Running all scans on 10.10.10.3 Host is likely running Linux ---------------------Starting Nmap Quick Scan--------------------- Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:46 EDT Nmap scan report for 10.10.10.3 Host is up (0.12s latency). Not shown: 996 filtered ports Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds ---------------------Starting Nmap Basic Scan--------------------- Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:46 EDT Nmap scan report for 10.10.10.3 Host is up (0.12s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.14.27 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -3d00h56m26s, deviation: 2h49m45s, median: -3d02h56m28s | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | Computer name: lame | NetBIOS computer name: | Domain name: hackthebox.gr | FQDN: lame.hackthebox.gr |_ System time: 2020-09-26T14:50:25-04:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 52.53 seconds ----------------------Starting Nmap UDP Scan---------------------- Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:47 EDT Nmap scan report for 10.10.10.3 Host is up (0.12s latency). All 1000 scanned ports on 10.10.10.3 are open|filtered (997) or closed (3) Nmap done: 1 IP address (1 host up) scanned in 58.57 seconds ---------------------Starting Nmap Full Scan---------------------- Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:48 EDT Initiating Parallel DNS resolution of 1 host. at 17:48 Completed Parallel DNS resolution of 1 host. at 17:48, 0.02s elapsed Initiating SYN Stealth Scan at 17:48 Scanning 10.10.10.3 [65535 ports] Discovered open port 22/tcp on 10.10.10.3 Discovered open port 139/tcp on 10.10.10.3 Discovered open port 445/tcp on 10.10.10.3 Discovered open port 21/tcp on 10.10.10.3 SYN Stealth Scan Timing: About 11.76% done; ETC: 17:52 (0:03:53 remaining) SYN Stealth Scan Timing: About 23.19% done; ETC: 17:52 (0:03:22 remaining) SYN Stealth Scan Timing: About 34.62% done; ETC: 17:52 (0:02:52 remaining) SYN Stealth Scan Timing: About 46.05% done; ETC: 17:52 (0:02:22 remaining) SYN Stealth Scan Timing: About 57.47% done; ETC: 17:52 (0:01:52 remaining) SYN Stealth Scan Timing: About 68.90% done; ETC: 17:52 (0:01:22 remaining) Discovered open port 3632/tcp on 10.10.10.3 SYN Stealth Scan Timing: About 80.33% done; ETC: 17:52 (0:00:52 remaining) Completed SYN Stealth Scan at 17:52, 262.71s elapsed (65535 total ports) Nmap scan report for 10.10.10.3 Host is up (0.11s latency). Not shown: 65530 filtered ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3632/tcp open distccd Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 262.82 seconds Raw packets sent: 131255 (5.775MB) | Rcvd: 196 (8.624KB) Making a script scan on extra ports: 3632 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:52 EDT Nmap scan report for 10.10.10.3 Host is up (0.12s latency). PORT STATE SERVICE VERSION 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds ---------------------Starting Nmap Vulns Scan--------------------- Running CVE scan on all ports Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:52 EDT Nmap scan report for 10.10.10.3 Host is up (0.13s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | vulners: | cpe:/a:openbsd:openssh:4.7p1: | CVE-2008-3844 9.3 https://vulners.com/cve/CVE-2008-3844 |_ CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds Running Vuln scan on all ports Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:53 EDT Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 224.0.0.251 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). Nmap scan report for 10.10.10.3 Host is up (0.12s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_clamav-exec: ERROR: Script execution failed (use -d to debug) |_sslv2-drown: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) |_clamav-exec: ERROR: Script execution failed (use -d to debug) | vulners: | cpe:/a:openbsd:openssh:4.7p1: | CVE-2008-3844 9.3 https://vulners.com/cve/CVE-2008-3844 | CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478 | CVE-2008-1657 6.5 https://vulners.com/cve/CVE-2008-1657 | CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906 | CVE-2010-5107 5.0 https://vulners.com/cve/CVE-2010-5107 | CVE-2007-2768 4.3 https://vulners.com/cve/CVE-2007-2768 | CVE-2014-9278 4.0 https://vulners.com/cve/CVE-2014-9278 | CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755 | CVE-2012-0814 3.5 https://vulners.com/cve/CVE-2012-0814 | CVE-2011-5000 3.5 https://vulners.com/cve/CVE-2011-5000 | CVE-2011-4327 2.1 https://vulners.com/cve/CVE-2011-4327 |_ CVE-2008-3259 1.2 https://vulners.com/cve/CVE-2008-3259 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |_clamav-exec: ERROR: Script execution failed (use -d to debug) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |_clamav-exec: ERROR: Script execution failed (use -d to debug) 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) |_clamav-exec: ERROR: Script execution failed (use -d to debug) | distcc-cve2004-2687: | VULNERABLE: | distcc Daemon Command Execution | State: VULNERABLE (Exploitable) | IDs: CVE:CVE-2004-2687 | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Allows executing of arbitrary commands on systems running distccd 3.1 and | earlier. The vulnerability is the consequence of weak service configuration. | | Disclosure date: 2002-02-01 | Extra information: | | uid=1(daemon) gid=1(daemon) groups=1(daemon) | | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687 | https://distcc.github.io/security.html |_ https://nvd.nist.gov/vuln/detail/CVE-2004-2687 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_smb-vuln-ms10-054: false |_smb-vuln-ms10-061: false |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 144.95 seconds ---------------------Recon Recommendations---------------------- SMB Recon: smbmap -H 10.10.10.3 | tee recon/smbmap_10.10.10.3.txt smbclient -L "//10.10.10.3/" -U "guest"% | tee recon/smbclient_10.10.10.3.txt enum4linux -a 10.10.10.3 | tee recon/enum4linux_10.10.10.3.txt Which commands would you like to run? All (Default), enum4linux, smbclient, smbmap, Skip Running Default in (1) s: ---------------------Running Recon Commands---------------------- Starting smbmap scan [+] IP: 10.10.10.3:445 Name: 10.10.10.3 Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers tmp READ, WRITE oh noes! opt NO ACCESS IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian)) ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian)) Finished smbmap scan ========================= Starting smbclient scan protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED Finished smbclient scan ========================= Starting enum4linux scan Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep 29 17:56:13 2020 ========================== | Target Information | ========================== Target ........... 10.10.10.3 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ================================================== | Enumerating Workgroup/Domain on 10.10.10.3 | ================================================== [E] Can't find workgroup/domain ========================================== | Nbtstat Information for 10.10.10.3 | ========================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437. Looking up status of 10.10.10.3 No reply from 10.10.10.3 =================================== | Session Check on 10.10.10.3 | =================================== [E] Server doesn't allow session using username '', password ''. Aborting remainder of tests. Finished enum4linux scan ========================= ---------------------Finished all Nmap scans--------------------- Completed in 10 minute(s) and 5 second(s)