Metasploitable 2 — Walkthrough — SMB Exploit Techniques

MichaelLearns_
4 min read, May 17, 2024


These articles are some of my notes as I practice my penetration testing knowledge against the Metasploitable 2 box. The contents and techniques shown and used here are for instructional and educational purposes only. For the other articles in this series, please see here and here.


Exploring File Contents

We now continue our exploration of SMB on the Metasploitable 2 VM. With enumeration done, we can dig further into the machine and see what we can find, starting with the contents of the shares identified previously. We are looking in particular at the two interesting shares below:

\\10.10.10.4\opt
\\10.10.10.4\tmp

We have many tools at our disposal to connect to these shares. We used smbclient, smbmap, crackmapexec, enum4linux and Metasploit in the enumeration phase; this time we focus on smbclient to explore the shares.

Using the command below to access the tmp share,

smbclient \\\\10.10.10.4\\tmp

we notice that anonymous login appears to be enabled, as shown below. We have gained access to the share and can list its files. Some of them may not be useful for now, but the fact that we can reach this share anonymously should alarm any systems administrator.

SMB share accessed, with directories and files visible

What we could do here later is drop a shell or another file useful for establishing persistence. In this example we drop a text file from the smb command line as below:

smb: \> put test.txt

As you can see, it is now available in the share:

A test file uploaded to the drive

Exploring the other share, \opt, did not yield anything, as our access is denied.

No access for shared drive \\10.10.10.4\opt

Vulnerability Assessment

As per our initial enumeration here, the Samba version on this box is 3.0.20 (Debian).

We can use searchsploit to look for possible exploits for this version, if any.

This gives us the following interesting output. I am looking in particular at the 16320.rb file, a Ruby file that seems to exploit the ‘username map script’ option.

searchsploit results for Samba 3.0.20

Using command

searchsploit 16320 -x

and digging deeper into that file, its description gives us the following:

This module exploits a command execution vulerability in Samba versions 3.0.20
through 3.0.25rc3 when using the non-default
"username map script" configuration option. By specifying a username
containing shell meta characters, attackers can execute arbitrary commands.
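The two weaknesses this walkthrough leans on are both visible in smb.conf: a share that anonymous users can reach and write to, and the non-default "username map script" option that the module description above says the bug depends on. The following audit script is an added example (not code from the article or from Samba) that parses an smb.conf and flags those settings, so an administrator can check a box before someone else does. Both sample configs inside it are constructed for illustration; the script path in them is a placeholder, not Metasploitable 2's real configuration.

```python
"""Audit an smb.conf for the weak settings discussed in this walkthrough.

Added example, not code from the article or from Samba. It flags:
  * 'username map script' in [global] (the non-default option the
    usermap_script module's description says the bug depends on);
  * 'map to guest' set to anything but Never (failed logins fall
    through to anonymous sessions);
  * shares reachable by guests, and whether they are also writable.
Both sample configs are constructed; the script path is a placeholder.
"""
import configparser
from typing import Callable, Dict, List, Optional

SAMPLE_WEAK_CONF = """
[global]
   security = user
   map to guest = bad user
   username map script = /etc/samba/scripts/mapusers.sh   ; placeholder path

[tmp]
   comment = shared scratch space
   path = /tmp
   read only = no
   public = yes

[opt]
   path = /opt
   public = no
   read only = yes
"""

SAMPLE_HARDENED_CONF = """
[global]
   security = user
   map to guest = never

[tmp]
   path = /tmp
   read only = yes
   guest ok = no
   valid users = @staff
"""

_TRUE = {"yes", "true", "1"}


def _truthy(value: str) -> bool:
    return value.strip().lower() in _TRUE


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {option: value}} with lower-cased names.

    Samba's syntax is close enough to INI for configparser. Interpolation is
    off so '%'-macros survive, and strict=False tolerates a repeated option.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def _guest_setting(opts: Dict[str, str]) -> Optional[bool]:
    """'guest ok' and 'public' are synonyms; the last one set wins."""
    state = None
    for key, value in opts.items():
        if key in ("guest ok", "public"):
            state = _truthy(value)
    return state


def _writable_setting(opts: Dict[str, str]) -> Optional[bool]:
    """'read only' is the inverse of 'writable'/'writeable'; last one wins."""
    state = None
    for key, value in opts.items():
        if key in ("writable", "writeable"):
            state = _truthy(value)
        elif key == "read only":
            state = not _truthy(value)
    return state


def _effective(share: Dict[str, str], global_opts: Dict[str, str],
               resolve: Callable[[Dict[str, str]], Optional[bool]]) -> bool:
    """Share-level value, else the [global] default, else Samba's default (no)."""
    state = resolve(share)
    if state is None:
        state = resolve(global_opts)
    return bool(state)


def audit(conf_text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    sections = parse_smb_conf(conf_text)
    g = sections.get("global", {})
    findings: List[str] = []
    script = g.get("username map script")
    if script:
        findings.append(f"[global] username map script = {script}: non-default option "
                        "that the usermap_script exploit relies on; remove it")
    map_to_guest = g.get("map to guest", "never").strip().lower()
    if map_to_guest != "never":
        findings.append(f"[global] map to guest = {map_to_guest}: failed logins become anonymous sessions")
    for name, opts in sections.items():
        if name in ("global", "printers"):  # [printers] is a template, not a file share
            continue
        guest = _effective(opts, g, _guest_setting)
        writable = _effective(opts, g, _writable_setting)
        if guest and writable:
            findings.append(f"[{name}] anonymous AND writable share, path={opts.get('path', '?')}")
        elif guest:
            findings.append(f"[{name}] anonymous read access, path={opts.get('path', '?')}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK_CONF), ("hardened", SAMPLE_HARDENED_CONF)):
        print(f"--- {label} ---")
        for line in audit(conf) or ["no findings"]:
            print(" ", line)
```

Run it against a real smb.conf with `audit(open("/etc/samba/smb.conf").read())`. The weak sample reproduces what the walkthrough found: tmp is both anonymous and writable, opt is not reachable anonymously, and the global section carries the map script. The hardened sample shows the corrected settings and produces no findings.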

Exploiting using Metasploit

From the description it seems that there is a Metasploit module for this, and after a search it appears we can use the following module:

exploit/multi/samba/usermap_script
An excellent exploit is available in Metasploit

Now we can use that exploit and fill in the mandatory parameters. In this case that is RHOSTS, the hostname or IP address of the target.

Exploit information and parameters

Examining the information further, it seems that this particular exploit will try to establish a reverse netcat shell from the target back to our listener, through which we can execute commands.

Running the exploit yields the following:

Root access gained

This gives us root access to the target. Wonderful!

Recap

In this blog and the previous one, we explored ways to enumerate, assess the vulnerabilities of, and exploit the SMB service on Metasploitable 2. I hope this was a fun learning experience!
