Enumeration
Initially I tried pinging the IP address. It is reachable.
┌──(kali㉿kali)-[~]
└─$ ping 10.10.10.3 -c 3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=173 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=189 ms
64 bytes from 10.10.10.3: icmp_seq=3 ttl=63 time=172 ms
--- 10.10.10.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 171.906/178.070/189.264/7.928 ms
I ran nmap against all ports to find out which ports are open. It shows that the server is down.
┌──(kali㉿kali)-[~]
└─$ nmap 10.10.10.3 -p- --min-rate 2500 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 10:15 PST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.05 seconds
Maybe it was not accepting the ping requests, so I used -Pn.
Now it worked and showed the following results.
┌──(kali㉿kali)-[~]
└─$ nmap 10.10.10.3 -p- --min-rate 2500 -T4 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 10:16 PST
Nmap scan report for 10.10.10.3
Host is up (0.18s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
Nmap done: 1 IP address (1 host up) scanned in 52.88 seconds
Now I separated the open ports as
21,22,139,445,3632
Now I can use these ports for service version enumeration.
┌──(kali㉿kali)-[~/Desktop/HackTheBox/lame]
└─$ nmap -p 21,22,139,445,3632 10.10.10.3 -sC -sV -oN nmapSVscan.txt -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 10:36 PST
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 10:37 (0:00:00 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_ 2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h30m24s, deviation: 3h32m10s, median: 22s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2023-03-03T13:37:39-05:00
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.19 seconds
Exploitation
The vsftpd 2.3.4 seems vulnerable. I quickly googled the version and found that it can be exploited with Metasploit. You can check the guide here.
I opened up Metasploit, searched for vsftpd and set the options as shown below.
I failed a couple of times, so I stopped trying vsftpd any further.
I moved to the next potential vulnerability, which I came across when I googled the version of smbd, which is smbd 3.0.20. I found the following, according to which we can use Metasploit to exploit this.
I tried exploiting this, as shown below.
Yes, it worked. So I got root access. That was it.
Conclusion
The smbd 3.0.20 was outdated and was vulnerable, which we exploited with Metasploit.
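Read from the defender's side, the service scan in the Enumeration section already lists everything that needed fixing on this host. As an added example (not part of the original write-up), this Python parses a normal-format nmap report, rebuilds the open-port list, and flags the versions and script results this page calls out. The watchlist entries, flag phrases and function names are assumptions made for illustration.

```python
import re

# Constructed sample: condensed from the service scan shown in this write-up.
SAMPLE_REPORT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")  # open-port row
# Hypothetical watchlist: version substrings this write-up treats as vulnerable.
WATCHLIST = {
    "vsftpd 2.3.4": "vsftpd version flagged in this write-up; upgrade",
    "smbd 3.0.20": "outdated Samba flagged in this write-up; upgrade",
}
# Phrases from NSE script output that indicate a weak configuration.
SCRIPT_FLAGS = {
    "Anonymous FTP login allowed": "anonymous FTP login enabled",
    "message_signing: disabled": "SMB message signing disabled",
}

def open_ports(report):
    """Comma-separated open ports, ready for a follow-up `nmap -p` scan."""
    rows = (PORT_LINE.match(line.strip()) for line in report.splitlines())
    return ",".join(m.group(1) for m in rows if m)

def audit(report):
    """Return (port, finding) tuples; port is None for host-level script results."""
    findings, port = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:  # service row: remember the port, check the version string
            port = int(m.group(1))
            findings += [(port, why) for v, why in WATCHLIST.items() if v in m.group(4)]
        elif line.startswith("Host script results"):
            port = None  # what follows is not tied to a single port
        else:  # script output belonging to the most recent port (or the host)
            findings += [(port, why) for s, why in SCRIPT_FLAGS.items() if s in line]
    return findings

if __name__ == "__main__":
    print(open_ports(SAMPLE_REPORT), audit(SAMPLE_REPORT), sep="\n")
```

Pointing `audit()` at the contents of a saved `-oN` file such as nmapSVscan.txt gives the same findings for a real scan, provided the watchlist is kept current from vendor advisories.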
Get more updates and follow me on LinkedIn.
LinkedIn Link: https://www.linkedin.com/in/muhammadyqb/
Thank You!!