⚠️ Disclaimer: The techniques, ideas and tools covered in this article are provided solely for security-oriented learning and exchange. If you do not agree, please close this page! No one may use them for illegal purposes or for profit; anyone who does so bears the consequences themselves.
🎯 Define the target
🔍 Information gathering
- Scan for open ports
```
┌──(liona㉿kali)-[~/Workspace/HTB/Lame]
└─$ sudo nmap -n -v -sS -p- -Pn --max-retries=0 -oN allports.txt 10.10.10.3

┌──(liona㉿kali)-[~/Workspace/HTB/Lame]
└─$ cat allports.txt
# Nmap 7.92 scan initiated Sat Mar 26 13:45:35 2022 as: nmap -n -v -sS -p- -Pn --max-retries=0 -oN allports.txt 10.10.10.3
Warning: 10.10.10.3 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.3
Host is up (0.31s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Mar 26 13:54:29 2022 -- 1 IP address (1 host up) scanned in 534.24 seconds
```
- Get detailed information on the open ports
```
┌──(liona㉿kali)-[~/Workspace/HTB/Lame]
└─$ sudo nmap -n -v -sC -sV -p $(cat allports.txt | grep ^[0-9] | cut -d / -f1 | tr '\n' ',' | sed s/,$//) 10.10.10.3 -oN nmap.txt -oX nmap.xml -Pn

┌──(liona㉿kali)-[~/Workspace/HTB/Lame]
└─$ cat nmap.txt
# Nmap 7.92 scan initiated Sat Mar 26 14:05:13 2022 as: nmap -n -v -sC -p 21,22,139,445,3632 -oN nmap.txt -Pn 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.37s latency).

PORT     STATE    SERVICE
21/tcp   open     ftp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open     ssh
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3632/tcp filtered distccd

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-03-26T02:05:48-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h00m23s, deviation: 2h49m46s, median: 20s

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Mar 26 14:06:12 2022 -- 1 IP address (1 host up) scanned in 58.39 seconds
```
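The pipeline that builds the `-p` list for the second scan (`grep ^[0-9] | cut -d / -f1 | tr '\n' ',' | sed s/,$//`) takes every line that starts with a digit, so a port nmap had reported as filtered or closed would be fed back into the service scan as well. The script below is an added example written for this page, not part of the original write-up: it parses the `-oN` format, keeps only ports whose STATE column is `open`, and renders them as the comma-separated value `-p` expects. The embedded sample is a constructed file in the shape of allports.txt (with one extra `filtered` line to show it is excluded), and the function names are mine.

```python
"""Extract the open ports from an nmap normal-output (-oN) file.

Added example for this page, not part of the original walkthrough.
Function names and the embedded sample are constructed here.
"""
import re
from typing import List

# Matches the per-port lines of -oN output, e.g. "3632/tcp open  distccd".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def open_ports(text: str, proto: str = "tcp") -> List[int]:
    """Return the sorted list of ports whose state is 'open' for the given protocol."""
    ports = set()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group("proto") != proto:
            continue
        # nmap prints 'open|filtered' for ambiguous results (common with UDP);
        # the first alternative decides whether the port counts as open.
        if m.group("state").split("|")[0] == "open":
            ports.add(int(m.group("port")))
    return sorted(ports)


def port_argument(text: str, proto: str = "tcp") -> str:
    """Render the open ports as the comma-separated value nmap's -p option takes."""
    return ",".join(str(p) for p in open_ports(text, proto))


# Constructed sample in the shape of allports.txt from the walkthrough,
# with a 'filtered' line added to show that it is left out.
SAMPLE = """\
# Nmap 7.92 scan initiated Sat Mar 26 13:45:35 2022 as: nmap -n -v -sS -p- -Pn --max-retries=0 -oN allports.txt 10.10.10.3
Warning: 10.10.10.3 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.3
Host is up (0.31s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3632/tcp filtered distccd

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Mar 26 13:54:29 2022 -- 1 IP address (1 host up) scanned in 534.24 seconds
"""

if __name__ == "__main__":
    print(port_argument(SAMPLE))  # 21,22,139,445
```

Run it as `python3 ports.py` and substitute the printed value for the `$(...)` part of the second nmap command; the `proto` argument lets the same file be reused for a `-sU` scan, where `open|filtered` is the usual result.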
- Analyse the information gathered
  - FTP allows anonymous login
  - Samba 3.0.20
🔍 Vulnerability detection
- Arbitrary file upload via anonymous login
- Samba 3.0 CVE
```
┌──(liona㉿kali)-[~/Workspace/HTB/Lame]
└─$ searchsploit samba 3.0
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                             | multiple/remote/10095.txt
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)               | osx/remote/16875.rb
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)   | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                              | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                                              | linux/remote/7701.txt
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                 | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)             | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)           | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                           | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                  | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow                                   | linux/remote/364.pl
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                      | linux_x86/dos/36741.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```
💥 Vulnerability verification
- FTP anonymous login
  - No exploitable vulnerability found
- Samba 3.0
  - CVE 2007-2447
  - Verify
One more small tip here: after you get a shell, you can use Python to spawn a basic interactive shell to make it easier to work with.
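The three conclusions this write-up draws by hand from the scan (anonymous FTP login, a Samba release inside the version range of the 'Username map script' searchsploit entry, which corresponds to CVE-2007-2447, and SMB message signing disabled) can be pulled automatically out of the nmap.xml file that the `-oX` option of the second scan wrote. The script below is an added example for this page, not part of the original walkthrough: it walks nmap's XML, reads the per-port and host-level NSE script results, and returns one line per finding. The embedded XML is a constructed sample in nmap's `-oX` format that mirrors the nmap.txt output above (not a real capture), the function names are mine, and the version range checked is the one printed by searchsploit (3.0.20 up to 3.0.25rc3) rather than the CVE's full affected range.

```python
"""Triage an nmap -oX file for the findings discussed in this write-up.

Added example for this page, not part of the original walkthrough.
Function names and the embedded XML sample are constructed here.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SAMBA_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")
# Version range taken from the searchsploit line
# "Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution".
CVE_2007_2447_RANGE = ((3, 0, 20), (3, 0, 25))


def samba_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull 'Samba X.Y.Z' out of smb-os-discovery output, if present."""
    m = SAMBA_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def in_cve_2007_2447_range(version: Tuple[int, int, int]) -> bool:
    """True when version lies in [3.0.20, 3.0.25), the range from the searchsploit entry."""
    low, high = CVE_2007_2447_RANGE
    return low <= version < high


def triage(xml_text: str) -> List[str]:
    """Return one human-readable finding per issue, for every host in an -oX document."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        # Per-port NSE results are <script> children of <port>.
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") == "ftp-anon" and "Anonymous FTP login allowed" in script.get("output", ""):
                    findings.append(f"{addr}:{port.get('portid')} anonymous FTP login allowed")
        # Host-level NSE results are <script> children of <hostscript>.
        for hostscript in host.iter("hostscript"):
            for script in hostscript.findall("script"):
                sid, out = script.get("id"), script.get("output", "")
                if sid == "smb-os-discovery":
                    ver = samba_version(out)
                    if ver and in_cve_2007_2447_range(ver):
                        ver_str = ".".join(map(str, ver))
                        findings.append(f"{addr} Samba {ver_str} within CVE-2007-2447 range (username map script)")
                elif sid == "smb-security-mode" and "message_signing: disabled" in out:
                    findings.append(f"{addr} SMB message signing disabled")
    return findings


# Constructed -oX sample mirroring the nmap.txt output above (not a real capture).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -n -v -sC -sV -p 21,22,139,445,3632 -oX nmap.xml -Pn 10.10.10.3" version="7.92">
<host><status state="up" reason="user-set"/>
<address addr="10.10.10.3" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="2.3.4"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3632"><state state="filtered" reason="no-response"/><service name="distccd"/></port>
</ports>
<hostscript>
<script id="smb-os-discovery" output="&#xa;  OS: Unix (Samba 3.0.20-Debian)&#xa;  NetBIOS computer name: &#xa;  Workgroup: WORKGROUP&#xa;  System time: 2022-03-26T02:05:48-04:00"/>
<script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  authentication_level: user&#xa;  challenge_response: supported&#xa;  message_signing: disabled (dangerous, but default)"/>
</hostscript>
</host>
</nmaprun>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_XML):
        print(line)
```

Point `triage` at the contents of the real nmap.xml instead of `SAMPLE_XML` to run it against the scan; the same structure (script results as `output` attributes under `<port>` or `<hostscript>`) is what nmap emits for every NSE script, so further checks are a matter of adding another `id` comparison.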