Hack The Box Write-Up : Lame

rarpunzel
Sep 1, 2020
Info Card : Lame

1. Executive Summary

Enumeration shows that SMB services are running on the host. Server Message Block (SMB) is a network protocol for communications on a Windows-based system. SMB attacks are the best known remote code execution attacks for Windows systems.

2. Description

2.1 Enumeration

The given IP address is 10.10.10.3. Using nmap, I scanned the host to check which ports are open.

According to the nmap scan result, four ports are open: 21 (FTP), 22 (SSH), 139 and 445 (SMB).

A service using two ports is worth being suspicious about.

2.2 Exploitation

From the screenshot above, I discovered the version of SMB that the host uses.

Samba not simba..hehe

After discovering the version, the next item on my to-do list was looking for an exploit. Using CVE-2007-2447, I used the Metasploit module named “/exploit/multi/samba/usermap_script” to exploit Samba and gain a root shell.

Once I managed to slide into the shell as root, I found the user flag in /home/makis/user.txt and the root flag in /root/root.txt.
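A defender-side check for the same CVE, added here as an example that is not part of the original write-up: per the CVE-2007-2447 description, Samba 3.0.0 through 3.0.25rc3 is affected, and the unauthenticated path requires the `username map script` option to be set in smb.conf. The function names, result labels and sample inputs are constructed for illustration.

```python
import re

# Constructed sample smb.conf for illustration (not taken from the target host).
SAMPLE_CONF = """\
[global]
   ; username map = /etc/samba/users.map
   Username Map Script = /etc/samba/scripts/mapusers.sh
[print$]
   path = /var/lib/samba/printers
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)((?:pre|rc)\d+)?")

def samba_version_affected(version: str) -> bool:
    """True if the version string falls in 3.0.0 through 3.0.25rc3."""
    m = _VERSION_RE.search(version)
    if not m:
        return False
    base = tuple(int(x) for x in m.group(1, 2, 3))
    if (3, 0, 0) <= base < (3, 0, 25):
        return True
    suffix = m.group(4) or ""   # 3.0.25 final carries the fix
    return base == (3, 0, 25) and (suffix.startswith("pre") or suffix in ("rc1", "rc2", "rc3"))

def username_map_script(conf_text: str):
    """Return the [global] 'username map script' value, or None if unset."""
    section, value, pending = None, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, val = line.partition("=")
        # Parameter names are case-insensitive and ignore embedded whitespace.
        if sep and section == "global" and "".join(name.split()).lower() == "usernamemapscript":
            value = val.strip() or None
    return value

def audit(version: str, conf_text: str) -> str:
    """Classify as 'exposed', 'affected-version' or 'not-affected' (this example's own labels)."""
    if not samba_version_affected(version):
        return "not-affected"
    return "exposed" if username_map_script(conf_text) else "affected-version"
```

A host reported as `affected-version` still needs upgrading, since the CVE description also covers command execution by authenticated users through other MS-RPC functions.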

This is my expression after finishing this machine.
