07\/image-59.png\")