Pre Foothold

All port scan came back

Description of image

Deep Scan came back, anonymous login available. I’ll run a deep scan on that odd 3632 port as well

Description of image

3632 Port. Something called distccd

Description of image

I tried to login to the ftp and get some info but found it to be in passive mode meaning I wouldn’t get output to the ftp shell. So I started to inquire about this odd port I had never seen before. Hack tricks immediately gave me some good info.

Description of image

Nice! I opted to use the nmap vulnerability check instead of spinning up metasploit and got a good result.

Description of image

According to the nmap script the target is vulnerable. Now I’ll move to metasploit to get the exploit to return a shell for me.

First the listener

Description of image

Then the exploit

Description of image

I was having some trouble generating the shell, so I switch payloads to a command execution payload and tried reading the passwd file. Success.

Description of image

At the end we can see there is a user named makis. I am going to try to use this to execute the remote shell. I end up opting for a netcat reverse shell after listing the /bin/ folder and finding nc.traditional installed, which enables the use of the -e option.

Description of image

The shell is unstable, but I got the information I needed :) I realized python3 wasn’t working and had to use regular python after checking the /usr/bin folder and finding that the only versions of python that were installed were python and python 2.5.

Post Foothold

I spun my wheels for a bit and decided to go back to my enumeration I realize the Samba version is most likely vulnerable. A search turned up CVE-2007-2447, which I subsequently used to get a root shell.

Description of image

I probably didn’t have to go through all that I went through in the beginning, but it’s always a learning process and I am pretty sure I got the foothold in a fairly unconventional way :)

Cheers!