NETWORK
ENUMERATION
Anonymous access
sudo nmap --script="smb-enum-shares" -p 445 172.31.1.1
Shares exploration
smbmap -u "" -p "" -P 445 -H 172.31.1.1
We have read/write permissions on /Public.
smbclient \\\\172.31.1.1\\public -U ''
Vulnerability
Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder, and execute arbitrary code via a crafted named pipe.
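For triage on the defending side, both preconditions described above (a version inside the quoted ranges and a share that guests can write to) can be checked offline. The sketch below is an added example, not part of the original notes; the function names are hypothetical, the sample smb.conf is constructed, 3.5.0 itself is treated as affected as a conservative assumption, and only per-share keys are read (no `[global]` inheritance).

```python
import re
# Fixed release per branch, from the version ranges quoted in the Vulnerability section.
FIXED_IN = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

def in_affected_range(banner):
    """True/False for a version banner, None when no x.y.z version can be parsed."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    v = tuple(int(x) for x in m.groups())
    if v[0] == 3:
        return v >= (3, 5, 0)  # 3.5.0 itself is flagged too (conservative assumption)
    if v[0] != 4:
        return False
    if v[:2] < (4, 4):
        return True  # 4.0 to 4.3 fall under "4.x before 4.4.14"
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed  # 4.7 and later: no entry, not affected

def guest_writable_shares(conf_text):
    """Names of shares that allow both guest access and writes."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            current[" ".join(key.split())] = value  # normalise inner whitespace
    risky = []
    for name, opts in shares.items():
        guest = opts.get("guest ok", opts.get("public", "no")) in YES
        write = (opts.get("read only", "yes") in NO
                 or any(opts.get(k, "no") in YES for k in ("writable", "writeable", "write ok")))
        if name.lower() != "global" and guest and write:
            risky.append(name)
    return risky

# Constructed sample smb.conf, not taken from the host in these notes.
SAMPLE_CONF = """
[Public]
   guest ok = yes
   read only = no
[Backups]
   read only = yes
"""
```

Distribution packages often backport fixes without changing the upstream version number, so a True result is a candidate to verify against the vendor changelog. Where patching has to wait, the Samba project's documented workaround for this bug is `nt pipe support = no` in `[global]`.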
Msfconsole
The exploit is successful and we get an interactive shell.