This is more just notes for me than anything, but here we go:
So this is an nmap scan being used to enumerate for SMB shares. Let’s dissect it.
- “-p 445” means it is only scanning the specified port, AKA port 445
- “–script=” there are a bunch of different scripts, directories, script-categories, and more in here
- “smb-enum-shares.nse” and “smb-enum-users.nse” are scripts developed for nmap to do what their names describe; they enumerate smb shares and users of the smb shares. More info on at least one of these scripts can be found here.
The rest of this (nmap, machine_ip) is pretty self-explanatory.
Here are some of the SMB commands. Luckily, “smbclient” is a pretty simple one. It is similar to how an ftp connection works through the command line, and just connects to an SMB instance on a certain machine’s IP.
“smbget -r” downloads files from a share. The “r” is for resume, which means it automatically resumes aborted files.
So, here’s another nmap scan:
- “nfs-ls,nfs-statfs,nfs-showmount” these can be looked at online @ nmap’s official site, the main one we are concerned with is here.
This shows NFS exports, and is what we are mainly after. The others gather the extra info that we rely on as well, but this question on the box’s page surrounds the mount that we can see.
The next question I need to answer for myself is: what is netcat?
Well, netcat is a utility that lets you read and write from connections using TCP or UDP. It has been described as a “networking swiss army knife” and can do a ton of different things. It would definitely be out of my depth to currently attempt to put into words all the things it can do, but it does look very useful.
Searchsploit is a command line search tool that checks Exploit-Db. This is useful because it lets you take an offline version of their database with you wherever you go, and is easily accessed from the command line. It can show exploits and shellcode useful for all manner of things.
Here “proftpd” is the service we are looking for exploits for, and “version” is where we will put the version number, like “1.3.5”.
Now we’ll take a look at two more commands. “SITE CPFR” specifies the file you want to copy, while “SITE CPTO” specifies where you want to copy it to.
“Mkdir” creates a directory. “mount” mounts a drive/directory. This can be used to mount an smb share. “mount machine_ip:/var /mnt/kenobiNFS” mounts this machines /var to our newly created directory. “ls -la” then displays the contents of a directory with a lot of extra info for each file, like the size in bytes, last time of modification, etc. The “a” of “la” lists all entries in the directory, including the entries that begin with a period.
- “find” takes a path to find things, searches for the parameters you feed it.
- “/” means find will look through every file on the system.
- “-perm” means you are looking for a file based on permissions. Which is where this next bit comes in.
- “-u=s” u stands for user, and the s means “set user or group ID on execution”.
- “-type f” means that it will only look for files. So type is specifying what type of things it is looking for, and f is specifying files.
- “2>/dev/null” is apparently a fancy way of redirecting stderr to a black hole. This means it discards the output of the command.
Now, I’m going to attempt to walk myself through this. It might be right, it might be wrong.
So since we cannot run usr/bin/sh the way we want to, we copied its contents, and created a new file named curl with the same content. Now, just running curl wouldn’t work because we still need the correct permissions inside and out. We moved it into the way of /usr/bin/menu, a file that we CAN run, and so that when menu gets run, it hits our curl, which in turn gives us the access we need. This is because it has now fully run our shell (curl) as root.
Hopefully that was a semi-correct explanation. Cool stuff though, I’m looking forwards to doing more of these!