Enumeration

Let's kick off with a port scan to get a better idea of our target.

[Image: basic port scan]

There are a couple of interesting finds here, so let's start digging!

FTP - port 21

[Image: FTP scan]

FTP Exploit attempt

FTP allows anonymous login, but nothing seems to be in the hosted file server.

Looking into the detected software, vsftpd 2.3.4, with searchsploit reveals these two known exploits:

[Image: searchsploit results for vsftpd 2.3.4]

These, however, don't seem to execute successfully when I try to run them. Which is a bummer, but let's move on to the other ports.

SMB - ports 139, 445

[Image: SMB scan]

Performing a deeper inspection of the open SMB ports, we are able to determine the software version. There are a number of known exploits when we dig into searchsploit for this version of Samba. I'm intentionally not using Metasploit, but we can look for a PoC for CVE-2007-2447.

[Image: Samba version details]

We find this GitHub gem to do all the heavy lifting for us. Reviewing the code, it is a perfect Python reproduction of the Metasploit exploit! Love you amriunix <3
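As an added defender-side check (not part of this write-up or of the PoC it uses), the following Python triages a host for CVE-2007-2447 by parsing the reported Samba version and checking smb.conf for the "username map script" option, which is what makes the unauthenticated path reachable. The banner and config at the bottom are constructed sample input, not the scan output from the screenshots.

```python
import re

# CVE-2007-2447 ("username map script" command injection) affects Samba
# 3.0.0 through 3.0.25rc3; 3.0.25 final is the first fixed release.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 25)

def parse_samba_version(banner: str):
    """Extract (major, minor, patch, prerelease_tag) from an smbd banner or
    nmap service line such as 'Samba smbd 3.0.20-Debian'; None if absent."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(rc\d+|pre\d+)?", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) or ""

def version_in_affected_range(banner: str) -> bool:
    v = parse_samba_version(banner)
    if v is None:
        return False
    core, tag = v[:3], v[3]
    if core < AFFECTED_MIN or core > FIXED:
        return False
    # 3.0.25rc1..rc3 are still affected; 3.0.25 final is fixed.
    return core < FIXED or tag.startswith("rc")

def config_enables_username_map_script(smb_conf: str) -> bool:
    """True if an uncommented 'username map script' parameter is set. Samba
    ignores case and whitespace inside parameter names, so normalise both."""
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep and re.sub(r"\s+", "", key).lower() == "usernamemapscript":
            return bool(value.strip())
    return False

def assess(banner: str, smb_conf: str) -> str:
    bad_version = version_in_affected_range(banner)
    script_set = config_enables_username_map_script(smb_conf)
    if bad_version and script_set:
        return "VULNERABLE: unauthenticated path open; upgrade to 3.0.25+ and remove 'username map script'"
    if bad_version:
        return "AT RISK: affected version (authenticated RPC paths remain); upgrade to 3.0.25+"
    return "NOT AFFECTED by CVE-2007-2447"

# Constructed sample input, not the scan output shown in the write-up's screenshots.
SAMPLE_BANNER = "445/tcp open  netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)"
SAMPLE_SMB_CONF = "[global]\n   workgroup = WORKGROUP\n   username map script = /etc/samba/scripts/mapusers.sh\n"
```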


Exploitation

Let's prep for running the Python script:

python3 -m venv venv
source venv/bin/activate
pip install pysmb

And prepare our netcat listener:

nc -nlvp 1234

Now we run the exploit Python script and pray to the tech gods that it works.

[Image: running the exploit]

Looking at our listener, we got shell baby, and a root shell at that!

[Image: root shell on the listener]

The root flag can be read with cat /root/root.txt.

[Image: root flag]

Funnily enough, it was harder for me to find the user flag, but a cheeky find script did the trick.

[Image: user flag]

And that's a wrap, folks. Now go touch some grass, but first look at my achievement thing!