Target // ClamAV
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Easy
IP: 192.168.57.42

Recon

Nmap

Full nmap output (TCP)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)

Full nmap output (UDP)
PORT     STATE         SERVICE      VERSION
137/udp  open          netbios-ns   Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp  open          snmp         SNMPv1 server (public)

[ Warning ]
Don’t forget to enumerate UDP. This box has SNMPv1 on UDP 161, which reveals critical information.
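
Read from the defender's side, the UDP result is a hardening finding. The following is an added example, not part of the original write-up: it parses service rows copied from the scan output above and flags community-based SNMP, a default community string, and a duplicate listener. The function names and the wording of the findings are assumptions made for illustration.

```python
import re

# Service rows copied from the TCP and UDP scan output above.
SCAN = """\
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
199/tcp   open  smux        Linux SNMP multiplexer
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
137/udp  open          netbios-ns   Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp  open          snmp         SNMPv1 server (public)
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known default community strings

def parse_rows(text):
    """Parse nmap 'PORT STATE SERVICE VERSION' rows into dicts; skip other lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows

def audit(rows):
    """Return (port/proto, finding) pairs for open services worth hardening."""
    findings, seen = [], {}
    for r in rows:
        if r["state"] != "open":
            continue
        key = f'{r["port"]}/{r["proto"]}'
        if r["service"] == "snmp":
            if re.search(r"SNMPv(1|2c)\b", r["version"]):
                findings.append((key, "community-based SNMP: cleartext community, no encryption"))
            m = re.search(r"\(([^)]+)\)", r["version"])
            if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append((key, f"default community string '{m.group(1)}' accepted"))
        banner = (r["service"], r["version"])
        if r["version"] and banner in seen:
            findings.append((key, f"same banner as {seen[banner]}: justify or close this listener"))
        seen.setdefault(banner, key)  # remember the first port showing each banner
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_rows(SCAN)):
        print(f"{port:10} {finding}")
```

A scan limited to TCP produces no SNMP finding here, because 161/udp is the only row that carries the community string.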

Enumeration

Port 25 - SMTP (Sendmail)

Sendmail 8.13.4 is ancient. Searchsploit lists multiple exploits, including, importantly, one that involves ClamAV (a hint from the box name):