- Nmap reveals that VSFTPD and Samba services are running.
- VSFTPD's popular exploit doesn't work.
'Username' map script' Command Executionexploit on version 3.0.20 works perfectly and instantly gives a shell as root.
nmap -n -sV -p- -T 5 -Pn 10.10.10.3
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
nmap -n -A -p 21 -T 5 -Pn 10.10.10.3
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status Service Info: OS: Unix
There is a popular exploit for this version of VSFTPD (2.3.4) that I've seen in many CTF's before. It utilizes a malicious backdoor that was added to the VSFTPD download archive. The exploit I've used is available HERE.
Surprisingly... it didn't work.
nmap -A -T 5 -n -p 139,445 -Pn 10.10.10.3
PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) Host script results: |_clock-skew: mean: -3d00h52m19s, deviation: 2h49m42s, median: -3d02h52m19s | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | Computer name: lame | NetBIOS computer name: | Domain name: hackthebox.gr | FQDN: lame.hackthebox.gr |_ System time: 2020-07-04T10:20:51-04:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2)
A quick search on ExploitDB revealed an exploit for this exact version (3.0.20) of Samba.
"This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!"
It is available HERE.
After setting up module and payload options in Metasploit we get an instant root shell!
I have recently created my own implementation of this exploit in Python. It is available HERE.