• IP —
  • OS — Linux-based

This machine is useful for practising basic Metasploit skills and, as a beginner, for getting hands-on with the simple steps needed to launch an exploit against a vulnerable machine.

1. First, I started with nmap to enumerate the target

sudo nmap -sT -sV -O -A --version-light <target IP>

  • -sT = TCP connect() scan (one of the -sS/-sT/-sA/-sW/-sM family of TCP scan types)
  • -sV = Probe open ports to determine service/version info
  • -O = Enable OS detection
  • -A = Enable OS detection, version detection, script scanning, and traceroute
  • --version-light = Limit to the most likely probes (intensity 2)

After the nmap scan completes, you get a rough idea of the target and which ports are open and closed. On 'Lame' I found Samba 3.0.20, a vulnerable version of the Samba server, which implements the SMB (Server Message Block) protocol used for file sharing and Active Directory integration.
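The scan above is where a defender's inventory starts: the same -sV data that tells an attacker a service is old tells you which hosts need patching. The following is an added example, not from the original write-up, that parses nmap's XML output (-oX) and flags service versions on a watchlist. The XML is a constructed sample in the shape nmap produces, not a real scan, and the watchlist entry is illustrative.

```python
"""Parse `nmap -sV -oX` output and flag service versions on a watchlist."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample (not a real scan). Real -oX output carries more elements
# (scaninfo, hostnames, times) that this parser simply ignores.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -sV -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3632">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str      # nmap service name, e.g. "ftp"
    product: str   # from -sV probing; may be empty
    version: str   # from -sV probing; may be empty


def parse_nmap_xml(xml_text: str) -> list:
    """Return one Service per open port found in nmap XML output."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service data
            svc = port.find("service")
            found.append(Service(
                host=addr,
                port=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
    return found


# Illustrative watchlist (assumption, not an authoritative list):
# (product substring, version prefix, note for the report).
WATCHLIST = [
    ("Samba", "3.0.", "end-of-life Samba 3.0.x; upgrade to a supported release"),
]


def flag_services(services, watchlist=WATCHLIST):
    """Return (service, note) pairs whose product and version match the watchlist."""
    hits = []
    for svc in services:
        for product, prefix, note in watchlist:
            if product.lower() in svc.product.lower() and svc.version.startswith(prefix):
                hits.append((svc, note))
    return hits


if __name__ == "__main__":
    services = parse_nmap_xml(SAMPLE_XML)
    for s in services:
        print(f"{s.host}:{s.port}/{s.proto} {s.name} {s.product} {s.version}".rstrip())
    for s, note in flag_services(services):
        print(f"FLAG {s.host}:{s.port} {s.product} {s.version}: {note}")
```

Only the port 445 entry is flagged: port 139 reports the range "3.X - 4.X", which does not pin the version, so the prefix match correctly leaves it alone. For a real run, replace SAMPLE_XML with the contents of the file written by `nmap -sV -oX scan.xml <target IP>`.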

For further information


2. Browsing the FTP service

As the second step I tried to reach the File Transfer Protocol (FTP) service through a web browser. I found an FTP server that listed its directories, which could be navigated by clicking "Up to higher level directory".

3. Trying to connect to FTP from the terminal

As the third step, I tried blindly to connect to FTP from the terminal with several default usernames and passwords, but I could not gain access despite several attempts.

4. Searching for exploits

As the fourth step I searched the searchsploit database for a Samba 3.0.20 exploit to find a suitable module.

Command used

searchsploit Samba 3.0.20

I found that unix/remote/16320.rb is in the Metasploit database.

What is Metasploit?

Put simply, Metasploit is a framework that bundles exploit modules for previously discovered vulnerabilities in its database. It is a free tool for Linux users, and you can also find exploits online at Rapid7, Exploit Database, CVE (Common Vulnerabilities and Exposures) and many more.

Links are as follows

- https://www.exploit-db.com/

- https://www.rapid7.com/

- https://cve.mitre.org

More reference material on msfconsole (Metasploit)

- https://www.offensive-security.com/metasploit-unleashed/msfconsole/

5. Using Metasploit

I opened Metasploit with the command "msfconsole".

6. Search for the exploit in the msf database

Based on the searchsploit result, I searched for the specific module with the command

  • search Samba 3.0.20

7. Use module

I used the exploit module for Samba's username map script.

Command used

use exploit/multi/samba/usermap_script
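The usermap_script module targets Samba's "username map script" configuration option, so on the defending side the check is whether that directive is present in smb.conf at all; removing it (and keeping Samba on a supported release) is the mitigation. The following is an added example, not from the original write-up or from the Samba project, that parses an smb.conf and reports the directive. Both configuration samples are constructed, including the script path.

```python
"""Audit an smb.conf for the `username map script` directive."""

# Constructed sample of a risky configuration (the script path is made up).
VULNERABLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   ; legacy option that hands the supplied user name to a shell command
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[share]
   path = /srv/share
   read only = no
"""

# Constructed sample of the same configuration with the directive removed.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   security = user

[share]
   path = /srv/share
   read only = no
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for an smb.conf-style file.

    Samba ignores case and whitespace inside parameter names, so
    'Username Map Script' and 'usernamemapscript' are the same key;
    lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside any section, or not a key = value line
        key, value = line.split("=", 1)
        sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of findings; an empty list means this check found nothing."""
    findings = []
    conf = parse_smb_conf(text)
    global_section = conf.get("global", {})
    if "usernamemapscript" in global_section:
        findings.append(
            "[global] sets 'username map script = %s'; remove it unless required "
            "and keep Samba on a supported release" % global_section["usernamemapscript"]
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf) or ["no findings"])
```

To run it against a real server, read /etc/samba/smb.conf (or the path reported by `testparm -v`) into the audit function instead of the constructed samples.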

8. Configure the exploit for the target

After selecting the module we need to configure the exploit for the target environment, so I used the following commands to set the remote host and the local host.

  • show options (to see the options that can be configured)
  • set RHOST <target IP>
  • set LHOST <tun0 address> (call-back address of the local host on tun0)

9. Once the exploit is configured, it is ready to run.

Used command


10. Gaining access to the server

To check which account the session was running as on the target, I typed the command "whoami" and got "root". Because the host runs a Linux kernel, I used Linux commands to list the directories and found the user.txt file.

The user flag was found in the user.txt file.