Introduction
In this walkthrough we go over a Linux box and demonstrate basic exploitation of its Samba server with the Metasploit Framework to obtain root access.
Machine Name: Lazy
Difficulty: Easy
Skills Learned
- Metasploit
- Linux Privilege Escalation
Initial Reconnaissance
The first thing I always do is run a scan to see what I’m up against. My initial scan of the machine revealed a few open ports:
- Port 22: This is for SSH (Secure Shell), which is a way to get a secure command-line interface on a remote machine.
- Port 80: This is for HTTP, which means there’s a web server running. In this case, it’s an Nginx server.
- Port 139/445: These ports are for Samba, which is a service that allows for file sharing between Linux and Windows systems.
I also identified that the machine was running a Linux operating system. With this information, I had two main avenues of attack to explore: the web server on port 80 and the Samba shares.
Exploring the Web Server (A Dead End)
I started by taking a look at the web server. When I tried to access it in my browser, all I got was a blank page. This is pretty common, so I decided to run a Nikto scan to see if I could find any hidden files or vulnerabilities.
The scan did turn up a couple of interesting file names, like backup.jks and site.cer, but when I tried to access them, I just got the same blank page. It seemed like the web server was configured to show the same page no matter what I requested. After a while, it became clear that the web server wasn’t going to be my way in, so I moved on.
Samba to the Rescue!
Next, I turned my attention to the Samba server. I started by using a tool called enum4linux to see if I could get any information about the shares, but that didn’t give me anything useful at first.
So, I decided to see if there were any known exploits for the versions of Nginx and Samba that were running on the machine. I used a tool called searchsploit to do this. The search for Nginx didn’t turn up anything, but when I searched for Samba, I found a promising exploit for Samba 3.5.0 called “is_known_pipe_name arbitrary module load”.
This exploit had a couple of requirements: I needed valid credentials and a writable folder in a share that I could access. The exploit’s description also mentioned that sometimes you can get in with anonymous access if you can find a common file system location.
To see if I could get in anonymously, I used a tool called smbmap. And what do you know, it worked! I found a publicly shared folder called “public” that I had read/write access to. This was the key I needed. I had anonymous access and a writable share, which meant I could use the exploit I found earlier.
Gaining Root Access
Now it was time to put it all together. I fired up the Metasploit Framework and loaded the Samba exploit. I configured the exploit with the target machine’s IP address and the name of the public share, and then I launched the attack.
It worked like a charm! The exploit was successful, and I was granted access to the remote machine. To confirm my privileges, I ran the id command, and sure enough, I was running as root.
This worked because the public Samba share didn’t have any authentication, which allowed me to write a malicious file to it and then execute it using the vulnerability in the Samba software. This is a great example of why it’s so important to have proper authentication, even on “public” shares.
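As an added defensive counterpart (this script is not part of the original walkthrough and is not the author's code), the following Python audit checks a Samba smb.conf for the two conditions the attack above depended on: a share that anonymous (guest) users can write to, and NT named-pipe support still being enabled, since `nt pipe support = no` is the upstream-documented workaround for the flaw the is_known_pipe_name module targets on unpatched builds. The two smb.conf samples are constructed for the example; the option names (`guest ok`, `public`, `writable`, `writeable`, `write ok`, `read only`, `nt pipe support`) are real Samba parameters.

```python
"""Audit an smb.conf for writable guest shares and for NT pipe support.

Example code, not from the walkthrough. Input samples below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample: the weak layout from the walkthrough, a "public" share
# that anonymous users can write to, with nt pipe support left at its default.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server
   map to guest = bad user

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
   browseable = yes

[homes]
   browseable = no
   read only = no
"""

# Constructed sample: same share, but read-only for guests and pipes disabled.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = never
   nt pipe support = no

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines,
    '#' or ';' comment lines. Keys are lower-cased and space-normalised."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def as_bool(value, default: bool) -> bool:
    """Samba booleans: yes/true/1 are true, anything else is false."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(opts: Dict[str, str]) -> bool:
    """'read only' wins when present; otherwise any writable synonym; default read-only."""
    if "read only" in opts:
        return not as_bool(opts["read only"], True)
    return any(as_bool(opts.get(k), False) for k in ("writable", "writeable", "write ok"))


def audit_smb_conf(text: str) -> List[str]:
    """Return one finding string per risky condition; empty list means clean."""
    conf = parse_smb_conf(text)
    findings: List[str] = []
    if as_bool(conf.get("global", {}).get("nt pipe support"), True):
        findings.append("[global]: 'nt pipe support' is enabled (the default); "
                        "set 'nt pipe support = no' if the build is unpatched")
    for name, opts in conf.items():
        if name == "global":
            continue
        guest = as_bool(opts.get("guest ok", opts.get("public")), False)
        if guest and share_is_writable(opts):
            findings.append(f"[{name}]: anonymous users can write to "
                            f"{opts.get('path', '<no path set>')}")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(sample) or ["no findings"]:
            print(" ", finding)
```

Run it against a real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; the `[homes]` share in the weak sample is writable but not guest-accessible, so it is correctly not reported, while `[public]` is.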
Technical Commands Used
Here are the commands I used throughout the process:
sudo nikto -h 172.31.1.1
sudo enum4linux.py -t 172.31.1.1
searchsploit nginx 1.1.19
searchsploit samba
searchsploit samba 3.6.25
sudo smbmap.py -u '' -p '' -H 172.31.1.1
msfconsole
search type:exploit name: "known pipe name"
use exploit/linux/samba/is_known_pipe_name
show options
set RHOSTS 172.31.1.1
set SMBShareName public
exploit
id