OSCP Practice Default Credentials

Stewart Beam

In our practice today, we started on a machine that would have default credentials. Through the default credentials, we were able to identify vulnerable software with known exploits. The known exploits led directly to escalated root privileges.

Identifying the Default Credentials

Running NMAP with the “-sC” and “-sV” switches on the top 100 UDP ports showed that SNMP was running.

A default community string of public was in use, and this allowed the script to read process information from the system. Review of the processes shows that clamav-milter is running and is using the parameter “--black-hole-mode”.

At this point we can review exploit-db / searchsploit to see if there are any known vulnerabilities for the software. There are 3 exploits referring to ClamAV with Blackhole-Mode. The last also refers to Sendmail with ClamAV-Milter.

Testing the Metasploit exploit allowed us to get a reverse shell back to our system as the root user.

Another NMAP Option for Identifying the Default Credentials

NMAP scripts are available for a large number of tasks. In this case, the snmp-brute.nse script will look for known default community strings and will identify the public string in use.

Enumerating SNMP if we know the Community String

“snmpwalk” can be used to query the system to gather as much information as possible. If we had not found anything interesting in the initial NMAP scan, we could have used this to possibly find something.
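The finding above comes down to one weak configuration: a well-known community string granted to any source address. The following added example (not from this post) audits a net-snmp style snmpd.conf for exactly that, flagging default community strings and access rules with no source restriction. The sample config and the small list of default strings are constructed for the example.

```python
# Added example: audit a net-snmp snmpd.conf for the two settings that let the
# SNMP enumeration above succeed -- a default community string, and an access
# rule reachable from any source address.
import re

# Constructed subset of the community strings that brute-force scripts try first.
DEFAULT_COMMUNITIES = {"public", "private", "manager", "cisco", "snmp", "admin"}

# "rocommunity <string> [source]" / "rwcommunity <string> [source]" directives.
_COMMUNITY_DIRECTIVE = re.compile(
    r"^\s*(ro|rw)community6?\s+(?P<community>\S+)(?:\s+(?P<source>\S+))?",
    re.IGNORECASE,
)
# "com2sec <secname> <source> <community>" directives.
_COM2SEC_DIRECTIVE = re.compile(
    r"^\s*com2sec\s+\S+\s+(?P<source>\S+)\s+(?P<community>\S+)", re.IGNORECASE
)

def audit_snmpd_conf(text):
    """Return (line_no, community, reason) findings for weak community configuration."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = _COMMUNITY_DIRECTIVE.match(line) or _COM2SEC_DIRECTIVE.match(line)
        if not m:
            continue
        community = m.group("community")
        # A missing source on rocommunity/rwcommunity means "default" (any host).
        source = m.group("source") or "default"
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, community, "default community string"))
        if source.lower() in ("default", "0.0.0.0/0", "::/0"):
            findings.append((line_no, community, "reachable from any source address"))
    return findings

# Constructed sample configuration: line 2 is the case seen in the practice above.
SAMPLE_CONF = """# constructed sample snmpd.conf
rocommunity public
rwcommunity private 127.0.0.1
com2sec readonly 10.0.0.0/8 monitor-s3cret
"""

if __name__ == "__main__":
    for line_no, community, reason in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: community '{community}': {reason}")
```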