Introduction

In this walkthrough, we go over a Linux box and demonstrate basic exploitation of the Samba server with the Metasploit Framework to obtain root access.

Machine Name: Lazy

Difficulty: Easy

Skills Learned

  • Metasploit
  • Linux Privilege Escalation

Initial Reconnaissance

The first thing I always do is run a scan to see what I’m up against. My initial scan of the machine revealed a few open ports:

  • Port 22: This is for SSH (Secure Shell), which is a way to get a secure command-line interface on a remote machine.
  • Port 80: This is for HTTP, which means there’s a web server running. In this case, it’s an Nginx server.
  • Ports 139/445: These ports are for Samba (SMB), a service that allows file sharing between Linux and Windows systems.

I also identified that the machine was running a Linux operating system. With this information, I had two main avenues of attack to explore: the web server on port 80 and the Samba shares.

Exploring the Web Server (A Dead End)

I started by taking a look at the web server. When I tried to access it in my browser, all I got was a blank page. This is pretty common, so I decided to run a Nikto scan to see if I could find any hidden files or vulnerabilities.

The scan did turn up a couple of interesting file names, like backup.jks and site.cer, but when I tried to access them, I just got the same blank page. It seemed like the web server was configured to show the same page no matter what I requested. After a while, it became clear that the web server wasn’t going to be my way in, so I moved on.

Samba to the Rescue!

Next, I turned my attention to the Samba server. I started by using a tool called enum4linux to see if I could get any information about the shares, but that didn’t give me anything useful at first.

So, I decided to see if there were any known exploits for the versions of Nginx and Samba that were running on the machine. I used a tool called searchsploit to do this. The search for Nginx didn’t turn up anything, but when I searched for Samba, I found a promising exploit for Samba 3.5.0 called “is_known_pipe_name arbitrary module load”.

This exploit had a couple of requirements: I needed valid credentials and a writable folder in a share that I could access. The exploit’s description also mentioned that sometimes you can get in with anonymous access if you can find a common file system location.

To see if I could get in anonymously, I used a tool called smbmap. And what do you know, it worked! I found a publicly shared folder called “public” that I had read/write access to. This was the key I needed. I had anonymous access and a writable share, which meant I could use the exploit I found earlier.

Gaining Root Access

Now it was time to put it all together. I fired up the Metasploit Framework and loaded the Samba exploit. I configured the exploit with the target machine’s IP address and the name of the public share, and then I launched the attack.

It worked like a charm! The exploit was successful, and I was granted access to the remote machine. To confirm my privileges, I ran the id command, and sure enough, I was running as root.

This worked because the public Samba share didn’t require any authentication, which allowed me to write a malicious file to it and then have it executed through the vulnerability in the Samba software. This is a great example of why it’s so important to have proper authentication, even on “public” shares.
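To turn that lesson into something a defender can check, here is an added example (not code from the original walkthrough or from any tool it mentions): a small Python audit of an smb.conf that flags shares anonymous users can write to, plus the two global settings that matter for this class of bug. The weak and hardened config fragments are constructed for illustration; `nt pipe support = no` is Samba's documented workaround for the named-pipe module-load vulnerability, and the option names and their synonyms are real Samba parameters.

```python
"""Audit an smb.conf for anonymously writable shares.

Added example, not part of the original walkthrough. It parses Samba's
INI-style config and reports the conditions the attack relied on: a share
that is guest-accessible and writable, plus global settings that widen
guest access or leave named-pipe module loading enabled. Both configs
below are constructed samples.
"""
import configparser
import re

TRUE_VALUES = {"yes", "true", "1", "on"}  # Samba's spellings of "true"

WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Lazy file server
   security = user
   map to guest = bad user

[homes]
   comment = Home Directories
   browseable = no
   read only = yes

[public]
   path = /srv/samba/public
   browseable = yes
   guest ok = yes
   writable = yes

[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = no
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = never
   ; documented Samba workaround for the named-pipe module-load bug;
   ; it can disable some functionality for Windows clients
   nt pipe support = no

[public]
   path = /srv/samba/public
   guest ok = no
   valid users = @staff
   read only = no
"""


def _truthy(section, *names, default=False):
    """Evaluate a Samba boolean; the first synonym present wins."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE_VALUES
    return default


def parse_smb_conf(text):
    """Parse Samba's INI dialect. Option names are lower-cased with spaces
    removed, so 'read only', 'Read Only' and 'readonly' all become 'readonly'."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, empty_lines_in_values=False)
    parser.optionxform = lambda key: re.sub(r"\s+", "", key.lower())
    parser.read_string(text)
    return parser


def audit_smb_conf(text):
    """Return findings as dicts with 'section', 'issue' and 'fix' keys."""
    conf = parse_smb_conf(text)
    findings = []
    glob = conf["global"] if conf.has_section("global") else {}

    # Anything other than 'never' maps failed/unknown logins to the guest account.
    if glob.get("maptoguest", "never").strip().lower() != "never":
        findings.append({"section": "global", "issue": "map-to-guest",
                         "fix": "map to guest = never"})
    # Default is 'yes'; 'no' is the documented workaround for the pipe bug.
    if _truthy(glob, "ntpipesupport", default=True):
        findings.append({"section": "global", "issue": "nt-pipe-support",
                         "fix": "nt pipe support = no"})

    for name in conf.sections():
        if name == "global":
            continue
        share = conf[name]
        if "readonly" in share:  # 'read only' is the canonical parameter
            writable = not _truthy(share, "readonly")
        else:                    # 'writable', 'writeable', 'write ok' are synonyms
            writable = _truthy(share, "writable", "writeable", "writeok")
        guest = _truthy(share, "guestok", "public")  # 'public' is a synonym
        if guest and writable:
            findings.append({"section": name, "issue": "guest-writable",
                             "fix": "guest ok = no, restrict with valid users"})
        elif guest:
            findings.append({"section": name, "issue": "guest-readable",
                             "fix": "guest ok = no unless the content is meant to be public"})
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label)
        for f in audit_smb_conf(conf):
            print(f"  [{f['section']}] {f['issue']}: {f['fix']}")
```

Run against the weak config it reports the `public` share as guest-writable together with the two global findings; the hardened config produces none. Feed it a real `/etc/samba/smb.conf` (for example via `audit_smb_conf(open(path).read())`) to check a server you administer; `testparm -s` can be used first to expand includes and defaults before auditing.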

Technical Commands Used

Here are the commands I used throughout the process:

  • sudo nikto -h 172.31.1.1
  • sudo enum4linux.py -t 172.31.1.1
  • searchsploit nginx 1.1.19
  • searchsploit samba
  • searchsploit samba 3.6.25
  • sudo smbmap.py -u '' -p '' -H 172.31.1.1
  • msfconsole
  • search type:exploit name: "known pipe name"
  • use exploit/linux/samba/is_known_pipe_name
  • show options
  • set RHOSTS 172.31.1.1
  • set SMBShareName public
  • exploit
  • id

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
