Lame

Nmap Scanning
I will begin with an nmap scan to find open ports on the machine.
$ nmap -T4 -p- 10.10.10.3 -Pn

We have five ports open. I will run another nmap scan to find the services running on them, versions, and also perform OS detection.
$ nmap -A -T4 -p 21,22,139,445,3632 10.10.10.3 -Pn


Accessing Shares
I will begin by listing the SMB shares.
$ smbclient -L \\\\10.10.10.3\\ --option='client min protocol=NT1'

I get nothing of value from the shares, and I can't access some of them.


I could potentially upload a malicious file inside the /tmp share, but how will I execute it? I need to find another way.

Exploiting with Metasploit
Since I know the version of Samba running on the machine (Samba 3.0.20-Debian), I will search Google to see whether any exploits exist for it.
I find an interesting exploit at the link below:
I am going to fire up Metasploit and try it out.
After setting all the options and running the exploit, I get a shell :)

So let me first run updatedb (which creates or updates the database used by locate), then locate the flags and go grab them.

And boom. Both flags retrieved.

Other Attack Surface (Dead End)
We could connect to port 21 (FTP) using anonymous login, but there were no files located on the server. We could have uploaded a file which, when executed, could give us a reverse shell, but how would we execute it?

An exploit existed for the FTP server version, vsftpd 2.3.4.
However, trying to exploit it resulted in a dead end.
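
From the defender's side, the two version banners this write-up keys on (Samba 3.0.20 and vsftpd 2.3.4) are visible in routine scan output. The following is an added example, not part of the original write-up: it parses nmap grepable output and flags those banners. It assumes the scan was saved with -oG; the sample scan lines, the OpenSSH banner and the function names are constructed for illustration.

```python
import re

# Versions this write-up identifies as having public exploits (from the page).
REVIEW_LIST = {
    "vsftpd": re.compile(r"\bvsftpd 2\.3\.4\b"),
    "samba": re.compile(r"\bSamba smbd 3\.0\.20\b"),
}

# Constructed sample of `nmap -sV -oG` output; not captured from the target.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.10.10.3 ()\tStatus: Up\n"
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH (constructed banner)/, "
    "139/filtered/tcp//netbios-ssn///, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/\n"
)

def parse_gnmap(text):
    """Yield (host, port, service, version) for every open port."""
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*)", line)
        if not m:
            continue  # comment lines and Status lines carry no port data
        # Drop trailing tab-separated sections such as "Ignored State".
        host, ports = m.group(1), m.group(2).split("\t")[0]
        for entry in ports.split(", "):
            # Field order: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            yield host, int(fields[0]), fields[4], fields[6]

def flag_services(text):
    """Return open services whose version banner matches REVIEW_LIST."""
    findings = []
    for host, port, service, version in parse_gnmap(text):
        for name, pattern in REVIEW_LIST.items():
            if pattern.search(version):
                findings.append((host, port, name, version))
    return findings

if __name__ == "__main__":
    for host, port, name, version in flag_services(SAMPLE_GNMAP):
        print(f"{host}:{port} {name}: '{version}' -> patch or retire")
```

Banner matching only finds hosts that report their version honestly, so treat a clean result as a starting point for patch verification rather than proof.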
