Lame
Nmap
Looking at the results, I first checked FTP. Anonymous login was confirmed working; however, the FTP share contained no files or folders and, as shown below, file upload was unsuccessful.
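The anonymous login above is a configuration finding before it is anything else. The following is an added example (not code from the writeup) that audits a vsftpd configuration for exactly that exposure: the directive names are vsftpd's own (anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, write_enable), while the sample configuration texts are constructed for illustration. It also shows why a login can succeed while upload fails: anonymous writes need write_enable on top of the anon_* switches.

```python
"""
Audit a vsftpd.conf for anonymous-access exposure.
Added example; directive names are vsftpd's, sample configs are constructed.
"""

# vsftpd treats anonymous_enable as YES when the directive is absent, so a config
# that never mentions it is still exposed. The write-related directives default to NO.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Parse key=value lines, skipping comments and blanks. Values are upper-cased so
    YES/yes/Yes compare equal; a later duplicate key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().upper()
    return conf


def audit_vsftpd(text):
    """Return a list of findings for one configuration; empty means no anonymous exposure."""
    conf = {**DEFAULTS, **parse_vsftpd_conf(text)}
    findings = []
    if conf["anonymous_enable"] == "YES":
        findings.append("anonymous_enable=YES: unauthenticated logins accepted")
        # Anonymous writes additionally require the global write_enable switch,
        # which is why an anonymous login can succeed while uploads are refused.
        if conf["write_enable"] == "YES":
            if conf["anon_upload_enable"] == "YES":
                findings.append("anon_upload_enable=YES: anonymous users can upload files")
            if conf["anon_mkdir_write_enable"] == "YES":
                findings.append("anon_mkdir_write_enable=YES: anonymous users can create directories")
    return findings


# Constructed sample configurations (not taken from the target machine).
WEAK_CONF = """
# anonymous login left on; uploads blocked only because write_enable is off
anonymous_enable=YES
write_enable=NO
anon_upload_enable=YES
"""

EMPTY_CONF = "# nothing set; vsftpd's default still allows anonymous login\n"

HARDENED_CONF = """
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONF), ("empty", EMPTY_CONF), ("hardened", HARDENED_CONF)]:
        print(name, audit_vsftpd(text) or ["ok"])
```

Run it against a copied /etc/vsftpd.conf to get the same three-way answer: anonymous login on, anonymous writes on, or neither.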
Using searchsploit against the version of vsftpd running (2.3.4), we see this version is vulnerable to a Backdoor Command Execution exploit.
However, trying various exploits I was unable to get successful exploitation.
Looking at the nmap output, port 3632 has the distcc daemon running. distcc is a tool for speeding up compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project's compilation time.
Looking for exploits, we find that an unauthenticated RCE exists for this daemon, CVE-2004-2687.
Description:
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
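The CVE text names the condition that matters: the daemon was reachable "when not configured to restrict access to the server port". The following is an added example (not code from the writeup or from the distcc project) that audits distccd process lines for that condition. The `--allow` option is distccd's own client-network restriction; the sample process lines, shaped like `ps -eo args` output, are constructed here rather than captured from the target.

```python
"""
Flag distccd instances running without a meaningful --allow restriction.
Added example; --allow is distccd's option, the process lines are constructed.
"""
import ipaddress
import shlex

# Constructed sample lines, shaped like `ps -eo args` output.
SAMPLE_PS_LINES = [
    "/usr/bin/distccd --daemon --user distccd --allow 127.0.0.1 --allow 10.10.0.0/16",
    "/usr/bin/distccd --daemon --user distccd --allow 0.0.0.0/0",
    "/usr/bin/distccd --daemon --user distccd",
    "/usr/sbin/sshd -D",
]

# An --allow network with fewer prefix bits than this is treated as "effectively everyone".
MIN_PREFIX_BITS = 8


def distccd_allow_specs(argv):
    """Collect the value of every --allow option, in both '--allow SPEC' and '--allow=SPEC' forms."""
    allows = []
    i = 1  # argv[0] is the program itself
    while i < len(argv):
        if argv[i] == "--allow" and i + 1 < len(argv):
            allows.append(argv[i + 1])
            i += 2
        elif argv[i].startswith("--allow="):
            allows.append(argv[i].split("=", 1)[1])
            i += 1
        else:
            i += 1
    return allows


def audit_distccd_line(cmdline):
    """Return findings for one process line. Empty means the line is not distccd,
    or its --allow list restricts clients to specific hosts or networks."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "distccd":
        return []
    allows = distccd_allow_specs(argv)
    findings = []
    if not allows:
        findings.append("no --allow given: every client that can reach the port may submit jobs")
    for spec in allows:
        try:
            net = ipaddress.ip_network(spec, strict=False)  # bare host -> /32
        except ValueError:
            findings.append(f"unparseable --allow value {spec!r}")
            continue
        if net.prefixlen < MIN_PREFIX_BITS:
            findings.append(f"--allow {spec} is effectively unrestricted")
    return findings


def audit_ps_output(lines):
    """Map each offending process line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        findings = audit_distccd_line(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in audit_ps_output(SAMPLE_PS_LINES).items():
        print(line)
        for f in findings:
            print("  -", f)
```

On a real host, feed it the output of `ps -eo args`; pairing a tight `--allow` list with a host firewall rule on 3632/tcp is the fix the CVE description points at.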
Researching exploits on GitHub leads to: https://gist.github.com/ypcrts/12522c1cf6afda03a4f774bcf4d8e940
I downloaded the exploit and executed it with the following command:
With command execution confirmed, we can now attempt to gain a proper reverse shell. First, start a netcat listener on the attacking machine:
Then check whether nc is installed on the target machine:
With nc confirmed installed on the target machine, run the command below to spawn a reverse shell back to the netcat listener on the attacking machine, where we then catch the reverse shell.
Now on the target machine I uploaded linpeas.sh through a Python SimpleHTTPServer, and after running it we find that the nmap binary has the SUID bit set.
Checking this binary against GTFOBins shows this can be abused to spawn a system shell.
I then executed nmap in interactive mode and escaped to a system shell, gaining a shell as root.
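The root shell came from one misplaced SUID bit, which is something a routine audit catches long before linpeas does. The following is an added example (not code from the writeup) of such an audit: it walks a tree for SUID regular files and sorts them into expected system binaries, binaries GTFOBins documents as able to spawn a shell, and unknowns that need a human look. The two name lists are an illustrative subset I chose, not a copy of GTFOBins, and the directory it scans is built on the fly from stub files rather than real binaries.

```python
"""
Find SUID files under a root and triage them against known-dangerous names.
Added example; name lists are an illustrative subset, the demo tree is constructed.
"""
import os
import stat
import tempfile

# Names GTFOBins documents as able to spawn a shell when SUID (illustrative subset).
SHELL_CAPABLE = {"nmap", "vim", "find", "python", "perl", "bash", "less", "awk", "env"}
# Names that are SUID by design on most distributions and are usually expected.
EXPECTED = {"sudo", "su", "passwd", "mount", "umount", "ping", "chsh", "chfn", "newgrp"}


def find_suid(root):
    """Walk root and return the sorted paths of regular files carrying the SUID bit.
    lstat is used so a symlink to a SUID file is not reported a second time."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(paths):
    """Split SUID paths into expected, dangerous (known shell escapes) and unknown."""
    report = {"expected": [], "dangerous": [], "unknown": []}
    for path in paths:
        name = os.path.basename(path)
        if name in SHELL_CAPABLE:
            report["dangerous"].append(path)
        elif name in EXPECTED:
            report["expected"].append(path)
        else:
            report["unknown"].append(path)
    return report


def make_demo_tree():
    """Build a throwaway tree of constructed stub files so the audit runs offline.
    Returns (root, sorted list of the paths that were given the SUID bit)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {"usr/bin/nmap": 0o4755, "usr/bin/passwd": 0o4755, "usr/bin/ls": 0o755}
    suid = []
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # stub content, not a real binary
        os.chmod(path, mode)
        if mode & stat.S_ISUID:
            suid.append(path)
    return root, sorted(suid)


if __name__ == "__main__":
    root, _ = make_demo_tree()  # use "/" for a real host audit
    for bucket, paths in classify(find_suid(root)).items():
        for p in paths:
            print(f"{bucket:9} {p}")
```

Anything landing in the dangerous bucket should lose the bit (chmod u-s) unless there is a documented reason for it; the unknown bucket is where custom or vendor-installed SUID files show up.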