Metasploitable 2 Walkthrough: Part V

Exploiting Port 139 – NetBIOS Session Service, Samba

Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. Do you remember the exact Samba version running on the Metasploitable 2 VM? Use Nmap to refresh your memory:

Scanning port 139 with Nmap

The exploit for this service abuses the username map script functionality of Samba. Because the username is passed to that script without any filtering, an attacker can open an SMB session and supply shell metacharacters as the username, causing the embedded commands to be executed on the remote system. This gives the attacker a remote shell on the victim machine with root privileges.

This is extremely easy: just load the Metasploit module and run it.

Exploiting Samba with MSF

The default port for the previous exploit is set to port 139 but it can be changed to port 445 as well.

Exploiting Port 445 – SMB, Samba

Confirm version number with Metasploit:

Enumerating service at port 445 with MSF

This version of Samba has several vulnerabilities that can be exploited. The first you will explore is the issue with “wide links” being enabled. This feature is enabled by default on older versions of Samba.

It can be exploited to gain access to file shares without authenticating through SMB.

Exploiting SMB using smbclient

You can use a tool called smbclient to connect to the Metasploitable box, and list the available shares without having a valid username/password. Just hit enter when it asks for root’s password, and it will grant you anonymous access.

Using smbclient to get access

NOTE: In the current Kali version you will need to edit the /etc/samba/smb.conf to get the proper results.

Editing Kali's /etc/samba/smb.conf file

You can get even better results from smbmap:

Using smbmap

What is really important is that you have found a possibly exploitable directory, “tmp”. There is an exploit for this in MSF:

Exploiting SMB with MSF

The exploit was successful, so now you can connect again using smbclient, and see if you can get to the rootfs dir.

Accessing the rootfs directory

So, now you have access to browse the root file system. You could continue enumerating the machine, looking at various config files, etc., to see if you can find any other holes. Please note you don’t have full root access here, so some files/directories will not be accessible.
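To turn the Samba weaknesses from the two sections above (the username map script hook, wide links combined with unix extensions, and an anonymous writable "tmp" share) into something a defender can check for, here is an added example, not code from the original walkthrough: a small smb.conf auditor run over a constructed config fragment. The script path in the sample is a constructed value.

```python
import re

# Constructed sample smb.conf (not taken from the page) that reproduces the
# risky settings discussed above: a username map script, wide links together
# with unix extensions, and an anonymous writable share named "tmp".
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
   unix extensions = yes
   wide links = yes

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes

[secure]
   path = /srv/secure
   wide links = no
"""

TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}. Parameter names are
    lower-cased with collapsed whitespace, as Samba itself treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # full-line comments only
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][" ".join(key.lower().split())] = value.lower()
    return sections


def audit_smb_conf(text):
    """Return (section, finding) pairs for the weaknesses this page exploits."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    findings = []
    if glob.get("username map script"):
        findings.append(("global", "username map script set: user-supplied names reach a shell"))
    for name, opts in sections.items():
        if name == "global":
            continue
        eff = {**glob, **opts}  # per-share values override [global]
        # Samba defaults unix extensions to yes; only an explicit wide links = yes is flagged
        if eff.get("wide links") in TRUE and eff.get("unix extensions", "yes") in TRUE:
            findings.append((name, "wide links + unix extensions: symlink traversal out of the share"))
        writable = eff.get("writable", eff.get("writeable")) in TRUE or eff.get("read only") == "no"
        if eff.get("guest ok") in TRUE and writable:
            findings.append((name, "anonymous writable share"))
    return findings
```

Point it at a real /etc/samba/smb.conf with `audit_smb_conf(open(path).read())`; an empty list means none of the three conditions from this page were found.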

Exploiting Ports 512, 513, 514: r-Services

TCP ports 512, 513, and 514 are known as “r-services”, and have been misconfigured to allow remote access from any host.

These are related to the historically insecure Berkeley r-commands developed back in 1982 based on an early implementation of the TCP/IP protocol stack.

Scanning r-services ports with Nmap

To take advantage of this, make sure the rsh-client package is installed (otherwise the system would default to SSH connections), and run the rlogin command as your local root user.

NOTE: Current Kali does not include the rsh-client tool. To install it, just type apt-get install rsh-client

Exploiting rexec

It is not possible anymore to install the rexec command on Kali and therefore you cannot take advantage of the vulnerable port 512.

Exploiting rlogin

The rlogin command will automatically connect to port 513 and give you a root shell:

Root access using rlogin

Exploiting rshell

The rshell command will automatically connect to port 514 and give you a root shell.

If you run this command (and likewise rlogin) as root, you don’t need to specify the user on the command line:

Root access using rshell
